This is a mean-spirited interpretation of what happens when you claim nation state.
Generally the government (as of now) is not paying private (but maybe some Critical Infrastructure companies) companies to secure things. We are in the very early stages of figuring out how to hold companies accountable for security breaches, and part of that is figuring out if they should have stopped it.
A lot of that comes down to a few principles:
* How resourced is the defender versus the attacker?
* Who was the attacker? (Attribution matters; shoutout @ImposeCost on Twitter/X.)
* Was the victim of the attack performing all reasonable steps to show the cause wasn't some form of gross negligence.
Nation state attacker jobs aren't particularly different from many software shops.
* You have teams of engineers/analysts whose job it is to analyze nearly every piece of software under the sun and find vulnerabilities.
* You have teams whose job it is to build the infrastructure and tooling necessary to run operations
* You have teams whose job it is to turn vulnerabilities into exploits and payloads to be deployed along that infrastructure
* You have teams of people whose job it is to be hands on keyboard running the operation(s)
Depending on the victim organization, if a top-tier country wants what you have, they are going to get it and you'll probably never know.
F5 is, at least by Q2 revenue[0], a very profitable, well-resourced company that has seen some things and been the victim of some high-profile attacks and vulns over the years. It's likely that they were still outmatched because there's been a team of people who found a weakness and exploited it.
When they use verbiage like nation-state, it's to give a signal that they were doing most/all the right things and they got popped. The relevant government officials already know what happened; this is a signal to the market that they did what they were supposed to and aren't negligent.
HN can be unnecessarily vicious when it comes to these situations. They have a very narrow slit in which they see companies because they extrapolate their understanding into the large corporation.
The attacker needs to find 1 fault in a system to start attacking a system, the company needs to plug ALL of them to be successful, continually for all updates, for all staff, for all time.
Having been on both sides of that fence, I don't envy the defenders; it is a losing battle.
> Having been on both sides of that fence, I don't envy the defenders; it is a losing battle.
Being on the defenders' side, I would say it is not a losing battle.
It is a matter of convenience versus security: not using up-to-date libraries because it requires some code rewrites and "ain't nobody got time for that", adding too much logic to functions and scope creep instead of segregating services, not microsegmenting workloads, using service accounts with full privileges because figuring out what you actually need takes too much time; and the list could go on.
I am not blaming all developers and engineering managers for this because they might not know about all the intricacies of building secure services; part of the blame is on the ops and security people who don't understand them either and think they're secure when they are not. And those folks should know better.
And third, hubris: we have all the security solutions that are trendy now, we’re safe. Do they actually work? No one knows.
[0] -https://www.f5.com/company/news/press-releases/earnings-q2-f...