Just two days ago the BBC published[1] a story about how a ransomware group tried to infiltrate their network by.... approaching their cybersecurity correspondent.
We were still in the EU when GDPR came along, and we haven't repealed our implementation of it, the Data Protection Act ( 2018 ), which has mandated disclosure in line with GDPR.
Even pre-GDPR we had much stronger data protection than most countries with the Data Protection Act ( 1998 ), although I don't remember that having disclosure rules, it did have a lot of things that companies only freaked out about post GDPR and the weight of the EU behind severe penalties.
https://www.bbc.com/news/articles/c8d70d912e6o indicates that the recently announced breach was separate from the one in May (for which the attackers were arrested in July?). I think the one in May leveraged CVE-2025–31324.
From a brief review, it looks like the underlying platform they use is https://www.scayle.com/ (though I'm not sure its the one that was attacked) its just the one I found while looking at their site.
I know very little about cyber security in the wild - little Bobby Tables is about my level.
Are these hacks unavoidable, or are they indicative of shoddy IT on the victim's side? There has been a sleugh of cyberattacks recently and I don't know what to make of it.
If it's kind of like getting burgled - get good home security but a determined burglar will get in anyway - then it's a systemic problem we have to somehow tackle as a society. And if it's shoddy workmanship, again, it would appear so widespread that we have to do something about it.
I'm not passing judgment, just trying to understand.
IMO it's shoddy. Anybody can get hacked, that's true. But a modern corp that has tried to defend itself should have multiple layers of defenses against complete pwnage.
If you've paid attention in the last 10 (or even 5) years as a company, and did some pentests and redteams, you've seen how you could be breached, and you took appropriate steps years ago.
A non-shoddy company will have:
- hardened their user endpoints with some sort of modern EDR/detection suite.
- Removed credentials from the network shares (really).
- Made sure random employees are not highly privileged.
- Made sure admin privileges are scoped to admin business
roles (DBA admin is not admin on webservers, and vice-versa).
- Made sure everyone is using MFA for truly critical actions and resource access.
- Patched their servers.
- Done some pentests.
This won't stop the random tier 2 breach on some workstation or forgotten server still hooked up on prod/testing, but it will stop the compromise _after_ that first step. So sure, hackers will still shitpost some slack channel dumps, but they won't ransomware your whole workstation fleet...
I guess you forgot the most important part: making sure your security and devops teams and people in company management follow exactly the same protocol as everyone else with no exception.
Because big bosses hate it when their PC don't just let them run whatever they want and they are not allowed to VPN into network from their home or their grandma desktop because they like her very much.
Also any Linux nerd sysadmin dude (like me) who know better is another type of person who hate following rules.
There is no system in use by a commercial entity in the world that can stop criminals with ~10 M$ from completely bypassing all of their security and doing arbitrary amounts of damage. If the attackers can on average derive more than 10 M$ of return, then you are guaranteed profitable to hit.
For instance, in the 2023 casino hacks of MGM and Caesars, Caesar paid a random of ~15 M$, making them profitable. In the JLR hack, JLR has incurred ~500 M$ of damage to date. These attacks cost less than 10 M$ to create and deploy guaranteed.
However, most commercial systems are vastly easier to hit than even 10 M$. I would venture that most of these high profile attacks are on the order of merely ~10-100 K$ to actually create and deploy making them wildly profitable with a ROI in the 10-1000(!) range. And, if you have the choice of spending 100K to get 15 M$ or 10 M$ to get 15 M$, it is pretty obvious who you would prioritize.
It is like the story of two people and the hungry bear. Even if you can not outrun the bear, if you can outrun the other person then the bear will tear you apart second.
So it is both. Everything is shoddy. Some are dramatically more shoddy than others. And the hungry bears are breeding so they can eat all the dodos.
No doubt there are some professional cyber criminal groups like ones from North Korea, but I seriously doubt that most of high-profile attacks even cost $10-100k. I mean you could say that if salary of random black hat researcher from Turkey, ex-USSR or Nigeria was $100,000 / year. But they obviously have no salary whatsoever and just trying and trying until they finally find suitable target.
