|
| r00fus wrote:
| Looks like the backup servers weren't impacted? Still unclear on
| what this attack consisted of.
| neonate wrote:
| https://archive.is/2MasR
| jl6 wrote:
| The technical debt collector has arrived. This is going to get
| worse before it gets better.
| young_unixer wrote:
| How will it get better?
| jl6 wrote:
| Possible outcomes from most to least likely:
|
| * Non-tech industry belatedly starts prioritising cyber
| security; security gradually gets better while costs increase
| and infosec consultants enjoy a Y2K-style boom.
|
| * Tech-competent startups outcompete non-tech industries
| through avoiding ransom costs.
|
| * The international internet degrades into mostly-closed
| national networks with end-to-end government control and
| monitoring.
|
| * The US government starts treating these attacks as national
| security threats and goes all War on Terror, probably
| triggered by a hit on critical infrastructure that costs
| lives. Heinous collateral damage.
| nradov wrote:
| Most small and medium enterprises will eventually have to
| outsource their technology infrastructure to a few huge cloud
| vendors that have sufficient scale and technical expertise to
| build secure systems.
| Raidion wrote:
| Data security will get better as the risk calculus changes. A
| lot of companies are mentally doing math:
|
| (Probability of cyber attack per year) * (cost of ransom +
| costs of downtime) = X, (Overhead of additional cybersecurity
| personnel) = Y
|
| If X < Y, it's basically just a no-brainer to just eat the
| costs and pay the X million if it happens. If Y > X, they
| hire security personnel and it "gets better".
|
| If the government makes paying the ransom less attractive
| (via basically labeling it as a financial transaction with a
| sanctioned entity making it illegal) OR the probability of
| the cyber attack goes up (as this becomes more lucrative),
| risk calculus changes, security is improved, and it "gets
| better".
| whatshisface wrote:
| Losses due to underinvestment will motivate investment. Some
| companies will invest more wisely than others. Eventually
| every company will be wisely investing in security, by
| copying companies that got it right or by being replaced by
| them.
| yosamino wrote:
| So this random article [0] I googled says it's ransomware.
|
| Can that really be called an "attack" ?
|
| JBS said: not aware of any evidence that any
| customer, supplier, or employee data has been
| compromised
|
| So the "attackers" didn't steal anything. Give them the finger
| then, restore from backup, get upset about losing 25 minutes of
| data and keep going.
|
| How are ransomware "attacks" still a thing ? Why is any of the
| software that controls meat-cutting/oil pipeline hardware not
| air-gapped under normal operations? How is there no plan on how
| to continue operating when losing power, so that stuff still
| works?
|
| One of these "attacks" pops up every three days and I get that if
| data is exfiltrated then the problem is not the same.
|
| BUT
|
| "someone encrypted all my data" and "oh shit, my harddrive
| crashed" have almost the exact same recovery plan and we have
| dedicated a complete international holiday called World Backup
| Day[1] over ten years ago to remind people of the principles of
| how that works that were known since at least when harddrives
| were invented.
|
| It's not an attack, it's pure _negligence_.
|
| It's not special IT SuperHighTechnologyKnowledge either. It's a
| simple principle: Things need to exist in at
| least three places in case one of them breaks and the other
| explodes/tornadoes/earthquakes.
|
| The _slightly_ advanced corollary is: Make sure
| that the thing in the three places is actually the thing that it
| should be.
|
| ... It's not like I do not understand how organizations fail at
| this that or the other and that maybe the tradeoffs here were
| made correctly, but it still boggles the mind.
|
| [0]
| https://townhall.com/tipsheet/leahbarkoukis/2021/06/01/cyber...
|
| [1] http://www.worldbackupday.com/en/
| viraptor wrote:
| > So the "attackers" didn't steal anything.
|
| It's always a weird phrase. A proper one would be "we have no
| records of data exfiltration, so we hope it didn't happen".
| Attackers had the access, otherwise the data wouldn't be
| encrypted.
|
| > restore from backup, get upset about losing 25 minutes of
| data and keep going.
|
| Unless you want to be owned again in 30min, you need to first
| analyse how did it happen the first time and how to mitigate
| it, before getting everything back online. That takes time.
|
| > Why is any of the software that controls meat-cutting/oil
| pipeline hardware not air-gapped
|
| None of those were affected. The pipeline hack took their
| billing system down, not the operations. I haven't seen the
| details here, but it's not like the meat saws and trucks just
| stopped - more likely the stock/communication/billing system
| was stopped as well.
| worik wrote:
| "How are ransomware "attacks" still a thing ?"
|
| It is cheaper to build a shoddy system out of the pre-made
| parts that software companies sell. A shiny very capable system
| can be built quickly, and cheaply.
|
| To build a robust system, segmented, properly backed up,
| maintained professionally... costs a lot more.
|
| To have staff on your payroll who understand your systems, who
| can maintain your systems and recover your systems in a
| disaster means having expensive professionals on the payroll
| who look like they are doing nothing.
|
| When your whole business goes into a paralysis because of the
| costs you saved, there will be someone to blame. Some clerk in
| an office that "clicked on an attachment" - it is their fault....
|
| Yes, it is cheaper in the long run to build robust maintained
| systems. But in the long run we are all dead, and our bonuses
| will be paid before the catastrophe, and anyway it is
| "somebody else's fault".
| handrous wrote:
| I think a lot of the "cost savings" and "efficiency" of
| sticking everything on computers and putting them online
| would evaporate if it all had to be secured properly, even
| for fairly generous values of "properly".
| watertom wrote:
| I remember back in the 90's that there was talk about building
| out a business focused Internet.
|
| I'm now starting to think that it's necessary.
|
| I know a lot of people will just say that these companies just
| need to pay attention to security, but the problem is
| asymmetrical.
|
| Focusing on security is like being a pacifist when dealing with a
| hostile bully. You get your butt kicked a lot.
| aaomidi wrote:
| No one is forcing you to connect to the internet really. Plenty
| of businesses run their own private network.
| corty wrote:
| Business-focused? How should that do anything about security?
| Do you want to charge an entry fee that evil people cannot
| afford? Or just label it "serious business only"? Have things
| audited somehow? I don't think any of that would do any good.
| s5300 wrote:
| Presumably operating at a much lower level in general so
| attack vectors are greatly reduced.
| paxys wrote:
| How is a "business focused Internet" different from the
| internet? Why would it not have the exact same flaws?
| whatshisface wrote:
| The business-focused internet:
|
| 1. Has enterprise-grade auditing and report generation. For
| what? Doesn't matter, nobody reads them.
|
| 2. Has an account manager for every open port.
|
| 3. Has IBM/Oracle style exponential cost increases for
| locked-in customers.
| yosamino wrote:
| A "business focused internet" is a security measure.
|
| That sounds a lot like "do not connect one's valuable and
| vulnerable machines to the open internet" which is something
| _one should already be doing in the first place_ and one can and
| should be doing it right now with the current internet we have.
| goatinaboat wrote:
| _remember back in the 90's that there was talk about building
| out a business focused Internet._
|
| They exist. Radianz, BPIPE and several more.
| jerf wrote:
| Almost every concrete way to manifest "building a business
| focused internet" is something that the businesses can already
| do, today. They aren't doing it.
|
| It doesn't do any good if your secretary needs access to the
| "business focused internet" and also has to get mail from the
| "normal" internet. The transitive nature of networks makes
| things very hard to isolate in practice. People and businesses
| are going to have to accept a lot more inconvenience to isolate
| things better, and that inconvenience is real money, too.
|
| The problem is you end up with yet another manifestation of a
| common business problem; if you take the time and money to
| build a secure business, that carefully isolates everything
| correctly, that hires good security engineers, that accepts
| higher costs of doing business, you'll be in a position to
| handle a cyberpocalypse better than your competitors and you
| will reap the benefits when that day comes. The problem is,
| you'll never survive to see that day come because you'll have
| been utterly outcompeted by your competition that cut corners
| and carelessly, but effectively, integrated their systems, and
| _over_-optimized their internal systems to function more
| cheaply day-by-day. You may have taken the time to build on the
| rock while they threw shacks up on the sand but they end up
| killing you before the storm comes.
| unclebucknasty wrote:
| All true, and I think the solution is even harder than that.
| That is, even the best-intentioned and well-resourced
| companies would face severe headwinds in trying to "build [or
| rebuild] on the rock".
|
| A lot of these businesses have been around for decades and
| are working on mountains of technical debt. They built ad-hoc
| systems over the years (before security was "a thing"),
| employ tenuously-functioning integrations with acquired
| company systems and more. To make matters worse, much of the
| technical knowledge has walked out of the door over the
| years.
|
| In my consulting days it wasn't unusual to find that no one
| in a company really understood how systems worked (or even
| why). And, in some cases, they actually didn't work. I've
| seen billing systems that were unpredictable and relied on
| customers to call to report billing errors. Not a single
| person in the company even understood how it was _supposed_
| to work.
|
| And, these were sizable companies. Agile has only exacerbated
| these issues as more software is built more quickly and with
| scant documentation.
|
| All of that to say that it's difficult enough for many
| companies to build functioning software, let alone to secure
| it. And, the number of people who _truly_ understand what it
| takes to secure networks/software is tiny relative to demand
| for engineers.
|
| Throw in OSS, zero-days, social engineering attacks, etc. and
| it starts to become clear that any realistic solution
| includes a regime of deterrence through aggressive responses
| at the nation-state level. Sure, we should require companies
| to do more to secure their networks/systems, educate on best
| practices, etc. But, it's easy to issue an off-handed "they
| should've been more secure" response. The reality is that
| many companies simply aren't. We need to appreciate the
| difficulty and the protracted timeline over which any
| hardening might happen (if at all), and deploy a multi-
| faceted approach that also treats the problem as the national
| security issue it represents.
| Animats wrote:
| The first step is reliable backups. Preferably to write-once
| media. And both onsite and offsite. Hard backups aren't
| expensive.
|
| Not of everything. Just the important stuff. Maybe a snapshot
| of the whole business once a month in addition to transaction
| backups.
|
| Any business doing financial transactions should be backing
| them up to something like Blu-Ray disks. Preferably the
| blanks with the 1000-year lifetime. US banks are already
| required to do something like that, by the FDIC.
| worik wrote:
| That is _much_ harder than it sounds.
|
| For one thing backups are no use if you do not test them.
| How often are you going to bring your systems down to test
| restoring from backup? If you do not, how do you know they
| work?
| viraptor wrote:
| You don't need to restore over your existing production.
| (Since it's literally a "will it work" test) You do that
| on a temporary environment.
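
An added example, not part of the thread or any commenter's code: the restore test from the exchange above, combined with the earlier point that each copy has to actually be the thing it should be. It restores every backup copy into a throwaway directory, never over production, and checks the result against a SHA-256 manifest taken at backup time; the file names and the three copy locations are constructed for the demo.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive src_dir and return a manifest {relative path: sha256}.

    The manifest should be stored apart from the backups (ideally on
    write-once media), otherwise whoever alters a copy can alter it too.
    """
    src_dir = Path(src_dir)
    manifest = {
        p.relative_to(src_dir).as_posix(): sha256_file(p)
        for p in sorted(src_dir.rglob("*")) if p.is_file()
    }
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(src_dir / rel, arcname=rel)
    return manifest


def restore_test(archive_path, manifest):
    """Restore one copy into a scratch directory; return a list of problems."""
    problems = []
    with tempfile.TemporaryDirectory(prefix="restore-test-") as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                # Use the safe extraction filter where this Python has it.
                extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **extra)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return [f"archive unreadable: {exc.__class__.__name__}"]
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"content mismatch: {rel}")
    return problems


def demo():
    """Constructed scenario: one source tree, three copies, two of them bad."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        src = root / "live"
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "2021-05.csv").write_text("order,amount\n1001,250.00\n")
        (src / "config.ini").write_text("[plant]\nline=3\n")

        # Copy 1: the good backup; its manifest is the reference.
        onsite = root / "onsite.tar.gz"
        manifest = make_backup(src, onsite)

        # Copy 2: a perfectly valid archive that holds the wrong content.
        (src / "config.ini").write_text("[plant]\nline=9\n")
        offsite = root / "offsite.tar.gz"
        make_backup(src, offsite)

        # Copy 3: right name, right size, but overwritten in place.
        third = root / "third.tar.gz"
        third.write_bytes(b"\xff" * onsite.stat().st_size)

        return {p.name: restore_test(p, manifest) for p in (onsite, offsite, third)}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else problems)
```

A size or existence check would pass all three copies; only the restore plus manifest comparison separates the good one from the stale and the overwritten one.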
| tibbydudeza wrote:
| First Covid - now the great hamburger shortage of 2021.
| client4 wrote:
| Hot take: the US is going to use these highly publicized hacks as
| impetus for implementing our own "Great Firewall"...for our
| safety, of course.
| Roboprog wrote:
| We need to ban all assault computers with more than 8 CPUs now.
| Think of the subsidiaries, er, children!!!
|
| Does this fall under violating the First Amendment, or the
| Second?
| Jtsummers wrote:
| Core count seems a less-than-useful restriction on its own.
| Clock rate, cache sizes, and instructions per cycle need to
| be limited for this to be effective. Then bandwidth has to be
| constrained to avoid people building Beowulf clusters of
| RISC-V systems (which we won't be able to buy in the US
| thanks to "munitions" import restrictions from overseas
| producers).
|
| RAM and disk capacities will also have to be limited for
| similar reasons. As will their speeds.
| procombo wrote:
| CPU enthusiasts, builders, and overclockers would get put
| on a government list, then shadowbanned from social video
| platforms for encouraging domestic cyber terrorism.
| Trisell wrote:
| I bet their executives didn't view themselves as running a tech
| company. Funny how that works these days.
| lettergram wrote:
| The U.S. needs to make it illegal to pay ransom. Then respond
| with force, arresting people, targeting however you can.
|
| Further, this should be a wake up call. If you're a business
| harden your network and make backups.
| dahart wrote:
| I think all of that has happened already, it is a wakeup call,
| and the US is making it illegal to pay.
| https://home.treasury.gov/system/files/126/ofac_ransomware_a...
| paxys wrote:
| Only if they violate existing international sanctions.
| ransom1538 wrote:
| "The U.S. needs to make it illegal to pay ransom."
|
| Ugh. So you get attacked through some old wordpress install,
| freak out to get your company online, pay, now you also go to
| jail for paying a ransom. Not a fan of this plan.
| droidist2 wrote:
| Or the attackers even use the fact that you paid to blackmail
| you.
| DesiLurker wrote:
| more appropriately, it should be required to report ransom
| payments on balance sheet under separate heading.
| qbasic_forever wrote:
| Even with backups we've seen companies are more than willing to
| pay a modest ransom, like the pipeline last month. It takes a
| long time to fully restore big infrastructure from backup--
| especially if it's something like old tapes.
|
| But yeah, companies should stop viewing security and IT as a
| cost center and start paying up for good penetration testing
| every few years.
| miketery wrote:
| Most adversaries are in non-extradition regions.
| tomschlick wrote:
| If those countries take away the legal system route of
| extradition for attacks on critical infrastructure, then in
| my mind it's justifiable to go the batman style of extradition
| with a special forces team.
| yaw13 wrote:
| Because fixing the infrastructure couldn't possibly work,
| we need renditions and live fire operations. Totally.
| ncphil wrote:
| Fixing infrastructure won't get done because the people
| in charge are too stupid, lazy and greedy to fix it. Most
| of them are so wealthy they're completely insulated from
| the consequences of their actions (or inaction, as the
| case may be). Folks need to wake up and realize they're
| living in a global public-private idiocracy.
| young_unixer wrote:
| Or make hacking legal so that companies start taking
| appropriate measures instead of labelling themselves as
| victims.
| Scoundreller wrote:
| I believe it is illegal. But lacking enforcement.
|
| There's a reason people hire these intermediary "consultants"
| to pay the ransoms.
| zerocrates wrote:
| It's generally not illegal to pay ransom, though with
| ransomware you have the issue that the recipients may be
| subject to US sanctions and it could be illegal to send them
| money on those grounds.
| LatteLazy wrote:
| Or identify certain specific "hacks" and set up a bounty
| program. If you can gain root access by guessing the CEO's
| password, he should be punished not you.
|
| Edit: doubly so if the company in question is part of important
| infrastructure (including food supply).
| nyc_pizzadev wrote:
| I seriously think one solution to this problem is for the US gov
| to start designating some of these gangs as something similar to
| enemies of the state and start taking military action against
| them. If there were serious repercussions for these actions, like
| serious jail time or even something more grave... then that
| changes the calculus for people running these gangs. At minimum,
| this shows the gov is taking this threat seriously.
|
| EDIT: ok bad idea, let's take it easy on my poor account :)
| zdkl wrote:
| Your intent is to drop US missiles or troops on Russia-Eastern
| Europe/China-SE Asia? That may have different outcomes than
| what you're imagining.
| nyc_pizzadev wrote:
| Right, that would be war. My understanding is that the gov
| has more covert methods... We hunted enemies before in other
| nations with some success.
| f38zf5vdt wrote:
| Why not? $40 trillion dollars in weapons spending would
| easily save $10 billion dollars it would cost to hire
| security professionals on an annual salary to patch
| software and ensure that intrusion was more difficult.
| Raidion wrote:
| This is exactly what they're doing now, they're just doing
| it with law enforcement agencies and not military. Military
| is honestly going to be worse at all of this, as they don't
| have the investigative capacity. This also ducks the very
| thorny political problems where Ukraine (never mind
| Russia!) are NOT going to allow US military involvement in
| domestic affairs, but do have agreements with Interpol that
| make this possible. Nobody wants extrajudicial military
| extraction squads acting on their turf.
|
| I'm sure the various 3 letter agencies (NSA, CIA, etc) are
| already involved to a degree that's not publicly known.
| patrickdavey wrote:
| Are you suggesting hunting enemies in countries like
| Russia/China is going to go down well?
|
| How would you feel if they decided to declare some enemies
| on US soil and start hunting them on your patch?
|
| Unless your assumption is that Russia/China would agree to
| the hunting of course, but that does seem unlikely.
| matz1 wrote:
| >Are you suggesting hunting enemies in countries like
| Russia/China is going to go down well?
|
| Anything has risk of course, any hunting need be covert
| and expertly done.
|
| >How would you feel if they decided to declare some
| enemies on US soil and start hunting them on your patch?
|
| I would assume they already did that.
| sorokod wrote:
| Military is a pretty blunt instrument, also, the US
| government is not the only government that has military and
| "more covert methods".
| dcolkitt wrote:
| There's a continuum of responses existing between "do
| nothing" and "drop missiles". For example, it'd probably be
| relatively easy for special forces to assassinate key
| personnel, even deep within enemy territory.
| ASalazarMX wrote:
| This is implicitly accepting that other countries can also
| assassinate Americans living in USA if they catch them
| spreading malware.
| babelfish wrote:
| Do you really see nothing wrong with the US military
| carrying out assassinations of foreign nationals, in
| foreign territory, on behalf of private companies who can't
| be bothered to just invest in a decent security team?
| northwest65 wrote:
| The United States invaded a country under false pretenses
| and killed almost 300,000 of their civilians... is using
| a B2 with a laser guided bomb to blow up a team of
| hackers really all that bad?
| yaw11 wrote:
| The vast majority of participants on this forum work in
| an environment where the shelf of footguns and gotchas
| and stupid legacy cruft that is modern software
| development inherently makes sense. Anyone fucking that
| house of cards up gets attention not because of the state
| of modern software development that led them here, but
| because clearly something is wrong with the external
| world and that should be handled with cops or whatever
| the next step after that is. It is in no way an
| indictment of modern software as practiced, from
| toolchain on up.
|
| Reminder: Memorial Day was yesterday and this thread is
| discussing killing human beings in _yet another war_
| because of holes in some stupid software that SV won't
| lift a finger to fix. If you offer such a suggestion to
| fix the woes of vulnerable infrastructure, I'm assuming
| you're volunteering to go pull the trigger, right? Or
| were you expecting someone else to do that for you?
|
| Put down the assault keyboard and Clancy novel and get
| some perspective, subthread. Sheesh. Diddling around in
| the network of a company you didn't know existed until
| five minutes ago is suddenly a capital offense
| because...Whoppers might run out?
| unclebucknasty wrote:
| > _is suddenly a capital offense because...Whoppers might
| run out?_
|
| We know the stakes are much higher. We all know there
| have been attacks on hospitals, law enforcement systems,
| government agencies, infrastructure companies, etc. And,
| we know that none of us have a clue where the next attack
| will be.
|
| > _and stupid legacy cruft that is modern software
| development_
|
| Yes, modern software development is stupid, crufty and
| all of those things. But, these are actual attacks by
| actual actors, not some self-imploding poor designs. In
| many cases, these attacks are state-sanctioned, if not
| outright state-sponsored. So, of course they should be
| treated just as we treat other attacks. And, under what
| other scenario do we respond to an attack by declaring
| "Oh, you got us. We should have better protected that".
|
| These are clear national security threats and should,
| accordingly, be subject to the full range of responses as
| any other threats. That includes deterrence. It doesn't
| necessarily mean dropping bombs. But, it does mean more
| than blaming ourselves.
|
| > _Diddling around in the network of a company you didn't
| know existed until five minutes ago_
|
| I'd wager there are many companies that the average
| person has never heard of that, if knocked offline, would
| result in considerable disruption, economic costs, and
| even physical danger to a significant portion of the
| population.
| toss1 wrote:
| You are absolutely right about the footguns, legacy
| cruft, and the joke-not-a-joke-it's-so-stupid that is
| modern web software development. That all needs to be
| fixed, and here at home.
|
| However, it is also not merely about the Whoppers running
| out - this is just this morning's example.
|
| When even major "security" vendors can be turned into
| serious NatSec attack vectors, and much more critical
| infrastructure can also be attacked with ease, and they
| are doing it, it becomes a bona-fide NatSec issue.
|
| Like any other NatSec issue, this requires both serious
| hardening actions at home, and serious threats against
| bad actors abroad. Whether that involves some kind of
| diplomacy, economic sanctions, targeted software attacks,
| targeted covert actions, or overt drone strikes, is up to
| the experts in those domains, but we do need to treat
| this as the serious NatSec issue that it is.
| s1artibartfast wrote:
| On a planet with seven and a half billion people becoming
| more connected and tech-savvy every day, security by
| intimidation simply isn't a viable solution, or a
| meaningful component of a larger solution.
| yaw11 wrote:
| The entire computing apparatus of humanity ostensibly can't
| figure out secure systems by default without fifty vigilant
| FAANGineers on hand to rewrite everything quarterly, and then
| spends _the day after Memorial Day_ arguing for drone strikes
| and targeted assassinations against two-bit racketeering
| operations calling them on it to avoid fixing the actual
| problem. Video at 11.
| joejerryronnie wrote:
| Do we have ransomware credit default swaps yet?
| jpmattia wrote:
| In a perverse way, the recent attacks on infrastructure are a
| good thing. Can you imagine if these all hit in a coordinated
| attack during actual hostilities?
|
| Yes it's painful and interferes with the economy, but ultimately
| this will harden up potential targets. And boy do some of these
| guys need hardening up.
| [deleted]
| SketchySeaBeast wrote:
| I guess I question if targets will actually harden up or not or
| treat it like the price of doing business.
| pradn wrote:
| While this is one line of thinking, in another way of thinking,
| we're just now in a perpetual cyber cold war. As long as there
| are some rogue nations that turn their eyes away from
| cybercriminals, or adversaries that actively promote them,
| we're going to have an endless series of outages - every
| possible thing from factories to toll roads to desalination
| plants to illicit photos.
| handrous wrote:
| Nah, we're just gonna get every state having its own mini-
| Great-Firewall and very limited access to non-friendly
| states, at the routing level. There's a next gen Internet
| protocol that makes this easy. Maybe also personal IDs with a
| kind of Internet "credit score". We already do that, but with
| IP addresses and machine fingerprints. I expect some
| countries will adopt something like that, even in the "West".
|
| Either that or the cost of attacks will remain lower than the
| benefit of being able to sell bits and bytes to your
| adversaries. I do not expect this to be the case, but maybe.
|
| The open, global, semi-anonymous web is what's not going to
| survive this fight, I'm afraid. I give it 20 more years,
| tops, and maybe a lot less.
| mortenjorck wrote:
| Certificate authorities, but for the evil bit.
| handrous wrote:
| Sorta, but more like marking anyone's packets from
| outside your (or a friendly and cooperative country's)
| legal jurisdiction with the evil bit by default, and then
| also tracking which person or company, not device or IP
| address, originated every packet, so if they sent
| anything that should have been evil-bitted you can track
| them down.
|
| Again, I reckon it's either that or this problem never
| gets much worse. Given trends, I expect we're gonna lose
| the open, global Internet.
| lallysingh wrote:
| While I don't doubt the motivation of such a naked power
| grab, it has almost no useful security effect.
| handrous wrote:
| How so? Can't attack from abroad if non-trusted states
| have trouble even getting packets routed to the target
| state, let alone the specific network you're trying to
| breach. Very hard to attack from inside the "firewall" if
| access is, as a condition of being considered a trusted
| routing peer, gated by tying all traffic to a personal or
| corporate ID that would cause all kinds of trouble for
| the holder of same IDs should they route traffic on some
| bad actor's behalf (as, say, through Tor or other means).
| lallysingh wrote:
| That's just a matter of finding a vulnerable ally country
| to hop through. That's SOP now to hide your tracks. It's
| not like current attacks from Iran to the US have Irani
| addresses in the IP header.
| handrous wrote:
| That's fine until it's nearly impossible to route a
| packet from (for example) Iran to _any_ IP in _any_ state
| that's legally unfriendly to hackers and scammers, or
| otherwise operates outside the broad legal jurisdiction
| of the hackers' target states.
| heavyset_go wrote:
| Your random Iranian hacker might not, but states will
| find ways around it. Even smaller criminal organizations
| find ways around such limitations.
| handrous wrote:
| Security does not have to be perfect to be effective. If
| it did, we'd have no security, because none of it is both
| useful/practical _and_ perfectly effective.
| viraptor wrote:
| That's why we have technologies like Tor which will
| happily find a number of hops that do allow you to
| establish that connection.
|
| Also IP-level blocks will never be perfect. See Hong Kong
| proxies. Or people in traded IP ranges classified as
| coming from another country.
| handrous wrote:
| Yes, the Internet as currently structured is resistant to
| this. The Internet is not guaranteed to continue to have
| that structure. I'm saying that if our choices are
| "constant attacks such that the Internet is horribly
| dangerous" and "don't have the Internet", the popular (at
| the state level) solution will be "I choose neither--
| instead, we're changing the Internet".
| lallysingh wrote:
| It's not direct packets. You ssh into a box in, say, UAE,
| then Cuba, then Canada, then USA. You're just uploading
| and running scripts, so latency doesn't matter.
| handrous wrote:
| Yes, I know how the Internet works now. It doesn't have
| to keep working that way, and if attacks get really bad
| the result _will not_ be that we just live with them. The
| Internet will be modified to reduce the threat to a
| tolerable level. There's already been some pretty
| serious work put into what this will look like, if/when
| it happens.
| dublin wrote:
| This is NOT a cybersecurity or network vulnerability
| problem. That's just a symptom.
|
| The real problem is that here, like so many other places in
| modern society, we've allowed consolidation to proceed far
| beyond healthy levels - when a single company is
| responsible for 20% of beef supply, it's time for antitrust
| action! (Yes, I'm looking at you, too, Internet, Tech,
| Media, Pharma, Aerospace/Defense, etc. companies...)
|
| Maybe just allow one merger per decade, only available to
| companies with less than 10% of their market?
| heavyset_go wrote:
| The security state is willing to do anything, up to
| kidnapping, torture and murder, in order to not change a
| thing about the current economic order.
|
| I expect the problem to be addressed with technology,
| treaties, extraditions and putting a lot of people in
| prisons before the fragility of consolidation is
| addressed.
| aphextron wrote:
| Consolidation leads to efficiency. Which in the case of
| commodities, is the only way to ensure low prices. A new
| slaughter company is not going to innovate a more
| efficient means of producing a pound of beef. In theory,
| a perfectly run state monopoly would be the ideal system.
| But that rarely ends well. In the US we've worked out a
| sort of half way between the two extremes, where large
| private corporations are allowed to consolidate in the
| name of consumer prices, while still maintaining just
| enough competition for profit motive to keep things well
| run. It's not perfect but it's the best we've figured out
| so far.
| unclebucknasty wrote:
| There are many problems with over-consolidation, but this
| isn't one of them.
|
| The primary problem here is criminals and criminal
| organizations parading as nation-states. The secondary
| problem is systems and networks that are insufficiently
| secured.
| viraptor wrote:
| That could sound interesting to a lawmaker, but it
| wouldn't change anything in practice. Those hacks don't
| come directly from the authors nicely identified by their
| affiliation and location. They'll come from a trusted node
| in the US. Some many already do.
| handrous wrote:
| It would force the attackers to enter the jurisdiction of
| a state that _will_ prosecute them if they're
| discovered, to carry out the attack, or else resort to
| much more difficult and slower methods (sneaker-net
| introduction of initial malware infections in the target
| state, say).
| viraptor wrote:
| You don't have to enter a specific jurisdiction. There
| are supply chain attacks, escalation through residential
| connections, existing international botnets, and a
| thousand other approaches. And of course, there's always
| someone out there ready to open an email which will own
| them.
| handrous wrote:
| > There are supply chain attacks
|
| Yes, some relatively slow, difficult, and expensive
| attacks would of course still be viable. That does not
| mean that, "it wouldn't change anything in practice."
|
| > escalation through residential connections, existing
| international botnets
|
| Right--so how are you going to talk to your botnet from
| outside the target sub-Internet when it won't even route
| packets you send it, except _maybe_ to some hardened
| commerce-and-propaganda-only subnet that may have limited
| or no connection to the rest of the target state/bloc's
| Internet (and again, even that part existing is a maybe)?
| rlt wrote:
| "The internet interprets censorship as damage and routes
| around it"
|
| Even if you physically firewalled every connection into a
| country all it takes is one little node connected via RF
| (satellite, HF, etc) dropped near an open WiFi hotspot.
| handrous wrote:
| Wifi hotspot asks for personal or corporate/server ID of
| the sender of packets coming from this new node, since
| _it_ can't route the traffic any farther without that.
| Gets nothing. Drops that node's packets as either hostile
| or malfunctioning, and, regardless, useless, since it
| can't route them anywhere. OK, so maybe you manage to
| steal an ID. See how this is making attacks harder? Now
| you're stealing or forging identities just to get _any_
| packets routed, and if you do anything suspicious-looking
| you'll rapidly get your stolen ID on the automatically-
| managed collective shit-list and it'll stop being very
| useful. Because the volume of attacks is so much lower,
| your drop-a-radio-near-a-hotspot trick might even trip
| enough flags to get someone to come find the device, if
| you use it very much--and if you can't use it much
| without "burning" the hardware, then, well, sure seems
| like it made your job as an attacker a lot harder, right?
|
| There is nothing that guarantees the Internet will keep
| working the way it does now, and if an open Internet
| causes enough problems, it _will_ be reined in. How it
| works now is a choice, not a law of nature. I'm not
| happy about it, but that's just how it is. Either these
| kinds of attacks won't get much worse, or they'll get _a
| lot_ worse and something like that will be what happens.
| FridayoLeary wrote:
| The 'splinternet' allegedly.
| handrous wrote:
| Right. I posit that _either_ we _will_ arrive at that
| outcome, _or_ "cyber attacks" and various other forms of
| Internet-enabled international abuse will never get bad
| enough to justify it. I suspect we're in for the former.
| bostonsre wrote:
| Hopefully it's not endless. I kind of view these attacks as
| forced penetration testing of sloppy companies. They may not
| have been hired or perform their work legally, but hopefully
| their work results in changes similar to legal penetration
| testers. Also, the more that these attacks happen, the more
| that insurance companies will begin to increase premiums and
| the more that they will push back on companies that practice
| sloppy security. It may be painful in the near term, but
| hopefully these attacks are a net good in the long term.
| fakedang wrote:
| Did anything happen after the Equifax hack?
|
| _awaits with bated breath_
| stingraycharles wrote:
| I don't think a Cold War is a good description of what's
| happening; it's not as if there's some arms race going on as
| it is just a very public exposure of how bad our overall tech
| / security infrastructure is.
|
| The question is whether the pains we're currently feeling are
| enough to cause a change in the industries affected.
| yaw12 wrote:
| > The question is whether the pains we're currently feeling
| are enough to cause a change in the industries affected.
|
| Considering downthread there are honest suggestions to send
| special forces after the ransomware gangs, I'm gonna go
| with "probably not". That type of denial is pervasive.
|
| The F500 and companies like JBS just need to move
| essentially dataframes around from automation to
| automation, but somehow the software ecosystem is still
| building that with the same tools used to write Google. The
| next answer is usually "they don't invest in a security
| team, clearly," and I'm waiting for that subthread to kick
| off, too, to continue the denial.
|
| Software complexity is the enemy, not the malicious actors
| exploiting it. Fix one, fix the other.
| Dylan16807 wrote:
| I'm confused, why isn't a security team a good way to
| make and enforce things like smaller attack surfaces and
| network isolation?
| viraptor wrote:
| It is, but it's never going to be perfect. Nobody has
| achieved that so far. Or at least not in an environment
| where you have international distribution and thousands
| of endpoints touching different areas of the system.
| joemazerino wrote:
| The arms race is in exploits and software development. The
| country with the largest stockpile of the former and the
| best talent in the latter will emerge the victor.
| wyager wrote:
| The good news is that cyber-war has a huge asymmetric
| advantage for defenders. For modestly more money, we can stop
| building absolute crap infrastructure that constantly gets
| owned. A little bit of investment in quality drastically
| raises the cost of an attack.
| lallysingh wrote:
| Basically we're waiting for regulation to make the
| organizations responsible in a way that's useful for cost/risk
| accounting
| unclebucknasty wrote:
| > _In a perverse way, the recent attacks on infrastructure are
| a good thing._
|
| Voluntary pentesting is a good thing. Costly attacks executed
| by criminals are not.
| nyokodo wrote:
| > but ultimately this will harden up potential targets.
|
| Or they mop up, get bailed out, and then maybe make some minor
| changes that don't really solve the problem that their insecure
| corporate culture begins to undermine immediately. We need
| companies to essentially go into a perpetual cyber-security
| war-footing. I don't see that happening without business being
| impossible to conduct without it.
| nobleach wrote:
| If this is the USDA we're talking about, they mop it up, and
| have countless MEETINGS about what should be done. Then a
| task force is convened. THEN they do nothing.
| mhuffman wrote:
| >but ultimately this will harden up potential targets
|
| I predict that it is going to be used to get rid of privacy and
| anonymity features of the web and they aren't going to harden
| anything!
| Sparkyte wrote:
| alright time to go vegan
| bdamm wrote:
| Impossible Meat is delicious. My trips to Burger King are now
| entirely vegetarian.
| istorical wrote:
| It needs heavy funding or subsidizing, this sort of product
| needs to be scaled up fast, because the price per lb of the
| meat is so much more expensive than low quality chicken,
| beef, pork etc. purchased at costco type bulk prices.
| heavyset_go wrote:
| Does BK separate its griddles and fryers between vegetarian
| and non-vegetarian items? Because if they don't, then meat
| products will leach animal fats and proteins while they cook
| and your vegetarian items will pick them up.
| xsmasher wrote:
| That's not ideal, but doesn't cancel the health and climate
| benefits of eating vegetarian.
| ashtonkem wrote:
| There's no reason to believe that the plants that produce vegan
| products are any more secure; if veganism became the norm then
| the infrastructure required to process that food would be as
| valuable a target as meat processing is today.
| throwaway1777 wrote:
| Only a matter of time until any industry gets hit. Hospitals
| have been hit already so it's not like moral conscience is an
| important factor.
| GnarfGnarf wrote:
| I hope it's beginning to sink in to corporate America: you need
| to get serious about security. Go Linux. Hire many permanent
| security experts with continuous audit processes. Acknowledge the
| true cost of IT.
| tgsovlerkhgsel wrote:
| Linux vs. Windows makes very little difference here.
| swiley wrote:
| > corporate America: you need to get serious about security.
|
| _USE OF MCAFEE INTENSIFIES_
| 7373737373 wrote:
| Rather, go microkernels! (Recursive) sandboxing and resource
| control have to become a thing:
| https://genode.org/documentation/general-overview/index
|
| Permissions should be able to be set in a fine grained way,
| capability security needs to become much more well known:
| https://github.com/void4/notes/issues/41
| tibbydudeza wrote:
| Probably their plants have some industrial equipment that is
| still running on Windows 2000.
| reilly3000 wrote:
| Absolutely. Plenty of America runs on EOL Windows XP legacy
| apps that have been too complicated to migrate. Sometimes
| they run airgapped until someone realizes that isn't
| practical. CEOs must demand better and be willing to pay
| for it. Without leadership support these migrations almost
| always fail.
| 7373737373 wrote:
| And (operating) system and programming language designers
| must make security a foundational property of their
| systems. Most modern languages will _never_ be secure,
| because their semantics necessitate things like global
| names. Trying to graft security extensions onto an
| existing language that wasn't built with them in mind
| will be painstaking and will always lag behind and is
| thus often abandoned:
| https://en.wikipedia.org/wiki/Caja_project
| a3n wrote:
| I wonder if "ransomware" is merely a cover, and some of this is
| Russia beta testing economic and infrastructure warfare.
| bdamm wrote:
| It could be, but that's something that only privileged elected
| officials e.g. members of the intelligence committee, US
| President, past presidents, etc, get to know. If you let
| yourself get into conspiratorial thinking you'll soon find
| yourself without any moorings whatsoever.
|
| It could also be many other countries or even private entities
| that get excited about extracting money from big US companies.
| The list of possibilities is very long.
| ergot_vacation wrote:
| Cyber attacks between major powers targeting important
| infrastructure aren't conspiracy theories; we have plenty of
| confirmed cases of it at this point. Whether this situation
| in particular, or the recent oil disruption are targeted
| attacks is hard to say.
|
| As with the "lab origin" situation, it's probably best to
| avoid whatever the mainstream media is saying and try to find
| the few rogue experts who aren't being paid to say the right
| thing (or nothing at all) and thus have no incentives other
| than the satisfaction of offering a frank assessment (with
| any luck, you can find them before they're banned from all
| social media platforms for "misinformation" (ie, disagreeing
| with the party line)). It took years for any official
| confirmation of Stuxnet being a state-sponsored attack. But
| if you were paying attention to the right people, you knew it
| had all the fingerprints of such an attack pretty early on.
| Analemma_ wrote:
| Targeting politically important industries rather than
| _strategically_ important ones (no price increases get people
| quite as fumed and likely to take to the streets as gasoline and
| meat price increases) is an interesting development in quasi-
| state-sponsored cybercrime.
| dudleypippin wrote:
| Interesting. My third thought was "Huh, perhaps we'll be eating
| less beef until the inevitable price shock and hoarding
| passes."
|
| (First thought was for the poor IT folks stuck in this mess and
| the second was remembering a sensitive machine that was open to
| all of AWS because the vendor's servers "needed access to push
| frequent updates." and "nobody has ever pushed back on that
| requirement before.")
| briefcomment wrote:
| Klaus Schwab of the WEF "predicted" this a year ago [1]. Either
| the WEF and other NGOs are incredibly prescient on a number of
| unrelated issues, or we may be getting taken for a ride.
|
| [1]https://m.youtube.com/watch?v=0DKRvS-C04o
| neither_color wrote:
| _gasoline and meat price increases_
|
| These hackers sure are progressive. I wonder what they'll
| target next: plastics, flights, or ammo?
| mtalantikite wrote:
| My first thought was imagining a hacker org taking
| inspiration from the movie 12 Monkeys.
| r00fus wrote:
| In the case of the pipeline disruption, it was reported that
| the USG disrupted the CCC of the ransomer and their crypto
| accounts were drained.
|
| I wonder if a similar sort of reaction will happen here or if
| the attackers will move more quickly?
|
| From a technical standpoint, why was JBS' backup chain a
| workable solution for JBS and not for the pipeline operator?
| Was it incompetence on the part of the attacker or just a
| better defense, or luck?
| nextstep wrote:
| I hope this attack aims to destroy the infrastructure of an
| environmentally disastrous industry and isn't just a ransomware
| attack.
| madcows wrote:
| What's with all the cyber attacks on US infrastructure?
|
| I hope this is because of a self hardening mechanism and not what
| it looks like, continued assault by adversaries.
| briefcomment wrote:
| Posted this on the related thread on the front page: Klaus
| Schwab of the WEF "predicted" this a year ago [1]. Either the
| WEF and other NGOs are incredibly prescient on a number of
| unrelated issues, or we may be getting taken for a ride.
| [1]https://m.youtube.com/watch?v=0DKRvS-C04o
| tbihl wrote:
| Because it always pays
| [deleted]
| buildbot wrote:
| I imagine it happens everywhere, but tends to make bigger news
| in the US. You can still find industrial control systems
| exposed to the internet with password free VNC...
| thatguy0900 wrote:
| It's because none of it is secured, and the US has a shit load
| of infrastructure that all has its own independent systems.
| Even a tiny percent being hacked per lifetime will be constant
| hacks in the news.
| macinjosh wrote:
| Independent systems have their own problems but also
| benefits. The trendy word for this is 'decentralized'. IMHO,
| I'd prefer we don't have one big system. At least when the
| pipeline was shut down it didn't affect the entire country.
| kevin_thibedeau wrote:
| None of it was on the internet 30 years ago and we survived.
| All it takes is responsible corporate leadership to fix this
| problem.
| viraptor wrote:
| Theory: running the same system in pre-internet style would
| add overhead in salaries and delays that's more costly than
| being down for a few weeks after a hack.
| kolbe wrote:
| It's because the US and Europe have shown there aren't any
| repercussions to defrauding their governments or their
| citizens.
| gwright wrote:
| > Capacity Wiped Out
|
| Overly dramatic and inaccurate as far as I can tell.
|
| Something like a contagion introduced into the facility might
| warrant a "Wiped Out" description but "Production Paused" seems
| more accurate and informative.
| arrosenberg wrote:
| The cyberattack and the fact that one company had 20% of the
| country's beef processing capacity. A more distributed economy
| with smaller operators means fewer, less valuable targets for
| piracy, as well as more supply chain resilience when one company
| is taken offline.
| Animats wrote:
| At least they don't have 60% market share. What happens when
| FedEx or Union Pacific goes down?
| dfsegoat wrote:
| This was an interesting and valid point. Container ship based
| freight looks to be a bit more fragmented:
|
| https://www.statista.com/statistics/198206/share-of-
| leading-...
|
| https://shippingwatch.com/carriers/Container/article12930338.
| ..
| Animats wrote:
| A few years back, Maersk went down for almost a week due
| to encryption-type malware.[1] Things happen slowly enough
| in sea shipping that the impacts were mostly to Maersk
| itself. It cost them about US$330 million.
|
| [1] https://www.reuters.com/article/us-cyber-attack-maersk-
| idUSK...
| mindracer wrote:
| Crazy how they were saved by a domain controller that had
| been knocked offline by a power outage before the worm
| hit
| midasuni wrote:
| Why couldn't they restore from backup?
| viraptor wrote:
| And higher prices. I'm all for the smaller distributed
| suppliers, but let's remember that scale makes things
| cheaper/easier and there's a reason companies join up. Your
| local delivery organised between a few farms will be beaten on
| price by JBS.
| dzhiurgis wrote:
| Bloomberg missed opportunity to use kiwi slang word 'cooked' in
| the title:
|
| >One-Fifth of U.S. Beef Capacity Cooked by JBS Cyberattack
| mxuribe wrote:
| Dear diary,
|
| Today, I was finally able to incorporate the "Where's the
| beef!?!" catch-phrase into daily conversation! But, it just
| didn't land as funny as I was expecting in my mind.
| tonyb wrote:
| Looks like I'll end up having to pull brisket off the menu again
| this summer (I own & operate a BBQ food truck).
|
| Before this latest blow to the supply chain I have already seen a
| 66% increase in brisket prices in the past 4 weeks ($2.99/lb
| about a month ago, current price is $4.99). The restaurant
| industry is already running on low margins so it will be
| interesting to see how this is all going to shake out.
| asdff wrote:
| You could put brisket at market price like lobster roll food
| trucks tend to do. People still happily pay $18 for a lobster
| roll from a truck.
| pie420 wrote:
| That's because lobster roll customers are rich yuppies. BBQ
| is for poor people who cannot afford good cuts of meat so
| they resort to pulverizing bad cuts of meat with smoke heat
| and sauce.
| rootusrootus wrote:
| > pulverizing bad cuts of meat
|
| Huh? The cuts are tough, yes, but they're also the most
| flavorful. There's nothing bad about them.
|
| Go try and use a ribeye to make a cheeseburger sometime.
| It's incredibly bland compared to the flavor you're used to
| getting from chuck.
| agogdog wrote:
| You seem to be getting downvoted, but you're not wrong.
| They're entirely different ends of the market.
| jt2190 wrote:
| > BBQ is for poor people...
|
| This is _really_ not true anymore. BBQ has become a high-
| ticket item thanks to "Craft BBQ" and growing demand
|
| https://www.khou.com/mobile/article/news/brisket-prices-
| are-...
| tonyb wrote:
| Raising prices is an option but that is very market
| dependent. BBQ customers in general are more price sensitive
| than lobster customers and I would lose sales at a higher
| price point.
|
| There is a certain price (which I have generally found is
| $4.50 - $4.99/lb, that is when my food cost for a brisket
| sandwich hits 50%. Target food cost should be somewhere
| around 30%) where it just isn't worth it to sell brisket. BBQ
| is somewhat unique in that you have to estimate your demand
| ahead of time - you can't just throw on another brisket if
| you run out and I don't reheat/re-use leftovers. So even if I
| raise my prices $2/sandwich to cover the increased cost my
| risk is still higher because any unsold product is now a
| higher loss.
| koolba wrote:
| Is it possible to purchase the cuts in advance and store
| them frozen or does that noticeably affect the quality?
| Seems straightforward to throw some cuts in a deep
| freezer to smooth out supply costs. I do that on the small
| scale at home though obviously the capital costs would be
| proportionally larger at scale.
| tonyb wrote:
| That's exactly what I did starting about a month ago -
| I've got enough on hand to last about a month (most of
| that is committed to catering jobs that already have a
| set price - so my forecasting is much easier but if I
| didn't lock in the price I would have to eat the
| difference).
|
| As long as they are safely handled I've found no quality
| difference at all when freezing stuff that is cryo-vaced.
| More often than not it has already been frozen at least
| once before it gets to me.
|
| I don't ever sell anything that has been re-heated after
| cooking though. You can also do that with little to no
| quality loss but I try to position myself as a premium
| brand so everything is 'cooked to order'. There are also
| a lot more food safety concerns (cooling it fast enough,
| re-heating it fast enough, etc.) that I don't want to
| worry about. I vacuum seal cooked BBQ at home and it's
| just as good as fresh but you can't do that in a
| commercial setting without special permits that aren't
| available to food trucks (at least not in my area).
| jasonwatkinspdx wrote:
| I'm sure you know your business and market, but I'd just
| throw out an example from my back yard.
|
| Matt's BBQ is the best Texas style bbq in Portland by a
| considerable margin. I've been a customer and friendly with
| him since he started out in a pawn shop parking lot with
| zero foot traffic and almost no road visibility. He charges
| $13.50 for a 1/2 lb of brisket, similar prices for other
| meats. Sides are typically around $3.50.
|
| He's up to multiple locations and his own commissary
| kitchen that's like 2000 sq feet.
|
| He sells out every single day.
|
| It's been really fun to watch his business blow up. It's
| all been from the strength of his product, and his personal
| hustle to get the momentum. His customer base is loyal and
| willing to pay a premium.
|
| He even has a side hustle selling smoker rigs, via a
| partnership.
| atc wrote:
| Can you survey your customers?
| robbmorganf wrote:
| I'm just curious how you started following Hacker News?
| qbasic_forever wrote:
| A lot of folks work like mad in tech to build up a small
| nestegg and then go pursue a passion. Starting with a food
| truck is a great way to suss out and ease into eventually
| owning and running restaurants. It's like the MVP of a
| cuisine/restaurant idea.
| wenc wrote:
| Brisket prices have been going up for quite a while now, not
| least since the pandemic started. This event is likely going to
| be a blip. That said, typically one of the ways to hedge
| against volatile prices is through forward contracts. If you
| have a float, have you thought about pre-paying for brisket to
| get a discount? I only mention this because I remember reading
| a story told by Nick Kokonas, who co-owns Alinea, a famous 3
| Michelin starred restaurant in Chicago. When he discovered he
| had a float, he decided to pre-pay his vendors instead of
| taking net 120 and in the process got a 50% discount on beef.
| (because pre-paying improved his vendor's cashflow and reduced
| their risk, they passed it back to him in the form of savings)
|
| From: https://commoncog.com/blog/cash-flow-games/
|
| "Food costs money. But the way that everyone (in the F&B
| industry) looks at food costs, and paying for food is very
| weird. When COVID started, every famous chef that went on TV
| said, "This is the kind of business where this week's revenues
| pay for bills from a month ago." So when we started to bring in
| money from deposits and prepaid reservations, I suddenly looked
| and we had a bank account that had a couple million dollars in
| it -- of forward money
|
| "I started calling up some of our big vendors for the big,
| expensive items -- like proteins: meat, fish; luxury items:
| like caviar, foie gras, wine and liquor, and I said, "I don't
| want net-120 anymore, I want to prepay you for the next three
| months." And they had never had that kind of a phone call from
| a restaurant before.
|
| So how much should they discount it? So let's say we're going
| to buy steaks. We're going to pay $34 a pound wholesale for dry
| aged rib-eye, we get net-120 (normally). So I call the guy and
| say "I'm going to use 400 pounds of your beef a week for the
| next 4 months, for our menu, which is about $300,000 of
| beef, what (would) we get, if we prepay you?" And he was like
| "what do you mean?" I'm like "I want to write you a check
| tomorrow for all of it, for four months." And he was like,
| "Well, no one has ever said that." So he called me the next
| day, he said "$18 a pound" ... so ... half. Half price.
|
| I went, "I'll pay you $20 if you tell me why." And he said,
| "Well, it's very simple. I have to slaughter the cows, then I
| put the beef to dry. For the first 35 days I can sell it. After
| 35 days there's only a handful of places that would buy it,
| after 60 days, I sell it $1 a pound for dog food." So his waste
| on the slaughter, and these animals' lives, and the ethics of
| all of that, are because of net-120! Seems like someone should
| have figured this out! As soon as he said that, everything
| clicked, and I went "We need to call every one of our vendors,
| every time, and say that we will prepay them."
| JPKab wrote:
| I think you have a well-reasoned, thoughtful post here, but
| perhaps the person who operates a BBQ food truck might not be
| the best positioned to take futures contracts out on brisket?
|
| Scale matters.
| tonyb wrote:
| Prices had come back down to pre-pandemic levels up until
| about a month ago. Nationwide easing of restrictions has
| increased demand faster than the supply chain has been able
| to keep up.
|
| That is an excellent idea (having more than just a
| transactional relationship with your food vendor is a good
| idea in general) but my volume is way too low to have that
| type of leverage. The best I can do (and fortunately what I
| did when I saw the prices increasing) is pre-buy and freeze
| as much as I can to lock in the then-current pricing. Right
| now food suppliers aren't even able to fill many wholesale
| orders because they don't have enough supply so I'm not sure
| pre-paying would help if they can't even get the product. For
| example one major vendor has changed their order cutoff time
| from 11PM to 5PM so they can spend that extra time allocating
| their available stock across all the orders because they
| don't have enough for everyone.
|
| BBQ is my side hustle so I'll be ok either way - but if I was
| paying my mortgage via food service I would be a lot more
| concerned.
| secabeen wrote:
| It would be very interesting to see a followup report from
| Nick on what happened with COVID. Did they refund those
| customers who pre-paid for dinners that couldn't happen? Were
| they left holding the bag for the dry-aged ribeye that they
| then couldn't sell? I would love to hear the story.
| [deleted]
| sorokod wrote:
| Expect brisket futures to become a thing
| nradov wrote:
| Cattle futures already exist and prices are up on this news.
| Guest42 wrote:
| Would make for some tough storage if they got stuck not
| selling them at expiry.
| [deleted]
| SAI_Peregrinus wrote:
| > as hackers increasingly target critical infrastructure.
|
| Many attacks aren't truly targeted, they're blanket ransomware
| attacks trying to hit any entity they can.
|
| Also, meat packing isn't critical infrastructure. It's important,
| sure, but nobody is going to die if they don't get meat. Food
| overall, yes, but meat is a luxury good.
| admax88q wrote:
| If meat collapses it will put strain on other parts of the food
| pipeline which might not be able to pick up the slack.
|
| There's a lot of calories in meat.
| deeblering4 wrote:
| Are there a lot of calories in meat? I always looked at meat
| by itself as pretty lean.
|
| By volume I think there are quite a few types of food that
| are richer in calories, and a lot of times meats are rich due
| to how they are prepared (fried, or drenched in butter, etc.)
| akiselev wrote:
| Depends on how lean the meat and how dense the fat but
| generally only processed foods (like bread) are more
| calorie dense than meat. Protein and sugar (carbs) provide
| 4 kcal per gram while fat provides 9 kcal per gram and our
| gastrointestinal tracts are better adapted to carnivorous
| than herbivorous diets (compared to, say, cows or rabbits).
| We're simply unable to digest a lot of the mass in fruits
| and vegetables like the insoluble fiber and animal
| husbandry's purpose is to convert that material to edible
| food - it'd be pretty pointless if it wasn't more calorie
| dense.
| s1artibartfast wrote:
| Yes, there are a lot of calories in meat, even without
| additions. See below for calories in 100g of common foods.
| The only things that are more calorie dense than meat are
| primarily composed of sugar or fat.
|
| 271 Beef
|
| 265 bread
|
| 247 Roast chicken, skin on
|
| 130 black beans
|
| 110 rice
|
| 57 Apples
|
| 35 Broccoli
| dahart wrote:
| The calories in meat aren't relevant, it takes more calories
| in animal food to produce meat than the calories in the meat.
|
| The meat industry is a strain on the food pipeline, losing it
| would free up other parts of the pipeline and feed more
| people. https://en.wikipedia.org/wiki/Environmental_impact_of
| _meat_p...
|
| I eat meat, but the parent is correct, it's a luxury.
|
| *edit: confused by all the downvotes. Am I incorrect, or
| being somehow offensive?
| swiley wrote:
| Beef is grown using cellulose which contains calories that
| are unavailable to humans.
|
| Unless you've discovered a very neat chemistry trick that
| would also make fuel much cheaper.
| dahart wrote:
| I wasn't suggesting that people eat hay. We could use the
| same land to grow edible plants and vegetables instead,
| right?
| aparks517 wrote:
| I imagine some grazing land could be converted, but I do
| think most of it is used for grazing because that's about
| all it's good for. My family used to graze a small herd
| on land that could /almost/ be used to grow grain (with
| lots of chemical help), but definitely not vegetables.
| dahart wrote:
| That is a very good point. I poked the internet about it
| and got this interesting information back which backs up
| your thought: https://www.ers.usda.gov/amber-
| waves/2012/march/data-feature....
|
| Maybe worth mentioning that poultry feed is grains and
| "mostly" edible in theory (though maybe not in today's
| practice), and poultry is the largest segment of meat in
| the US?
|
| Also relevant are that per-capita meat consumption in the
| US has gone up dramatically in the last 50 years, and so
| has the average caloric intake. Looking at history, it
| seems like we have room to downsize some, right?
| aparks517 wrote:
| > poultry feed is grains and "mostly" edible in theory
|
| Yeah, some of them definitely. We fed our chickens a fair
| bit of wheat, which of course makes good bread. Plenty of
| field corn too, which... I guess if you like corn chips
| as much as I do... okay! Poultry and eggs might be better
| for you than loading up on grains though.
|
| > per-capita meat consumption in the US has gone up
| dramatically in the last 50 years, and so has the average
| caloric intake
|
| Perhaps as little as double those fifty years ago it
| would have been unthinkable that even the poorest among
| us could be troubled by obesity. We live in an age of
| riches and I guess we're still figuring out how that
| works. What a problem to have, though!
|
| > it seems like we have room to downsize some, right?
|
| This is perhaps the most amusingly uncontroversial thing
| I've read on the Internet lately. Thank you
| redprince wrote:
| If only that were still completely true.
|
| https://wwf.panda.org/discover/our_focus/food_practice/su
| sta...
|
| You could completely strike meat from everyone's diet and
| still feed everyone.
| swiley wrote:
| Just because you can do something and still feed/house
| everyone doesn't mean it's optimal.
|
| Plants are mostly cellulose, not sugar.
| viraptor wrote:
| You're talking about long-term effects, which are true. But
| that meat waiting to be distributed is already there. If
| the deliveries disappear for a few days/weeks, you don't
| suddenly get extra plants to distribute in that timeframe.
| dahart wrote:
| True. Yeah I thought the whole sub-thread here was
| talking about long-term effects, not a short-term one-
| time gap of unused supply. The top comment was talking
| about the general necessity of meat to our economy,
| right?
| lainga wrote:
| Well general and specific, and short- and long-term, are
| orthogonal. Oil is also generally necessary in the US
| economy in the short-term, if (conceivably) not in the
| long-term. On the other hand electricity is not necessary
| in the short-term specifically to aluminum foundries, but
| in the long-term it is (or the crucibles solidify).
| dahart wrote:
| Sure agreed. I'm perhaps not understanding what part of
| the above that this distinction clarifies. Sudden loss of
| oil would bring the entire economy to a halt and
| certainly result in mass loss of life. Sudden loss of
| human edible meat would no doubt be a major blow and an
| enormous waste, but would not generally result in a lot
| of people dying or stop the economy. It would certainly
| bankrupt and cripple the operations of meat farmers, but
| loss of oil would bankrupt and cripple _all_ farmers, and
| _all_ transportation and distribution of food.
| redprince wrote:
| As if there's a scarcity of food in the US so that missing
| out on calories from meat could not very easily be
| substituted. Incidentally that would also result in a diet
| commonly regarded as healthier.
| [deleted]
| joemazerino wrote:
| I'm curious as to how so-called cyber insurance plays out with
| these attacks.
| sparker72678 wrote:
| > JBS's five biggest beef plants in the U.S. -- which altogether
| handle 22,500 cattle a day -- have halted processing following a
| weekend attack on the company's computer networks, according to
| JBS posts on Facebook, labor unions and employees.
|
| It wasn't clear to me from the headlines that this is about meat
| plants.
| jokoon wrote:
| This reminds me of the earlier cyber attacks on pipelines.
|
| One could speculate that those are climate activist attacks.
| titanomachy wrote:
| This is being downvoted, but it seems like a reasonable theory
| to me. I know a decent number of brilliant engineers/hackers
| who are strong proponents of a vegetarian diet.
|
| Or maybe it's just a general attack on US food production, and
| meat is the most vulnerable sector due to its complexity.
| yaw11 wrote:
| It isn't reasonable at all.
| Arrath wrote:
| As a prelude to Rainbow Six, it might be.
|
| Otherwise..
| gruez wrote:
| Don't hacktivists/eco-terrorists usually claim responsibility?
| Shutting down beef/oil production for a few days isn't going to
| do much for the environment, if at all since demand basically
| stays the same, so claiming responsibility and/or getting
| awareness is the only reason for hacking.
| simonw wrote:
| Occam's razor says that the most likely reason for this is that
| a ransomware group knew that they could extort a lot of money
| from this company.
| yaw11 wrote:
| You could speculate that. Then you could ask yourself why a
| climate activist would create a situation where cattle starve
| at the plant and are put down and not used economically.
|
| There are thousands of cattle in transit to just one of these
| facilities every hour of every day. Most are not equipped to
| feed incoming cattle - they arrive hungry and with minutes to
| hours to live. If you're annoyed about the climate, forcing a
| manufacturer to throw out and waste hundreds of tons of
| perfectly fine beef does what, exactly? Send a message?
|
| This isn't spiking trees. You're dealing with live animals. I
| have a hard time believing an activist environmentalist would
| be fine with _exacerbating_ an animal welfare situation they
| already don't like. Putting thousands of cattle through even
| worse experiences than usual. Yeah, no.
|
| Source: One degree removed from a foreman at an impacted plant.
| What I'm describing is already happening - plant I'm aware of
| has 14k head on hand with about 24 hours to figure it out or
| kill and discard. The administration is already involved and
| aware of the details, too, and _everyone_ should be vigilant
| regarding speculation as to who's behind it (this is likely
| misdirection, given who it actually is).
| Arrath wrote:
| >This isn't spiking trees. You're dealing with live animals.
| I have a hard time believing an activist environmentalist
| would be fine with exacerbating an animal welfare situation
| they already don't like. Putting thousands of cattle through
| even worse experiences than usual. Yeah, no.
|
| Animal rights activists aren't always known for thinking
| about the consequences of their actions.
|
| https://www.independent.co.uk/news/freed-mink-bring-death-to...
|
| https://slate.com/technology/2017/07/thousands-of-minks-die-...
| genericuser314 wrote:
| "Thus, by a continuous shifting of rhetorical focus, the
| enemies are at the same time too strong and too weak." ~
| Umberto Eco
| hereme888 wrote:
| Are there any details on whether it was ransomware? I'm
| interested in following this story as it develops.
| ChuckMcM wrote:
| Is there any other kind of "cyber attack" with respect to
| companies like this? This is a serious question, I can't
| imagine someone DDoS'ing or trying to "steal passwords" or
| "private data" from a meat processor. But disrupting their
| business and holding them hostage? Seems to be a thing these
| days.
| gizmo686 wrote:
| 1) Cyber warfare. Taking down critical capacity like food
| production weakens your enemy. I don't think hostilities are
| anywhere near bad enough with anyone for this to be an issue
| at this point; but it would not surprise me if the other
| major countries are already in our systems and _could_ do
| this with the push of a button if they wanted to. (Similarly,
| it would not surprise me if we were in theirs as well).
| Establishing the capacity to do this at the push of a button,
| could have the effect of accidentally shutting things down.
| Either because of a mistake from the attacker, or because the
| attack is discovered and production is shut down out of an
| abundance of caution while we figure out what happened.
|
| 2) Terrorism. Really, I consider this the same as warfare,
| just coming from "terrorists" instead of "countries". With
| this broader base of attackers, I think there are groups that
| would be willing to do so. The only question is if they have
| the technical know-how. Given how cheap these ransoms can be
| ($4.4 mill for the pipeline hack), and the fact that a paid
| ransom is probably a good profit margin, in terms of raw
| funding, these hacks seem within the range of terrorist
| groups.
| ChuckMcM wrote:
| All valid if we were at war or there was an active anti-
| meat terrorist group (I don't consider PETA to be
| terrorists :-). Just using the process of elimination to
| guess what is up and "ransomware" is highest on my survey
| board at the moment. (weak hat tip to Family Feud)
| gizmo686 wrote:
| They do not need to be anti-meat. Simply anti-America
| would suffice.
| Veserv wrote:
| Sure, you could have an attack whose goal is to cause damage
| like what happened in the Sony Pictures hack in 2014 [1]. Or
| follow through on a direct blackmail attempt of money for no
| disruption. Even if we limit ourselves to financially
| motivated actors there are plenty of ways to convert business
| disruption to money other than ransomware such as stock
| manipulation, competitive sabotage, etc.; they are just a
| little more sophisticated in the non-technical aspects.
| However, these tactics are quite rare currently because most
| hackers are extremely financially unsophisticated, being
| mostly young technically-minded people, so they focus more on
| the technical aspect of just doing more hacks rather than the
| business aspect of extracting the most value through solid
| financial engineering.
|
| We can see this by the fact that just a few years ago they
| would take down the same types of companies they are hitting
| now and ask for a ridiculously low sum of like $10k, but now
| they are asking for a much more reasonable, but still low
| $1M. Nothing changed about who they were attacking, they just
| slowly realized that they underestimated how much companies
| would pay for their "services" by a factor of 100x. That is a
| classic mark of a business amateur who has no idea just how
| much money is involved in B2B deals.
|
| But to your underlying question, yeah, it is probably
| ransomware.
|
| [1] https://en.wikipedia.org/wiki/Sony_Pictures_hack
| ChuckMcM wrote:
| FWIW, I'm not saying it _couldn't_ have some other
| motivation, I am saying that it is _unlikely._
|
| And now Bloomberg is reporting it was a ransomware attack --
| _"It's unclear exactly how many plants globally have been
| affected by the ransomware attack as Sao Paulo-based JBS has
| yet to release those details."_
| pcthrowaway wrote:
| The most obvious one to me, especially affecting a meat
| producer, is activism. Disrupting supply chains for meat
| production could very well drive demand for plant-based
| alternatives, and if it becomes a cost of doing business,
| perhaps it would balance out massive subsidies which keep
| meat prices competitive with prices for plant-based meats.
| ndespres wrote:
| In terms of things that are not specifically targeted:
|
| I still see things like attacks on open SMTP ports to relay spam
| email, installing crypto mining software on PCs and servers,
| scanning for insecure VoIP phone systems and racking up long-
| distance phone bills..
|
| The ransomware attacks make a lot of headlines I think
| because it's somewhat easy to sensationalize without a lot of
| explanation of boring IT stuff, but there are still plenty of
| other things happening regularly to compromise insecure
| systems.
| ChuckMcM wrote:
| Sure, but those don't typically warrant telling anyone
| right? I mean "our email server just sent a zillion spam
| messages, we're working on it." would largely go under the
| radar I suspect.
| whatshisface wrote:
| The big difference is that ransomware is a strike
| directly against the people who got hacked, while turning
| servers into bot farms at worst costs them a little
| electricity. The victims of DDoSes, for example, aren't
| usually the ones whose compromised systems are running
| the DDoS.
| milkytron wrote:
| Yes.
|
| > A CNN White House correspondent reported on Tuesday afternoon
| that JBS told the Biden administration it had received a ransom
| request from a criminal organization "likely based in Russia."
| skindoe wrote:
| And we computer scientists believe political vague statements
| with no evidence behind them why? It's not like there are
| dozens of cases of "intelligence" being wrong in the past 15
| years...
| haspoken wrote:
| http://archive.is/52YQq
| coliveira wrote:
| Hackers are laughing at the idea of concentrating large amounts
| of the economy at a single company. The whole internet will be
| coming to a halt once this can be replicated on at least one of the
| big web companies.
| adictator wrote:
| Beautiful!
| davidw wrote:
| This seems like too much consolidation:
|
| > The U.S. meat industry is so consolidated that with JBS
| basically offline due to a cyberattack, the USDA can't publish
| wholesale price data without potentially revealing proprietary
| information about JBS's competitors
|
| From https://twitter.com/sjcasey/status/1399822226313076737
| cupcake-unicorn wrote:
| Good, I hope this encourages people to support plant based
| alternatives and "vat meat" type stuff. The meat industry is
| awful for two major disaster scenarios facing humanity: global
| warming and antibiotic resistance. Meat isn't "critical
| infrastructure", it's a luxury with health risks akin to other
| luxury products that are taxed, and is propped up and subsidized
| already in order to survive. This is not even beginning to talk
| about the ethics of this situation. People like Noam Chomsky etc
| have been behind this:
| https://www.nationalobserver.com/2019/02/12/features/noam-ch...
|
| No one would be particularly choked up if this affected the
| cigarette industry or the alcohol industry.
| hourislate wrote:
| Yeah, we should also take a stand against all the plants and
| fruits we are farming. It is incredibly bad for the environment
| (ex: pesticides, water usage, slave labor practices, etc). The
| whole food sector is a major producer of greenhouse gases and
| farming whether livestock or grains, etc is extremely bad for
| the environment. Let's save the planet and stop eatin.
| 1cvmask wrote:
| Although not a cyberattack it reminds me of the massive supply
| disruption and culling that occurred in the UK because of the mad
| cow disease.
|
| There is still no clue as to why these disruptions happened but
| the educated guess mentioned in the article is ransomware. The
| one that is almost always forgotten is how they escalated
| privileges through compromised passwords because most of these
| organizations don't use multi factor authentication everywhere.
|
| https://en.wikipedia.org/wiki/Bovine_spongiform_encephalopat...
| polskibus wrote:
| Ransomware attacks were made more feasible (the ransom part)
| thanks to cryptocurrencies commoditizing low traceability for
| criminals. I'm pretty sure we're going to see more and more of
| them, especially with all "digital transformation" going on.
| goatinaboat wrote:
| _Although not a cyberattack it reminds me of the massive supply
| disruption and culling that occurred in the UK because of the
| mad cow disease_
|
| Still a form of information warfare attack, perpetrated by none
| other than Neil Ferguson, operating in plain sight. If he was a
| hacker he would be in prison but he does incalculable damage
| again and again and gets away scot-free every time!
___________________________________________________________________
(page generated 2021-06-01 23:01 UTC) |