Post AcpzVxTlyszH6Drawy by vriesk@hachyderm.io
Post #AcoraK7Ne3psBrgQnQ by briankrebs@infosec.exchange
       2023-12-15T00:21:05Z
       
       0 likes, 1 repeats
       
I've grudgingly come around to the notion that there is only one way out of the ransomware problem: Make paying a ransom illegal. This is not very different from laws that make it illegal for US companies to pay bribes to foreign officials. I really don't see any other way out of this mess. Yes, some victims will unfortunately ignore any laws that say they can't pay, but enforcement probably will not be hard. What will be difficult are the situations where people's lives are at stake in ransomware incidents. This sounds callous, but we can't afford to take the short view here anymore, and our other alternatives aren't great either. I'm quite certain this is an unpopular view, but we have already seen the cost of doing nothing. At least in the interests of congruity for our financial sanctions vs Russia, we should probably make this change sooner rather than later.
       
Post #AcoraLTObh2YOQzWka by briankrebs@infosec.exchange
       2023-12-15T00:53:36Z
       
       0 likes, 0 repeats
       
       I really admire what Bruce Schneier has said about the pay-or-not-pay debacle that ransomware puts companies and individuals in. Because it aptly summarizes the counterpoint to outlawing the payment of ransomware: I'm paraphrasing from memory here, but it was something to the effect of, "it's your data, or your daughter." In other words, the imperative to pay is directly related to your skin in the game.
       
Post #AcoraLU6Z3biQdK5r6 by briankrebs@infosec.exchange
       2023-12-15T00:29:50Z
       
       0 likes, 0 repeats
       
There are 100 ways the current ransomware problem can and probably will get worse and nastier. Every single cybercriminal or aspiring crook is now focused on ransomware or data ransom payments as THE path to financial success. It's no longer just the Russians. It's the Chinese, the North Koreans, and Iran. Either way, these countries don't just want to hurt the United States: They would rather the US died in a fire. For companies to make payments to these regimes -- and their cybercriminal apparatus is always part of the regime -- is bonkers, IMHO.
       
Post #AcoraLUSXjtIRjUNPM by briankrebs@infosec.exchange
       2023-12-15T00:37:16Z
       
       0 likes, 0 repeats
       
       In the past month, ransomware douchebags have shut down emergency rooms at multiple hospitals; dinged the US bond market; major shipping ports in Australia closed, e.g. We used to talk about a hypothetical scenario in which cybercriminals are having real-world, kinetic impacts. But that stuff is old news. Kinetic impacts from ransom incidents now happen on a daily basis.
       
Post #AcoraMIRXtsCwksIJk by briankrebs@infosec.exchange
       2023-12-15T01:58:35Z
       
       0 likes, 0 repeats
       
       In re the "how ransomware could possibly get worse" response, I have two scenarios (which we have already seen in the playbook/arsenal of ALL of the regimes already mentioned): Deleting data (forget ransoming it: you already pwn the servers); corrupting it (holy crap what blood type is this patient????).
       
Post #AcoraNTp94ZScLCthA by briankrebs@infosec.exchange
       2023-12-15T01:39:23Z
       
       0 likes, 0 repeats
       
In re the idea of how this could all get a lot worse.... 10 years ago, if a company's employee clicked a malicious link or opened a booby-trapped attachment, that company and that employee would have a bad day, or week, or month, or however long it took brainiacs in that organization to realize that some intruder was leeching off their bandwidth, or access, or whatever. At worst, the victim organization had all of that employee's browser credentials stolen. Maybe their machine was a botnet proxy, or relaying spam for a few days. Big deal. We had a really nice period of maybe 3 years between the emergence of ransomware that tried to get victims to pay in $100 Greendot card increments to the explosion of bitcoin and the acceptance of on-roads to the US financial system, which is ultimately what made large-scale corporate ransomware raids a thing.
       
Post #AcoraNZ8pIpAsph8z2 by RandomDamage@infosec.exchange
       2023-12-15T02:17:26Z
       
       1 likes, 0 repeats
       
@briankrebs the second case is why EHR is one of the few good uses for blockchain. When you absolutely must be able to verify the validity of a document. Also a great reason for off-line backups to become standard again.
       
Post #AcorjbOGnQ06Ml0XS4 by feld@bikeshed.party
       2023-12-15T02:19:50.289137Z
       
       0 likes, 0 repeats
       
       @RandomDamage @briankrebs over time you'll finally concede and recognize the other use cases, we just need to suffer from more attacks that can destabilize supply chains and the global economy first
       
Post #AcosdhqC06u2aWowqG by RandomDamage@infosec.exchange
       2023-12-15T02:23:19Z
       
       0 likes, 0 repeats
       
@feld @briankrebs I have seriously looked. Document integrity is really it. A few places are using it for that already, but it doesn't get much hype because for most people it's too boring.
       
Post #AcosdiiQkSHvIkCGNk by feld@bikeshed.party
       2023-12-15T02:29:53.381127Z
       
       0 likes, 0 repeats
       
       @RandomDamage imho this is the same as when we were like "but we really only need HTTPS for banking and online shopping"
       
Post #Acp5Op3wAQxG2vU0TQ by RandomDamage@infosec.exchange
       2023-12-15T02:55:29Z
       
       0 likes, 0 repeats
       
@feld when we started with https it was a significant load that not every site could bear. But all we get from blockchain is a mechanism for validating document integrity. Maybe that will percolate down to news sites and blogs eventually, but that's all we get.
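The "mechanism for validating document integrity" RandomDamage describes here, and the EHR corruption case from the earlier post, both reduce to a hash chain over the stored records. The Python below is an added illustration, not code from any of the posters: it builds a chain over constructed EHR-style records (patient IDs and values are made up), detects a record that was silently altered in place, and then shows the caveat a practitioner cares about. Anyone with write access to the whole store can rewrite a record and recompute every later hash, and the chain still verifies; only a chain head stored out of band (the off-line backup point from the same thread) exposes that. The function names are the example's own.

```python
"""Hash-chained record log: detects corruption of stored records, provided the
chain head is anchored somewhere the attacker cannot rewrite. Example code."""
import copy
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # previous-hash value for the first entry


def record_digest(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous hash and a canonical JSON form of the record,
    so that key order or whitespace cannot change the digest."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(prev_hash.encode("ascii") + b"\n" + payload).hexdigest()


def append_record(chain: list, record: dict) -> None:
    """Link a new record to the current head of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "record": record, "hash": record_digest(prev, record)})


def verify_chain(chain: list) -> Optional[int]:
    """Return the index of the first entry whose content or linkage does not
    verify, or None when the chain is internally consistent."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != record_digest(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return None


def head_matches(chain: list, trusted_head: str) -> bool:
    """Compare the current head against a copy kept out of band (offline backup,
    print-out, another system). Internal consistency alone is not enough."""
    return bool(chain) and chain[-1]["hash"] == trusted_head


def build_sample_chain() -> list:
    """Constructed sample data (hypothetical patients, not real records)."""
    chain: list = []
    append_record(chain, {"patient": "P-0001", "field": "blood_type", "value": "O+"})
    append_record(chain, {"patient": "P-0001", "field": "allergy", "value": "penicillin"})
    append_record(chain, {"patient": "P-0002", "field": "blood_type", "value": "AB-"})
    return chain


def corrupt_in_place(chain: list, index: int, value: str) -> list:
    """Simulate silent corruption of one stored value without touching the hashes."""
    damaged = copy.deepcopy(chain)
    damaged[index]["record"]["value"] = value
    return damaged


def rechain(chain: list, index: int, record: dict) -> list:
    """Replace one record and recompute every later hash, as someone with write
    access to the whole store could. The result verifies internally; only the
    out-of-band head comparison reveals that history was rewritten."""
    rebuilt = copy.deepcopy(chain[:index])
    append_record(rebuilt, record)
    for entry in chain[index + 1:]:
        append_record(rebuilt, entry["record"])
    return rebuilt


if __name__ == "__main__":
    chain = build_sample_chain()
    trusted_head = chain[-1]["hash"]  # imagine this copied to offline storage
    print("clean chain verifies:", verify_chain(chain) is None)
    print("in-place corruption detected at index:", verify_chain(corrupt_in_place(chain, 0, "A-")))
    rewritten = rechain(chain, 0, {"patient": "P-0001", "field": "blood_type", "value": "A-"})
    print("rewritten chain verifies internally:", verify_chain(rewritten) is None)
    print("rewritten chain matches offline head:", head_matches(rewritten, trusted_head))
```

The last two lines of the demo are the point: `verify_chain` catches a corrupted field, but `head_matches` against a copy the attacker could not reach is what catches a wholesale rewrite. That is the same reason the thread lands on off-line backups.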
       
Post #Acp5OpqVFrnqTYCnAm by feld@bikeshed.party
       2023-12-15T04:52:57.089132Z
       
       0 likes, 0 repeats
       
       @RandomDamage I'm not buying that because although the hardware was slower the original ciphers were weak. The problem was the cost of certificates for most small webmasters -- several hundred dollars per year was the real burden.
       
Post #AcpzVvJ43jEWMQq0yu by mathaetaes@infosec.exchange
       2023-12-15T06:56:39Z
       
       0 likes, 0 repeats
       
@feld @RandomDamage weak ciphers do not necessarily mean computationally cheap ciphers… but that's less relevant. Way back when I used to work at an ISP, we'd have people with colo servers running on single-core Pentium chips. Most connections were high-latency, low-bandwidth 56K dialup. If a normal page took 3-10 seconds to load due to slow bandwidth, the same page over SSL might take 15-20 due to the number of extra round trips required to negotiate the session over a 100-300ms connection. Add a 333 MHz clock on the server (and a 100-200 MHz clock on the client) and you did get a noticeable performance hit. It was enough that people who needed SSL would buy dedicated SSL-offload hardware just to handle the compute, and hope the RTT was low enough that they didn't lose customers. So yeah, certificate costs were also stupid high, but the compute and bandwidth impact of SSL back in the day was not trivial, and hindered adoption on its own.
       
Post #AcpzVxTlyszH6Drawy by vriesk@hachyderm.io
       2023-12-15T09:10:12Z
       
       0 likes, 0 repeats
       
@mathaetaes @feld @RandomDamage also, multi-hosting (multiple web services hosted on the same IP/port) didn't work with SSL at all; each SSL-enabled service required its own dedicated public IP. (Multiple certs on the same IP require SNI, which was only fully included in OpenSSL 0.9.8j in 2009.)
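The limitation vriesk describes comes down to whether the client names the host inside the TLS ClientHello before any certificate is chosen. The Python below is an added illustration, not code from any of the posters: it builds a minimal ClientHello with and without a server_name extension, parses that extension the way a TLS terminator or load balancer does to pick which certificate to present on a shared IP/port, and falls back to one default certificate for a client that sends none (the pre-SNI situation). The certificate table, hostnames and function names are constructed for the example.

```python
"""Extract the SNI server_name (RFC 6066) from a TLS ClientHello and use it to
select a certificate for virtual hosting on one IP/port. Example code."""
import struct
from typing import Optional

SNI_EXTENSION = 0x0000   # extension type: server_name
HOST_NAME_TYPE = 0x00    # NameType: host_name


def _need(buf: bytes, pos: int, n: int) -> None:
    """Refuse to read past the end of a truncated message instead of failing oddly."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record, or None if the client sent
    no server_name extension at all. Raises ValueError on malformed input."""
    _need(record, 0, 5)
    if record[0] != 0x16:                                   # ContentType: handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    _need(record, 5, rec_len)
    hs = record[5:5 + rec_len]
    _need(hs, 0, 4)
    if hs[0] != 0x01:                                       # HandshakeType: client_hello
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    _need(hs, 4, body_len)
    body = hs[4:4 + body_len]

    pos = 2 + 32                                            # client_version + random
    _need(body, pos, 1)
    pos += 1 + body[pos]                                    # session_id
    _need(body, pos, 2)
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    _need(body, pos, 1)
    pos += 1 + body[pos]                                    # compression_methods
    if pos == len(body):
        return None                                         # legacy hello: no extensions block
    _need(body, pos, 2)
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    _need(body, pos, ext_len)
    end = pos + ext_len

    while pos + 4 <= end:                                   # walk the extension list
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        _need(body, pos, elen)
        data = body[pos:pos + elen]
        pos += elen
        if etype != SNI_EXTENSION:
            continue
        _need(data, 0, 2)
        list_len = struct.unpack("!H", data[:2])[0]
        _need(data, 2, list_len)
        p, list_end = 2, 2 + list_len
        while p + 3 <= list_end:                            # ServerNameList entries
            ntype = data[p]
            nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            _need(data, p, nlen)
            name = data[p:p + nlen]
            p += nlen
            if ntype == HOST_NAME_TYPE:
                # host_name is an ASCII A-label; anything else is a protocol violation
                return name.decode("ascii")
    return None


# Constructed certificate table for the example: hostname -> certificate file.
CERTS = {"shop.example.org": "shop.pem", "blog.example.org": "blog.pem"}


def select_certificate(record: bytes, certs: dict, default: str) -> str:
    """Virtual-hosting decision: which certificate to present for this ClientHello.
    A client without SNI can only ever get the default certificate."""
    name = extract_sni(record)
    if name is None:
        return default
    return certs.get(name.lower(), default)


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Assemble a minimal, structurally valid ClientHello (constructed test input)."""
    random = b"\x11" * 32
    cipher_suites = b"\x13\x01\x13\x02"                     # TLS_AES_128/256_GCM
    extensions = b""
    supported_versions = b"\x02\x03\x04"                    # an unrelated extension to skip over
    extensions += struct.pack("!HH", 0x002B, len(supported_versions)) + supported_versions
    if server_name is not None:
        host = server_name.encode("idna")
        entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(host)) + host
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION, len(sni_list)) + sni_list
    body = (b"\x03\x03" + random + b"\x00"                  # version, random, empty session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00"                                   # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for host in ("shop.example.org", "blog.example.org", None):
        hello = build_client_hello(host)
        print(host, "->", select_certificate(hello, CERTS, "default.pem"))
```

The parser stops at the first host_name entry and never reads beyond the lengths it has checked, which matters because this code sits in front of every connection; the same routine is what a network sensor uses to log the requested hostname without decrypting anything.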
       
Post #AcpzVyMMhuejpXPC2i by feld@bikeshed.party
       2023-12-15T15:21:40.342699Z
       
       0 likes, 0 repeats
       
       @vriesk @mathaetaes @RandomDamage oh yes, I remember, but IPs weren't that hard to come by back then either. It just made configuration and deployment more annoying.
       
Post #AcqJCl79j8ZMKdPI6S by vriesk@hachyderm.io
       2023-12-15T16:02:21Z
       
       0 likes, 0 repeats
       
       @feld @RandomDamage @mathaetaes "IPs weren't that hard to come by" is a strange way to say "I haven't worked for a non-US hosting provider".
       
Post #AcqJCm1AMtN98Lc1PE by feld@bikeshed.party
       2023-12-15T19:02:25.347101Z
       
       0 likes, 0 repeats
       
@vriesk @RandomDamage @mathaetaes I worked at an ISP in the US as one of the state network engineers, and the internet outside the USA doesn't exist 🤫 What was going on outside ARIN that made it so hard to get addresses? It's not like there was a shortage in the 90s.
       
Post #AcqN2YwIXSVjUZio9w by vriesk@hachyderm.io
       2023-12-15T19:34:42Z
       
       0 likes, 0 repeats
       
       @feld @RandomDamage @mathaetaes early 2000s in my case. Worked at a hosting provider with around 7k individual websites hosted (around half being e-commerces), and I remember spending a week polishing a "petition" to RIPE to grant us some IPs and the screams of joy when we received a /24 share (from /21 or /22 requested, don't recall now) up from the /27 range we were squeezing in previously.
       
Post #AcqN2Zh5jTwPphcB60 by feld@bikeshed.party
       2023-12-15T19:45:22.334386Z
       
       0 likes, 0 repeats
       
@vriesk @RandomDamage @mathaetaes that's crazy, I have a /27 at home that ATT gives me for $30 😆 We never had issues getting IPs. Even our transit providers would delegate tons of addresses to us. I used to have a /23 at home from Sprint and when we dropped them as a transit provider they never took back their addresses so I kept using them for years. Mostly just enabled them all on my router so they'd respond to pings and appear in use, but... that sounds like massive stupid bureaucracy over there.