Most likely all that was used is $50 / month server for nmap and other tools, bunch of $3 / month VPNs. Or might be everything that was needed is $10 for a eSim and one scam call.
And of course a lot of time of a person who can't get properly paid job anyway. Obviously might be only few people succeed, but in the end each particular attack cost peanuts.
> Are these hacks unavoidable, or are they indicative of shoddy IT on the victim's side?
That's a really good question and one that I've asked (myself) many times. What I can't understand is that on one side you have an IT division that (probably) has a substantial budget, security hardware and software layers, security strategies and probably hundreds of personnel. On the other side you have a group of hackers/crackers who have none of the above, but often succeed. How does that work? Srsly!
It's likely already happened, but we will never hear about it. Their attack surfaces will be clustered and broken up, through an inhomogenous distribution of various systems and layers and networks, and the entirety of the system will be protected through disjoint connections, both the intentional and the bureaucratic and structural that follow from the mere fact of being really big organizations. Any particular unit within the whole that gets pwned will have recovery tactics available, but reporting will probably be kept as private as humanly possible, even to the extent of avoiding reporting to government, so as to avoid "damage" to markets, loss of reputation, runs on the bank, and so forth. If they don't have a near instant recovery and mitigation of the attack, they'll be much more likely to pay and recover, quietly, than most other organizations. There are laws and regulations and boxes that get checked to ostensibly hold them to a high cybersecurity standard, but that's a lot of theater and pomp for public confidence over anything practical. Where they benefit is from being able to pay for teams and high quality security personnel and being incentivized to avoid getting hacked.
It's not in anyone's interest to make a lot of fuss or noise in the public eye, so us chickens out here won't ever hear about anything that happens.
That comes with the caveat that the big banks can afford to pay really nasty people to go find hackers and turn them over to authorities, or worse options in more lawless parts of the world, and the public will never hear about those actions either, which disincentivizes the hackers. There are easier ways of getting more money with less risk of catastrophic personal outcomes, with the technical difficulty of even attempting anything serious filtering out the impulsive and stupid.
Just because you never heard about, say, the BancoEstado ransomware attack doesn't mean it was covered up. It's actually pretty much impossible to cover up impactful ransomware events for several very obvious reasons.
For sure, but these are the level of organizations that have PR firms on hand to put in a lot of work to suppress news, to frame things in as bland a manner as possible, to use all the available tools to ensure that even if things get reported, they're noticed as little as possible. Authorities often work with them to suppress and gag reporting of specific institutions that get hit, for a variety of reasons, but obviously including corruption - it's easy to convince politicians that they don't want pension funds or mortgage lenders or whatever to take a hit from negative publicity.
Over the last 5 years, dozens of huge financial firms - banks, hedge funds, credit unions, mortgage lenders, etc - have been hit, and about 15-20% pay the ransoms.
Even if public notice is mandated, there are probably cases where it's an obscure notification on some official government website, or a 3-4 page deep "announcement" on a company page phrased to look innocuous and routine. "We experienced a cybersecurity incident which was resolved" or what have you.
It's fairly trivial for them - routine - to cover things up, right out in the open, and with the speed of the news cycle, it's only gotten easier.
We should probably mandate disclosure by big corporations, institutions, and banks through a glaringly obvious, top half of the front page of their website, blunt declaration for 30 days, with a government page listing incidents and responses for 5 years. "XXX Corp was hit by ransomware and paid $123 in bitcoin to the APT Group AwfulAsshats"
Mandating by law that ransom not be paid puts the onus of maintaining proper disaster and ransomware recovery on the insitutions - if you're handling a huge scale of resources, you're on the hook for responsibly managing your employees security and livelihoods, your users and customers assets and data, and not incentivizing ransomware as a viable avenue of attack. If you can't handle the responsibility of securing against ransomware, you've no business handling people's data and money, frankly.
This would wipe out a whole slew of nonsense businesses, I think.
"Bank runaway" and "Loss of confidence in markets" does it.
That works for your country. Why aren't banks in smaller countries affected? Their security is not good, and markets aren't important.
In Costa Rica there was an incident where the equivalent of the IRS was held ransom and the government didn't pay. (Thumbs up to them.) Again, why doesn't that happen to banks there?
