[HN Gopher] New technology has enabled cyber-crime on an industr...
___________________________________________________________________
New technology has enabled cyber-crime on an industrial scale
Author : hhs
Score : 142 points
Date : 2021-05-09 14:26 UTC (8 hours ago)
(HTM) web link (www.economist.com)
(TXT) w3m dump (www.economist.com)
| lucasyvas wrote:
| I'm about done with articles that complain about cryptocurrency
| as a source of this "brand new problem"
|
| Also why don't we talk about tax havens while we're at it?
| fcantournet wrote:
| They're not unrelated subjects. A lot of crypto operates much
| in the same way dark pool finance operates. It's unregulated &
| opaque. This is prime territory for both scams and other
| criminal activities.
| lucasyvas wrote:
| You're not wrong - but considering we failed to stop p2p file
| sharing how does anyone expect us to stop this?
|
| The music industry railed against stuff like Napster and got
| literally nowhere in the grand scheme of things.
|
| We are watching a repeat of history and apparently nobody
| learned a thing the first time.
| pyrale wrote:
| Most of p2p was not running for profit.
|
| On the other hand, as soon as you interact with money,
| there are well-established means to control money flows. If
| the banking system stop interacting with crypto exchanges,
| much like they're banned from serving cartels or countries
| under embargo, cryptocurrency will essentially go back to
| the fringe status it had a few years ago.
|
| Sure, some people may still use it to buy pizzas. But it
| will essentially lose its interest when it comes to
| unregulated banking.
|
| That kind of regulation may actually be a good thing when
| it comes to blockchain operations, or at least the few of
| them that can actually demonstrate a benefit in isolation.
| arcticbull wrote:
| Easy: crypto operates on the basis of real money entering
| and exiting the system. Real money is one of the most
| regulated things we have. Turn off the spigots, no new
| money in, miners cannot be paid for their services, value
| drops, people get bored and move on to the next speculative
| mania. Most people are only in the space for number go up.
| ethanbond wrote:
| I don't think I know anyone who frequently pirates music
| anymore...
|
| Mostly due to superior products coming out (Rdio, Spotify)
| but given that a founder of Spotify was involved in the
| torrent community, don't think it's a crazy theory to say
| the legal pressure created product pressure.
| syshum wrote:
| For music yes, largely because the music industry has
| been unable to resist the devaluation of their product in
| the modern era..
|
| the Public simply is unwilling to pay $20 for a CD that
| maybe has 1 good song on it any more.
|
| Other entertainment has been better able to resist this,
| those COVID has dealt a much needed blow to the value of
| Movies it is yet to be seen if this industry will
| recover.
|
| Unauthorized distribution of non-music media is still
| very much alive and more popular than ever really. It is
| also becoming more popular since unlike the music
| industry the video industry is creating 10's even 100's
| of walled gardens, that are IP and Geographically locked
| to hold on to old outdated distribution models
|
| I know many people that are growing tired of the "Which
| streaming service has the show or movie I want" which
| question that changes on a monthly basis, a Netflix may
| have it today, but Prime may have it tomorrow, then Hulu
| may get it later, as it leaves each of these platforms.
|
| Most people subscribe to a single music service, however
| today you need to sign up to 3 or 4 or 5 Video services,
| that will drive more people back to unauthorized sources
| that are more convenient
| lucasyvas wrote:
| You hit the nail on the head for this particular example.
| It took YEARS for the industry to suck it up and make it
| as convenient as it needed to be, though.
|
| The difference here is that TSLA is already accepting
| Bitcoin, and the financial sector is already building on
| Ethereum. So is it really going to be illegal or are
| there just going to be smoother experiences layered on
| top that the average user will flock to? Because I'm
| guessing, based on where we are, that it has to be the
| latter at this point.
|
| Illegal use will be minimized by a new breed of
| middleman. It's not ideal, but it's right for the
| majority of people I think.
| pyrale wrote:
| What happens the day Tesla or the platform that processes
| payments for them gets subpoenaed for accepting coins
| from a ransomware attack? I suspect they will quietly
| drop their coins and stop accepting new ones, especially
| since that's unlikely to be a common payment method.
| doktorhladnjak wrote:
| The way out of p2p music sharing was record companies
| agreeing to provide their content through iTunes music
| store, Amazon MP3 store, and eventually streaming services.
| P2P sharing is still around but not like it was because
| record companies found a new way to make money by giving
| people mostly what they want.
|
| Maybe it'll be something similar where government or bank
| backed crypto becomes the only legal crypto, pushing what's
| left even more to the margins.
| throwaway6734 wrote:
| Was there ever massive energy put into stopping p2p file
| sharing?
|
| Stopping crypto just seems like it would take pols
| committed to taking action:
|
| * Attack mining nodes using cyber + military force
|
| * Disallow transactions between USD + crypto in the
| US/Europe/Any other country that is willing to join or can
| be leaned on
| crumbshot wrote:
| The article isn't wrong though. The main uses of
| cryptocurrencies, other than as speculative assets, are online
| drug dealing and ransomware payments.
|
| For almost every other application, real money is more useable,
| convenient and reliable.
| paulsutter wrote:
| Actually bitcoin is terrible for illegal transactions.
| Everything is traced and logged for all time
|
| > The beauty of Bitcoin, from a detective's point of view, is
| that the blockchain records all. "If you catch a dealer with
| drugs and cash on the street, you've caught them committing
| one crime," Meiklejohn says. "But if you catch people using
| something like Silk Road, you've uncovered their whole
| criminal history," she says. "It's like discovering their
| books."
|
| https://www.sciencemag.org/news/2016/03/why-criminals-
| cant-h...
| dsyrk wrote:
| Not for much longer the upcoming taproot feature will
| dramatically improve on-chain privacy.
| tromp wrote:
| Taproot is a decent improvement, but hardly a dramatic
| one. Dramatic improvement requires hiding amounts, such
| as the Liquid sidechain does.
| meowface wrote:
| For Monero, yes, that's by far the predominant use. For a
| time, that was the predominant use for Bitcoin, but I'm
| pretty sure it isn't anymore as of like ~7 years ago,
| probably. (The article mentions Bitcoin - probably because
| ransomware operators know ransomware victims can more easily
| acquire Bitcoin than Monero - but for other kinds of serious
| black market activity it's almost always Monero.)
