
I think we should expect this kind of thing from teenagers: there's a certain level of out-of-the-box thinking and risk-to-reward inversion that comes from youth. Brazen solicitation of associates / operatives on public forums is certainly unique, and not a tactic which most other actors would pursue due to the risk involved.

I also think that things aren't as bad as we think security-wise. The attacker's lack of industry experience helps with marketing to media who also lack industry experience. Somehow "Lapsus$" are "the world's most dangerous hacking syndicate", but in reality they've fully compromised several Portuguese companies with poor information security to begin with, released a treasure trove of mostly only curiosity-interesting source code from some big names, and posted some screenshots of restricted-access customer support tools. Breathless excitement about each new discovery has whipped the media into a frenzy over disclosures which sound juicy but ultimately aren't altogether that impactful - another accidental benefit of youth, I think.

To me the scariest thing in "cyberspace security terms" probably isn't that a minor has done all this - that seems reasonable to me - but what happens when an adult is inspired to adopt the same approaches? IMO this is the leading edge of something, an innovative approach pioneered by an outsider, less so than it is the trailing edge of "even a teenager could do this."

I think the biggest insight here is the power of chat tools like Slack. These tools need much more robust controls than are currently present at most companies. At most large enterprise software companies I've seen, there is little to no role-based or level-based access control applied to chat, and a vast amount of information is accidentally available in messaging logs, even to employees like contractors or low-trust employee accounts which have been locked out and just "need to Slack someone to get back in." Chat apps need much more access control from both a role and trust-level point of view.



> I think we should expect this kind of thing from teenagers: there's a certain level of out-of-the-box thinking and risk-to-reward inversion that comes from youth. Brazen solicitation of associates / operatives on public forums is certainly unique, and not a tactic which most other actors would pursue due to the risk involved.

Reminds me of: https://en.wikipedia.org/wiki/Ender's_Game

Hoping to earn himself expulsion from the school for his ruthlessness, he sacrifices his entire fleet to fire a Molecular Disruption Device at the planet. The Device completely destroys the planet and the surrounding bugger fleet. He is shocked to hear the I.F. commanders cheering in celebration. Mazer informs Ender that the "simulations" he has been fighting were real battles, directing human spacecraft against Formic fleets via an ansible's instantaneous communication, and that Ender has won the war.