Depends on the confidence and appetite for risk of the leadership, what they're instructed to do by boards, what they think they can or should get away with. If it's a hesitant political creature who wants to hide weakness it's going to be much different outcome than a strong leader with a principled stance, like Costa Rica.
Lots of shitty behavior is grounded in what weak people imagine other people will think of them, and them bending over backwards to hide and cover up and obfuscate. Those are the ones that pay ransomware gangs, and they're also the ones that don't plan ahead and prepare responsibly.
Luckily, the Venn diagram overlap of black hat hackers and greying IBM mainframe programmers who understand things like JCL, RPG, COBOL and VSAM is a very small one indeed.
It is this grammatical "mistakes" that make it so obvious a scam is a scam. I often raised my eyebrows at phishing messages and wondered if they knew grammar, but then realized in Nigeria this is their most appropriate grammatical structure and language begins with "Dear Sir..."
It's because shops were traditionally named after the people who owned them. There are still loads of shops bearing people's names, even now.
"Sainsbury's" supermarket used to be "J. Sainsbury's" named after its founder John Sainsbury, &c. "Morrisons" was "Wm Morrison" founded by William Morrison. So when you refer to a shop you say Sainbury's as in [Mr.] Sainsbury's shop, or "Morrison's" as in Mr. Morrison's shop.
Then this becomes so ingrained it gets misapplied sometimes. I don't think I'd ever say Asda's though. But I would say Tesco's, even though Tesco is the initials of three people.
> A new cybersecurity and resilience bill will make it mandatory to report more incidents. The bill’s slow progress is frustrating security experts, according to Jamie MacColl, a senior research fellow at Rusi. However, ministers have been reluctant to impose more regulation on businesses, but having “major cybersecurity incidents is not good for economic growth,” he said.
A minister's bill is less effective than a Ukrainian soldier's bullet.
> In July, four people including a 17-year-old boy were arrested on suspicion of being involved in cyberattacks on Harrods, the Co-op, and Marks and Spencer, and were bailed pending further inquiries.
Your proposal is we have a foreign army come over and start executing children? What is this Bush era nonsense.
My proposal is the Western world do more to support the Ukrainian military, defeat the Putin regime militarily, and usher in the collapse of the russian federation.
You can't have state-sponsored cyber-attacks if the state sponsoring the cyber-attacks goes away.
No, I am not proposing anyone start killing children. What a ridiculous misinterpretation of my words. It's the russian military who kill kids[0], and nobody should be ok with that. It's also the russian government recruiting children to commit acts of sabotage[1] abroad.
I generally agree with your stance about the situation in eastern Europe, but there's no particular reason to connect that to this incident. There's no public evidence that this was state-sponsored or even connected to Russia at all. They definitely provide sponsorship and cover to a lot of attacks, but still are not the only source of online crime. We have plenty in the US and the UK and everywhere else.
You know more than one thing can be true at once though right?
I.e.some combination of state sponsored, opportunistic script kiddies and better reporting. After the earlier attacks subsequent ones get more press as well.
> Although cyberattacks have become more high profile, there is little reliable data on how many attacks take place in the UK each year. Hackers are drawn from a mix of organised criminal gangs, those sponsored by state actors including Russia and China, and hacktivists with a political agenda, according to a report by the Royal United Services Institute (Rusi).
The UK and EU has seen a significant increase in cyber-attacks and acts of sabotage since February 2022. In some cases, evidence has been found that the attacks were orchestrated by the russian government.
Nothing screams newspeak-like thinking than western 'pacifists' that thinks self-defense, from an enemy that explicitly wants to harm us and destroy our way of living, is somehow violent. This kind of opinions are literally killing people.
Yes and no. That's the problem. It was a war pushed at every point by the US and other powers because Ukraine was the buffer state to weaken Russia.
If I was Ukrainian I'd be naturally angry at russians but also at everyone who caused the partial destruction and displacement of my country for geopolitical profit. Now BlackRock et Al will swoop in to make money "rebuilding".
All the lives lost, for nothing.
It's tough to swallow.
Now, what I can't stand is someone who keeps propping the "just more war casualties and money and we'll finally win". Just more forcible drafting and cannon fodder and we'll win.