|
| For others, I think it's totally untrue even from the start.
| It's actually usually a lot easier to launder USD than it is
| to launder something like Bitcoin or Ethereum, given every
| transaction is completely public and traceable.
| ethanbond wrote:
| The important feature of traditional accounts is that
| they're all individually tied to _some_ real-world entity.
| It's hard to understand what money ultimately went where in
| a chain of 10,000 purposely convoluted transactions even if
| you can see the entire transaction record. Good luck
| creating 10k bank accounts to shuffle money around.
| meowface wrote:
| True. But if someone's goal is to launder, they're just
| going to use Monero - no need to do any kind of shuffling
| and mixing like that. It's simply untraceable by default
| and way more anonymous than USD or Bitcoin.
| meowface wrote:
| (I should've said "nearly untraceable".)
| dogman144 wrote:
| You're going to have to cite that claim if you want it taken
| seriously. At this point it's an old criticism with
| frequently used and valid counterpoints.
|
| Given paying with crypto is as easy as a QR scan these days
| once someone is onboarded, the other claim that you use,
| convenience, is about to go out the window: see venmo,
| PayPal, CB integrations. You might not be following the
| industry much though?
|
| The problem with your approach here is I hear that, and then
| I think of HSBC opening a branch for the Sinaloa Cartel,
| laundering absurds amount of money for them, and no one ever
| going to jail.
|
| If the reason not to use crypto is not to support crime, have
| you or your friends used HSBC, and did you advocate for them
| to stop? There are several other banks on this roster as
| well. Two wrongs != right, but I'm not the one saying stop
| using fungible USD that has for certain touched crime.
| crumbshot wrote:
| > _Given paying with crypto is as easy as a QR scan these
| days once someone is onboarded, the other claim that you
| use, convenience, is about to go out the window: see venmo,
| PayPal, CB integrations._
|
| But why would you want to? In most cases, there's simply no
| benefit to using cryptocurrencies instead of real money.
|
| Even if we could pay for our groceries, clothing, water,
| electricity, rent/mortgage, taxes, etc. with
| cryptocurrencies (which, for the most part, we can't)
| rather than real money, there's no compelling reason to do
| so.
| dogman144 wrote:
| That's another pretty common criticism, and it's a fish
| don't know water is wet situation for USA/lot of western
| counties.
|
| Adoption reasons (and evidence) are fairly well known and
| proven in other parts of the globe that don't have
| currency safety.
|
| Fwiw Andreas Antonopolous's content from early 2010s is
| good for working through this territory.
| seaourfreed wrote:
| $32 Trillion is stored in Tax Havens, for tax evasion by the
| wealthy.
|
| SOURCE: Routers. https://www.reuters.com/article/us-offshore-
| wealth/super-ric...
|
| BBC: https://www.bbc.com/news/business-40442595
|
| Forbes: https://www.forbes.com/sites/kenrapoza/2017/09/15/tax-
| haven-...
| henvic wrote:
| Because tax havens really doesn't exist. What exists are tax
| hells! The fact that some countries have lower taxes means that
| society can produce more without having parasites in the state
| robbing everyone as easily!
|
| If anything, we need more tax havens.
| throwaway3699 wrote:
| Tax havens keep other countries accountable from
| overspending, because they know people will move away from an
| overzealous jurisdiction. Just look at CA.
|
| I would move my money to one if I could reap the benefits and
| I suspect people hate them only because they're not able to
| also do the same thing.
| linspace wrote:
| But why not move yourself?
| henvic wrote:
| Asking him to move because of this is pure fascism
| ideology. You should reconsider that.
|
| There are many reasons why someone might want to live in
| a place, despite the state there.
|
| The state and the country/state/city/whatever are
| different things.
| linspace wrote:
| I don't know what happened to me, lately I'm becoming
| more and more fascist. I thought you should pay where you
| live but I apologize. Clearly not paying taxes was with
| the best intentions, for a better world.
| throwaway3699 wrote:
| My government spent the better part of two decades
| bombing children in the Middle East. Why should I support
| that if I can choose not to?
|
| Also, can you say I'm not being swindled if I'm spending
| nearly half my income on taxes?
| varsketiz wrote:
| I'm sure your government was also doing other stuff, like
| providing schooling, roads and other infrastructure to
| you. You are freeriding at the expense of other fellow
| citizens, who pay taxes.
| throwaway3699 wrote:
| Taxation without representation causes wars. Tax evasion
| is civil disobedience.
| pyrale wrote:
| That's a _very_ convenient way to exercise civil
| disobedience.
| drummer wrote:
| Taxation is robbery, extortion and slavery.
| jrockway wrote:
| I suppose your free kindergarten through grade 12
| education, the water you drink from the municipal water
| system, the roads that were driven on to deliver a
| computer that can post to HN directly to your door, the
| DARPA project that became the Internet, etc. are
| "robbery, extortion, and slavery" as well. Now that we
| are all robbing, extorting, and enslaving each other...
| pay your damn taxes.
| throwaway3699 wrote:
| None of that requires a 50% tax rate like you see in some
| places. I don't think you realise just _how much_ is
| wasted. Go look at national debt figures, we could get
| the same things with half the tax.
|
| The infrastructure argument is moot, too. Just look at US
| infrastructure crumbling to bits.
| varsketiz wrote:
| Are you not able to vote?
| henvic wrote:
| I bet you wouldn't say that of someone who achieved a lot
| in life but was also a serial killer.
|
| "Sure the guy murdered a lot of children with poison, but
| let's not forget he also was the best ice cream maker in
| the neighborhood."
| varsketiz wrote:
| Why wouldn't I say that? I might.
|
| Are you comparing taxes to murdering children with poison
| and roads you drive on and schooling that you get to ice-
| cream? That is a bit of an oversimplification, don't you
| think?
| henvic wrote:
| It is. Taxes are slavery. Not paying them is better for
| everyone.
| arcticbull wrote:
| I didn't realize public schools, fire departments, police
| stations, roads, highways, bridges, army, water, a
| regulated EM spectrum, a managed airspace, a managed
| border and NASA, was slavery. It's gonna be tough to
| explain to my kids how the Mars Helicopter was slavery.
