S
Story
Simple Sabotage for the 21st Century – Specific Suggestions
You see this happening in russia these days.

My favourite was from the start of the war when the guys who were supposed to plant incriminating evidence on the scene were they arrested some "terrorists" put the Sims 3 game on the scene instead of 3 sim cards and literally signed the fake documents they planted with "Signature Unclear". (Yes, real story, just search for Sims 3 and Signature Unclear.)

As I understand it I understand this was FSB (or someone elses) way of "getting even" after their boss had been publicly humiliated for proposing to not invade Ukraine. (But that - except for the public humiliation which is well documented - is just speculation on my part although I might have heard it from someone else thinking loud.)

Although sometimes I wonder if it was a genuine misunderstanding. I feel I have unusually many Russian friends and ex-colleagues, people who live outside of russia for good reasons and do not support it. Z-russians on the other hand does not strike me as the brightest bulbs in the box.

  • lukan
  • ·
  • 3 weeks ago
  • ·
  • [ - ]
"just search for Sims 3 and Signature Unclear"

I did, but got lots of vague rumor stories, but nothing solid.

Here you go:

https://www.businessinsider.com/russian-agents-the-sims-vide...

This article in turn links to russian state sponsored RIA Novosti, and while I generally don't trust russian state sponsored media, I make exceptions for when they admit embarrassing things, because they have little incentives to lie to get people to ridicule them.

> fake documents they planted with "Signature Unclear"

"Signature Unclear" is actually a real pseudonym of a pro-Nazi author. So this particular part was at least believable.

The "Sims 3" disks (3 of them) and Bandera's books were far less so.

> "Signature Unclear" is actually a real pseudonym of a pro-Nazi author.

That was interesting, thanks!

Do you know if he is an actual Jew-hating nazi or just someone who opposes russia?

(I've learned over the last 3 years that for most russians when they think of nazism they don't think of genocide of minorities, mega-projects, Lebensborn and all that bit rather only about "war against russia")

He's a real "inferior races must be exterminated" Nazi. I searched for his works when this story first came out, and yeah, he's bad.
ouch.

That is evil.

Then again, that alone us not enough for russia to strike at someone: they have more than one group of openly nazi (by western standards) soldiers fighting against Ukraine, most famously rusisch.

> Log users out frequently for "security reasons".

This is exactly what happens on a contract I work on. Any software that is authenticated through our OKTA SSO very frequently signs users out and redirects to a logout page. This is especially annoying when using the project management software, where you typically have many tabs open to see various requirements, epics, stories, tasks, etc. Any inactivity more than 15 minutes, and all the tabs are logged out. Just like that, everything is gone. It forces us to use strategies such as saving redundant copies of things in notes and spreadsheets. I don’t think it’s necessarily sabotage but it feels extremely negligent. Moreover it’s completely unnecessary since everything is behind a VPN anyway.

Another similar thing that does feel as if it’s somewhat malicious is the very aggressive logout and shutdown policy of our virtual desktops - these are the desktops we do everyday active development on and where we set up IDEs, database clients, web servers, testing tools, API references - anything you can think of. We use this in combination with our regular desktops where we attend meetings or do other non-development tasks such as using the above-mentioned requirements software. It takes a lot of time to set all of this up! If you’re inactive for more than 2 hours, your session is not only closed, it’s completely destroyed so that it can be reclaimed for another user. I don’t need to explain to experienced developers how incredibly frustrating and counterproductive this is, but leadership has been extremely dismissive of any complaints, and tell us that we should use our time more wisely or that we shouldn’t be inactive for so long (which is complete BS, there are a thousand valid reasons foe this). Apparently this is done for cost-cutting reasons, but something feels more nefarious here, because this very obviously leads to reduced productivity and demotivation. This has actually lead to me purposefully overestimating complexity and demanding a user story for every single little trivial action I take, whereas before I used to just go in and make quick fixes or knock out certain operational things in my spare time. It’s a waste of time for us and ends up being worse for our customers.

Logging you out in 15 minutes is ridiculous as is losing your places/work but "behind a VPN" is not considered secure anymore.

"BeyondCorp comes from a realization that VPN perimeter network security is obsolete. As soon as an attacker breaches the perimeter, they have unrestricted access to the resources."

https://goteleport.com/blog/how-teleport-extends-beyondcorp-...

no idea if that's a good resource, it's just the first hit for "beyondcorp"

Maybe I should accuse our security team of sabotage for signing us out of Slack every day?

After all ‘Teams’ is fine.

