by _8j50 2197 days ago
A hacking unit is offensive. It's like saying, "America's elite nuclear force failed to stop an ICBM". Blowing up things (attack) is a different ballgame than defending things. Think of it this way: if you are a hacker devoting 40hrs a week carefully studying and planning to infiltrate a network, you will succeed. APT actors have entire groups of teams dedicated to infiltrating one target at a time. Getting in is feasible; persisting, lateral movement and exfiltration without getting caught is very difficult, but even commercial tools like Cobalt Strike are built to allow different teams to focus on different stages of a hack.

It's more analogous to saying "the defense contractors for a new stealth plane failed to protect the designs and prototypes, so the enemy now has all of the detailed info they need to build countermeasures against this stealth technology". Securing the plans for stealth is a key requirement of the stealth continuing to work.

Also, I'm sure those members of "the hacking team" weren't allowed to discuss their work with their family/friends, so it's not terribly unrealistic to expect them to use even just basic security hygiene (e.g. don't share admin passwords).

No, that's not the analogy at hand. The designers of a stealth plane are just that. The right analogy would be if the Navy SEALs designed a secret weapon, someone infiltrated their ranks and exfiltrated the weapon's plans. Navy SEALs are not immune to moles. No org is.

Your implication that this was due to lack of proper security hygiene is unfounded. Security hygiene reduces risk; it does not eliminate it. Risk is proportional to threat and attack surface. For an org like the CIA, they have a not-so-small attack surface and the whole world as their threat, so reduction in risk by means of common security controls and hygiene will not reduce risk from the most persistent and resourceful attackers. The analogy to your reasoning would be "Google has an army of devs and security pros, so Chrome should never have a remote code execution vuln". No, as much as they may have money and talent, modern software is too complex for those resources to eliminate all bugs. Perspective is important.

I agree that your analogy works better.

> Your implication that this was due to lack of proper security hygiene is unfounded. Security hygiene reduces risk; it does not eliminate it.

Nope. No security professional will admit that anything ever eliminates risk, so that's a strawman fallacy.

The point is that sharing admin passwords is a blatant violation of cybersecurity hygiene which every employee of the CIA is capable of understanding and avoiding. If the org can't enforce even just the basic stuff, there's not much hope of raising standards above that.

> from the most persistent and resourceful attackers.

Here's a secret that everyone already knows: the most persistent and resourceful attackers will always get in given enough time.

I agree on both of your last two points. Not sure where we disagree then.
You screw up at offense if your weapons are destroyed or disabled. In the case of exploits, this is exactly what happens when they leak out. Your ability to attack in this case is equivalent to keeping your arms useful.

This isn't what happened; their weapons were exposed and adversaries now know about them. Their effectiveness is still greater than 0. Digital weapons are copied, not stolen. This is the equivalent of Russians sending spies to the US to steal nuke secrets and then they developed their own nuke. The fact that the US has nukes has nothing to do with their ability to keep secrets and keep out spies. Furthermore, Russians having nukes did not make American nukes ineffective; they simply lost an advantage, and to be frank it was only a matter of time. Just like with the CIA hack. And it will happen again!