Come on, when is enough enough?
And now, I'm not hippie. I believe in defending yourself but this didn't play out as simply as that.
I understand the personal anger of individuals, but pushing for the war and misery in a blackn and white manner.
Yes, the russian regime started the war. There isn't more to it than that.
> Come on, when is enough enough?
Enough will be when the russian federation collapses, and the russian military is removed from all of Ukrainian territory, including Donbas and Crimea. Clearly, you don't think this is realistic, but that's because you're ignorant, wilfully or otherwise. The current Ukrainian military strategy of destroying russian crude oil refinement facilities is accelerating the collapse of russia. This will be what reverses course on the broader global trend of war and authoritarianism. Western diplomacy didn't do this. Peaceful protest didn't do this. Economic sanctions didn't do this. Ukrainian military strategy is doing this.
> And now, I'm not hippie
I don't think you're a hippie, but I do think you're delusional.
You sound like a propagandist for a war that has no chance of a good outcome and every moment that passes, more lives are lost pointlessly. Your speech is not new. We've heard it all along.
Give me a date of when will it happen and we can talk again then.
And going back to my original point, it's extremely unfair that you get to push a war you're not fighting because you're not fighting it. Collaborating to it and getting commended for it is not fighting it. You don't die. Your child doesn't die. Your risk profile is definitely not the same.
So your bravado doesn't move me. I do hope for the war to end and the life loss to end and the post war era to not be too cruel on the people who get screwed over by the "rebuilding" vultures.
But that will be diplomacy and not your "total victory will come through our strength, we just need more money to kill more".
I like how your wording doesn't actually say that you actually fought in the war as a soldier, which would only get my commiserations for being used as a pawn for the benefit of geopolitics. The partial destruction of the country is extremely sad to see but I won't support the manufacture of wars nor be impressed by bullshit bravado or war jingoism.
I know what pointless violence is and don't glorify it. It never looks good. It's not a movie. It's not something to be proud of, and it depends a lot on luck.
Just two days ago the BBC published[1] a story about how a ransomware group tried to infiltrate their network by.... approaching their cybersecurity correspondent.
I wonder if it was the same group.
[1] https://www.bbc.com/news/articles/c3w5n903447o
From the article, it sounds like this was earlier in the year, but they're only revealing it now? Isn't that way beyond the deadline for such things?
Does the UK actually have a mandated deadline for any kind of infosec disclosure?
If the breach contains personal data then you are supposed to report it within 72 hours:
https://ico.org.uk/for-organisations/report-a-breach/persona...
We were still in the EU when GDPR came along, and we haven't repealed our implementation of it, the Data Protection Act ( 2018 ), which has mandated disclosure in line with GDPR.
Even pre-GDPR we had much stronger data protection than most countries with the Data Protection Act ( 1998 ), although I don't remember that having disclosure rules, it did have a lot of things that companies only freaked out about post GDPR and the weight of the EU behind severe penalties.
Terrible tech reporting, as is the norm.
https://www.bbc.com/news/articles/c8d70d912e6o indicates that the recently announced breach was separate from the one in May (for which the attackers were arrested in July?). I think the one in May leveraged CVE-2025–31324.
Thank you, from that article:
> A spokesman for the store said that its own system had not been compromised, and that the breach is not connected to a cyber attack in May
From a brief review, it looks like the underlying platform they use is https://www.scayle.com/ (though I'm not sure its the one that was attacked) its just the one I found while looking at their site.
I know very little about cyber security in the wild - little Bobby Tables is about my level.
Are these hacks unavoidable, or are they indicative of shoddy IT on the victim's side? There has been a sleugh of cyberattacks recently and I don't know what to make of it.
If it's kind of like getting burgled - get good home security but a determined burglar will get in anyway - then it's a systemic problem we have to somehow tackle as a society. And if it's shoddy workmanship, again, it would appear so widespread that we have to do something about it.
I'm not passing judgment, just trying to understand.
IMO it's shoddy. Anybody can get hacked, that's true. But a modern corp that has tried to defend itself should have multiple layers of defenses against complete pwnage.
