
If you were sneaking chips into boards and wanted to know if you were caught, what classes of information would you find useful?

What classes of information wouldn't be immediately useful, but would be useful in aggregate?



Not helpful.

If your premise is that the article might tip off attackers to the idea that they have been caught, these points are moot. Either they have been caught, or the article is actually bullshit.


Not helpful.

But that's okay, I'm going to hold your hand for a bit. Pretend the article said "three hidden microphones were found to be added to this board." That tells the attacker which board is being tested, that they are testing for microphones, and how many of their microphones have been found.

If your job is to hide microphones every day, do you see how this information could help you moving forward? Do you see why this is more than a binary caught/not caught?


There was no reason not to answer straightforwardly at the beginning. Weird that you didn’t.

Yes, it’s possible there is more than one attack and they want to avoid revealing which ones have been detected.

This may be the class of information they are protecting.

If so, the journalism leaves us in the same position as the attackers - the number of attacks we know have been detected is in the range 0 - n.

I.e. it’s possible the article is complete bullshit. Another possibility is that the article is itself disinformation. If attackers can’t tell then neither can we.

What it is not, is a news story we can trust.


>it’s possible the article is complete bullshit. Another possibility is that the article is itself disinformation.

Okay, that's fair.

Your question was about what kinds of information an attacker can use. I didn't think of your question in the context of the entire article being disinformation.

I need to think more about that.

>Yes, it’s possible there is more than one attack and they want to avoid revealing which ones have been detected.

>This may be the class of information they are protecting.

>There was no reason not to answer straightforwardly at the beginning. Weird that you didn’t.

I'm glad I didn't, and I'm glad you took the time to puzzle that through.

>Nice try

You want to give your attacker as little information as possible. Even information about the kinds of information you're restricting can be used against you.


> I'm glad you took the time to puzzle that through.

I didn’t puzzle anything through. I just kept asking until you responded straightforwardly.

I just wanted to know what classes of information people thought the journalists might be protecting.

>Nice try

> You want to give your attacker as little information as possible. Even information about the kinds of information you're restricting can be used against you.

At some level yes, but not at the level of this discussion. The ideas we’re talking about here are widely present even in pop-culture.


> I just wanted to know what classes of information people thought the journalists might be protecting.

I just made a joke. You didn't get it (?), so I encouraged you to think through some possible answers to your own question. If you can think of more than one class of information that you wouldn't want your attacker to know you have, then you can arrive at the punchline yourself.

It's not too late to try it, by the way. Thinking like the attacker is a good exercise. The attacker doesn't even have to be real.

>At some level yes, but not at the level of this discussion. The ideas we’re talking about here are widely present even in pop-culture.

I'm not sure what you mean by this, but operational security would still apply even when you have to make press releases. Companies juggle this all the time, e.g. sharing just enough about their proprietary technology to attract new employees/customers without giving everything away.


> I just made a joke. You didn't get it (?), so I encouraged you to think through some possible answers to your own question.

If you really were making a joke, you could have just said so when I ‘didn’t get it’. I’d probably have said something like ‘fair play’, or ‘nice’.

Because you didn’t, we are left with other possibilities to consider:

1. You were just being condescending from the beginning, and are now trying to claim it was a joke to save face.

2. It was a bad joke, and you doubled down on condescension to save face.

The evidence supports either of these because ‘encouraging someone to think something through’ when you haven’t engaged in good faith conversation is an ignorant and condescending move.

Have you considered the possibility that I am asking what other people think because I want to know what other people think, and that ‘being encouraged to think it through’ will simply not answer that question?

There is nothing to suggest that you are an expert on this topic. Your own knowledge of it is limited despite having ‘thought it through’, proven by the fact that my response to your first real answer immediately showed you had missed something.

There is nothing wrong with making jokes, even bad ones, but following up with condescension makes it look like you weren’t actually joking.

We’ll never know now.

> I'm not sure what you mean by this, but operational security would still apply even when you have to make press releases.

Are you trying to create the impression that you are in personal possession of secrets about this attack?


>If you really were making a joke, you could have just said so when I ‘didn’t get it’. I’d probably have said something like ‘fair play’, or ‘nice’.

Lol ok

>Have you considered the possibility that I am asking what other people think because I want to know what other people think, and that ‘being encouraged to think it through’ will simply not answer that question?

Had you considered the possibility that you asked a low-effort question? "What kind of useful information [might malicious actors look for]?" is about as deep as "hey how long should my password be". You are on Hacker News. I honestly thought you were joking when you asked it.

Do you really just want to talk about how the article makes China look bad? That's legit, but not at all related to the question you asked.

>There is nothing to suggest that you are an expert on this topic. Your own knowledge of it is limited despite having ‘thought it through’, proven by the fact that my response to your first real answer immediately showed you had missed something.

Nobody said I'm an expert? You asked about very basic threat modeling and I tried to walk you through a very basic exercise.

The thing I missed (the article itself is disinformation) wouldn't actually change much about the threat model. The writers still have to decide what/how much information about their business practices to share, and the attackers still gather every bit of info they can. The attack in the article could be a lie. The article could still accidentally reveal something new (or confirm something old) to any potential attackers. If the article mentions a specific factory, for example, that's another data point an adversary can use to model their supply chain. If it mentions a name and that name leads to a LinkedIn profile, the attackers get a little bit of the company's org chart. Those little leaks add up and must be actively managed.

>There is nothing wrong with making jokes, even bad ones, but following up with condescension makes it look like you weren’t actually joking. We’ll never know now.

I invite you to puzzle that one through yourself :-)

>Are you trying to create the impression that you are in personal possession of secrets about this attack?

Lol


> Had you considered the possibility that you asked a low-effort question?

As I said - condescending - and now we can see that your answer was in bad faith. That’s not encouraged on Hacker News.

> "What kind of useful information [might malicious actors look for]?" is about as deep as "hey how long should my password be". You are on Hacker News. I honestly thought you were joking when you asked it.

Obviously not. You can’t claim to know much about the subject.

> is about as deep as "hey how long should my password be"

You don’t actually know what range of answers a good faith commenter might have.

You are simply confirming that your response was in bad faith, as it appeared.

> Do you really just want to talk about how the article makes China look bad?

What are you talking about?


>As I said - condescending - and now we can see that your answer was in bad faith.

Lol I stopped reading here


Did you?



