MPEx breach - post mortem

Monday, 07 October, Year 5 d.Tr. | Author: Mircea Popescu

It's been a week since coming back online. All is calm and so I suspect we may regard the incident as over, and look back towards it as a thing of the past and part of history, with a view to draw morals and conclusions. You may draw your own, but if interested in mine they are below.

I. Social engineering is the #1 threat you face. Appallingly coded pieces of crap made by mentally feeble dorks (such as Tor or Bitdaytrade) are defeated through technical means all the time, sure. Nevertheless, if you're not mentally feeble and you're not coding a piece of crap the possibility of technical breach shall be and should be the least of your concerns. Mind that BitInstant lost a few hundred BTC in a social engineering attack last year, mind that Lavabit ended up closed through a social engineering attack last monthi, mind that even the NSA, for all its lavish expenditure out of ill gotten proceeds and all its advertised (if false) abundance of young bright minds and qualified engineer hands has pretty much abandoned technical attacks and is concentrating primarily on social engineering tactics.

They can't break RSA so they plant moles on implementation standards committees to make sure it never gets implemented, and they try to get the consumer to use Tor for the exact reason they were trying to suppress PGP and push DES back in the day. For that matter, gleefully ignorant people like J P Koning gleefully failing to realise that gleefully discussing a well known, well documented collection of scams and scammers as if it were a Bitcoin stock exchange does a lot of damage to the future of the poor saps reading him as if he were an expert that thinks before opening his mouth. It's not MPEx that suffers from this sort of stupidity any more than PGP suffered from all the effort to push DES, any more than secure online communication suffered from all the pushing of Tor. It's the saps that believe the pusher - whether he's honestly clueless or earnestly doing his job - that get the shaft.

Social engineering is your enemy, social engineering will stay your enemy. Permanently, your biggest enemy. If you don't have plans to fight this beast in all its multifacetious forms you don't have plans to survive, and that's how it is.

II. A breach is massive psychological trauma. I've had people throw up over it. The last time I had seen grown humans throw up like stressed out cats we were in a ditch and being fired upon. There is no real difference at work, trauma exists in the brain as a function of the mind not in the body as a function of sensata, and as such a breach is going to hurt your best and most dedicated people the most. You'd better be prepared.

You'd better be prepared, because the momentary impression of everyone doing the everyday job of making the thing you've made breathe and digest and slowly grow and move around its environment in response to stimuli will be that it's the end of the world. It's the CEOs job to keep calm and provide anchors for everyone else to work from, and if you're not capable of doing this, and doing it well, you're no CEO and you should never have been called that in the first place. This is what the job is.

III. Keep the channels clear. The people doing the thankless, unknown and unrecognised job of handling the communications of your project, preparing drafts you throw across the room eighteen times in a row because you've never read something this stupid this year, trying to make some sort of sense of what may be said and what may not be said and how to say it in such a way that it's even worth saying in the first place will do what they do : lock up. They'll want to make a statement "once all is finished". They'll want to deny everything. They'll want to do all the wrong things to do at such a time, as everyone else does them, all the time. Look around and see which corporations handle crisis well on a communications perspective and you'll see why humanities departments are in such poor shape everywhere.

So you're going to have to provide an anchor for them too. You're going to clear for publishing a lot of material that will have comms experts protest with big wide eyes that "with all due respect they don't think" etc. You're going to do all that and do it all the time without exception not just when you remember about having read this on Trilema sometime, and the result will be that it gets very easy to do for one and that attacks actually strengthen you, whether successful or not. Because guess what, when I say "well they got lucky on the 6th try" I have the goods to back it up with. Because I disclosed at the time, although "we don't really need to". Sure we don't, and for that matter we don't really need to do our homework or even show up for work. Rent's not even due yet, right ?

That's about it. Sure, you'll take measures so this particular thing doesn't happen again. Maybe it won't. Maybe it will. You don't know the future, and you can't get emotionally invested in knowing the future. That's not your job, a CEO is not a sort of digital age shaman, we're not a primitive horde living in a scavenger world atop artifacts we don't understand but can sort-of use, reconstructing our ancestral, tribal habits out of bits of silicon and cable optics. And for that matter, something else will happen. Definitely.

A breach is a test, but not of the everyday processes of your project, not of its normal respiration, common digestion, usual metabolism. A breach in an exceptional event, and as such it is a test of your project's exceptional qualities, wide reaching plans, deep and flawless understanding and self representation of the world it lives in. It's a test of you.

May you pass it rather than merely pretend like you had.

———
  1. Yes, the fiat courts and their orders are no different from the famished Ghanaian and his friends in this context : thieves, the lot of them. []
Category: 3 ani experienta, MPEx
Comments feed : RSS 2.0. Leave your own comment below, or send a trackback.

11 Responses

  1. "Social engineering is the #1 threat you face" even if you're the NSA: http://yro.slashdot.org/story/13/11/08/163245/snowden-used-social-engineering-to-get-classified-documents

  2. Mircea Popescu`s avatar
    2
    Mircea Popescu 
    Saturday, 9 November 2013

    Definitely.

  3. What aout for the TSA that just hurts people while it makes them werk?

  4. Mircea Popescu`s avatar
    4
    Mircea Popescu 
    Saturday, 9 November 2013

    I'm kinda surprised there's not a lot more TSA pranking going on tbh.

  5. I know you want to be NSA which has no teeth. Still lawful New Mexico style pranks...

  6. Mircea Popescu`s avatar
    6
    Mircea Popescu 
    Saturday, 9 November 2013

    Wait, what ?!

  7. NSA just watches. TSA injures, unlike the T&A.

  1. [...] and independent ideas, quite unlike everyone else." [↩]And by the way, allow me to remind : Social engineering is the #1 threat you face. Which social engineering includes COMSEC disinformation planted by enemy agents. Jus' sayin'. [...]

  2. [...] the hell happened here. Sorry for the downtime! ———MPEx security breach ; MPEx breach - post mortem [↩]If we're not cheapskates content to just format the failed drive and reconstruct [...]

  3. [...] me just reiterate and thickly underscore an older observation : I. Social engineering is the #1 threat you face. Appallingly coded pieces of crap made by [...]

  4. [...] for you, it's not like the NSA works more because stupid people than because [...]

Add your cents! »
    If this is your first comment, it will wait to be approved. This usually takes a few hours. Subsequent comments are not delayed.