| Boy was I mistaken!
| 55555 wrote:
| They generally tax their own populace at a relatively
| standard rate (20-40%+) while taxing the offshore corps based
| there at 0% (or more). Hong Kong, for example. In a sense
| it's economic subterfuge/sabotage.
|
| This is a response to one possible reading of your comment.
| meowface wrote:
| If you read the whole article, I don't actually see any
| complaints about cryptocurrency or that it's the source of the
| problem. I think they're just stating the situation as it is
| and aren't casting any value judgment.
|
| I like cryptocurrencies, and I also work in information
| security and malware analysis. I acknowledge ransomware is a
| massive problem and that ransomware would be stupid to not use
| cryptocurrency. Technology isn't inherently good or bad; it
| just is what it is.
|
| I think one of the main sources of the problem here is
| international law enforcement. The Russian government and
| security/law enforcement services have a pretty open agreement
| with cybercriminals: don't target Russian citizens and we won't
| impact your business. A lot of these organizations are now
| complementing the ransoms with harassment and blackmail, too,
| like threatening to release sensitive documents, directly
| harassing CEOs, etc. And some directly target health care
| facilities, knowing there'll be more urgency to pay up.
|
| So if you're a Russian citizen, you have carte blanche to steal
| millions from people around the world, in an organizational
| structure that mostly resembles a kind of standard office job,
| with almost no anxiety that it'll ever come back to bite you
| (as long as you never travel outside of the country).
|
| It reminds me a little of old-school naval piracy and
| privateering in many ways.
|
| If you're in the US or UK or France or many other places and
| want to start a lucrative ransomware operation, there's a high
| chance you'll eventually get caught, so the risk of long-term
| imprisonment is enough to deter you even if easy millions may
| tempt you. If you have no moral qualms, great incentives, and
| nothing to deter you, the possibilities are limitless.
|
| I'm not saying that all countries should extradite - just that
| they should at least make a good faith effort to cooperate with
| other countries' law enforcement and stop serious cybercrime
| like ransomware. Though I can understand why an "underdog"
| nation-state may want to have good relations with some talented
| criminals within their borders who they may be able to recruit
| or order around as needed.
| ChrisMarshallNY wrote:
| _> If you read the whole article_
|
| That would be lovely, but I don't subscribe to _The
| Economist_.
| meowface wrote:
| Yeah, don't blame you or anyone else for clicking the link,
| seeing the paywall, and immediately closing the tab. It's
| what I did, as well.
|
| Some commenters posted non-paywalled links below. Not sure
| of the legality, but I wish HN would/could automatically
| replace paywalled article links.
| jaclaz wrote:
| As well, no idea about the legality, but this particular
| article is readable with Javascript disabled, JFYI.
| paulpauper wrote:
| >If you're in the US or UK or France or many other places and
| want to start a lucrative ransomware operation, there's a
| high chance you'll eventually get caught, so the risk of
| long-term imprisonment is enough to deter you even if easy
| millions may tempt you. If you have no moral qualms, great
| incentives, and nothing to deter you, the possibilities are
| limitless.
|
| easy? hardly. you only hear about the successful ransomware.
| The twitter btc giveaway scam is way more profitable, harder
| to detect, and easier than trying to code ransomware. People
| make 1 btc/day undetectable with giveaway scam
| meowface wrote:
| Yeah, I shouldn't have said easy, but easier to make
| millions that way than trying to create a legitimate
| startup or something.
|
| And you're right, there are certain kinds of scams that are
| possibly more lucrative for way less effort. A lot of these
| ransomware gangs started years ago when such scams weren't
| quite so lucrative. I wouldn't be surprised if many are
| pivoting into cryptocurrency-related scams and heists.
|
| If you're ignoring effort, though, that one Twitter hack
| with the BTC-doubling scam made about $100k over a few
| hours, and that was with access to the top accounts on the
| platform.
|
| According to a random Google search, a ransomware operator
| makes an average of $300k per company-ransoming. If you're
| getting 5 companies to pay you an average of that much per
| week, it's probably more lucrative than any giveaway scam,
| even if it takes a lot more effort and skill. And if you're
| getting more than 5 companies per week, it might be more
| lucrative than almost any kind of scam.
| mountainb wrote:
| It is exactly analogous to piracy in the 17th and 18th
| centuries including that pirates operate out of states that
| are too strong to just outright destroy. When the states were
| no longer too strong to destroy, they were destroyed as in
| the 1816 destruction of Algiers by naval bombardment.
|
| It's not just Russia but anywhere that is outside the reach
| of US court orders and extradition treaties.
| meowface wrote:
| Exactly.
|
| >It's not just Russia but anywhere that is outside the
| reach of US court orders and extradition treaties.
|
| Indeed. It just so happens that the vast majority of these
| ransomware gangs operate out of Russia and neighboring
| states. Probably in part due to the confluence of good
| technical education options, a huge population, and a
| government that permits the activity. (Not trying to say
| anything about Russia or Russians but just its government's
| policy. If it were the US that had this policy, I'm sure
| the biggest ransomware gangs would operate in the US,
| instead.)
|
| Another thing that reminds me of piracy (and also EVE
| Online piracy, for anyone who's played that game) is the
| strict adherence to the basic pirate code of honoring
| ransoms so that future victims will be willing to pay.
| They're as ruthless as they can be before payment, but if
| the victim cooperates and pays, then they'll keep their
| word - they provide the decryption key, don't release any
| of their data, and mark them to not be targeted in future
| ransomware campaigns. It's solely about making as much
| money as possible.
| anonymousDan wrote:
| Hi, I would be super interested in any evidence you could
| provide that ransomware authors won't target victims in
| future ransomware campaigns.
| TedDoesntTalk wrote:
| Especially since that implies they all work together and
| maintain lists of forbidden targets.
| bloak wrote:
| > It's not just Russia but anywhere that is outside the
| reach of US court orders and extradition treaties.
|
| Extradition is not a requirement. France, like Russia, will
| not extradite its own citizens, but you don't see so many
| criminal gangs operating out of France.
