This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.
Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.
We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:
-
Shaming.
-
Attempting to 'build consensus' or enforce ideological conformity.
-
Making sweeping generalizations to vilify a group you dislike.
-
Recruiting for a cause.
-
Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.
In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:
-
Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.
-
Be as precise and charitable as you can. Don't paraphrase unflatteringly.
-
Don't imply that someone said something they did not say, even if you think it follows from what they said.
-
Write like everyone is reading and you want them to be included in the discussion.
On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.
Jump in the discussion.
No email address required.
Notes -
I'm a long time lurker, so this is my first attempt at a top level post.
I have recently changed jobs, and this has caused me to work with a bunch of companies that are low level engineering firms. I don't mean they don't have good engineers, but they are small companies with tiny IT budgets. For my personal experience, in college I worked at a help desk and then was a networking engineer until I got my CS degree. My first job out of college was at Cisco, and I have always worked at pretty large companies that had the highest security possible. I wouldn't even consider myself a security expert necessarily, but my experience at Cisco and networking did teach me a lot. We're talking firewalls years out of date, unnecessary equipment plugged in with vulnerabilities, ports open that shouldn't be, default admin passwords, etc.
I am amazed at some of the profits of some of these companies that spend essentially no money on IT or security. Just one look at their server room tells you all I need to know.
There is so much low hanging fruit. My question is this: why are there not more cybersecurity attacks on these blue collar profitable companies? If I was a malicious actor (with my programming and IT experience), there are thousands of profitable companies I could easily snipe if I was so inclined. I have a friend that works for homeland security, and he says there are tons of attacks on government organizations. He says they are basically a MSP for a lot of organizations that have no idea what they are doing such as universities. But the government at least has a standard. So I kind of get that, but from what he tells me they are also vulnerable.
But how are there not more easy attacks? Ransomware would be easy with how some of these companies are. Are there just not enough attackers? Every city and company I have traveled to I could easily have taken over their network if I was so inclined. Are there just not enough attackers to take advantage of everything?
If I was China or an adversary, this would be child's play. Do they just not want to reveal themselves? I just don't get it. Every company I have gone to would be so easy to get admin creds. This makes me think there are two options. Either there aren't enough hackers to take advantage, or they are holding back. Which one is it? Because like I said, it would be trivially easy to hack these companies.
They are occasionally targeted. There’s a growing scam where a coordinated group will hack in, carefully watch company email for a few months, and then when it looks like a big deal might be going through they bust out some targeted social engineering. For example, they might email and text the CEOs secretary with a panicked tone about needing to make a wire transfer ASAP, they have email control and maybe spoofed a SIM, it looks legit and some poor employee actually wires away millions.
But there are a few brakes here. One, sometimes the English or social engineering skills are actually medium rare, and you need a specific set of skills to make the whole thing work. Believe it or not, but the supply of well organized foreign hackers is actually moderately constrained. Second, there’s the discoverability problem. These companies, they also are small enough that many even would-be legitimate employees don’t know about them until they post on Indeed. How is a foreign hacker supposed to find them if job seekers sometimes even can’t?
I would argue that the US actually sees a remarkably low level of internal hacking all things considered. You’re right, if you were malicious you probably could make some money. Part of it is the FBI actually is somewhat effective (Anonymous for example was absolutely picked apart, and US jurisdiction and subpoenas and such are relatively easy and effective compared to international stuff). Part of it is if you have the skills you can earn more money for much less risk working a legit job. All this leads to a less favorable risk-reward. There’s also maybe morals coming into play?
But finally, smaller and smaller companies are targeted each year. You may have noticed for example that smaller regional hospital systems get occasionally hacked. Also some corporations especially smaller ones don’t ever admit when they are hacked, or if they do you don’t hear about it. Smart hackers of course tend to avoid hacking hospitals because it draws US federal attention, which does sometimes successfully strike back.
More options
Context Copy link
More options
Context Copy link