If you've paid attention in the last 10 (or even 5) years as a company, and did some pentests and redteams, you've seen how you could be breached, and you took appropriate steps years ago.
A non-shoddy company will have:
- hardened their user endpoints with some sort of modern EDR/detection suite.
- Removed credentials from the network shares (really).
- Made sure random employees are not highly privileged.
- Made sure admin privileges are scoped to admin business roles (DBA admin is not admin on webservers, and vice-versa).
- Made sure everyone is using MFA for truly critical actions and resource access.
- Patched their servers.
- Done some pentests.
This won't stop the random tier 2 breach on some workstation or forgotten server still hooked up on prod/testing, but it will stop the compromise _after_ that first step. So sure, hackers will still shitpost some slack channel dumps, but they won't ransomware your whole workstation fleet...
I guess you forgot the most important part: making sure your security and devops teams and people in company management follow exactly the same protocol as everyone else with no exception.
Because big bosses hate it when their PC don't just let them run whatever they want and they are not allowed to VPN into network from their home or their grandma desktop because they like her very much.
Also any Linux nerd sysadmin dude (like me) who know better is another type of person who hate following rules.
In these times of ransomware, also (off-site) backup / restore / disaster recovery.
There is no system in use by a commercial entity in the world that can stop criminals with ~10 M$ from completely bypassing all of their security and doing arbitrary amounts of damage. If the attackers can on average derive more than 10 M$ of return, then you are guaranteed profitable to hit.
For instance, in the 2023 casino hacks of MGM and Caesars, Caesar paid a random of ~15 M$, making them profitable. In the JLR hack, JLR has incurred ~500 M$ of damage to date. These attacks cost less than 10 M$ to create and deploy guaranteed.
However, most commercial systems are vastly easier to hit than even 10 M$. I would venture that most of these high profile attacks are on the order of merely ~10-100 K$ to actually create and deploy making them wildly profitable with a ROI in the 10-1000(!) range. And, if you have the choice of spending 100K to get 15 M$ or 10 M$ to get 15 M$, it is pretty obvious who you would prioritize.
It is like the story of two people and the hungry bear. Even if you can not outrun the bear, if you can outrun the other person then the bear will tear you apart second.
So it is both. Everything is shoddy. Some are dramatically more shoddy than others. And the hungry bears are breeding so they can eat all the dodos.
No doubt there are some professional cyber criminal groups like ones from North Korea, but I seriously doubt that most of high-profile attacks even cost $10-100k. I mean you could say that if salary of random black hat researcher from Turkey, ex-USSR or Nigeria was $100,000 / year. But they obviously have no salary whatsoever and just trying and trying until they finally find suitable target.
Most likely all that was used is $50 / month server for nmap and other tools, bunch of $3 / month VPNs. Or might be everything that was needed is $10 for a eSim and one scam call.
And of course a lot of time of a person who can't get properly paid job anyway. Obviously might be only few people succeed, but in the end each particular attack cost peanuts.
> Are these hacks unavoidable, or are they indicative of shoddy IT on the victim's side?
That's a really good question and one that I've asked (myself) many times. What I can't understand is that on one side you have an IT division that (probably) has a substantial budget, security hardware and software layers, security strategies and probably hundreds of personnel. On the other side you have a group of hackers/crackers who have none of the above, but often succeed. How does that work? Srsly!
The defenders need to score every time to win the game. The attackers only need to score once.
It's almost like they earned enough from the data that the risk was worth it
How much time before a large bank will be held hostage by such an attack?
It's likely already happened, but we will never hear about it. Their attack surfaces will be clustered and broken up, through an inhomogenous distribution of various systems and layers and networks, and the entirety of the system will be protected through disjoint connections, both the intentional and the bureaucratic and structural that follow from the mere fact of being really big organizations. Any particular unit within the whole that gets pwned will have recovery tactics available, but reporting will probably be kept as private as humanly possible, even to the extent of avoiding reporting to government, so as to avoid "damage" to markets, loss of reputation, runs on the bank, and so forth. If they don't have a near instant recovery and mitigation of the attack, they'll be much more likely to pay and recover, quietly, than most other organizations. There are laws and regulations and boxes that get checked to ostensibly hold them to a high cybersecurity standard, but that's a lot of theater and pomp for public confidence over anything practical. Where they benefit is from being able to pay for teams and high quality security personnel and being incentivized to avoid getting hacked.