| meowface wrote:
| Yeah, it's not merely a matter of Russia not extraditing;
| they simply don't address the problem at all unless the
| cybercrime is also affecting other Russian citizens. And
| in some cases the security services seem to have direct
| relationships with some cybercriminals. (I'm not sure how
| friendly or close the relationships are, but there's
| definitely some tit-for-tat: we let you operate and make
| all this money, and in return you do us favors when we
| need them. I believe laundering is one example, like in
| the BTC-e case.)
| loa_in_ wrote:
| It's a very efficient way to operate. This is mostly
| unrelated, but it reminds me of all those claims of how
| free market and capitalism promote efficiency wherever
| they reign.
| DyslexicAtheist wrote:
| agree with all points but this one: >
| Technology isn't inherently good or bad; it just is what it
| is.
|
| I think we need a new framework for looking at this. All of
| technology creates different variations of the trolley-
| problem. So it's like saying: Trolley-company
| isn't inherently good or bad; it just is what it is.
|
| In most cases we don't even know there is a trolley so we get
| away by framing it like this but it's deeply problematic IMO.
|
| Those who write the history books and get to frame things for
| the future are always the representatives of the trolley
| company. But just because we have framed it this way
| throughout human history by using terms such as good, bad or
| neutral doesn't help either. I'm not saying that tech is bad
| I'm saying that saying any insinuation of presenting Tech as
| neutral from a moral (not legal) pov is problematic. Because
| if we use this by looking into the past then we must also
| acknowledge all the medical breakthroughs that were created
| during WWII. (I'm using a flippant point for purpose of
| illustrating just how problematic this statement is and we're
| not gonna find a solution by focusing on Technology because
| it's above all not a technical problem)
|
| Especially people in security would be well positioned to
| think about this because of the bird-eye pov and adversarial
| thought that's required to analyse it. But perhaps it's not
| enough and we also need to integrate people from other
| domains (or at least stop being hostile to the social
| sciences as an "inferior science" ... because this is exactly
| the place where we don't see the forest because of the trees)
| meowface wrote:
| >I'm not saying that tech is bad I'm saying that saying any
| insinuation of presenting Tech as neutral from a moral (not
| legal) pov is problematic. Because if we use this by
| looking into the past then we must also acknowledge all the
| medical breakthroughs that were created during WWII
|
| (I totally understand your point, but my understanding is
| that actually very little of medical significance happened
| to be learned from the human experimentation conducted by
| Nazi Germany and Imperial Japan during WWII, if that's what
| you're referring to. But for the sake of argument we can
| assume it did result in medical breakthroughs. Or if you're
| just referring to all the breakthroughs that occurred due
| to the pressure of the war, then that works, too.)
|
| You're right, it's difficult to consider all technology as
| objectively neutral. If someone invents a device that lets
| any random teenager easily and cheaply release an
| aerosolized neurotoxin into a city center and kill
| thousands of people, it's hard to steelman the "it's the
| people, not the technology" argument in that case.
|
| Philosophically, my post wasn't too rigorous or accurate. I
| think in the case of cryptocurrencies, though, there's
| enough of a balance of positive and negative that it's
| foolish to discard and vilify the entire concept, even if
| there are many uses (e.g. scams) that do deserve the
| critical reaction. If something has some positive utility
| to it, those always need to be kept in mind. Otherwise, all
| the politicians arguing in favor of banning encryption
| would have a much easier time, for example.
| TeMPOraL wrote:
| > _If someone invents a device that lets any random
| teenager easily and cheaply release an aerosolized
| neurotoxin into a city center and kill thousands of
| people, it 's hard to steelman the "it's the people, not
| the technology" argument in that case._
|
| Let me try, though, because I think it's important.
|
| Technology doesn't grow on trees. There are about two
| ways such a deadly device could be made available to a
| random teenager:
|
| 1. Accidental convergence of unrelated technologies.
| Somehow, it becomes cheap and easy to acquire a potent
| neurotoxin (an exotic animal or plant, perhaps?), tools
| to isolate, clarify and refine it (some toolkit from a
| chemistry lab?), a refillable spray can, a compressor,
| protective gear. A random teenager could then,
| technically, use all these to perform a chemical attack
| on a budget - if they knew how, and had a will to.
|
| 2. Turn-key solution. Somehow designs and makes widely
| available a device for cheaply release aerosolized
| neurotoxins.
|
| In the first case, it's hard to blame any individual
| piece of technology involved. It boils down to the person
| willing to weaponize them, or one teaching others how to
| do it. Worth noting is that all the technologies
| mentioned (except maybe the neurotoxin itself) are
| already widely and cheaply available, and necessary know-
| how is part of high school chemistry curriculum - and I
| don't think anybody sees any real risk in this.
|
| In the second case, the turn-key solution was explicitly
| designed with malicious intent - designed by someone who
| knew the end goal. Most likely commissioned by someone
| else, who also knew the end goal. Also made available to
| random teenagers by someone who knew what it is. That's
| at least three people with ill intent, without whom the
| technology would not exist (or it wouldn't be a threat).
| It seems to me that in this case, it's also the humans
| should be the center of focus.
|
| With respect to real, instead of hypothetical,
| discussions about technological neutrality, I feel the
| constant focus on technologies and technologists in
| general is one big flock of red herrings - it exists to
| deflect the focus from the real problem, the people who
| commission and use these technologies with malicious
| intent.
| bumbada wrote:
| Let me guess: You are from the US of America.
|
| How do I know? Because the Russia is evil mentality. This
| comes from media in the US and lack of knowledge of History
| and geopolitics.
|
| Let's take some History lessons:
|
| Who sank the USS Maine? It was probably a false flag
| operation or the ship sank itself because of gas leak.We know
| it was not Spain, but it was used as an excuse to enter a war
| against Spain for taking Cuba and Philippines from them and
| committing genocide of at least a million people in the
| Philippines.
|
| Who killed Rasputin? The British Government. Why? Because
| Rasputin was very influential in making sure Russia did not
| enter the WWI. Because they wanted Russia to enter they
| propagated all kinds of lies against him that even today
| remain and eventually killed him.
|
| Who supported the Volsevisk revolution in Russia? The German
| Govertment so Russia would abandon WWI as they did after the
| Lenin coup.
