The way I describe it to friends and family is that there are basically two levels of protection:
- Protecting yourself from rub of the mill malware that is looking to make money off of you. You can do this pretty effectively by always updating your software as soon as you can and avoiding sketchy and unnecessary apps and websites
- Protecting yourself from an attack by a nation state level agency. I don't think there is any way to be safe from this, and people who are targeted like this need to use protection that go well beyond the choice of cell phone or chat app
Basically, you’re either dealing with Mossad or not-Mossad. If your adversary is not-Mossad, then you’ll probably be fine if you pick a good password and don’t respond to emails from ChEaPestPAiNPi11s@ virus-basket.biz.ru. If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they’re going to use a drone to replace your cellphone with a piece of uranium that’s shaped like a cellphone, and when you die of tumors filled with tumors, they’re going to hold a press conference and say “It wasn’t us” as they wear t-shirts that say “IT WAS DEFINITELY US,” and then they’re going to buy all of your stuff
at your estate sale so that they can directly look at the photos of your vacation instead of reading your insipid emails about them. In summary, https:// and two dollars will get you a bus ticket to nowhere. Also, SANTA CLAUS ISN’T REAL. When it rains, it pours.
I think this understates the threat of privatized hacking tools. Governments that can barely tie their shoelaces now have access to capabilities that only a few heavy hitters used to have. One example: In Mexico NSO software was used to target anti-obesity activists who were pushing for less soda pop consumption.
The funny thing is that despite all of this high end, super secret, extremely sophisticated technology used against them, those activists won in the end.
> Protecting yourself from an attack by a nation state level agency.
My personal data was hacked by a nation-state level agency. The only way I could’ve prevented that is by not working in a national security position for that country’s geopolitical rival.
Now the only thing I can reasonably do is avoid ever stepping foot in that country lest they detain me for “extra questioning.”
Eh, thanks but don’t feel bad for me. There’s hundreds of other countries I can visit. I feel bad for the dissidents who are targeted within their own country and have no hope to leave.
This is sort of in the middle. NSO Group's exploits are surely expensive, but they are also not pinpointed. The states buying these exploits aren't spending the unlimited resources at their disposal to do the exploitation, it just costs them cash. This is one of the thing that likely promotes proliferation of this stuff, since it is so easy to pick another target.
So I do think there is a level between these two where you can be defended against nation states that will use COTS-equivalent exploits against you even if you won't resist an active attempt by a full team targeting you very specifically.
But doing this is hard as hell in the modern world, because so so so much of our device surfaces is riddled with memory errors.
“Nation state” is a well-defined term in the political sciences, and we misuse it here on HN all the time. To quote Wikipedia:
“A nation state is a political unit where the state and nation are congruent. It is a more precise concept than "country", since a country does not need to have a predominant ethnic group.”
Nation-state is often used in a different sense to distinguish the participants in the Westphalian system of sovereignty from other entities that might be labelled nations and/or states; this use derives in part from the fact that the Westphalian system is itself considered the turning point to nation-states (in the sense the parent describes) as a general norm, and that the participants in that system are generally also nation-states in that primary sense. (While “state” alone is often used for this where context makes it clear that this sense of “state” it s intended, there are lots of other uses of “state”—particularly for subordinate units of certain Westphalian sovereigns—which can create ambiguity, and “Westphalian sovereign” is a lot more cumbersome than “nation-state”.)
But the Westphalian system explicitly emphasizes the importance of the boundaries of the state vs the size of those boundaries. The HN usage tends to imply that “nation state” is something particularly impressive. But “an attack by a San Marino-level agency” doesn’t convey that same level of impressiveness.
Yeah, in security, “nation-state level actor” is used to mean “the most capable category of attackers, most (all?) of whom are particularly powerful nation-states [0]”, not “attacker at the level of at least the least-capable nation-state”.
Russia is 81% ethnic Russian, per Wikipedia. I think that's close enough to qualify for "nation and state are congruent".