As AGILE as it gets
This is a takeoff on a well known WWII pamphlet, the Simple Sabotage Field Manual.[1]

That's not the real worry today. Today we have to worry about remote sabotage of key systems - water, power, comms. It's quite possible that we will see major blackouts in the US, Russia, Europe, or China as side effects of the various wars in progress.

[1] https://www.cia.gov/stories/story/the-art-of-simple-sabotage...

I thought it was a reference to Brian Eno's co-created project Oblique Strategies.

https://www.enoshop.co.uk/product/oblique-strategies.html

  • ben_w
  • ·
  • 3 weeks ago
  • ·
  • [ - ]
I suspect that if it was possible to do anything significant to Russian infrastructure via hacking, it would have already happened by now.

2 million USD gets you a smartphone zero-day*, according to rumours, something like a single ATACMS missile.

* geometric mean of 200k and 20M: https://techcrunch.com/2023/09/27/russian-zero-day-seller-of...

I'm assuming by "significant" you mean an attack on critical infrastructure.

That's a strategic capability that very likely requires multiple attack chains, not a single exploit. For Western countries, cost is probably the least significant factor in deciding to use it.

One would want to be certain that option is available, but only when absolutely necessary. Using it on a random Tuesday would take that particular option off the table forever. Best case scenario, Russia discovers the means by which the attack was carried out. Worst case, they retaliate with nuclear weapons.

Globally, I believe there are only a few countries capable of executing such a plan.

>I suspect that if it was possible to do anything significant to Russian infrastructure via hacking, it would have already happened by now.

Alternatively, maybe it is possible, but the US doesn't want to escalate? You saw how reluctant Biden was to authorize missile strikes inside Russia.

  • t-3
  • ·
  • 3 weeks ago
  • ·
  • [ - ]
Hacking would just be tit-for-tat at most, and unlikely to be accepted as a good reason for major escalations. Most likely Russian infrastructure is just too old to be vulnerable in the same ways as Western infrastructure.
  • ben_w
  • ·
  • 3 weeks ago
  • ·
  • [ - ]
At the price I've quoted, it isn't Biden's decision, it's something Zelensky could order directly from Ukranian taxes as a rounding error.

At least, if it was possible.

My understanding is that Russian cyberattacks on Ukraine have been rather ineffectual due to Ukrainian cyber defenses.
I've always read that one as satire critique of the American DoD. It has Svejk and Catch 22 all over it.
But it is not. It's quite real! It makes a lot of sense... it's exactly the type of stuff that frustrates people [because it slows down the organization] but happens a lot [because it's not easily detectable/fireable].
I don't question the authenticity, just the intent of the author.
Yeah, professional saboteurs only target key systems since incidental systems are constantly experiencing the kind of "sabotage" the site talks about but mostly through laziness, incompetence and bureaucratic fief assertion.
Posted on April Fools… intentional or ?
  • cjfd
  • ·
  • 3 weeks ago
  • ·
  • [ - ]
Another one: when a colleague asks for something that is wrong, implement it as requested without questioning.
This is not a rare thing in contractor/it service/consulting world.
also know as "malicious compliance"
"Its exactly what we asked for -- but, not what we want"
  • nmwp
  • ·
  • 3 weeks ago
  • ·
  • [ - ]
Looks like government has already implemented a lot of these suggestions.
> Refrain from making decisions until all possible stakeholders can weigh in

> Create overly-ambitious timelines and set impossible-to-keep deadlines

> Send unnecessary meeting invites then cancel them last-minute

> Don't use collaborative software, just email things back and forth

> Introduce burdensome software license approval processes

> Leave off the phone or video call information from a calendar invite

Forget government, this is a summary of standard operating procedure at my last (large, private sector) employer. Maybe they weren't all idiots, they were just fighting the man.

Just like the original Simple Sabotage Manual, this is worth reading just to reflect a painfully clear image of your own organization's dysfunction (and possibly your own role in it).

This is the point. It is very desirable for sabotage to look like standard corporate inefficiency.

Smash equipment, waste thousands and get caught. Delay a big project, waste millions and nobody notices.

Just love this. My particular favorite is sending the http:// version of everything instead of https://.
In my workplace people also set the machines to forget the redirects from time to time¹. So that it's not a given that the http:// will lead to anything.

1 - How? I have no idea. They are more expert than the author.

Don’t most browsers just auto direct to https though?
Only if there is HSTS (=if the site was visited previously and told the browser to always switch to https for the generally-6 months duration).
Yes, but the redirection takes both time and energy, that’s what makes it such a good form of sabotage, the grit in the engine that’s too small to notice but still leads to pain and cost.
That site is kind of a riot.

Click on "Exit".