|
| Governments have always supported crimes when they benefited
| from those crimes, and that has not stopped in modern times.
|
| I asked Reverte, an old war news reported who killed his
| friends and colleagues:
| https://en.wikipedia.org/wiki/Arturo_P%C3%A9rez-Reverte
|
| He told me:"Half Russian secret services, half the US secret
| services"
|
| In today's world, the US Government is behind way more crimes
| than Russia, because they are 10x or 20x more
| influential,specially after Berlin Wall's fall. Russia has
| the GDP of Spain.
|
| The second biggest criminal is China, for the same reason.
| But US media loves China though.
|
| Now when African activist that oppose a US multinational
| because gas or oil gets killed. Who do you believe is
| behind,Russia?
|
| Who do you believe is behind when people is killed protecting
| the Amazon Jungle against the people that want to plant soy
| so Chinese pigs(and Chine that eat pigs) could be fed?
|
| Who is behind all the chaos that is in north of Africa today.
| Who supported the war in Libia that made the Libyan army to
| infiltrate in all the Sahel.
|
| Who supported the war in Syria? Afghanistan, Iraq.
|
| How is that all those new weapons magically appear out of
| nothing?
| meowface wrote:
| This isn't about Russia or the US or politics or anything
| else you're talking about. It's about the Russian
| government's particular stance on cybercrime perpetrated
| against other countries. Unlike most other countries in the
| world, they explicitly choose to permit it as long as
| Russian citizens aren't targeted by it.
|
| That's the only thing I'm referring to, here; not anything
| else their current or past governments or any other
| country's governments have done or are doing.
| zozbot234 wrote:
| > And some directly target health care facilities, knowing
| there'll be more urgency to pay up.
|
| This is a pretty serious allegation, it might be considered
| terrorist activity depending on how you exactly define that.
| Same for attacks that intentionally target other critical
| infrastructure. Putting human lives at risk makes a very real
| difference here.
| meowface wrote:
| Absolutely. Not all ransomware gangs do; like pirates of
| old, some have a strict ethical code. Some also hate that
| others are doing it because it attracts more negative
| international attention towards them. Some care purely
| about money, though, and see hospitals as easy paydays.
|
| Here's a September 2020 interview with one operator:
| https://talos-intelligence-
| site.s3.amazonaws.com/production/...
|
| >The actor appears to have a contradictory code of ethics,
| portraying a strong disdain for those who attack health
| care entities while displaying conflicting evidence about
| whether he targets them himself. This is probably
| representative of many adversaries engaged in illicit cyber
| activity.
|
| >Hospitals are considered easy targets, making ransom
| payments 80 to 90 percent of the time during a ransomware
| attack.
|
| When easy money's in front of you and there are no
| deterrents, the sole thing holding you back is your ethics,
| and given a large enough number of people, some are going
| to have very little in the way of ethics.
|
| They're so brazen that many don't even care much about
| privacy. If there are no possible repercussions, why bother
| trying to conceal yourself?
|
| >During our initial conversations, we shared what we
| believed to be Aleks' identity and location based on our
| own research, which he confirmed.
| runawaybottle wrote:
| I'm concerned about this. America has shown since Vietnam
| that we don't win in unorthodox wars. The Taliban beat us.
|
| The only analogy I can think of is if a smaller power
| constantly harasses a larger powers trade routes. Eventually
| America gets exhausted because we only know how to win a
| direct war.
|
| They will exhaust us with this over time and continue
| building leverage. What are we seriously going to do? Goto
| war with Russia or China?
| meowface wrote:
| I don't think anyone wants to go to war over something like
| this. I definitely don't. There aren't a lot of options,
| though. You definitely can't do "extraordinary rendition" /
| kidnapping, for example.
|
| One is sanctions against specific individuals, which the US
| does do. So at least it's harder for them to participate in
| the international banking system.
|
| And from my understanding, US law enforcement will often
| try to trick these cybercriminals to travel to a seemingly
| more neutral country (sometimes areas that are common
| vacation choices for Russians), where they'll get arrested
| after arriving. Some of them have gotten nabbed this way -
| notoriously Alexander Vinnik, the owner of BTC-e and
| launderer behind the Mt. Gox hack [1], though I'm not sure
| if he was lured there or just happened to be there. But as
| long as someone is smart enough to never leave the country,
| I think they're pretty much untouchable.
|
| General geopolitical pressure and sanctions is probably the
| only viable option. Keep collecting evidence of the Russian
| government's permissive stance and bring it to the
| negotiating table. If enough pressure is exerted, they
| might eventually relent and actually start cracking down on
| the big actors.
|
| If they could pressure Russia to permit extradition to the
| US for serious crimes, that deterrence would probably stop
| a lot of operations overnight. I doubt that'll ever happen
| under Putin, though. (And it'd probably be unpopular enough
| in Russia that I doubt it'll happen under Putin's
| successors, either.)
|
| [1] https://www.justice.gov/usao-ndca/pr/russian-national-
| and-bi...
| bradleyjg wrote:
| Go after the financial links. If the only way the ransom
| can be paid is traveling to Russia with gold bars you'll
| see a lot fewer ransoms paid. And before you say
| cryptocurrency there's lots of ways Western governments
| could intervene if they got serious.
| runawaybottle wrote:
| I guess the question is, what does Russia want from the
| leverage gained from facilitating chaos?
| edoceo wrote:
| The leverage. One wants the leverage for the leverage.
| Then you can use it for all kinds of other things,
| including things you didn't think of before. Like money,
| save it up and spend on whatever you want at the right
| time.
| XorNot wrote:
| Something like 70% of the Russian population say Stalin
| was a great leader in surveys. Stalin killed by his
| orders more Russians then World War 2 did, far more
| people total then the Holocaust.
|
| Russian's in general are pushed towards this idea that
| they want to be a "great power" on the international
| stage again, that this will fix their problems - it's
| certainly how Putin actively thinks. Of course it's never
| made any sense: Russia is _huge_. Domestically there 's
| nothing it _needs_ internationally to be a wealthy
| prosperous nation, and all it 's problems _are_ internal.
