Phone Hijacking Librem 5 Possible?

Yes and no.

Mostly the hackers aren’t targeting anyone in particular. They try every IP address for every exploit they want to / every phone number for every social engineering trick they want to. Once they find something that works (e.g. they have broken into your PC / email) then they will opportunistically target you i.e. try to leverage one exploit in order to extend it into something that makes them money - whether that is by ransomware, or by other extortion, or by unauthorized bank transfers, or by misdirected bank transfers. Other times they might just sell any information that they have harvested on the black market.

So in the context of the specific scam being discussed in this topic … the hacker himself performs the login (having grabbed your password) and intercepts the SMS code (having hijacked your phone number) and hence successfully logs in (the 300 seconds, if that is the limit, is not a problem therefore), and hence successfully does whatever you can do when logged in.

Obviously it is also true that sometimes particularly companies and governments are specifically targeted.

1 Like

absolutely NOT … i will simply use the www address and make a web-app out of it … it works already under PureOS Byzantium with latest web-browser updates on my LMini so why should i use Anbox for it ?

i just asked them to see if they were AWARE of Purism as a company but you know how support can be … depends on who you have the ‘honor’ of speaking with … :sweat_smile:

1 Like

Just recently I read about phone emulator farms, which target individuals in massive amounts: https://arstechnica.com/information-technology/2020/12/evil-mobile-emulator-farms-used-to-steal-millions-from-us-and-eu-banks/ They pose as user’s phone and intercept the SMS verification and it’s all (mostly) automated.

1 Like

I guess the trick is, to not make yourself a target (o).

I think the trick is that unbreakability is designed in at every stage. Not making yourself a target sounds like “victim blaming”. In any case, many attacks are completely untargeted i.e. hit as many people as possible in the hope of getting some successes.

1 Like

Collateral damage due to an attack of mass collection?

An interesting facet of that is the expectation that “baddie” will look for the easiest target, a target of opportunity. There is some merit to, that if there are no defences and “doors are wide open”, it’s below the expected norm in modern networks. But that shouldn’t be seen as an invitation. What the norms are and should be, is another matter - it may fluctuate.

I see a lot of attacks.

Pass 1: They don’t look for the easiest target. They target everybody. They are just scanning for vulnerabilities.

(I run Linux exclusively but I see attacks that are obviously intended for Microsoft Windows - and no doubt others that are likewise intended for Windows but I just don’t know it. I also see attacks that are 100% definitely targeting Linux only. Most hackers don’t know or care. They just try everything everywhere until they find a vulnerability.)

Pass 2: Where they find a vulnerability they will target for closer attention and potential successful attack.

For most people it is far more likely that you will be hit by this “scatter gun” approach, than that you will be personally targeted. However personal targeting does definitely happen (dissidents, outspoken critics of government, people of influence, industrial espionage, …).

So having a vulnerability is what makes you a target. Avoiding vulnerabilities is what we should be working towards.

1 Like

ok but keeping world-wide lockdowns in place is what encourages this type of vulnerability … people having no other means of expressing themselves through speech than through some obscured technology (most cell-phones, ‘smartphones’ , internet, phone land-lines etc.)

the idea is that whereas before people could express speech in the most direct and natural way possible (eye-to-eye, face-to-face, smoke-signals, etc.) now they are forced to resort to other less “secure” means … the path is wide now because the attack surface has been widely exposed (more people, more attack surface …)

That I do agree, although I’d word it a bit differently. By default, any system is insecure at some level (“infinite time, processing power and money…”) if it allows any connection or login - it’s a matter of degrees how insecure. If you are more insecure than others, it increases chances to be targeted (personally or by “scattergun”). But that doesn’t change the fact that it shouldn’t be seen as an invite, as a partial acceptability or any permission to breach a system, even if they have a weak password or silly security. This is where reality and principle meet.

Unless it’s a honeypot

2 Likes

That’s true but then you have to look at motivation. Most attacks are petty scammers. It has to make economic sense. There’s no point spending millions of dollars trying to break into one potential target in order to scam $10,000 when you scan 100,000,000 potential targets looking for easy vulnerabilities for much lower cost. It’s only when you get to targeted attacks that substantial resources might be thrown at one potential target.

A lot of the attacks that I see are old vulnerabilities that have long since been fixed. So the hackers are just looking for people who can’t even be bothered keeping their software up to date (or the manufacturer has dropped support for a device and owner can’t be bothered / can’t afford / doesn’t know to replace the device).

That’s true. Unauthorized access is unauthorized access even if you have accounts without passwords that are internet-accessible.

Yeah, cost is a variable. But there is more than one type of attack and more than money to be gained - although for this, that is enough. Surely it can be agreed that inability to patch isn’t an invite nor permission either, and that it’s not always that easy. It should be easier and SW should be better designed (in principle I’d prefer meticulous planning and secure design over agile and fast methodologies, but have to pick battles - too many windmills already). Meaning, there are often unrelated obstacles to being able to have and create and upkeep a secure system. One being, that limited resources (incl. time) may require to bolster against some threats and take a chance with others.

might be worth a look :

2019 - iHuman < https://en.wikipedia.org/wiki/IHuman_(film)
2020 - 4 Presidents < no wiki link yet
2020 - the Dissident < https://en.wikipedia.org/wiki/The_Dissident

Of course.

Yes, this is part of the problem. Time-to-market is more important than security. Security is an afterthought, if ever.

1 Like