Even that may not work. See Stuxnet.[1]

[1] https://en.wikipedia.org/wiki/Stuxnet

>As someone who's older, and is just generally gobsmacked all the time by the sloppiness in cybersecurity, all of this is just not surprising.

as someone who used to work in cybersec (and is also older), most of the time (in my experiences) it isnt sloppiness.

1) people fight tooth and nail against anything that inconveniences them. security is almost always going to be an inconvenience tradeoff, so it is always fought against. from every person and every department. rolling out 2fa was worse than pulling teeth, despite it being a single button press ("approve") on the phone, once or twice a day (or less). c-suite is the worst, demanding exclusions and bypasses. its hard to say no to your bosses boss when they refuse to use a password manager, refuse to setup 2fa, or whatever the case is.

2) security offers no immediate or visible return on investment. so, it gets little to no positive attention by c-suite and even less budget. you end up with underpaid, under-qualified, over-worked people trying to figure out which thing they might be able secure out of the 10 things that need securing. half of them will be tied up trying to explain to someone why they cant use the company name as their password or begging someone to use the password manager.

even here, a forum of hackers, security is often put in scare quotes and almost always mentioned beside the word "theater". people brag about still running windows 7, because it was the last good windows. antiviruses arent needed. X security feature is just a lie so that company Z can control my device. people get big mad when a company rolls out mandatory 2fa. and so on.

edit: case in point, on this thread a comment was just posted with "I think you can argue that cybersecurity doesn't really matter, in the grand scheme of things."

> We managed to put buttons on appliances that don't make the appliance explode, but failed to do that in email links, which are just buttons.

Reminds me of the time I accidentally entered my bank PIN into my washing machine and hackers ran off with $500 of my money.

What puzzled me most was the time and energy put into the attack, all for the off chance of a successful attack. Security footage showed them removing my washing while I was at work and replacing it with one the hackers controlled. This "phishing machine"-- as I now call it-- was apparently fitted with some kind of LoraWAN device waiting for me to unwittingly enter my PIN to unlock. Something my washing machine never asked me to do before, btw, but I did it anyway (like an idiot).

I changed my bank PIN, but I still use the old PIN to run the phishing machine-- funny enough it's fully functional and in fact works better than the old one.

All said, the hackers probably lost $1000 on the deal. Police said this is a very common attack on washing machine buttons throughout the Southeast, so I'm wondering if part of our current economic stagnation is due hackers going into bankruptcy from this.

> And then, we still have yet to punish or hold accountable any large party who made things this way. Until we do that, keep expecting this.

This is the key. No incentive to change. It's always "the hacker's fault" and never "the manufacturer's negligence" or "the developer's carelessness" or "the user's gullibility." Combine this with the currently-prevailing Don't Blame The Victim mentality, and it's the perfect environment for never improving cybersecurity.

We just caught our company president, CFO, and head of sales using smuggled Starlink dishes on the roof with wide open wifi because our firewall "broke things".

Thank goodness for all the other layers... the firewall is just doing basic hygiene. The SASE and zero trust policies are doing the heavy lifting.

No one want's to follow any rules and when caught out do not want to take respnsibility for their own actions.

Since it was an open wifi, I hope we get nailed for hosting child porn or cryptocoin scams... ffs

The issue is also one of agency: the public has absolutely no agency in this. There is nothing an ordinary member of the public can do to avoid having their data exposed, there is nothing they can do to cause corporations to have more robust security models nor to cause actual consequences for all the executives that chose profit over security at every possible decision point.

To the public this becomes like the risk of being hit by lightning or being in a car accident, just background noise we avoid thinking about as much as possible. It is just the cost of living in this economy.

> a giant pedophile ring has been exposed that no one in power seems interested in doing anything about

But that's not true. The European Union and many other countries are taking extreme measures to ensure that what happened in the United States never happens with them and they are introducing a bunch of different measures to strengthen control over society, the media sphere, and other measures to ensure that no pedophile rings could be exposed.

As fatiguing as legal breach notices are to lay people, it's equally frustrating as a dev because security is not a distinguishing feature we can advertise in our product so we can't prioritize it at all. Let the lawyers figure it out later seems to be best practice now.

And of course vuln finding is now automated so even if we do a good job locking it down this morning, nothing will not keep out the next wave tonight.

Plus, our current political atmosphere encourages digital chaos, for example gutting CISA.

Its the tech worlds equivalent to eating X causes cancer.

HN is a bit of a bubble in that people here tend to be quite privacy focused and would be horrified at the prospect of their details being leaked.

For a lot of normal people that's not the case and as long as they don't get someone actually stealing their identity etc. they aren't really concerned about these kind of things

Frustratingly, I have my foot in both worlds to a degree. I'm interested enough in tech to pay attention and often lurk the tech bubble that is HN and hear about the raging dumpster fires from the folks who live and work in that domain. But I exist in a mostly non-tech world IRL where this exists among the other burning dumpster fires to the point that I can't care about another data hack, and i hate that I don't have the bandwidth to care. To a more acute degree, my mother was nearly wiped of half her life savings by "hackers"/fraudsters posing as employees of her bank. Being "hacked" is a part of life now, and outrage fatigue is real.

> a giant pedophile ring has been exposed that no one in power seems interested in doing anything about

This was one of the things Trump got 2024 elected on - many Republican voters were extremely keen on this being addressed. I'm glad Trump's fumbled it now so the Democrats are interested in addressing it, though for the wrong reasons.

Yep.

There's nothing abnormal about that.

These were all funded 2-3 years ago (heck I participated in some of these). Companies only go out of stealth when they are publicly announcing their Series A (usually right around the time of a major buyer event like BSides/RSA or DEFCON/Blackhat.

Funding rounds usually happen around 5-6 months before they get announced on TechCrunch or Calcalistech becuase such information are a signal to competition about a specific approach. It's also a massive distraction from building, because then you have to deal with media, press releases, and actually have a product marketing team. You don't want to do this until you can hire a couple PMs and PMMs (which is usually around the seed-to-series A transition becuase you will have hit the $5M ARR mark by then).

This how stuff is done here in SV as well and has been for decades.