|
| Hence the chaos: to Russian strategic thinking (that 70%
| isn't just "the people" its far more concentrated amongst
| the leadership), one way to be a great power is to knock
| America and the EU down and chaos suits just fine for
| achieving that.
| hhs wrote:
| Didn't feel like a complaint about cryptocurrency, but more of
| an update on empirical points. And agree, both tax havens and
| cryptocurrency seem important to consider.
| lucasyvas wrote:
| You're perspective is not wrong - these write-ups are just
| getting tiring because they almost sound like propaganda
| pandering to an audience that doesn't know any better and
| needs to be protected.
|
| The world's problems are well-documented and fighting
| technological progress is a waste of time. We need capable
| law makers and regulatory bodies. None seem fit to the task.
| ethanbond wrote:
| Which is why need broader dialogue on these problems. So
| people who are not already deeply invested in those
| problems (or underlying technologies) can start thinking
| about how to manage them effectively.
| shillforhumanty wrote:
| I couldn't reach the article from some error, I assumed from
| the title they were talking about IoT. I am surprised you
| mentioned it's about cryptocurrency. Yikes
| Spooky23 wrote:
| Cryptocurrency enables it.
|
| Tell me how you, the CFO of a small US city, would send $1M to
| Russia in 2006?
| api wrote:
| "New technology enables the unwashed masses to engage in
| financial crime at an industrial scale. That's supposed to be
| reserved only for oligarchs and politicians."
|
| This new technology also enables a degree of financial privacy
| that's a fundamental threat to civilization. It's... uhh...
| significantly less private than cash and (depending on the
| cryptocurrency used) often less private than bank wire. Never
| mind.
|
| FTFY
|
| Financial crime is one of those things that becomes less
| criminal as the scale gets larger or as one approaches
| influential political circles. Launder a hundred grand for a
| street drug dealer? Go directly to prison. Launder _billions_
| for drug cartels through major banks? You might get a fine and
| have to apologize.
|
| https://www.buzzfeednews.com/article/anthonycormier/hsbc-mon...
|
| Yes this last part is part whataboutism, but not without
| reason. 2008 proved that meaningful financial reform is
| virtually impossible. A riot is the last resort of the
| powerless.
| arcticbull wrote:
| > Also why don't we talk about tax havens while we're at it?
|
| Tax havens aren't a party to ransomware. This is just
| whataboutism.
|
| We can talk about tax havens too, but that's a different
| conversation for a different time.
| NotEvil wrote:
| Without crypto they were the things to go to. And also many
| criminals make use of them
| arcticbull wrote:
| I sincerely doubt most people who are today carrying out
| ransomware scams were wealthy enough 10 years ago to
| benefit materially from tax havens haha. If they were, they
| wouldn't be committing crime today.
| loa_in_ wrote:
| You shouldn't claim to know who does and who doesn't
| commit crime based on how wealthy are or were they.
| arcticbull wrote:
| It's more about rational self-interest. Do the wealthy
| regularly steal bread from the grocery store? Probably
| not. The risk-reward profile is all wrong - they have
| many much easier ways to make money. I suppose you're
| right that I don't know this for a fact, I'm saying the
| incentives are wrong.
| loa_in_ wrote:
| The way I see it, wealthy people have: more ability to
| evade being caught and they can operate on a scale that
| exceeds capacity of ordinary police. Their risks are also
| somewhat diminished because they have some way to
| persevere and something to fall on, even with a hefty
| fine. I imagine that there are people parking in illegal
| places every time because the fine is marginal to them.
|
| All I'm saying is that the way I see it, there's no
| correlation between wealth and affinity to crime.
| [deleted]
| [deleted]
| Merrill wrote:
| The problem is that politicians, being lawyers, believe that
| cybercrime can be controlled by after the fact detection,
| apprehension, and punishment.
|
| This does not work for cybercrime. Cyber systems must be designed
| so that crime cannot happen.
|
| But a large part of the government does not want that level of
| security built into systems.
| ______- wrote:
| There is a theory floating about that some ransomware attacks
| were done purely to damage a country's infra and making money was
| a bonus, but not the main aim. So the perpetrators used
| ransomware as a _front_ and the real goal is to destroy and
| disrupt a country 's computer infra.
|
| But then we could argue ransomware is just going to bolster and
| make our systems antifragile and resilient against such attacks
| in the future, so the ransomware attacks could backfire since in
| the future it would be much harder to attack the US for example
| with other types of malware.
|
| It also means people are going to be storing mission critical and
| crown-jewels type data in airgapped systems and making
| filesystems read-only. The data would also be encrypted and
| compartmented into separate containers so attacks can't affect
| the whole filesystem if the airgap was breached.
|
| Thank you ransomware authors for forcing people to have better
| security!
| enkid wrote:
| I mean, notPetya claimed to be ransomware, but you couldn't pay
| the ransom, so yes, at least some ransomware is politically
| motivated instead of financially motivated.
| suifbwish wrote:
| The problem with recent ransomware is that they get ahold of
| sensitive data then threaten to leak it if you don't pay. This
| is problematic because you can't be rid of it. Depending on the
| gravity of the data, if you pay them it's perfectly plausible
| for them to show up later and demand another payment or even
| force you into a perpetual payment system.
| anigbrowl wrote:
| Funny, I've been hearing that argument since the 1990s yet here
| we are. This concept isn't new, military aircraft were been
| hardened against electronic attack for years by limiting them
| to very simple software loaded from tape.
|
| There's a kind of product life cycle where people build tough
| robust systems with state-of-the-art technology, then those
| become dominant to the point where it seems superfluous, and
| people see opportunity in reducing inefficiency,
| overengineering etc., and adding new and genuinely beneficial
| features instead.
| petra wrote:
| >> then those become dominant to the point where it seems
| superfluous
|
| Interesting. Can you give an example that happening over the
| large scale in some non-military field?
| Spooky23 wrote:
| Apropos to ransomware, network filers.
|
| As the network gets more dangerous, old mechanisms aren't
| safe to operate, so you transition to a cloud file
| solition.
| pdkl95 wrote:
| It's just a variation of the Normalization of Deviance. See
| this[1] short talk by Richard Cook for a very good
| explanation of the mechanism that causes the transition
| from "robust" to "superfluous".