It's not in anyone's interest to make a lot of fuss or noise in the public eye, so us chickens out here won't ever hear about anything that happens.
That comes with the caveat that the big banks can afford to pay really nasty people to go find hackers and turn them over to authorities, or worse options in more lawless parts of the world, and the public will never hear about those actions either, which disincentivizes the hackers. There are easier ways of getting more money with less risk of catastrophic personal outcomes, with the technical difficulty of even attempting anything serious filtering out the impulsive and stupid.
Just because you never heard about, say, the BancoEstado ransomware attack doesn't mean it was covered up. It's actually pretty much impossible to cover up impactful ransomware events for several very obvious reasons.
For sure, but these are the level of organizations that have PR firms on hand to put in a lot of work to suppress news, to frame things in as bland a manner as possible, to use all the available tools to ensure that even if things get reported, they're noticed as little as possible. Authorities often work with them to suppress and gag reporting of specific institutions that get hit, for a variety of reasons, but obviously including corruption - it's easy to convince politicians that they don't want pension funds or mortgage lenders or whatever to take a hit from negative publicity.
Over the last 5 years, dozens of huge financial firms - banks, hedge funds, credit unions, mortgage lenders, etc - have been hit, and about 15-20% pay the ransoms.
Even if public notice is mandated, there are probably cases where it's an obscure notification on some official government website, or a 3-4 page deep "announcement" on a company page phrased to look innocuous and routine. "We experienced a cybersecurity incident which was resolved" or what have you.
It's fairly trivial for them - routine - to cover things up, right out in the open, and with the speed of the news cycle, it's only gotten easier.
We should probably mandate disclosure by big corporations, institutions, and banks through a glaringly obvious, top half of the front page of their website, blunt declaration for 30 days, with a government page listing incidents and responses for 5 years. "XXX Corp was hit by ransomware and paid $123 in bitcoin to the APT Group AwfulAsshats"
Mandating by law that ransom not be paid puts the onus of maintaining proper disaster and ransomware recovery on the insitutions - if you're handling a huge scale of resources, you're on the hook for responsibly managing your employees security and livelihoods, your users and customers assets and data, and not incentivizing ransomware as a viable avenue of attack. If you can't handle the responsibility of securing against ransomware, you've no business handling people's data and money, frankly.
This would wipe out a whole slew of nonsense businesses, I think.
"Bank runaway" and "Loss of confidence in markets" does it.
That works for your country. Why aren't banks in smaller countries affected? Their security is not good, and markets aren't important.
In Costa Rica there was an incident where the equivalent of the IRS was held ransom and the government didn't pay. (Thumbs up to them.) Again, why doesn't that happen to banks there?
Depends on the confidence and appetite for risk of the leadership, what they're instructed to do by boards, what they think they can or should get away with. If it's a hesitant political creature who wants to hide weakness it's going to be much different outcome than a strong leader with a principled stance, like Costa Rica.
Lots of shitty behavior is grounded in what weak people imagine other people will think of them, and them bending over backwards to hide and cover up and obfuscate. Those are the ones that pay ransomware gangs, and they're also the ones that don't plan ahead and prepare responsibly.
Please tell your creator to enable --prefer-concise-replies.
Luckily, the Venn diagram overlap of black hat hackers and greying IBM mainframe programmers who understand things like JCL, RPG, COBOL and VSAM is a very small one indeed.
> JCL, RPG, COBOL and VSAM
Nobody understands those things, they just take working code and modify it.
Hell a lot of it isn't modified. I've recently seen cobol files with a last modified entry of '85.
Like ICBC? Already happened
Bad news, folks: the erudite hackers have added an apostrophe to Harrod's logo
For some reason the "no apostrophe" thing is common in UK company names.
The greengrocer’s have taken the entirety of the British High Streets apostrophe supply.
6 orange’s for just £3!
> just £3
Which is of course pronounced: JAST FREE PAAAAAARND
Morny stannit!
