[ixaxaar]

Any org? Would, for example, openai be included in your definition of "any org"?

Look, "in principle" stuff is not how the real world works. AFAIK, hacks happen mostly because of carelessness. No one cares because no one cares if they care (and the compensations etc reflect that). I know enough such cases in fintech (forget about other verticals), which are mostly stupid like wrong RBAC, open firewall, AWS keys taken by roommate etc and not public of course.

[nradov]

Foreign governments are almost certainly trying to insert intelligence agents as employees in OpenAI, and other high profile technology companies. We already know that Saudi intelligence infiltrated Twitter. There are likely many other such agents in other companies.

https://www.nbcnews.com/tech/security/former-twitter-employe...

There are certain security measures which can minimize insider threats. But ultimately it's just hard to guard against agents who are willing to commit felonies in order to carry out their missions. Even defense industry companies which have tight security over classified information have been repeatedly penetrated.

[cduzz]

The Saudis gave a pile of cash to Musk so they likely have their own Room 641A now. No need for subterfuge.

[Veserv]

Yes. Any org. A few million dollars guarantees you unrestricted access to any network-connected system.

The upper bound of security is unable to make attacks with a 10 M$ return unprofitable. Raising the lower bar just raises the barrier to entry for new participants, it does not stop existing ones.

Most attacks do use basic techniques since a 10 M$ payout on 10 K$ cost is still better than 10 M$ payout on 1 M$ cost. No point wasting the good stuff when the basic and cheap stuff works just as well. But if you get rid of all the cheap ways in they will still attack using the more expensive stuff since the payout is still wildly profitable.

[Aerbil313]

I’d like to see evidence if this. Because it seems unrealistic, even a well protected org? Ok, say the employees are the weak chain. What about those with zero trust access policies?

[Veserv]

My knowledge derives from personal experience, but if you want digestible evidence you can go read the books: “Click Here to Kill Everybody” by well known cryptographer Bruce Schneier or “This Is How They Tell Me The World Ends” by the lead cybersecurity reporter of the New York Times, Nicole Perlroth.

[qaq]

I mean OKTA was breached, Mandiant was breached it doesn't get more protected than those.

[qaq]

Almost 90% of breaches start with an email so code your developers write have very little to do with primary attack vector. You have to realize that well resourced APT like say APT-29 actually run research labs where among other things they test their exploits against all top tier Endpoint security solutions. So if you are a target of well resourced group they are going to get in.