|
| [1] https://www.youtube.com/watch?v=PGLYEDpNu60
| [deleted]
| neonate wrote:
| https://archive.is/qWIxr
| TheGigaChad wrote:
| No Coiners, charge into the breach!
| [deleted]
| djoldman wrote:
| https://outline.com/jpaTRm
| ExtraE wrote:
| > The phones were seemingly designed to hide criminal activity,
| with end-to-end encryption, disappearing messages and no gps
| data. Subscriptions were paid in Bitcoin.
|
| Some of this is unusual (no gps) but the rest is standard, no?
| iMessage is e2e encrypted and lots of platforms have disappearing
| messages.
| paulpauper wrote:
| Why cant arrests be made during the cash out process. surely it
| cannot be that hard to trace some of the money
| throwaway3699 wrote:
| Money laundering online is quite seamless. Just launch an
| online store or something.
| miohtama wrote:
| Most of operators are more or less well-known. But Russia lacks
| incentive to go after its own citizen who damage American
| companies.
| meowface wrote:
| Monero transactions are extremely difficult to trace.
|
| Bitcoin transactions are traceable and can often lead you to a
| real person or organization, but if you're the FBI and you're
| tracing some Russian resident cashing out some extortion
| payments at a Russian exchange and transferring that money to
| their Russian bank account, there's nothing you can do about
| it.
|
| The vast majority of these ransomware gangs are in Russia
| and/or neighboring states, so that means you can't really do
| anything about any of them, besides trying to periodically go
| after some of their infrastructure in a whack-a-mole manner.
| You can't actually do anything about the criminals themselves.
|
| (I wrote more about this here:
| https://news.ycombinator.com/item?id=27096715. Not saying about
| Russia or its people, of course, and I know there's a lot of
| anti-Russia writing in the West, but this particular issue of
| ransomware can definitely be largely blamed on the Russian
| government's stance of not addressing it as long as Russian
| citizens aren't targeted.)
| tromp wrote:
| They're mostly untraceable, but not completely. That's why
| Monero devs keep trying to increase the ring size.
| meowface wrote:
| Thanks, I've clarified my post.
| csomar wrote:
| They get arrested as soon as they land on US-friendly soils.
| (ie: https://en.wikipedia.org/wiki/Alexander_Vinnik )
|
| But, yeah, otherwise the US can't do much if they are
| currently in Russia or China.
| paulpauper wrote:
| but cross chain tx of millions of dollars of btc to xmr is
| not exacly trivial, unles there is someitng i am missing
| meowface wrote:
| Indeed; it's their country's law enforcement being okay
| with the crimes that's the core of the problem, here.
| mindslight wrote:
| It's almost like the FBI's activities on this matter are
| futile and should be replaced with continual public service
| announcements telling people to not give money to the
| telephone.
| meowface wrote:
| This isn't scamming but rather ransomware extortion. If
| you're the CEO of a company and a ransomware gang targets
| you, encrypts the disks of every single server, including
| backups - leaving you completely inoperable - and messages
| you with screenshots of all the sensitive documents and PII
| they'll release if you don't pay, it's hard to just release
| a PSA telling people to ignore it.
|
| The threat is absolutely real, and the total cost might end
| up being much more than the ransom payment. This happens on
| a daily basis. You might as well inform people to not pay
| when a cartel kidnaps their child and holds them for
| ransom.
|
| A better PSA would be to keep off-site cold-storage
| backups, secure hot backups as much as you can, abide by
| the principle of least privilege, keep sensitive materials
| in as few and secure of places as possible, general network
| and application security advice, etc. But no matter how
| much you try to inform people, there'll still be thousands
| of companies that won't win against organized crime gangs
| filled with sophisticated, dedicated attackers who are
| constantly scouring for potential new victims and who know
| they have no risk of being hampered by any law enforcement
| organization in the world.
| richwater wrote:
| > If you're the CEO of a company and a ransomware gang
| targets you, encrypts the disks of every single server,
| including backups - leaving you completely inoperable -
| and messages you with screenshots of all the sensitive
| documents and PII they'll release if you don't pay, it's
| hard to just release a PSA telling people to ignore it.
|
| If a company is this incompetent once, it will happen
| again. Paying a ransom is just giving the company the
| opportunity to cover it up and collect more PII without
| punishment or oversight.
| meowface wrote:
| They should indeed be required to report such incidents.
| But banning the paying of ransoms is also foolhardy, I
| think, even though the US has now officially declared
| that paying ransoms is illegal.
|
| They're hoping to game-theoretically reduce ransomware
| attacks with this policy, but I'm not sure if it'll work.
| (It might be working to an extent, though, because in the
| interview I reference in
| https://news.ycombinator.com/item?id=27097061, the
| ransomware operator says he's concerned about this
| policy.)
| anigbrowl wrote:
| I think the prohibition is on _facilitating_ payment of
| the ransom (eg to a previously sanctioned individual or
| organization).
|
| So what we could see is a situation where Alice kidnaps
| Bob and tells Carol to pay a ransom; Carol attempts to do
| so but when she goes to withdraw money from her bank
| account Dave, her banker, puts a hold on the transaction
| or even freezes her account if the fact of Bob's
| kidnapping is widely known.
|
| Bob doesn't make it but Eve, Frank, and Gary tell Carol
| that his life is a small price to pay for standing up to
| Alice's terrorism.
| mindslight wrote:
| The public article just mentions phone scams, but now
| having read the Outline link I see the private version
| goes into much more. Obviously PSAs aren't an approach to
| ransomware, but talking about the need to take software
| security seriously isn't as directly actionable.
| pdkl95 wrote:
| It is always a temptation for a rich and lazy nation, To
| puff and look important and to say: -- "Though we know we
| should defeat you, we have not the time to meet you.
| We will therefore pay you cash to go away." And that
| is called paying the Dane-geld; But we've proved it again
| and again, That if once you have paid him the Dane-geld
| You never get rid of the Dane. It is wrong to put
| temptation in the path of any nation, For fear they should
| succumb and go astray; So when you are requested to pay up
| or be molested, You will find it better policy to say: --
| "We never pay any-one Dane-geld, No matter how trifling
| the cost; For the end of that game is oppression and shame,
| And the nation that pays it is lost!"