I think you will find that is JAST FREE PHAAAAAND
we've used ours on cocktail's for happy hour
https://londonist.com/2016/10/londons-dropped-apostrophes
Happy accident there with the URL.
[dead]
It is this grammatical "mistakes" that make it so obvious a scam is a scam. I often raised my eyebrows at phishing messages and wondered if they knew grammar, but then realized in Nigeria this is their most appropriate grammatical structure and language begins with "Dear Sir..."
Interestingly, it's common in the Midwest to add "'s" where it doesn't exist when referring to a brand e.g. calling Costco "Costco's".
https://styleblueprint.com/everyday/why-do-people-add-s-to-t...
It's because shops were traditionally named after the people who owned them. There are still loads of shops bearing people's names, even now.
"Sainsbury's" supermarket used to be "J. Sainsbury's" named after its founder John Sainsbury, &c. "Morrisons" was "Wm Morrison" founded by William Morrison. So when you refer to a shop you say Sainbury's as in [Mr.] Sainsbury's shop, or "Morrison's" as in Mr. Morrison's shop.
Then this becomes so ingrained it gets misapplied sometimes. I don't think I'd ever say Asda's though. But I would say Tesco's, even though Tesco is the initials of three people.
Surely this is the same worldwide?
As mentioned above, in Liverpool, Asda becomes Asdas. Whether it has an apostrophe or not I don't know.
Similarly common in the UK, or at least where I am (Glasgow, Scotland).
Completely normal to say "Tesco's", "Aldi's" etc.
Marks and Spencers.
Wait..make that "Markses".
Some companies decided to embrace the pattern: Goldberg became Goldbergs, Morrisons, Dobbies...
Same in Liverpool, it's an Aldis or Asdas, neither of which have an S
[flagged]
Great, that'll be another intelligence review Monday morning.
Can someone give the kids a ping pong table or something so i can eat my breakfast in peace?
> A new cybersecurity and resilience bill will make it mandatory to report more incidents. The bill’s slow progress is frustrating security experts, according to Jamie MacColl, a senior research fellow at Rusi. However, ministers have been reluctant to impose more regulation on businesses, but having “major cybersecurity incidents is not good for economic growth,” he said.
A minister's bill is less effective than a Ukrainian soldier's bullet.
Funny you say this because Scattered Spider is largely made up of Western teenagers, not Russians.
There is a fair bit of grooming going on out there on the private discord channels and similar.
> In July, four people including a 17-year-old boy were arrested on suspicion of being involved in cyberattacks on Harrods, the Co-op, and Marks and Spencer, and were bailed pending further inquiries.
Your proposal is we have a foreign army come over and start executing children? What is this Bush era nonsense.
Honestly, kinda.
I support legalizing drone striking ransomware operators.
My proposal is the Western world do more to support the Ukrainian military, defeat the Putin regime militarily, and usher in the collapse of the russian federation.
You can't have state-sponsored cyber-attacks if the state sponsoring the cyber-attacks goes away.
No, I am not proposing anyone start killing children. What a ridiculous misinterpretation of my words. It's the russian military who kill kids[0], and nobody should be ok with that. It's also the russian government recruiting children to commit acts of sabotage[1] abroad.
[0]: https://www.politico.eu/article/former-wagner-group-commande...
[1]: https://www.justiceinfo.net/en/147402-ukraine-fsb-recruits-t...
I generally agree with your stance about the situation in eastern Europe, but there's no particular reason to connect that to this incident. There's no public evidence that this was state-sponsored or even connected to Russia at all. They definitely provide sponsorship and cover to a lot of attacks, but still are not the only source of online crime. We have plenty in the US and the UK and everywhere else.
Yup, I find I hard to believe kids have suddenly discovered hacking in the last two years.
It's either covertly state sponsored, or outsourcing everything to India is finally showing some results.
You know more than one thing can be true at once though right?
I.e.some combination of state sponsored, opportunistic script kiddies and better reporting. After the earlier attacks subsequent ones get more press as well.
What's state sponsored about a bunch of bored children putting in dummy calls to retail helpdesks?
I dont see what this has to do with russia russia russia
It's literally in the article.