Kind of bad that it doesn't preload the target, though. I don't want to have to wait for ten seconds to exit if I'm in a slow connection.
  • Natsu
  • ·
  • 3 weeks ago
  • ·
  • [ - ]
Without this site, I never would've realized that I could fight for climate justice by leaving rotten fruit in the break room.
rotting fruit emits carbon dioxide though
Hehe it's got a whole bunch of exit links. How to be a 10x developer lmao
The best way to solve 10x more tickets is to create 100x more than anyone else
"These seem kind of dated.. I feel like you could have more speci-"

> Require wet signatures (ink on paper) for documents instead of digital

Jesus Christ.

Sorry, the document has been rejected. We require signatures in blue ink, as specified in the employee handbook section 132.86.9c(3), so we can tell the scanned copy from the original. Please sign again. We’re also sending over a form (G03.2) that acknowledges we received your signature but that it was incorrectly processed. This will ensure you don’t get written up for turning in the document late (section 075.53.7). Please also signed the attached form (form Y64.5) that verifies that the original signature was yours. All forms must be received by the end of the business day. Please also scan the documents and upload the copies to dev.null@fcorp.com
I always carry around a black & blue pen (and sometimes red, I like pens*). At some point I got into the habit of always using blue to sign; not clear why. I distinctly remember signing something in blue and then having to do it all over again because they insisted that I only use black ink. I am now suspicious of this this past event..

*not the expensive kind either, I've tried pens that were $50+; fav is still a $2.75 Uniball Jetstream 1.0mm. Smooth pens make pen&paper writing/signing fun

Opinions vary. Some people say legal documents should never be signed in blue. Others say they always should. In either case, it’s mandatory.
The legal team has battles similar to ‘tabs vs spaces’ too :)
So this is what they meant when they said that war is hell
This is very funny. I just wish the Slack unfurls showed the specific suggestion from the link.
heisenhelpful.
  • Oarch
  • ·
  • 3 weeks ago
  • ·
  • [ - ]
We are all now immediately suspicious of certain coworkers...
or our suspicions are now confirmed.
No, we're protected by Hanlon's razor.
I may be having an old fuddy duddy moment but I really dislike this site. My first suggestion was at least interesting. My second was to superglue things into place.

Will supergluing things in place actually help the oppressed? Are you the Harriet Tubman of adhesives? Or will someone who makes minimum wage get yelled at and then forced to clean it?

This is Tik Tok level pranks applied to serious political issues and frankly, oppressed people deserve better than this.

The point is to have plausible deniability (just like the original simple sabotage manual). So they have to be realistic enough. Superglueing stuff down isn’t a plausible unless you’re on a boat. But requiring a signature with pen and paper is. Take it a step further and require blue ink (because “its distinguishable from a printed version” or choose a more obscure color for similar reasoning). But make sure to not tell them that until after the signature is received, so that they have to do it all over again.
The intent is for it to appear like childish pranks, mild incompetence, or best of all, nothing. The purpose is to delay and degrade harmful organizations and processes by a thousand tiny cuts.

It bears a strong resemblance to a handbook that went around during WW2 for workers within Nazi occupied territories.

At the very least it doesn't seem like sand-in-the-vaseline tactics are equally useful when applied everywhere, monkeywrenching some random business is not going to bring about the fall of late capitalism exactly, but if they managed to inspire millions of saboteurs it might - of course tough luck about those hospitals and food trucks we depending on.
[dead]
  • ·
  • 3 weeks ago
  • ·
  • [ - ]
This reads like a guide on how to get fired for cause. Additionally its quite childish. Why not just throw a tantrum and save the trouble?
It's not for you; it's for people who are forced to work for an occupant. During WW2 the CIA actually published a manual for this specific purpose; it's declassified and available here:

https://www.cia.gov/static/5c875f3ec660e092cf893f60b4a288df/...

I'm quite sure this one is a joke. But yeah, the other one may have been that thing you said (or may have been a joke too, I don't think even the CIA knows by now).
Why on earth do people think this is a joke? How else would you recommend people working in adversarial organizations slow them down?
> How else would you recommend people working in adversarial organizations slow them down?

This exact same way. I just don't expect people to recommend slowing down adversarial organizations on the clear, in the public internet.

But then, if you are fighting an unstoppable tyrannical force with superhuman powers, I wish you luck and hope you find the techniques here harmless enough. Maybe there is a better source somewhere with pros and cons of each action, but I don't know how to find it. Either way, I think whoever created this site did so as a joke, so second-guess anything you see here.

> But then, if you are fighting an unstoppable tyrannical force with superhuman powers

Huh? Who mentioned anything even close to this descriptor?

  • exe34
  • ·
  • 3 weeks ago
  • ·
  • [ - ]
You need to write a Jira ticket for that!