|
| https://www.poetryloverspage.com/poets/kipling/dane_geld.htm...
|
| We've known for hundreds (thousands?) of years that paying ransom
| only encourages _more_ demands for ransom in the future. The
| solution to this is backups and improved security. I know that 's
| expensive. Pay that cost now or continue paying more _dane-geld_
| proving over and over again that you are a mark that will pay.
|
| > or, increasingly, to prevent them from being leaked
|
| Why did high-risk data exist in the first place? Maybe stop
| gathering so much risky data.
| arcticbull wrote:
| This sounds a lot like a victim blaming to justify the
| existence of a technology which intentionally seeks to make
| transactions like these easier.
| loa_in_ wrote:
| The victims' only mistake was the way they underfunded their
| IT security. It's not a small mistake though, and the
| financial losses of the victim itself can in certain cases
| easily be dwarfed by losses of people who got their data
| exposed.
| brightball wrote:
| I was shocked when I heard a ransomware expert at a security
| conference tell everybody to just pay the ransom. Shocked.
| ENGNR wrote:
| Maybe he/she has an alter ego who does 'research' into
| ransomware in the middle of the night </conspiracy>
| fungiblecog wrote:
| But it's the right answer for an individual org in that
| situation.
|
| Of course the correct answer for everyone, in the long term,
| is to have backups and not pay.
| Spooky23 wrote:
| What else do you do? If you don't have a backup and need the
| stuff, you're out of options.
| 1vuio0pswjnm7 wrote:
| "As ransomware has grown, so has the industry promising to
| protect firms from it."
|
| In the aggregate, there may be more money being siphoned off
| businesses by offering "protection" as a service than from
| ransom demands.
| beloch wrote:
| Imagine for a moment that, despite all the precautions you
| yourself take, a clever crook manages to lock you out of some
| important files and demands a ransom. What do you do? It's easy
| to say cost is no object, but what if no amount of money, even
| far exceeding the cost of the ransom, can recover your files?
|
| The attitude that people who are hacked should have taken
| better precautions and should fend for themselves is a big part
| of what makes us soft targets to cybercrime. Imagine if we
| treated murder this way. "Oh, sure, he was killed, but he was
| walking down the wrong street at the wrong time of day. He
| should have known better! Let's start an educational initiative
| to make sure other people know what streets they shouldn't walk
| down at night!"
|
| We must expect the state to do a competent job of protecting
| citizens from cybercrime but, in most jurisdictions,
| governments do not devote adequate resources to this task. That
| needs to change.
|
| New technology and _inadequate response from governments_ is
| what has created this bonanza for a new kind of criminal.
| openfuture wrote:
| I almost got murdered in Africa, the general consensus is
| that this is expected behaviour for night time and I was at
| fault. For what it's worth I agree with that...
|
| Cybercrime isn't so much crime as a basic reality of these
| systems. The level of policing we'd need is a ridiculously
| high cost in comparison to improving the public
| infrastructure that is computer security.
| nradov wrote:
| Paying any sort of ransom should be illegal with severe
| criminal penalties. If that means that some businesses or
| people are ruined then so be it. That would be an acceptable
| cost to reduce similar attacks against others in the future.
| gambiting wrote:
| Well, fortunately you don't get to decide that.
|
| Also imagine how well this would go - your child was
| kidnapped, but now you have to go to prison because you had
| the gall to make sure they go home safe.
|
| Like, I get your point, but it's one of those armchair
| social science ideas that can go into a cabinet full of
| really cool and really obvious ideas that won't ever be
| implemented in reality.
| chrischen wrote:
| If you pay the ransom you've doomed future children to be
| kidnapped as well.
| woah wrote:
| Isn't ransomware trivially preventable by backing up files, and
| having a completely different security procedure and credentials
| for modifying backups than doing anything else in the system?
| benjohnson wrote:
| Used to be. Now they grab a copy of the data and threaten you
| with divulging it. That can be a huge problem.
| arp242 wrote:
| Also an outage in itself can be a major issue. A health care
| provider with no working computers is kind of dead in the
| water these days, and fixing all of this can take days or
| weeks.
| pyrale wrote:
| The issue is that getting a competent workforce to maintain
| your systems is not always easy, especially if you're not in an
| industry with a connection to tech.
|
| Ransomware also targets individuals, which typically don't have
| the knowhow to sanitize their computers. Since our industry is
| kind of not caring about security wrt consumer goods, they're
| left to fend for themselves.
| anigbrowl wrote:
| Only if the victim is 100% sure that the ransomware gained
| entry to the system recently and by a known security failure,
| eg you click on a phishing link and then have a problem
| immediately afterwards. If there's any reason to believe that
| it could have been placed earlier and then the attacker waited
| a while to set it off, it means your backups are probably
| compromised too.
|
| Imagine you restore your backups (taking a whole weekend) but
| it turns out the ransomware is some kind of kernel-level hack
| that also patches ls to lie to you about file being there when
| they aren't (as an over-simplified example). Once you realize
| this you can switch to another tool and pinpoint where things
| are going wrong, but now restoration takes twice as long as
| before plus the farther back you go the more commercially
| valuable data you lose.
|
| You don't even need to compromise the backup software, as long
| as it looks like you _might_ have done so.
| koheripbal wrote:
| Newer variants search and destroy backups first, and poison
| systems for a couple weeks before cryptolocking everything
| first.
| anonymousDan wrote:
| Would be really interested to see a write-up of those
| poisoning variants. Presuming cold backups are tamperproof,
| it seems to me poisoning really only make sense when fresh
| data is significantly more valuable than historical (pre
| infection) data? If you had a hypothetically secure recovery
| testing procedure, then it should pick up the data is
| corrupted right? In which case you could tune the frequency
| of when you run it to reduce the amount of potential fresh
| data loss.
| ur-whale wrote:
| https://archive.is/qWIxr
| DangitBobby wrote:
| I wonder why pages on archive.is never seem to present the
| Reader Mode option when opened in Firefox or Chrome. I wish
| there were a force reader mode option so I could at least try
| to improve my situation in the case that the archive.is renders
| some lines of text as 100% overlapping.
___________________________________________________________________
(page generated 2021-05-09 23:00 UTC)