> Although cyberattacks have become more high profile, there is little reliable data on how many attacks take place in the UK each year. Hackers are drawn from a mix of organised criminal gangs, those sponsored by state actors including Russia and China, and hacktivists with a political agenda, according to a report by the Royal United Services Institute (Rusi).
That's just a general statement; nothing suggests these children are working with or acting on behalf of Russia.
More likely they are spectrum'd to fuckery or pushing a political agenda.
> More likely
What are you basing this probability on?
The UK and EU has seen a significant increase in cyber-attacks and acts of sabotage since February 2022. In some cases, evidence has been found that the attacks were orchestrated by the russian government.
I suppose it's all one big coincidence?
[dead]
Unfortunately, it's become Bush-Obama-Biden-Trump era nonsense because it seems ingrained now.
Add all your other "western leaders" out there who also seem to love and push for wars fought by others and not their children or themselves.
[flagged]
>1984 style war propaganda
Nothing screams newspeak-like thinking than western 'pacifists' that thinks self-defense, from an enemy that explicitly wants to harm us and destroy our way of living, is somehow violent. This kind of opinions are literally killing people.
Your "they hate us for our freedoms and our way of living" is pure propaganda and doesn't work anymore.
Your opinions to create wars that didn't need to happen are literally killing people.
Boring stuff, really. Update the chip. Stop destroying countries.
The russian regime started the war.
Yes and no. That's the problem. It was a war pushed at every point by the US and other powers because Ukraine was the buffer state to weaken Russia.
If I was Ukrainian I'd be naturally angry at russians but also at everyone who caused the partial destruction and displacement of my country for geopolitical profit. Now BlackRock et Al will swoop in to make money "rebuilding".
All the lives lost, for nothing.
It's tough to swallow.
Now, what I can't stand is someone who keeps propping the "just more war casualties and money and we'll finally win". Just more forcible drafting and cannon fodder and we'll win.
Come on, when is enough enough?
And now, I'm not hippie. I believe in defending yourself but this didn't play out as simply as that.
I understand the personal anger of individuals, but pushing for the war and misery in a blackn and white manner.
We're way past that.
> Yes and no.
Yes, the russian regime started the war. There isn't more to it than that.
> Come on, when is enough enough?
Enough will be when the russian federation collapses, and the russian military is removed from all of Ukrainian territory, including Donbas and Crimea. Clearly, you don't think this is realistic, but that's because you're ignorant, wilfully or otherwise. The current Ukrainian military strategy of destroying russian crude oil refinement facilities is accelerating the collapse of russia. This will be what reverses course on the broader global trend of war and authoritarianism. Western diplomacy didn't do this. Peaceful protest didn't do this. Economic sanctions didn't do this. Ukrainian military strategy is doing this.
> And now, I'm not hippie
I don't think you're a hippie, but I do think you're delusional.
You sound like a propagandist for a war that has no chance of a good outcome and every moment that passes, more lives are lost pointlessly. Your speech is not new. We've heard it all along.
Give me a date of when will it happen and we can talk again then.
And going back to my original point, it's extremely unfair that you get to push a war you're not fighting because you're not fighting it. Collaborating to it and getting commended for it is not fighting it. You don't die. Your child doesn't die. Your risk profile is definitely not the same.
So your bravado doesn't move me. I do hope for the war to end and the life loss to end and the post war era to not be too cruel on the people who get screwed over by the "rebuilding" vultures.
But that will be diplomacy and not your "total victory will come through our strength, we just need more money to kill more".
You're not delusional, you're simply lying.
This thread has become reminiscent of this HN classic: https://news.ycombinator.com/item?id=35079
Not really... If you look at the wording.
"I spent time in bomb shelters". "Got a commendation for my efforts."
I've spent enough nights in bomb shelters in Ukraine, and I have a medal from the Ukrainian military for my contributions.
How about you?
I like how your wording doesn't actually say that you actually fought in the war as a soldier, which would only get my commiserations for being used as a pawn for the benefit of geopolitics. The partial destruction of the country is extremely sad to see but I won't support the manufacture of wars nor be impressed by bullshit bravado or war jingoism.
I know what pointless violence is and don't glorify it. It never looks good. It's not a movie. It's not something to be proud of, and it depends a lot on luck.