Major US Companies Breached, Robbed, and Spied on by Chinese Hackers (foxbusiness.com) 118

Rob Barry and Dustin Volz, reporting for Wall Street Journal: The hackers seemed to be everywhere. In one of the largest-ever corporate espionage efforts, cyberattackers alleged to be working for China's intelligence services stole volumes of intellectual property, security clearance details and other records from scores of companies over the past several years. They got access to systems with prospecting secrets for mining company Rio Tinto, and sensitive medical research for electronics and health-care giant Philips NV. They came in through cloud service providers, where companies thought their data was safely stored. Once they got in, they could freely and anonymously hop from client to client, and defied investigators' attempts to kick them out for years. Cybersecurity investigators first identified aspects of the hack, called Cloud Hopper by the security researchers who first uncovered it, in 2016, and U.S. prosecutors charged two Chinese nationals for the global operation last December. The two men remain at large.

A Wall Street Journal investigation has found that the attack was much bigger than previously known. It goes far beyond the 14 unnamed companies listed in the indictment, stretching across at least a dozen cloud providers, including CGI Group, one of Canada's largest cloud companies; Tieto Oyj, a major Finnish IT services company; and International Business Machines. The Journal pieced together the hack and the sweeping counteroffensive by security firms and Western governments through interviews with more than a dozen people involved in the investigation, hundreds of pages of internal company and investigative documents, and technical data related to the intrusions. The Journal found that Hewlett Packard Enterprise was so overrun that the cloud company didn't see the hackers re-enter their clients' networks, even as the company gave customers the all-clear.

  • by RobinH ( 124750 ) on Tuesday December 31, 2019 @12:49PM (#59573986) Homepage
    To a naïve employee in middle-to-upper-management, the argument to move everything to the cloud is a simple fiscal one: it's cheaper. We don't quantify risk very well. But putting all the data in one place just makes it easier to collect. Our company still hosts our data locally with multiple on-and-off-site backups, and management does seem to understand how that's better.
    • by gweihir ( 88907 )

      What, you mean to imply that cheaper is not better? Sacrilege!

      As a completely unrelated observation, I have seen "decision makers" time and again convince themselves that cheaper was at least as good. The most extreme case was where a not very secure chip-card suddenly became a "mini HSM". The mind boggles.

    • That's an interesting take. The past few times I've looked at replacing on-prem hardware versus spinning up virtual instances in "the cloud" the latter option tended to be the more expensive one. Once you factor in bandwidth utilization, CPU cycles, etc. it was more expensive by a fair margin. Less reliance on local environment power, cooling, etc. still didn't bring it into line.

      • by sheph ( 955019 )
        It's never about what it actually costs. It's about what it looks like on paper for the upward bound manager. Of course it's more expensive in the long run, but by then that manager has moved on and it's someone else's problem.
      • Exactly this.

        I've always invited academics who tell me that our IT departmental costs are far too high and it's cheaper on the cloud to actually go and do the comparisons.

        The ones who came back claiming it was cheaper had the items missing from their shopping list that they didn't get quoted for and were told to go away with a real comparison. (The usual failing is "XYZ storage is cheap" - without factoring in the added charges for READING that storage)

        The ones who actually did compare apples with apples _never_

      • I've been entrusted with 6 figure budgets for platform hardware purchases in the past. I have also migrated a number of platforms to 3rd-party virtualized environments (i.e. clouds) for organizations of various sizes.

        From where I sit, it's primarily a CAPEX vs OPEX - let me explain:

        When you spend money on servers, routers, cabling, and eventually parts, it's a capital expense (CAPEX), which will lose value over time and will have to be handled down the road again. You'll have to eventually upgrade/replace
        • All very true. I work closely with our CFO here, and the expense classification can make a difference. Not to mention depreciation, obsolescence, replacement, etc. of physical hardware.

          I too have to create and maintain annual budgets that aren't insignificant in terms of platform hardware. Every realistic model I came up with pretty much agreed. For what we'd be paying for cloud services when all is said and done came out to the equivalent of completely replacing our on-prem hardware every 2 years. For us,

    • You are absolutely right, of course . . . . but management is still always at the pre-evolutionary stage . . .
    • Do you have any data to support your claim that on-premise is more secure than cloud?

      This article says the opposite is true: Where is your data safer, in the cloud or on premise? [infosecinstitute.com]

      The question is not whether on-premise is better than the cloud for companies with top-level IT staff, but whether it is safer for a typical company.

        • It all depends on what exact cloud service you're using, vs your on-premise configuration, plus your policies that affect these. AWS FedCloud is far more secure than AWS EC2, both are from the same provider. Does your cloud product perform per NIST 800-53? Does it encrypt data-at-rest and data-in-motion? Is the encryption FIPS certified? Does it force proper ECA identity 2FA?

        You can do 800-53 on your local on-premise, and you can find a cloud product that also does this. Or, you can use pirated ISO's of
      • by cusco ( 717999 )

        From the looks of TFA the question is whether your admins are bleeding idiots who respond to phishing attacks. There isn't any way that AWS or anyone else could know if their customer has already given the attacker valid credentials.

        • There isn't any way that AWS or anyone else could know if their customer has already given the attacker valid credentials.

          This is the kind of dangerous thinking all sorts of people are spreading. They say "if a human makes a mistake there's nothing we can do about it". If airliner designers believed that kind of thing then all the airline companies would have planes falling out of the sky every day. The fundamental rule is to design your systems assuming that the people will fail at different points in all possible different ways.

          It is possible to see if credentials are used from a place they aren't normally. It is possi

          • by cusco ( 717999 )

            It is possible . . .

            It certainly is, but if the customer gets annoyed by being inconvenienced too many times they'll turn all the verification off. I've seen it for two decades, when I still did server support for customers I had several management types who insisted that we give them access to resources without even logging in through the VPN because they were too stupid/lazy (fortunately I was always in a position where I could refuse).

            Agree about AWS, but of course they'll always be hobbled by the compe

      • Do you have any data to support your claim that on-premise is more secure than cloud?

        This article is the evidence needed and completely blows away any claim that clouds are always safer, whilst we haven't yet had evidence that the two reputable, non-Microsoft-based clouds, Google and AWS, are insecure.

        It's key that two companies, HPE and IBM are mentioned here. In the case of HPE's Microsoft Azure based clouds it's clear from the article that security has failed in a serious way and most importantly that the companies breached were not in a position to protect themselves because the cloud

    • No executive has gone to jail for failing to protect their data. Nothing will change until accountability becomes a thing again.

    • by rtb61 ( 674572 )

      All smart western cyber criminals know the very first thing you do to be safe, is set up a server in Russia or in China and hack back into the west via that route and never hack into the hosting country, especially employees of the targeted companies. You can not keep them out because they know exactly how to break in and do it via a remote server in Russia or China and make lots of bitcoin. Any employee holding crypto should always be considered a security risk. As for western nations, I suggest you start

  • by ErichTheRed ( 39327 ) on Tuesday December 31, 2019 @12:53PM (#59574006)

    Whether you do it on premises or in the cloud, the common thread is that the IT services companies are the foothold the attackers use. These companies are under intense pressure to whittle down costs on contracts to the bone to squeeze out margin, so I highly doubt they're doing a whole lot to secure the infrastructure of their customers. They don't care at all about the level of service delivered as long as it doesn't fall to a level where the company can invoke SLA payments or cancel the contract. This is a very smart way to get in the back door of company networks...find a vulnerability missed by an overworked undertrained newbie sysadmin, or spear-phish a not-so-bright employee (possibly an account manager) with credentials to the systems you want data from.

    I hope the 2020s bring back some in-house talent at companies. The 90s and 2000s were the domain of the large Indian outsourcers and IBM/HP/Accenture/you name it just being handed entire companies' IT departments on a silver platter. The 2010s seem to have reversed some of this with vendors like DXC circling the drain because the old "offshore everything, ..., Profit!!" model of the 90s doesn't work well anymore. We're seeing some companies take back more control while others are just handing everything over to Microsoft/AWS and SaaS vendors to manage. Maybe the 2020s will bring about an IT department that is more about intelligently putting together this patchwork of services and securing things properly.

    • Cloud services make a very juicy target, so long as there is money to be had someone will find a way whether it's a cloud service or a common internally hosted commercial solution.

    • because the old "offshore everything, ..., Profit!!" model of the 90s doesn't work well anymore.

      It never worked... it just takes a long time for things to break down. Like a car you don't perform maintenance on, it doesn't break down the first day. The companies were just trading profit today for tons of issues down the road... as usual.

      • by cusco ( 717999 )

        That's because "down the road" the executives will all have changed jobs and will be merrily looting some other company. As long as there is time to cash in their stock options they don't care if the company crashes and burns in their wake.

  • Yeah, it's not even close to as the USA.

    • by gweihir ( 88907 )

      The Chinese are just not as good at it and get caught.

    • by Tablizer ( 95088 )

      I'm sure the US does military-related espionage, but I've seen no evidence of general industrial espionage by the gov't*. It's hard to keep such a secret for decades, as current administrations don't care if they embarrass prior ones. Rotating administrations is part of our system of checks and balances. China busted that aspect by making Xi dictator for life.

      If the Chinese gov't is doing general industrial espionage, we should probably sanction them until they stop. If you don't punish such, it keeps happe

    • Are you somehow equating innovation with outright theft?

    • Rather shallow entry to the deeper topic, so I wouldn't give you [dwater] the mod point even if I (ever) had one to give.

      I think it makes more sense to consider the topic from the perspective of freedom, which I define (per my sig) in terms of choice. There are always limits to freedom, but the Chinese limits are not so different from America's. That makes this story into more of a question of jurisdictions, and I am sure that the offenses of "robbery" and "spying" are defined differently there and elsewher

      • What you say is pretty much the opposite of the truth. Firstly in China you have no freedom of speech, religion or if they had their way thought. You are there to serve the party not the Govt. there to serve you so the limits are as different as they could be with few exceptions such as they allow people to travel, not sure if you still need papers to travel from one place to another but you sure used to.

        You quote Trump as saying the same thing in a round about way but I will take you at your word. With T
        • by shanen ( 462549 )

          So your answer boils down to "I lack the imagination to understand how it could happen here."

          By the way, most of your "evidence" was counterfactual or anecdotal or both, except where you indicated that you don't know, are too lazy to do any research, or don't care. Or all of the above.

          I think it safe to regard this "discussion as terminated".

  • by DesScorp ( 410532 ) on Tuesday December 31, 2019 @01:04PM (#59574048) Journal

    Honestly, if you're surprised at Chinese industrial espionage and IP theft, then you haven't been paying attention for, oh, forever.

    From the very beginning of this Devil's Bargain that Richard Nixon made in "opening China", the Chinese saw it as an opportunity to steal every single thing they could from the West. Joe Studwell published a book nearly 20 years ago called The China Dream [theguardian.com] that laid out the Chinese mindset, a mindset that goes back to the very first attempts at trade between China and the West. It's a book that gets right to the meat of the matter: China sees foreigners as a threat to be both kept at bay AND exploited, and they see Westerners as both the biggest threat AND the biggest suckers. And they've been right, especially about the suckers part. China has no compunction against stealing every secret and every technology they can from us, and then making it their own to be used against us. Westerners have been suckered for centuries when it comes to the promise of Chinese markets. China's plan is always to lure them in with the promise of huge profits, and then steal whatever they have to offer and sell it to their own people, gradually kicking foreigners OUT of those markets.

    The Chinese see it this way: It's THEIR turn to rule, and they're taking what is rightfully theirs.

    • by Halo1 ( 136547 ) on Tuesday December 31, 2019 @01:19PM (#59574124)

      The whole "Chinese stealing everything from the West" rhetoric sounds rather hollow if you look at how the Western companies treated the Chinese [ffii.org] at the same time. I don't mean this in a "whataboutism" way, just that there is no moral high ground here. It indeed looks like the Chinese government are coming out on top right now, but I think it's incorrect to frame the situation as the "stealing Chinese" versus the "exploited Westerners".

      • No whataboutism at all. China was THE leading technological country for several thousand years, losing ground at the start of the industrial revolution but really only stopped when pounded flat by gunboat diplomacy, opium wars, civil wars and genocidal imperialism - and even THEN Chinese knowhow helped them build things back up in less than 60 years.

        China has already leapfrogged the USA technologically and is gaining rapidly on Europe. There's no monopoly on human intelligence and ability - (or unfortunate

    • Thanks for your erudite comments, and important to remind people of some little known facts as the declassified documents on the meetings between Nixon, Kissinger and Mao Zedong were released around the time frame of 9/11/01, and were dutifully ignored by the PuppetMedia: Nixon/Kissinger promised Mao that the USA would pull out all military presence in South Korea and Taiwan by the end of Nixon's second term in office (thankfully he was forced to resign before then) --- essentially promising Mao the commie
    • by Solandri ( 704621 ) on Tuesday December 31, 2019 @02:56PM (#59574526)
      Studwell is clueless. I'm Asian. This isn't some attitude unique to China, or specifically against foreigners, or China thinking it's their turn, or thinking they deserve to have this. It's the conflation of two separate things.

      First, Confucianism values loyalty to one's group more than loyalty to one's self. Group can mean family, company, town, country, etc. This is part of the reason the Communist government has such staying power. Unlike in other areas where people's default state is a desire for individual freedom, the default state in Asia is deference and loyalty to authority. You'll notice the remaining Communist nations - China, Vietnam, Cuba, Laos, North Korea - are mostly in Asia. That's because the idea that The State knows best is ingrained in culture there. There will always be a strong sense of nationalism (my group is superior to your group) in an Asian country because of this, which makes them very similar to colonial European countries if they start to get expansionist dreams (e.g. Just like Europeans justified their colonialism due to them being superior to the "lesser" peoples in developing nations, Imperial Japan likewise believed it was entitled to rule the other Asian nations).

      Second is a lack of belief in intellectual property. That's why you'll often see stories in anime or manga about a character being fired if they refuse to spy on another company. Stealing corporate secrets isn't seen as wrong. Rather, the precept is that if you've got something you want to keep secret, it's your responsibility to keep it secret. And there's nothing wrong with others trying to learn your secret (indeed, you should expect them to try it). IP - the idea that you can restrict the exchange of ideas among the population (protect secrets) with laws - is a completely artificial construct. One invented in the West and foreign to Asia. That is, the Asian attitude towards IP is actually the natural default state, and the Western invention of IP is the aberration. So if you grew up in the West, the innate sense you have that "stealing" someone else's idea or secrets is wrong, is artificial. You only believe it because you've had it pounded into you since childhood. FOSS actually aligns with the Asian perspective. It's the idea that the world will be better off if things which can be duplicated at no cost are shared freely. In FOSS it's limited to software, but if you generalize it to ideas (which can also be duplicated at no cost), you end up with the Asian attitude towards IP. Asians in general will only comply with IP laws if you threaten them. Not necessarily because they have something to gain by ignoring IP, but because the concept is just foreign.

      Combine the two and you get people with no compunction against conducting corporate espionage, and who will willingly do it when asked to do so by the state or company. If you're going to do business in Asia, you need to take steps to fend off these attempts. You're incredibly naive if you think mere words on a piece of paper approved by a legislature will protect your IP secrets from being stolen.
      • Communism comes from Europe too (Marx and Engels are German FYI), and by its nature it doesn't discourage individualism, far from it. And deference to authority is the default reaction of any person who doesn't know better in any corner of the world. Confucianism for sure doesn't encourage blind obedience and European thought requires adherence to their values as much as in Asia. So this juxtaposition of values you presented is based on theme park versions of both Confucianism and Communism. Confucius' own life
      • by CaptnCrud ( 938493 ) on Tuesday December 31, 2019 @04:03PM (#59574766)

        Oh give me a break. It's about being perpetually poor as fuck and not giving a rat's ass about the next person.

        Case in anecdotal point, I have a western friend who has a Chinese wife and they live in mainland China. From time to time they visit her mom. On his first visit, he noticed the elevator had a burned out bulb (making the elevator pitch dark). 3 months later he visited again and the bulb was still out, so he remarked to his mother in law about it. She said they had had community meetings on several occasions to see who would buy a new bulb...yes, a meeting to replace a light bulb...after "several meetings" no one out of a couple hundred tenants in the complex would replace the bulb...not a single one...this is a light bulb we're talking about here...no one thought about the older people, no one cared if young women might be scared to get into a dark elevator alone...

        In the end, he said he just bought the $1 bulb and replaced it. That attitude is all thanks to living in a communist regime.

      • by AmiMoJo ( 196126 )

        Chinese companies understand IP. That's why China files the most patents. It's why the US is attacking Huawei - they have all the IP for 5G and are making money out of it while Western companies can only licence it from them.

        It's just the usual growing pains. Look at how the US didn't respect European IP, and then even its own IP when movie producers realised they could just move far away to Hollywood and avoid paying the fees.

    • But I'm confused -- Information wants to be FREE!!! or so I heard.

      Also, my computer really hates when I anthropomorphize it.

      Hmmmm.. so "China sees foreigners as a threat to be kept at bay AND exploited". Sounds a bit like tribalism -- you're not one of us so we can do whatever we want and it's all OK.

      Also, doesn't that sound a little familiar? Muslims: kafir, the worst word in the human language, for unbelievers. Kafirs can be tortured, killed, lied to and cheated. Oh, and that's anyone that's
    • by ceoyoyo ( 59147 )

      Sure, because other rising nations haven't ever done exactly the same thing to the dominant power of their time.

      https://foreignpolicy.com/2012... [foreignpolicy.com]

  • Supermicro (Score:3, Interesting)

    by dills ( 102733 ) on Tuesday December 31, 2019 @01:05PM (#59574056) Homepage

    Maybe that Supermicro story wasn't bullshit after all?

    • by AmiMoJo ( 196126 )

      It was, same as this story.

      First, US companies spy and steal too. Everyone does. Steve Jobs famously bragged about it. Created a popular app? Expect Apple to clone it and make it part of iOS. Do you think Ford doesn't buy every be Toyota and take it apart? Or that Microsoft got where it is by being impeccably honest?

      This is all just because China is now challenging and winning in tech. Huawei has many of the key 5g and WiFi patents, developed in house by Chinese engineers. They overtook the West.

      We aren't g

  • The only thing that the West could steal from the Chinese is the recipe to build better firecrackers.

    • by rldp ( 6381096 )

      Nah. Smokeless powder was invented in the west, and all the amazing colors and patterns and choreography you see are a result of western chemistry, physics, engineering, etc.

      Chinese fireworks are caveman-era trash.

  • I wonder if this will open the Pentagon's eyes and cause them to rethink their decision to put all their eggs in ( anybody's ) cloud. We can only hope.
  • I wonder how much this was facilitated by Intel's speculative execution security shortcuts.
    • by gweihir ( 88907 )

      None yet. As far as I am aware, there are no practical exploits available. The issue is not that these are impossible to write, the issue is that most targets are easier to attack in other ways and hence the respective experts spend their time more productively.

    • by rldp ( 6381096 )

      None.

      Hacking isn't like the movies.

      Look at how many companies are using Slack for their internal communication. We just had a story about a Slack architect who steals mattresses on the side. None of that communication is safe from snooping.

      Silicon valley "disrupt" startup culture is entirely devoid of morals. These are inside jobs.

      • "Hacking isn't like the movies"

        Nor is spying.

        The _VAST MAJORITY_ of espionage has traditionally been carried out in public library newspaper reading rooms.

        How? Primarily by collating stories on certain topics which would appear in small newspapers but not in larger ones, or on topics which would "stop" being aired.

        If a story shows in the local rag about XYZ contractor expanding due to new business - and several such stories appear, and you have military bases in the area, you can surmise that there's a loca

  • by gweihir ( 88907 ) on Tuesday December 31, 2019 @01:29PM (#59574198)

    Demonizing these criminals of opportunity just serves to obscure the real problems: Too many companies have dysfunctional and cheapest-possible IT security and are easy targets.

    • EXACTLY THIS.

      But because "cyber", they're able to get away with not securing themselves.

      Thankfully, Insurance companies are wising up to it, but this ALSO means that companies facing losing their cover will double down on the rhetoric.

  • They came in through cloud service providers

    I'm probably having a slow day, but just how do they come in through the cloud, and where do they come in to?

    where companies thought their data was safely stored

    and why do they need to get in anywhere if the data is already in the fricking cloud?

    Seriously slashdot-editors, what the fuck is this neocon BS doing on a technical blog?
    • Here, read this [us-cert.gov]. This one is from Russia [us-cert.gov], and includes some nice pics of them inside a power plant's SCADA system. This one [us-cert.gov] is about the threat of insecure MSPs. You should look over all of these alerts, look at how the attacks are done, and then use that information to help secure yourself and your company.

      tl;dr: APT uses compromised cloud credentials to infiltrate on-prem systems. A single compromised cloud provider can lead to multiple victims, especially if one integrated LDAP/AD.
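Two comments in this thread make the same defensive point from different angles: the reply above arguing that AWS or anyone else cannot know a customer has handed out valid credentials was answered with "it is possible to see if credentials are used from a place they aren't normally", and the tl;dr here says compromised cloud credentials are what gets reused against on-prem systems. The Go program below is an added example of that check, not code from the page, from any of the posters, or from any provider named in the article. The sign-in log format, the user names and every event in it are constructed, and the two-hour "impossible travel" window is an assumed threshold; a real deployment would read the provider's own sign-in audit feed and tune the window.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// SignIn is one parsed sign-in event. The log format and every line of
// sampleLog are constructed for this example; they match no real provider.
type SignIn struct {
	When    time.Time
	User    string
	Country string
	Source  string // network the request arrived from: office, vpn, internet
	Success bool
}

// Alert is one successful sign-in that departed from the user's own history.
type Alert struct {
	When   time.Time
	User   string
	Reason string
}

// Constructed sample log, one event per line:
// <RFC3339 time> <user> <ISO country> <source> <success|failure>
const sampleLog = `2019-12-30T08:02:11Z alice DE office success
2019-12-30T17:45:09Z alice DE vpn success
2019-12-30T09:10:00Z bob US office success
2019-12-31T02:30:00Z alice DE vpn success
2019-12-31T03:12:44Z alice CN internet success
2019-12-31T03:40:02Z bob US internet failure
2019-12-31T03:41:15Z bob US internet success`

// parseLog turns the raw text into events. A malformed line is an error
// rather than a silent skip, so a broken feed cannot hide activity.
func parseLog(raw string) ([]SignIn, error) {
	var events []SignIn
	for n, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			return nil, fmt.Errorf("line %d: expected 5 fields, got %d", n+1, len(f))
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		events = append(events, SignIn{When: t, User: f[1], Country: f[2], Source: f[3], Success: f[4] == "success"})
	}
	return events, nil
}

// detect replays successful sign-ins in time order and keeps, per user, the
// set of countries seen so far plus the most recent success. It alerts when a
// user succeeds from a country never seen for that user, and when two
// successes from different countries fall within travelWindow of each other.
// A user's very first sign-in has no history, so only later events can alert.
func detect(events []SignIn, travelWindow time.Duration) []Alert {
	sorted := append([]SignIn(nil), events...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].When.Before(sorted[j].When) })

	seen := map[string]map[string]bool{}
	last := map[string]SignIn{}
	var alerts []Alert
	for _, e := range sorted {
		if !e.Success {
			continue
		}
		if seen[e.User] == nil {
			seen[e.User] = map[string]bool{}
		}
		if len(seen[e.User]) > 0 && !seen[e.User][e.Country] {
			alerts = append(alerts, Alert{When: e.When, User: e.User,
				Reason: "new country " + e.Country + " via " + e.Source})
		}
		if prev, ok := last[e.User]; ok && prev.Country != e.Country && e.When.Sub(prev.When) < travelWindow {
			alerts = append(alerts, Alert{When: e.When, User: e.User,
				Reason: fmt.Sprintf("impossible travel %s -> %s in %s", prev.Country, e.Country, e.When.Sub(prev.When))})
		}
		seen[e.User][e.Country] = true
		last[e.User] = e
	}
	return alerts
}

func main() {
	events, err := parseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range detect(events, 2*time.Hour) {
		fmt.Printf("%s %-6s %s\n", a.When.Format(time.RFC3339), a.User, a.Reason)
	}
}
```

On the constructed log the only alerts are alice's sign-in from CN: it is a country never seen for her, and it lands 42 minutes after a success from DE. Bob's failed attempt followed by a success from his usual country raises nothing, which is deliberate: the check keys on the user's own baseline, not on a global blocklist, so it catches stolen credentials used from the attacker's vantage point without flagging every failed password. The objection raised further up the thread still stands, that customers disable checks that nag them; keying on each user's history keeps the alert rate low enough to survive that.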
  • of the OPM breach. I won't ever dare to go to China.
  • President Obama received a promise from the Chinese Communist Party/Xi Jinping, China's emperor or top Xi-male, to halt this type of behavior! I am shocked, thoroughly shocked --- just the other day I heard Noel of NPR also shocked to learn that labor laws are ignored by the Chinese Communist Party which practices some serious slave labor, etc., etc. Too many of us shocked today, although just being sarcastic of NPR, which imparts as little news as Fox, et al.
    • Re: (Score:2, Interesting)

      by Freischutz ( 4776131 )

      President Obama received a promise from the Chinese Communist Party/Xi Jinping, China's emperor or top Xi-male, to halt this type of behavior! I am shocked, thoroughly shocked --- just the other day I heard Noel of NPR also shocked to learn that labor laws are ignored by the Chinese Communist Party which practices some serious slave labor, etc., etc. Too many of us shocked today, although just being sarcastic of NPR, which imparts as little news as Fox, et al.

      Interesting analysis, now explain to us why after almost four years in charge Donald J. Trump has done exactly nothing to fix the mess that you claim Obama left behind and prevent things like this from happening.

      • Are you in la la land or have you been asleep for years. Perhaps you have not heard of the Tariffs, sanctions, trade deal. Trump even told all companies to get out of China. He has been working on it and gets abused for it. The reason he is abused is due to money flow, Wall street is invested in China and the world they don't care about the US but about their own wealth. Now if you are asking why Trump did not go in and find the security holes and fix them then yes you have a point he did not do that but as
        • Are you in la la land or have you been asleep for years. Perhaps you have not heard of the Tariffs, sanctions, trade deal. Trump even told all companies to get out of China. He has been working on it and gets abused for it. The reason he is abused is due to money flow, Wall street is invested in China and the world they don't care about the US but about their own wealth. Now if you are asking why Trump did not go in and find the security holes and fix them then yes you have a point he did not do that but as the President he has done about everything he could do. He gets criticized daily by the Dems for his China policies which makes me think they would hand over everything including the keys to the nukes to China, but there is a tiny chance that they are just criticizing them because they are do nothing not even think people who just will criticize everything even if they would do the same.

          And yet all of this failed miserably to stop this mega-hack from happening, four years and nothing, zip, zilch, nix, nada, ... nothing, China's hackathon is proceeding at full blast. Seems to me DJT is presiding over the exact same kind of mess Obama supposedly left behind. You'd think the most stable genius in history would have gotten a handle on this situation by now; instead we have an even bigger mess than under Obama.

          • Your assumption appears to be that I'm a Trump supporter --- you've demonstrated your stupidity on multiple levels now, and I appreciate the previous commenter who placed you correctly in la la land, or the house of pure stupidity!

            So you fully support Obama in passing on state-of-the-art nuclear technology to the Chinese Communist Party AFTER their massive penetration hacks into the Pentagon, the defense contractors, the OPM, Boeing, Google, etc., etc., which represented historic breaches and attacks on
    • What makes you think that Chinese hackers are responsible for most of this?

      My own research and experience over 25+ years points mostly to Bulgarian/Albanian/Romanian hacking crews working for-profit, with a few Ukrainian and Russian interlopers.

      If there's a hole, they'll exploit it - and they ALWAYS jump out of country first, before launching their attacks.

      As I've pointed out in other postings, China isn't just _riddled_ with compromised systems, it's AWASH with them (and it's far from the only country in thi

  • Respond in kind.
  • by Futurepower(R) ( 558542 ) on Tuesday December 31, 2019 @02:53PM (#59574514) Homepage
    "The Journal found that Hewlett Packard Enterprise was so overrun that the cloud company didn't see the hackers re-enter their clients' networks, even as the company gave customers the all-clear."

    Sad. HP has not been well-managed since before Carly Fiorina [wikipedia.org] was CEO, from 1999 to 2005, in my opinion.

    One story: Carly Fiorina’s disastrous record as HP’s CEO [fortune.com]. (Sept. 21, 2015)
    • That's what happens when you outsource your IT staff to various local vendors, don't bother doing any vetting, and don't bother to enforce your own security policies. I worked at two different positions at HPE; both got outsourced. I'm absolutely not surprised hearing about HPE...they often will connect up to some vendor, call-center, etc and never go back to secure these connections once they are "working"; duct-taping and slapping it together as fast as possible, not designing it securely, etc.
      • Seconded. Our last purchase from HP (not long before the split) was vastly oversold, and when it kept breaking down because it wasn't working as promised, the response was to abandon our software (which they'd sold to us in the first place!)

        Not a good look on a $300k purchase...

        As such, HPE makes it onto the vendor lists because it has to, but their claims get gone over with a very fine-toothed comb - resulting in them seldom if ever making it past the vendor lists onto the long list, let alone the short one.

  • by Solandri ( 704621 ) on Tuesday December 31, 2019 @03:00PM (#59574542)
    Don't be an idiot. Don't store your secrets as cleartext. If you do, anybody who works at the cloud service (or hacks them as in this case) can read your stuff.

    Use an encryption layer [boxcryptor.com] to protect your files before they're even transmitted to the cloud.
    • by edis ( 266347 )

      Or reconsider: such an encryption layer is another concentrator, touching your stuff in the most intimate fashion.

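What a client-side "encryption layer" of the kind Solandri recommends boils down to, as an added example (not code from the original thread, not any particular product): the key is generated and kept on the client, only AES-256-GCM ciphertext ever reaches the provider, the object name is bound as associated data so a blob moved to another name will not decrypt, and any modification of the stored bytes is rejected instead of yielding garbage. The `CloudStore` type is a constructed stand-in for the provider's storage API.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CloudStore stands in for the provider (constructed for this example):
// it holds opaque blobs by name and never sees the key.
type CloudStore struct {
	blobs map[string][]byte
}

func NewCloudStore() *CloudStore { return &CloudStore{blobs: map[string][]byte{}} }

func (c *CloudStore) Put(name string, blob []byte) { c.blobs[name] = append([]byte(nil), blob...) }

func (c *CloudStore) Get(name string) ([]byte, bool) { b, ok := c.blobs[name]; return b, ok }

// NewKey generates a 256-bit key that stays on the client.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM under a fresh random nonce and
// binds the object name as associated data. Layout: nonce || ciphertext || tag.
func Seal(key []byte, name string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open reverses Seal. A modified blob, a wrong key or a mismatched name all
// fail the GCM tag check and return an error rather than bogus plaintext.
func Open(key []byte, name string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

// Upload encrypts locally and hands only ciphertext to the store.
func Upload(store *CloudStore, key []byte, name string, plaintext []byte) error {
	blob, err := Seal(key, name, plaintext)
	if err != nil {
		return err
	}
	store.Put(name, blob)
	return nil
}

// Download fetches the blob and decrypts it locally.
func Download(store *CloudStore, key []byte, name string) ([]byte, error) {
	blob, ok := store.Get(name)
	if !ok {
		return nil, errors.New("no such object")
	}
	return Open(key, name, blob)
}

// ProviderSeesPlaintext reports whether the stored bytes contain the
// plaintext; with client-side encryption in place this is false.
func ProviderSeesPlaintext(store *CloudStore, name string, plaintext []byte) bool {
	blob, ok := store.Get(name)
	return ok && bytes.Contains(blob, plaintext)
}

func main() {
	key, _ := NewKey()
	store := NewCloudStore()
	secret := []byte("constructed sample: Q3 drilling targets, do not distribute")
	_ = Upload(store, key, "prospects.txt", secret)
	fmt.Println("provider can read plaintext:", ProviderSeesPlaintext(store, "prospects.txt", secret))
	out, err := Download(store, key, "prospects.txt")
	fmt.Println("client round-trip ok:", err == nil && bytes.Equal(out, secret))
}
```

The point edis raises still stands: whatever holds the key (the client software, the vendor's sync agent, a key-management service) becomes the new choke point, so the benefit depends on that key never being handed to the same provider that stores the ciphertext.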
  • by RockDoctor ( 15477 ) on Tuesday December 31, 2019 @03:05PM (#59574560) Journal
    It's their job, and they're doing it well. And I'm sure that the US's various corporate and state hackers are doing their jobs well, and their Russian and British and French colleagues are likewise doing their jobs well.

    Which part of "bellum omnium contra omnes" wasn't clear when you were in compulsory schooling?

    • by edis ( 266347 )

      Do they cover this, and latin at all, in compulsory schooling? Or is it rather coming from sheer arrogance?

      • No, picking up a fistful of Latin comes from studying the sciences and a couple of Romance (i.e., derived from the Roman tongue) languages. Which were part of compulsory schooling, at least when I was at school.

        That life is a war of all against all is something that you'd have been ingesting at your mother's tit.

        • by edis ( 266347 )

          "War of all against all" goes against most of the assumptions taken as a starting point by current civilization (including Christianity).
          In fact, Thomas Hobbes states with that phrase, in 1642, that civil society begins by departing from such a state.
          You were bred quite strangely by modern standards.

          I demonstrate, in the first place, that the state of men without civil society (which state we may properly call the state of nature) is nothing else but a mere war of all against all; and in that war all men have equal right unto all things.

          • Your first claim suggests that the bases of "current civilization (including Christianity)" are pretty fucked-up and not in alignment with human behaviour. I'm happy to agree with you on that.

            "You were bred quite strangely by modern standards."

            Only half-century-old standards. I'm sure your standards will be very different from those current, if you choose to bring up children. Considering some of the dumbfucks and dipshits that seem to be going around the world these decades, I'm pretty glad to not share an upbr

  • by shoor ( 33382 ) on Tuesday December 31, 2019 @03:13PM (#59574578)

    As a country, I wonder how much they actually benefit from stealing corporate secrets and so on. Individuals may use secrets in scams and shakedowns, sure, but what does the country as a whole do?

    I remember reading "The Mitrokhin Archive" (https://en.wikipedia.org/wiki/Mitrokhin_Archive [wikipedia.org]) about how the Soviet Union was stealing a lot of technology from the West, from corporations mostly, and how it was so much easier and cheaper than trying to develop it on their own. Many people in the West would say, OK, we've got to clamp down and become more secretive, but I think that would have had a cost that a lot of suits wouldn't appreciate. It would be to some extent stifling innovation and slowing everything down. (I'm not an extremist who says everything should be open, just that a stringent, objective cost-benefit analysis should be done on levels of secrecy.) The Soviet Union was always behind the West in technology partly because they depended on stealing. I suspect the Chinese may find themselves in the same boat.

    • "The Soviet Union was always behind the West in technology partly because they depended on stealing. I suspect the Chinese may find themselves in the same boat."

      5G
      Case closed.

    • by AmiMoJo ( 196126 )

      The most interesting thing in those archives is the fact that Russia has been trying to stir up division and tension with lies and fake news since the cold war. Back then it was fake letters and newspaper articles, now it's Facebook and Twitter, but it's essentially the same attack.

    • "Many people in the West would say, OK, we've got to clamp down and become more secretive, but I think that would have had a cost that a lot of suits wouldn't appreciate. "

      In a lot of cases the other tactic was taken - realising that a lot of stuff was open knowledge anyway or could be worked out from photographs, what was leaked to the soviets was _deliberately_ wrong in critical places (example: The wing leading edge design of the Concorde), in order to send them up a blind alley despite photos showing th

  • And people are puzzled why I use cash instead of plastic everywhere I possibly can. I saw the handwriting on the wall a long time ago now: if it's this easy for them to steal things that are that valuable, you bet your ass it's at least as easy to hack into anything else. I suspect the only reason some criminal organizations aren't draining people's bank accounts en masse is it would make too much noise to be ignored anymore.
  • The US spies are tasked by Congress to answer specific questions; that's how it works. The NSA, for example, will process one of these requests and return the data to the Congresscritter that asked for it. No one really knows what the Congresscritter does with that information. It seems likely that some hints are handed under the table when meeting with CEOs. Also, the US says it only spies for National Defense. Well, what is NOT related to national defense? Like, say, the price of milk in Canada, steel p
  • You can only blame yourself at this point.
  • The US Military was told to move to the cloud years ago. When they're told to do something, they do it. Who knows if they're safe or not.

    Sometimes to this day I get deer in headlights look when I say - Cloud is nothing more than someone else's computer.

  • The USA engaged in state-sponsored industrial espionage, intellectual property theft and wholesale copyright violations against the rest of the world throughout the 18th, 19th and 20th centuries, frequently against countries it was supposedly allied with - rejecting the Berne convention on copyright until it was _forced_ to accept it by the rest of the world. (And it still engages in a lot of state-sponsored intellectual property theft, just less brazenly)

    Now the boot's on the other foot, it's like watching

  • I'm NOT an extremist, but look at the Western news: the Western grandpa said the "Soviet Union" stole, the Western parent said "Japan" stole, now the new generation is saying "China" stole ... maybe tomorrow you'll say "India" stole ... are you in favor of repeating the same boring, funny thing and continuing this with your son, grandson ... ? Regarding security and secretiveness, whose ass is clean? For me, it's none. So when you point to the Soviets, Japan, China... do you check whether the US government and corps' asses are really clean? it's s
  • The PRC must have gotten impatient with the manufacturing magnates they deal with to share IP and to lobby the feds.
    Or maybe they are not getting enough IP from PRC nationals being funneled into US universities, where much of the bleeding-edge development is done.
