Ask HN: What is this cyber attack scenario?

CAs are a horrendous weakness, but are still a "pillar" weakness and not even a "base" problem. In other words the threat exists not because of a base technological capability or necessity, but because we _choose_ to stick our fingers in a blender and play with the switch. Like the liquidity deadlock persisting the post 1929 depression these things happen because humans, collectively are clinically insane in surrendering before systems (hubris, pride, social control). No one dares to override the system. In reality decisive emergency action can mitigate such sticky situations.

We also worry about existential threats from "class" points of weakness. Like a mathematical breakthrough that makes factoring large primes or mapping elliptic curves trivial. Again here, one can imagine that were it possible to entirely switch-off encryption and return to early 1990s operation, even a catastrophic class failure would not be that bad - we'd just have a massive cybercrime and infosec problem instead of a systemic failure.

Real dangers come from systems where logical regression is strictly not possible. A base weakness like a backdoor or fault in every ARM or Intel processor that could brick half the devices on Earth is a likely cause of widespread civic harm - because it could be unrecoverable, turning devices into e-waste overnight. Crowdstrike had a flavour of this because it reminded us that computers are actually pieces of hardware in data centres that can need manually rebooting or need human physical intervention at scale.

It's not about a single point of failure. It's about lots of different systems, each with their own unique set of vulnerabilities, and a well-resourced adversary picking them off one-by-one, escalating privilege, gaining persistence and then... doing nothing, because they're not at war... yet.

It's like building up an arsenal of ICBMs without ever using them, but when they do get used, they're launched all at once.

Shodan [1] is not the only place active vulnerabilities are stored up. Each nation have systems that track vulnerabilities and scripts can be stored up to mass exploit all these systems all at once. And that is just for internet facing crap. There are also systems designed to be weak. Anything with SSH default settings especially multiplexing and sudo with weakened lazy settings such as passwordless or passwordless with timeouts are easy targets for phishing and establishing a RAT without any additional software meaning no malware is required, no bugs are required and nothing would be detected, ever. The existing state of the internet was not designed to handle nation state level attacks and fixing that requires adding friction that people simply will not accept. It's a hackers paradise.

TL;DR The biggest weakness of the internet is human nature.

[1] - https://www.shodan.io/

Ah yes, the classic “society collapses because a TLS cert expired” scenario. I love that one.

To be fair, you’re not wrong -root CAs, DNS, cloud infra… we’ve basically built the modern world on top of a Jenga tower made of YAML files and third-party APIs. And yeah, a well-coordinated takedown of a few dozen orgs could make things very spicy.

But let’s not pretend it’s that easy. Most critical systems have failovers, redundancy, and monitoring. Banks aren’t going to fold just because Let’s Encrypt has a bad day. (Unless you’re Silicon Valley Bank… then maybe.)

Still, the scary part isn’t a single failure. It’s that all our “redundancy” loops back to like 50 companies we pray don’t screw up at the same time. It’s like putting all your backups on the same USB stick… and then losing it.

So yeah - not doomsday just yet, but definitely not great. Maybe worth more than zero attention.