Sure, it might make more sense to define this as "state-level agency", but that would confuse things for Americans. My internet security threat model ignores the state agencies of Montana just as much as yours ignores those of San Marino.
Well, perhaps the original poster was using it accurately.
In my experience, the common HN usage really translates to “country with a big military budget”, which is not at all what the term means.
Neither the US nor Russia are nation states. China and San Marino are both nation states. I’m guessing the poster meant “countries like the US, Russia and China”, and not “countries like China and San Marino.”
Honestly I think they just mean "state". Yes, some states have more resources than others, but the ones without a lot of resources generally aren't engaging in cyber attacks, and "state" as a general category is good enough summary.
I think people say "nation state" in part just because it flows better rhythmically, and in part because of that whole "westphalian" thing; and because the word "state" has other confusing meanings (including in CS, state as in 'state machine'; and the 50 USA states).
But really on HN when talking about "threat actors", they mostly just mean "state-level". (See I had to add -level to make it rhythmically like 'nation state' again, the one syllable 'state' is just too short it just plops into your sentence ruining it)
[Hey, why is it called the United Nations instead of the United States anyway? Oops, cause there already is a United States. But the UN is clearly an organization of States not Nations. But the things are conflated and confused generally in European nationalist ideologies of the 18th-20th centuries, that have affected our vocabulary and concepts for these things, it's not just HN. "Nation" is often used as a synonym for "State", so "nation state" ends up just kind of doubling down]
I say "state-level actor".
Almost any contemporary liberal democracy (and not only those) at least formally defines itself as a state of it's citizens, not belonging to any particular "nation" (ie ethnicity basically) in particular. I don't see the point in distinguishing between states that are "nation" states or not in the 21st century, or think that it has a clear distinction.
>Hey, why is it called the United Nations instead of the United States anyway? Oops, cause there already is a United States. But the UN is clearly an organization of States not Nations.
States are sovereign political entities; of course modern countries tend to have a federal state made of several constituent states (see: USA, Germany, etc) where each claims certain jurisdiction. In ancient times there were city-states like Athens, Sparta... and even in 18th century Europe cities like Venice were states (Republic of Venice).
Nations are people united by something they have in common. That could be shared history, language, culture, the geographic area they live in, or something more abstract like fandom of certain sports teams or other hobbies.
There is considerable overlap between nations and states, and given state is already overloaded, extra words are added for clarity.
I like "state-level" because these sorts of exploits and attacks are really about resources, not sovereignty, territory, etc. The fact is a rich person or company could fund a team that does vulnerability research and get results on par with the top tier folks already doing it.
And, the UN should be called the "United Countries" since it is really about territorial areas. They admit members based on geographical claims; I don't see any ethnic, cultural, or fandom group (that isn't in control of some territory and thus also country/nation) as a member.
It's to distinguish the hypothetical attacker and their resources from an individual or group of individuals. The threat to my personal health if Mossad is after me vs a particularly violent jilted ex-lover vs if I took down the local gang/cartel/drug dealer (ie they all want to kill me) but the level (and possibility) of defense against each of those threats are vastly different.
> I don't think there is any way to be safe from this
Apple could certainly do a lot more to protect their customers, and we generally let Apple off far too lightly here. For starters: using their enormous revenues to bid up the prices for these cracks. Writing better software, eg using well-known techniques to harden imessage. etc.
Also they could treat their employees better so there’s less churn. Every newly-hired kernel engineer is bound to repeat the same technical mistakes that their predecessor made a decade ago.
But is this because computers fundamentally cannot be made secure, or due to backdoors and sloppy coding? I’ve heard BSD is pretty secure right? Couldn’t we make phones that secure if we didn’t bloat them with flashy new features every six months?
- Protecting yourself from rub of the mill malware that is looking to make money off of you. You can do this pretty effectively by always updating your software as soon as you can and avoiding sketchy and unnecessary apps and websites
- Protecting yourself from an attack by a nation state level agency. I don't think there is any way to be safe from this, and people who are targeted like this need to use protection that go well beyond the choice of cell phone or chat app