Re: ThyssenKrupp said the attack was not attributable to security failings
"But some security failings can never be effectively policed, like moles."
No, but according to the accounts of people who worked there, they had extremely bad security.
https://www.heise.de/forum/heise-online/News-Kommentare/Massiver-Hacker-Angriff-auf-Thyssenkrupp/ThyssenKrupp-und-das-Maerchen-aus-der-Pressemitteilung/posting-29614397/show/
They didn't update their firewalls, they still used DES for their VPNs, they didn't separate their production LAN from their office LAN, etc...
"Is it really a security failing if it's one beyond anyone's ability to secure?"
You could as well ask if someone who hasn't learned to drive is responsible for the accidents they made. If you are unable to do something, maybe you should not do it... particularly not at such a company.
"Just like is it really anyone's fault if someone gets killed by a bolt out of the blue?"
No, but this is more like having your car unlocked and parked at a busy parking lot... and then complaining about it being stolen.
Biting the hand that feeds IT
