[HN Gopher] Companies may be punished for paying ransoms to sanc...
___________________________________________________________________
Companies may be punished for paying ransoms to sanctioned hackers
Author : ryan_j_naughton
Score : 246 points
Date : 2021-05-18 15:54 UTC (7 hours ago)
(HTM) web link (www.reuters.com)
| robbrown451 wrote:
| I still like my idea of keeping it legal to pay the ransom, but
| you have to pay an equal amount as a fine/fee to the government.
| Deter the bad guys by driving the market price up (so in effect,
| the bad guys will collect less money because they can't ask for
| as much), and incentivize prevention (i.e. making systems more
| secure) by making it more costly to address after the fact.
|
| https://news.ycombinator.com/item?id=23659729
| rectang wrote:
| This is a national security issue -- malicious actors based in
| other nation-states are raiding American companies. It seems that
| US defense forces are not up to the task of repelling these
| invaders -- yet we're expecting individual companies to go up
| against them??
|
| It will be a long, long time before the marketplace evolves
| sufficient technological measures to guard against state-
| sanctioned/possibly-state-sponsored malicious actors operating
| with impunity in a lawless environment.
| happymellon wrote:
| I guess that they could always have backups.
|
| Then they also don't need to pay the ransoms.
| uses wrote:
| Backups are no longer a cure-all. Because now the attackers
| threaten to publish the data.
| CogitoCogito wrote:
| Yeah I think this is the way it should be interpreted. If you
| get yourself in the position where you need to pay the
| ransom, your security practices have failed. This makes that
| possibility more expensive. This is not a ridiculous idea.
| dd82 wrote:
| backups are a one-way hash unless you've tested your
| restoration
| Spivak wrote:
| While it's always good to state the importance of testing
| your backups the fear that HN seems to have surrounding
| backups seems really out-of-touch. You would believe that
| everyone's backups are teetering on the edge of failure
| constantly. If your backup process is so brittle and
| complex that you assume that it will be broken when you
| need it you should probably do something about _that_.
| It's not that hard to have the things that store your data
| spit it out on a schedule to be transferred somewhere
| write-only and durable.
| marcosdumay wrote:
| > You would believe that everyone's backups are teetering
| on the edge of failure constantly.
|
| Hum... Backups aren't normally "at the edge of failure",
| the procedure either works or doesn't work. One must test
| to ensure the procedure works and continue working after
| all the environment changes done today.
|
| That is, except for proprietary formats, like Exchange.
| Those can fail at any time, retroactively.
| tolbish wrote:
| There is a difference between verifying that your data is
| backed up and verifying that you can do a complete
| operational restore on a moment's notice.
| kuratkull wrote:
| Getting it back into a fresh live server without warnings
| and errors is the tricky part.
| davidgh wrote:
| But if you have a backup of the data, at least _it's
| possible_.
| bluGill wrote:
| Oh sure, but if you have the data you can hire people to
| get it done. The important part is having the data, if
| the data is there (meaning not encrypted) money and time
| can get it working. I'd much prefer to have a good backup
| media vs having to find someone who knows how to read
| faded data from a way overused and well out of date tape,
| but there is technology to get back data from such bad
| backups.
|
| The important part is having the backup in some form.
| Having a well tested restore ability is a great idea, but
| not nearly as important as having the backups in the
| first place. Most backup programs are designed for
| restore, even if you screwed up, odds are you can get the
| data back later.
| kuratkull wrote:
| Having a downed database server for e.g. 24h (while you
| are out trying to hire people to fix the failing restore
| for you) will probably mean you lose many of your B2B
| service users. Your clients might also try out that shiny
| new SLA you promised them.
|
| Backups also ensure business continuity - which might be
| more important than past data for some workflows.
| marcosdumay wrote:
| If you can't automatically restore, it's because you've
| lost data. There is a huge variance on the data value and
| difficulty of recreating it, but a backup should let you
| clearly and unambiguously recreate whatever system you
| are backing up.
| balabaster wrote:
| And really it only takes a bad actor inside a company to
| circumvent most of the security on-site anyway. Until companies
| treat every accessor to the network as malicious, this will
| continue to go round in circles. Most businesses just don't
| have the budget to deal with security this way.
| emteycz wrote:
| Perhaps it's time for network police then. We don't expect
| businesses to deal with other crimes...
| balabaster wrote:
| There needs to be something. I'm curious what we will come
| up with. Some kind of sentinel that sits on the network and
| does behavioural and threat analysis of all network traffic
| and prevents damage before it can happen perhaps?
| nradov wrote:
| Such sentinel devices have been available for years. The
| trouble is they can't reliably identify attempts to
| exploit zero-days because the patterns are unknown.
| aaronax wrote:
| When I hear something like "network police", I start
| drawing parallels to the real world. In the physical
| world, you generally don't have anonymous people running
| around (or at least most cases you have a way of linking
| any actions/crimes committed to a real, permanent
| identity), disguises aren't allowed, and trespassing is
| not permitted.
|
| So the Internet could be like this if it was more
| regulated. Anonymous traffic could be prohibited...no
| more TOR nodes, no hands-off proxying of traffic, no
| "it's an open access point, I _totally_ don't know who
| was creating that torrent traffic".
|
| Would these sorts of laws be accepted, or would they
| simply result in more attempts to anonymize traffic?
|
| I imagine that this is sort of what things are like in
| more authoritarian places like China. Is it effective
| there?
| sneak wrote:
| Suggesting that this is a government problem to solve, or an
| invasion, leads to a type of framing that harms you and
| everyone else in your country that has or uses computers.
|
| It's also not really a national security issue. The USA will
| continue to exist and function as the USA even without gas
| pipelines and power generation.
|
| "National security" isn't some blanket term to mean "large
| infrastructure required for major industries", it has a
| specific, defined meaning. Just because the feds use it as a
| blanket justification for a bunch of stuff doesn't mean we
| should embrace that usage, otherwise when everything is a
| matter of "national security" then nothing is. It's just like
| the overuse of the term "terrorism" to mean "any big crime".
| throwawaygh wrote:
| _> The USA will continue to exist and function as the USA
| even without gas pipelines and power generation._
|
| Temporary outages, maybe. Sustained outages (or destruction)
| of gas pipelines and power generation, if systemic, would
| almost certainly mean mass starvation.
| sneak wrote:
| I agree. That's not at all what ransomware does or is even
| within the realm of possibility here, however.
| bluGill wrote:
| It leads in the direction. The better we get at defending
| against these "lesser" attacks, the better we are at
| defending against the bigger attacks that might happen.
| Also the less likely it is someone will develop those
| attacks in the first place because there is less
| incentive to learn how they work.
| adrianN wrote:
| What alternative definition of "national security" do you
| propose?
| shoto_io wrote:
| Yes. It's called asymmetric warfare. It's very cheap to attack.
| And it's very expensive/resource intense to defend.
|
| Most probably "state actors" are taking advantage of this
| asymmetry to extort money and bind resources. It's a hidden
| "war" going on out there.
| wearywanderer wrote:
| The military can't stop it, the police can't stop it, companies
| can't stop it, and the marketplace can't stop it.... so what
| are you proposing? Surrender? Escalating to a hot war?
| tw04 wrote:
| > It seems that US defense forces are not up to the task of
| repelling these invaders -- yet we're expecting individual
| companies to go up against them??
|
| They aren't? Has NORAD control been hacked? Any battleships or
| predator drones?
|
| I admit it's a bad look when, for instance, a VA database is
| compromised and private information for millions of government
| employees are exposed, but I'd also be SHOCKED if the NSA were
| dedicating resources to protecting that data.
|
| Outside of Snowden, what leaks of stuff "the US defense forces"
| are actually attempting to protect have been captured?
|
| >yet we're expecting individual companies to go up against
| them?
|
| The companies in question appear to not even be doing basic
| things like taking backups and making them immutable. I don't
| think anybody is expecting them to have perfect security, but
| it doesn't take a lot of effort to backup to a tape and stick
| it in Iron Mountain for 2 years, it just takes money.
| roywiggins wrote:
| _Has NORAD control been hacked?_
|
| If it was, how would we know?
|
| (outside of, uh, kinetic consequences)
| eagsalazar2 wrote:
| The US military doesn't exist to protect its own assets. That
| is a secondary concern.
| xpe wrote:
| No. The old adage tells an important lesson: you cannot
| take care of others if you cannot take care of yourself.
|
| Even a cup of water cannot function if it cannot maintain
| structural integrity.
| dataangel wrote:
| > Any battleships or predator drones?
|
| yes actually over ten years ago this happened already
| https://www.cnn.com/2009/US/12/17/drone.video.hacked/index.h...
| bilbo0s wrote:
| I can't find it, but I'm pretty sure Iran has also lifted a
| drone of ours using a security hack. So if Iran can do it,
| I'm sure that means others have the same capacity.
|
| Maybe security holes are just part and parcel to the whole
| enterprise. So you have to accept them and center your
| preparation around your response to such losses. How do you
| get back up and running? How do you operate without the
| asset that was compromised? And so on.
| dec0dedab0de wrote:
| it was GPS spoofing
|
| https://en.wikipedia.org/wiki/Iran-U.S._RQ-170_incident
| adrianN wrote:
| Right, so we replace every company's IT department with a
| division of the military, as a first step.
| eagsalazar2 wrote:
| There are so many levels on which our own govt is complicit in
| foreign crimes. There is no way our govt ever "fights" these
| attacks until we first eliminate the deeply corrupt forces that
| currently control it. Also very unlikely.
|
| OTOH, this isn't _just_ about bad actors raiding. This is also
| about terrible security practices that are easily avoidable
| with an ounce of expertise and giving a shit.
|
| In addition to your idea (let's make believe for a moment...)
| how about the US govt _itself_ sponsors these attacks, and then
| instead of demanding ransom, they just levy huge fines against
| the companies who have carelessly let this happen? Extending
| your analogy, this would be no different than fines or lawsuits
| for carelessness and failures in physical infrastructure.
| munk-a wrote:
| A socialized defense force against these sort of ransom attacks
| seems a bit antithetical to the American culture - taxes would
| go up and profits down to provide a service that only exists
| for a few "market losers".
|
| I suspect this bill will face significant lobbying against it
| by companies involved in secured backups along with the
| ransomware distributors themselves.
| hollerith wrote:
| It is not a bill/legislation: it is an action of the
| executive branch.
| leecarraher wrote:
| I agree, this is a classic do as I say not as I do situation.
| Punish businesses for paying out ransomware ransoms meanwhile
| the government(mainly local, but sometimes larger) pay out
| routinely when their systems are compromised.
| cortesoft wrote:
| "Government" is not a monolith.... the group trying to punish
| for paying ransoms is not the same group paying out ransoms
| Ottolay wrote:
| Much of the proposed legislation applies to local governments
| too.
|
| E.g. http://pulse.ncpolicywatch.org/2021/05/12/as-nc-lawmakers-fa...
| birdyrooster wrote:
| In the US, as long as you pay the IRS, you can do the same and
| raid our military adversaries. There should be some militias
| like in the old days.
| baybal2 wrote:
| > sufficient technological measures to guard against state-
| sanctioned/possibly-state-sponsored malicious actors
|
| You mean an average person will uninstall MicroSoft Windows?
|
| People were telling of the inevitable downfall of MicroSoft
| since before I was born.
| throwawaygh wrote:
| _> It will be a long, long time before the marketplace evolves
| sufficient technological measures to guard against state-
| sanctioned/possibly-state-sponsored malicious actors operating
| with impunity in a lawless environment._
|
| Unfortunately, the marketplace -- at least certain segments of
| it -- are _far_ beyond .mil/.gov in terms of capacity and
| sophistication. E.g., AWS's formal tools for code-level
| security is what DARPA's been yelling about doing for decades,
| but gov't contractors and the branches/agencies are
| unable/unwilling to catch.
|
| I'm not sure how to fix gov or mil, but a good starting point
| within mil is to stop making career officers with theology and
| polisci degrees but zero CS training the first-line managers of
| cyber commands.
| bee_rider wrote:
| It seems more that the most competent government agencies and
| private organizations are in the same general ballpark, but
| anyway that doesn't matter, because the ones getting hacked
| are the least competent of either group.
| Phrodo_00 wrote:
| What AWS tools? This [1]? If so, it looks interesting, I need
| to take a closer look at it.
|
| [1] https://aws.amazon.com/security/provable-security/
| StrictDabbler wrote:
| The first time I ran into somebody who was in charge of a
| technical department but had only degree in Applied Theology
| my jaw hit the floor.
|
| _Applied_ theology.
|
| By the third time I had to seek out existential comfort.
| krisoft wrote:
| In Vernor Vinge's scifi novel "A Fire Upon the Deep"
| applied theology is the study and appeasement of superhuman
| sentient AIs. :) It's a field where the study subjects
| either completely ignore the practitioners, or squash
| them like bugs. Also by the sound of it it involves a lot
| of software archaeology. Who knows, if they studied, and
| survived, that kind of applied theology they might be good
| for technical leads.
| emptysongglass wrote:
| This upsets me a bit because I graduated from art school
| but got into DevOps because I was a Linux nerd since I was
| in my early teens. There is room for us. It doesn't make us
| terrible fits for the job. On the contrary, I think people
| with unconventional backgrounds can offer unconventional
| insights into software architecture.
|
| What you got a degree in shouldn't be the make or break of
| your career.
| longhairedhippy wrote:
| I totally agree with this and for an entry-level job, with
| no experience, I would be totally cool with ignoring the
| degree if the person was right. For a manager or higher
| level engineer, I believe some amount of prior experience
| is necessary, the degree is not a requirement but it may
| influence how much experience I am willing to accept as
| requisite for the position.
| throwawaygh wrote:
| _> DevOps because I was a Linux nerd since I was in my
| early teens_
|
| You are an exception.
|
| In the military and certain parts of the corporate world
| ("enterprise" companies mostly), there is a widespread
| and systemic problem with horrendously unqualified people
| managing software/IT groups. E.g., Susan Mauldin for a
| recent example.
|
| We can allow space for self-taught people without opening
| the flood gates. No one should be in charge of IT
| security without first developing deep technical
| expertise at some point in their career.
| derivagral wrote:
| > Susan Mauldin
|
| For anyone as confused as I was, this is probably
| referring to the Equifax security officer. My local
| search engine mostly brought up a murder case.
| DoreenMichele wrote:
| FWIW, I read this as a joke in part about _how common_ it
| is in their experience to run into people without CS
| degrees who are in this field.
|
| (And in part just an opportunity to play with language. I
| grew up in the Bible Belt. Gentle humor about
| religion/spirituality is something I am no stranger to.)
| StrictDabbler wrote:
| I've never objected to being managed by anybody with an
| arts degree and never will. English, communications,
| philosophy, have at it. Some of my best technical
| managers majored in English.
|
| Theology says something specific about how you process
| reality.
| enkid wrote:
| How do you apply theology?
| Me1000 wrote:
| Pray your infrastructure is secure?
| maxrev17 wrote:
| Pray your infra is secure haha brilliant!
| DoreenMichele wrote:
| Practice what you preach?
| bilbo0s wrote:
| _career officers with theology and polisci degrees but zero
| CS training the first-line managers of cyber commands._
|
| Is this true?
|
| This can't be true. Surely they must have some CS experience?
|
| I took my last bus off a USMC base so long ago I've raised a
| kid who's in med school since. Can someone with more recent
| experience chime in on whether or not this is hyperbole?
| thatfunkymunki wrote:
| I was a cyber operator in the USAF for years, and finished
| up my active duty in late 2019. This is completely
| accurate. Not only are the first-line officers generally
| uneducated in CS/IT/security, the people training them are
| equally uneducated. This is apparently by design.
| dataangel wrote:
| > AWS's formal tools for code-level security
|
| what tools?
| someguydave wrote:
| yeah what tools?
| sodality2 wrote:
| https://aws.amazon.com/security/provable-security/ as one
| example
| Mitzi wrote:
| On whether it's being unable or unwilling: one could argue
| that various gov agencies actively invest in keeping software
| insecure, e.g. by buying up zero-days.
| jollybean wrote:
| Another idea would be to require breaches to be made public.
|
| And of course, the government coordinating with good companies a
| series of best practices and models, and working with MS, even
| Linux versions to help get the message out and implement good
| policy.
|
| Like a 'tiered strategy' for home, small biz., mid biz. and 'high
| touch enterprise'.
|
| Basically some kind of 'board' that exist to help train,
| coordinate and communicate the things that need to be done.
| jacquesm wrote:
| Apologies to people from China, Russia, Ukraine and so on on HN
| ahead of everything else: It would not be a bad idea to get
| countries that routinely shield bad actors and/or actively engage
| in electronic warfare across the net to be blackholed as long as
| they don't cooperate in bringing the perps in these cases to
| justice.
|
| People will get killed because of these actions, if it hasn't
| already happened.
|
| Of course that works both ways: the countries on the other side
| of that divide would have to stop doing the same thing, to each
| other and to countries on the other side of the divide.
|
| It's sort of an 'electronic curtain', the iron curtain of cold.
| China already erected one half of such a barrier, the GFW
| _definitely_ reduces the chances of foreign hackers attacking
| Chinese infrastructure, it doesn't seem to do anything to keep
| attacks from China out of the rest of the world though.
|
| So regardless of the origin of these hackers, I'm all for a bit
| more isolation until we've figured out how to deal with this
| problem, cross border digital crime is going to be (and already
| is) a real headache.
| srswtf123 wrote:
| Personally, I believe we're living through the events that will
| lead to the permanent fracturing of the Internet as we know it,
| along state or bloc lines.
|
| I'm torn as to this being a pro or con for humanity.
| bellyfullofbac wrote:
| If the hackers are brave... "Our IT security firm can solve
| infections of this particular ransomware, but only this one. We
| charge 20% of what the 'hackers' demand."
|
| And the solution would be for this security firm to have Russian
| (allegedly ;-)) friends that deploy the ransomware and give them
| the decryption key. See, hacked company, you're not paying the
| hackers, you're paying IT security experts that are able to
| recover your data!
| LanceH wrote:
| This is how bribes are paid. You hire a local consultant who
| will pay the bribes.
| penagwin wrote:
| I'm not 100% sure but I'm pretty sure that the sanction laws
| cover proxies like that.
| amelius wrote:
| Especially if the entire communication goes over the internet
| via an obscure channel.
| baybal2 wrote:
| A very good way to put it: FUD in action.
|
| _We may put you in jail for paying sanctioned criminals, but we
| will not tell you explicitly what constitutes a sanctioned crime,
| who those criminals are, or we can pull it right out of thin air_
|
| This way they evade the need to go to the legislature to
| institute a new class of ban list for them to run.
|
| As with any "pull out of thin air" type privilege, it's a bad thing
| jl6 wrote:
| It's like Spectre all over again. Just as many of the CPU
| performance gains of the last 25 years turned out to be based on
| taking insecure shortcuts, perhaps we will find many of the
| economic gains of the information economy are founded on
| similarly insecure practices.
|
| Maybe handling data at scale is unaffordable for most businesses,
| who rely on those shortcuts, and wouldn't be profitable if they
| had to hire competent infosec staff.
| jrochkind1 wrote:
| There's pretty much no way to know if a bitcoin address belongs
| to someone from a sanctioned country or otherwise sanctioned,
| right?
|
| So this effectively makes paying ransomware an activity with very
| high legal risk.
|
| It will be interesting to see how that all plays out. It's hard
| to imagine the regulators didn't think of this... I wonder what
| they are thinking exactly.
| gnopgnip wrote:
| The government doesn't need to prove a bitcoin address belongs
| to someone on the sanctioned list, the specific intermediaries
| used aren't important. Proving that you know you are paying
| someone on the sanction list is enough.
| bosswipe wrote:
| Ban cryptocurrencies. Cryptocurrencies are all negative
| externalities with few societal benefits.
| throwawinsider wrote:
| Governments want to keep the monopoly of ransomware (aka taxes)
| ryan_j_naughton wrote:
| Related article: Could a Ban on Ransom Payments Have Stopped the
| Colonial Pipeline Attack?
| https://news.ycombinator.com/item?id=27196299
|
| While banning such payments might remove the incentives, that
| also puts a huge burden on the victim and the transition to better
| cybersecurity should be less disruptive than an outright ban.
|
| Another solution that has no harms and only benefit is to require
| the reporting of every ransom payment. That would give the
| government the crypto transaction information to conduct taint
| and attribution analysis. It is currently illegal to knowingly
| use funds received from kidnapping or ransoms, and this reporting
| requirement would help the government enforce that.
| wpietri wrote:
| The transition to better security? It's been almost 20 years
| since the Code Red worm. How much longer should we wait?
|
| I think the transition to better security will go faster if
| companies know they can't buy their way out of the problem.
| Sebb767 wrote:
| > While banning such payments might remove the incentives,
|
| They'd pretty obviously not; companies are already forced to
| pay a fine (or a ransom, but it's money spent) and it obviously
| does not incentivize them to properly secure their network.
| Adding a fine to pay to the government on top (or, more
| cynically, a tax) will not change much, except that stricken
| companies now get hit harder, as you said.
| rorykoehler wrote:
| Paying the ransom should make you an accessory to the crime
| with jail time and all for the executive who cleared it. This
| should put an end to it pretty quickly.
| breakfastduck wrote:
| And also put an end to the organisations ability to operate
| making potentially thousands of people instantly and
| needlessly unemployed because their bosses didn't think
| security was important.
| rorykoehler wrote:
| Someone with the correct competencies will get the job
| instead. Or better yet executives the world over will
| start taking security seriously.
| wearywanderer wrote:
| Allowing executives to commit crimes because imprisoning
| them would deprive workers of an executive is just plain
| foolish.
| willcipriano wrote:
| That is the system working as intended. Organizations,
| and those that lead them that can't hack it in the modern
| economy must be removed in order to make room for those
| that can.
| ryanlol wrote:
| So what's the point of restricting ransomware payments
| then? Only organizations that can't hack it in the modern
| economy will be affected anyway.
| edouard-harris wrote:
| I think the grandparent means banning such payments might
| remove the incentives _to hack in the first place_ , since a
| hacker can't expect to make any ransom revenue from a company
| that obeys such a ban.
| abarringer wrote:
| Companies purchase cyber insurance for a small fee and avoid
| risk of paying ransoms directly.
|
| Make cyber insurance paying ransoms illegal and you'll see
| boards start funding IT security.
| toomuchtodo wrote:
| Insurance companies are likely to disallow ransom payments
| in their entirety. Too much risk considering the security
| posture of most organizations.
|
| Boards will, generally, still not fund and support
| effective security culture without steep penalties for
| breaches (I am in infosec and speak to c suite folks as
| part of my gig; breach impact, in their current form, are
| "cost of business"). "Show me the incentive, and I will
| show you the outcome." - Charlie Munger
|
| https://www.insurancejournal.com/news/international/2021/05
| /... (Insurer AXA to Stop Paying for Ransomware Crime
| Payments in France)
| manquer wrote:
| It places on _some_ victims to prevent a lot of others from
| becoming victims. That is fairly standard trade off in any
| society. Also this is always the case for paying ransom for
| hostages, and is only simply being extended for data.
|
| Without a legal way to make payments, companies can no longer
| justify the tradeoff of paying up and fixing the leaks as they
| spring up. This incentivizes them to give importance to security
| and actually overhauling their infrastructure properly.
| bernawil wrote:
| it's a textbook prisoner's dilemma paradox.
|
| If everybody agrees not to pay ransom and follows through,
| criminals won't try to hack companies to collect ransom.
|
| But as an individual company, you can't coordinate with
| everybody else to prevent everybody from paying ransom, so
| not doing so puts you at a disadvantage.
|
| Philosophically, the usefulness of government is to threaten
| violence to solve the coordination problems amongst
| individuals.
| ggggtez wrote:
| Yes, thank you for saying so.
|
| People rarely understand that the coordination solution is
| one of the most important powers the government offers over
| privatization.
|
| They can tax/penalize undesired behavior. Individual
| companies may end up worse off, but as a whole the business
| community is better off with the rules in place.
|
| This is why governments have to tackle pollution and
| climate change too. Companies are profit-motivated, and
| will only respond to what the economics demand. When
| governments start imposing demands with penalties attached,
| that's when companies actually start changing behaviors.
| dathinab wrote:
| > Another solution that has no harms and only benefit is to
| require the reporting of every ransom payment. That would give
| the government the crypto transaction information to conduct
| taint and attribution analysis. It is currently illegal to
| knowingly use funds received from kidnapping or ransoms, and
| this reporting requirement would help the government enforce
| that.
|
| Definitely a must have for now and on an international scale
| IMHO.
|
| But an effective ban on ransom payments would still be the most
| effective measurement.
|
| The problem is how do you effectively ban it?
|
| For many countries such thing could never be enforced, so it
| wouldn't remove the incentive for non-specific target
| ransomware attacks IMHO and as such won't work.
| toomuchtodo wrote:
| > The problem is how do you effectively ban it?
|
| If a corporation pays, and ledger history can provide
| definitive proof, the corporation faces the same penalties as
| if they violated international sanctions. Corporations will
| need to onramp fiat to crypto somewhere, and FinCEN [1] will
| know based on SARs (Suspicious Activity Report)/CTRs
| (Currency Transaction Reports), or SWIFT if international
| monies transfers [2].
|
| [1] https://www.fincen.gov/resources/statutes-regulations
|
| [2] https://www.swift.com/our-solutions/compliance-and-shared-se...
| bernawil wrote:
| > For many countries such thing could never be enforced
|
| so it follows that if a country bans ransoms payments
| criminals will just ignore that country and focus on the
| next easiest target, putting pressure on every country to
| follow the example and ban it too.
|
| I think this will be very effective at stopping the most
| sophisticated targeted attacks but won't have much effect on
| indiscriminate "viral" attacks because those attack
| indiscriminately and wrecking targets from banned countries
| at least would serve as deterrent for victims in countries
| that can.
| xwdv wrote:
| I wonder, if you could insure your business against ransomware
| attacks so that instead of paying out you just file a claim for
| whatever losses, then maybe you could concoct a scheme for
| insurance fraud by having hackers ransomware your business out
| and collecting the insurance money. Basically a 21st century
| version of burning down your business for insurance money.
| oeiiooeieo wrote:
| Can we all take a moment to appreciate the ridiculous picture of
| the "hackers" without desks at the top of the article?
| mhh__ wrote:
| Daft Punk successor?
| read_if_gay_ wrote:
| The masks too. For maximum anonymity online.
| ttt0 wrote:
| I think it's the picture of that famous hacker known as 4chan.
| jl2718 wrote:
| The miners can easily stop this, and they will if the users
| suggest even a tiny bit of infungible preference. I'm not sure
| that government can control this, although I'm sure they will
| try, but some authority may be needed to coordinate information
| sharing between victims and validators.
|
| Not even the most die-hard freedom fighters will side with the
| dishonest and violent. Cryptocurrency will be the worst thing
| that ever happened to them.
| Proziam wrote:
| > Not even the most die-hard freedom fighters will side with
| the dishonest and violent. Cryptocurrency will be the worst
| thing that ever happened to them.
|
| The history of many nations has proven this to be untrue.
| auiya wrote:
| If the USG isn't able to provide protection against ransomware
| attacks, what other choice is there? This is going to be a hard
| sell - especially when the USG continues to pay ransoms
| themselves. Oh they may call it other nonsense like "humanitarian
| aid" to try and save face, but they're ransoms. I'm not in favor
| of kicking the victim when they're down.
| roughly wrote:
| It would be nice if the NSA had spent the last decade or two
| helping shore up cybersecurity, instead of creating, stockpiling,
| and accidentally leaking zero days to later get used in
| ransomware attacks.
| kingsuper20 wrote:
| I've thought exactly this thing for years. I'm afraid that
| you'd have to build a completely separate organization with a
| separate management line up to the top of the chart, and even
| then you'd spend most of your time protecting yourself from the
| NSA and its brethren.
| williesleg wrote:
| Hey asshole, they're punished by being hacked aren't they? I
| guess the leaders want to get in on the shakedown.
| CivBase wrote:
| Companies would just add the cost of the punishment into the cost
| of the ransom, re-evaluate the risk, and probably decide to just
| keep doing what they're doing.
|
| The problem is not that companies are paying ransoms. The problem
| is that companies who operate infrastructures of national
| importance and who collect sensitive data about us are losing
| control of said infrastructures and data. If paying ransoms is
| part of the discussion, we're already in a very sorry state.
| Legal action should be focused first-and-foremost on preventing
| that loss of control.
|
| First we need to decide what is important enough that we should
| legally require companies to protect it. Certain data or services
| may require special licenses, depending on scale and importance.
|
| Then we need to decide on how to evaluate whether or not the
| company has provided sufficient protection and what the
| punishment should be for failing to provide sufficient
| protection.
|
| Then we need to establish a government organization of white-hat
| hackers who are charged with evaluating the protection measures
| implemented by companies - much like how a health inspector goes
| around evaluating the conditions of food service companies.
| BiteCode_dev wrote:
| Maybe this new wave of ransomware and the attention it's getting
| will finally force IT onto a more quality-driven path. Right now I
| see a lot of projects with small budgets sent to the fast lane to
| finish ASAP, security be damned. Or projects with big budgets
| wasted on middle men paying scraps to interns sold as experts.
| Tempest1981 wrote:
| Sure, but it's like asking a gambler to stop gambling. Or a
| driver to obey the speed limit.
|
| They've gambled, "successfully", for a long time. They embrace
| the risk.
| kuratkull wrote:
| Security almost always gets attention only after the fact.
| yubiox wrote:
| Companies should be punished for choosing Windows for mission
| critical applications. Everyone knows by now that Windows is just
| for games and malware.
| philjohn wrote:
| Ransomware will target whichever is the dominant platform. If
| more companies switch to Linux it's not like there haven't been
| 0 days there before that could have been exploited.
|
| IMHO, reducing it to "stop using windows!" is a crude reduction
| of the forces behind this.
| whydoyoucare wrote:
| The inherent difference in design philosophies of both
| operating systems will make it arguably difficult to target
| Linux in the same manner Windows is being targeted today.
| ajkdhcb2 wrote:
| Monero is often accepted (such as in the pipeline situation). It
| is an interesting use case that the company could try to pay
| privately to avoid legal action themselves.
| [deleted]
| dehrmann wrote:
| Interesting use of an auto-antonym in a headline.
| paulpauper wrote:
| Then what are companies supposed to do? In hindsight it is
| easy to find what went wrong, but hackers are always coming up
| with new tricks.
| VLM wrote:
| Responsible IT operations in the 20s, is optional in the same
| sense as OSHA compliance was optional in the 70s or SOX
| compliance was optional in the 00s.
|
| Ignore at your own peril.
| jimbob45 wrote:
| Have robust and secure backup systems ready to go.
| Scoundreller wrote:
| brb, making copies of all my mobo eeprom chips now. Who
| thought soldering these things to the board would be a good
| idea?
| moftz wrote:
| Replacing hardware is much easier than trying to make
| backups of embedded systems.
| Scoundreller wrote:
| Not if everyone is trying to buy the same parts at the
| same time.
| zepto wrote:
| Invest in better security and resilience. Insure against the
| losses associated with an unpaid ransom.
| thisisnico wrote:
| A lot of times the losses result in the loss of the business
| entirely.
| derekp7 wrote:
| Hard drives crash eventually. Other corruption events
| happen also, along with user error. Do these businesses go
| under when they get other non-ransomware data loss events?
| What is it about ransomware that is different than any
| other type of data loss event -- is it the fact that
| ransomware affects a wider footprint?
| zepto wrote:
| Only if you don't have adequate security and insurance.
| piptastic wrote:
| Which is why they should invest in these things before they
| happen, rather than respond.
|
| Not every business deserves to be in business, either.
| ryan_j_naughton wrote:
| No business "deserves" to be in business. There is no
| entitlement to being a successful business. Supply and
| demand should govern this.
|
| We should fight the rent seekers who believe they are
| entitled to their markets and use regulatory capture to
| maintain their position
| zepto wrote:
| Does this have anything to do with the thread or the OP?
| I can't see how.
| inetknght wrote:
| Like any conversation, the thread's topic of discussion
| can change.
| zepto wrote:
| Yes, but that doesn't answer my question about what the
| statements I am responding to have to do with it? They look
| like unrelated political sentiments.
| inetknght wrote:
| Ahh. Well the comment you replied to said:
|
| > _No business "deserves" to be in business._
|
| The grandparent comment said:
|
| > _Not every business deserves to be in business,
| either._
|
| The conversation moved on the words "business deserves to
| be in business".
| zepto wrote:
| When you say 'the conversation moved on', it seems like
| what you mean is, the commenter I replied to took a
| single phrase out of context.
| inetknght wrote:
| Yup that happens sometimes.
| zepto wrote:
| So what did you add here? Seems like just bullshit.
|
| The person I was replying to took a phrase out of context
| and used it as an opportunity to advance an unrelated
| political agenda.
|
| The topic of conversation didn't change.
| bdcravens wrote:
| The article isn't about the companies whose data is held
| hostage, it's about consultants that sit in the middle and help
| those companies with paying ransoms. It's more a matter of
| those consultants being required to register as money
| transmitters.
| ameminator wrote:
| I have some issue with the headline - the article discusses
| "facilitating" so it may in fact target money-transfer firms and
| banks.
|
| That said, if these laws can target the victims of ransomware,
| this sounds self-defeating. Not only will companies continue to
| get hacked (as nowhere do I see any meaningful help in preventing
| "cybercrimes" or shoring up cybersecurity), but now there will be
| incentive to _not_ report that a crime took place at all.
|
| Put another way, if I have been a victim of ransomware and the
| only way to recover the data is to pay the ransom - should I :
|
| A) report the crime and hope I can recover the data some other
| way?
|
| B) pay the ransom, and report the crime and then suffer more
| fines
|
| C) pay the ransom and tell nobody, allowing the crime to go
| unreported, but forgoing the risk of further punishment from the
| government
|
| There is probably a way to help companies and maybe a national
| cybersecurity initiative may be of use here, but
| blaming/punishing the victim is not the way. Maybe preventing
| the payments is reasonable, but even then, it seems that
| prevention of the crime itself is the best medicine (as it is in
| most cases).
| Trias11 wrote:
| Companies should be punished harder for outsourcing or lowballing
| security specialists
| vmception wrote:
| People really out here acting like all of Russia is on the
| sanction list.
|
| It's like the head of Sberbank and a few companies and a few
| individuals, and that's it.
|
| There is practically no way for this to be a real rebuttal or
| conversation. Companies can pay ransoms, intermediaries can pay
| ransoms. There is no legal quagmire.
|
| Why would you accept a pseudonymous cryptocurrency in a country
| you can't even get financial records from the fiat offramps, and
| use a pseudonym that matched your actual name on the OFAC list?
| Let alone just not being a person that is on the OFAC list. This
| is so improbable, the US Treasury can pound sand.
| Joker_vD wrote:
| > and that's it.
|
| Plus effectively all Crimea-based Russian citizens and
| companies, but yeah, that's it.
| matheusmoreira wrote:
| The US treasury sanctioned a Monero transaction identifier
| once.
|
| https://www.treasury.gov/ofac/downloads/sdnlist.txt
|
| https://localmonero.co/blocks/search/5be5543ff73456ab9f2d207...
|
| > Digital Currency Address - XMR 5be5543ff73456ab9f2d207887e2af
| 87322c651ea1a873c5b25b7ffae456c320;
|
| Kind of embarrassing...
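A practical check behind the comment above: before any payment is facilitated, screen the address in the ransom demand against the "Digital Currency Address" fields of the SDN list. This is an added example and not code from OFAC, Reuters or anyone in the thread. It assumes the plain-text list keeps one record per paragraph with ';'-separated fields in the shape quoted above (the real file's layout may differ), and the sample list embedded in it is constructed for the example.

```python
"""Screen a payment address against the digital-currency fields of an
OFAC SDN-style list.

Added example for this thread, not code from OFAC, Reuters or any commenter.
ASSUMPTIONS: records are separated by blank lines, fields by ';', and each
digital currency field reads 'Digital Currency Address - <TICKER> <address>'
(the shape quoted above); the sample list below is constructed, not the real one.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample in the assumed shape of sdnlist.txt. Every name,
# address and program tag is invented and valid on no chain.
SAMPLE_SDN_TEXT = """\
EXAMPLE EXCHANGE OPERATOR, Example Street 1, Example City; Digital Currency
Address - XBT 1ExampleBitcoinAddressDoNotUse000000; Digital
Currency Address - XMR 4ExampleMoneroAddressWrappedAcross
TwoLines0000000000; Digital Currency Address - ETH
0xABCDEF0123456789ABCDEF0123456789ABCDEF01; (Linked To: EXAMPLE
GANG) [CYBER2].

ANOTHER LISTED PERSON; DOB 01 Jan 1980; Passport X0000000 (Example)
[SDGT].
"""

_ADDR_FIELD_RE = re.compile(
    r"Digital\s+Currency\s+Address\s*-\s*"  # label, may wrap across a line break
    r"([A-Z0-9]+)\s+"                       # ticker: XBT, ETH, XMR, ...
    r"([A-Za-z0-9\s]+?)\s*[;.\[]"           # address, possibly wrapped; stops at ; . or [
)
_HEX_ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize_address(ticker: str, raw: str) -> Tuple[str, str]:
    """Canonical lookup key: whitespace removed (re-joins a wrapped address);
    hex (EVM-style) addresses are case-insensitive, base58 ones are not."""
    addr = re.sub(r"\s+", "", raw)
    if _HEX_ADDR_RE.match(addr):
        addr = addr.lower()
    return ticker.upper(), addr


def parse_sdn_digital_currency_addresses(text: str) -> Dict[Tuple[str, str], str]:
    """Map (ticker, address) -> listed name for every digital currency field."""
    index: Dict[Tuple[str, str], str] = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        # The listed name is everything before the first ',' or ';' of the record.
        name = re.split(r"[,;]", record, maxsplit=1)[0].strip()
        for ticker, raw in _ADDR_FIELD_RE.findall(record):
            index[normalize_address(ticker, raw)] = name
    return index


def screen_address(ticker: str, address: str,
                   index: Dict[Tuple[str, str], str]) -> Optional[str]:
    """Return the listed name if the address is on the list, else None.
    A None result only means this address is not listed: a listed party
    can hand out a fresh (sub)address for every demand."""
    return index.get(normalize_address(ticker, address))


if __name__ == "__main__":
    sdn = parse_sdn_digital_currency_addresses(SAMPLE_SDN_TEXT)
    demands = [  # constructed ransom-note addresses to screen
        ("XMR", "4ExampleMoneroAddressWrappedAcrossTwoLines0000000000"),
        ("ETH", "0xabcdef0123456789abcdef0123456789abcdef01"),
        ("XBT", "1NotOnTheListAtAll"),
    ]
    for ticker, addr in demands:
        hit = screen_address(ticker, addr, sdn)
        verdict = f"BLOCK - listed for {hit}" if hit else "no SDN match"
        print(f"{ticker} {addr}: {verdict}")
```

Run it with python3 and it prints one verdict per screened address. The design choice worth noting is the normalisation step: a listed address can be wrapped across lines in a text dump (exactly as the XMR entry is wrapped in the comment above), and hex addresses differ only by letter case between sources, so an exact string comparison on the raw list would miss real hits. The reverse caveat also holds: a miss proves nothing, because the listed address is only one of many the same party can generate.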
| vmception wrote:
| lmao, sand is being pounded
|
| for anyone passing by: it is impossible to tell from
| blockchain analysis if anybody sent a payment to a particular
| Monero address, as neither sender, recipient or amount is
| stored in transaction data or onchain anywhere. Even client
| side, the data is limited.
|
| Even if the US Treasury seized the recipient's wallet and had
| it open to look at all transaction history, Monero protocol
| doesn't tell you what address payments were received from, so
| the US Treasury would not be able to use their wallet and
| then compare it to US exchanges or other covered persons to
| say those people violated sanctions.
|
| On the contrary, I do think Monero wallets show what address
| you sent to, so if they seized an exchange or a covered
| person's wallet they could see if they sent to that
| sanctioned address. But of course, the person on the OFAC
| list has infinite subaddresses to rotate to.
| nitrogen wrote:
| If they have seized enough wallets, can they conduct flow
| analysis to infer where money is going anyway?
| vmception wrote:
| Maybe?
|
| All the governments around the world have only seized a
| handful of wallets, so to me it seems like an improbable
| risk. Most of those seizures were only possible via user-
| error and nonchalant storage of these kinds of assets.
|
| You have to go to individuals and force them to give a
| password to derive a private key. Without use of force,
| many governments don't have a legal power to force people
| to open things. With hacking even on-premise, there are
| still extremely high barriers per wallet which makes it
| basically impossible. With use of force they will still
| have a challenge with too high of a crowd and will still
| lack the legal rationale to do so.
|
| And everyone can own this asset without the state knowing
| of it.
| bdcravens wrote:
| This isn't about the companies being hacked; it's about the
| consultants who serve as intermediaries to help pay the ransoms.
| meowface wrote:
| I think that's fair. At a previous job from years ago, we took
| a meeting with one of these ransom payment-facilitator
| companies. I got the impression they were probably legit and
| just trying to help companies who knew nothing about
| cryptocurrency quickly recover from attacks.
|
| However, some percentage of these firms definitely are
| basically part of the ransom racket and essentially act as
| intermediaries for ransomers. And of course, who knows if my
| gut feeling of legitimacy in that one particular case was
| correct or not.
| [deleted]
| tomrod wrote:
| This seems like punishing people for being mugged.
| milkytron wrote:
| Not really. And this is why analogies can be bad.
|
| A better analogy would be that this is like someone's business
| getting robbed, and being punished for paying the robber who
| flew overseas to ship it back to you. But still, this is
| different, more complex, and more nuanced.
| trashtester wrote:
| Imagine the city you live in being bombed daily by an enemy
| airforce. Then you discover (after losing your house) that the
| neighbour paid the attacking airforce to avoid his house.
| axegon_ wrote:
| I'm kind of on the fence here. I see the logic behind it but in
| many cases incidents will simply be swept under the rug and users
| will never find out that their data has been compromised.
| 6510 wrote:
| I think things should be more basic. Just make HACCP laws. No
| need to wait until people die from food poisoning.
|
| [000] -
| https://en.wikipedia.org/wiki/Hazard_analysis_and_critical_c...
| dcdc123 wrote:
| Good. Paying off a ransomware hacker should be illegal.
| thayne wrote:
| If a sanctioned individual holds you up at gunpoint and asks for
| your money, is it illegal to give it to them?
| heroHACK17 wrote:
| I've had a stance on this for a while that paying ransoms to
| hackers is no different than cooperating with terrorists. Like
| others have mentioned here, this is a national security issue.
| CMV.
| maxrev17 wrote:
| This looks like it could work, however what about the cases where
| people decide to pay, and end up in cahoots with the gang in
| order to keep them both out of trouble?
| notorandit wrote:
| What about unsanctioned hackers?
| ttt0 wrote:
| They just need to be taxed, probably.
| belatw wrote:
| There's probably a hell of a market opportunity for stagnant
| businesses to introduce the malware to themselves, ransom
| themselves, pay themselves, collect the insurance then launder
| the cryptocurrency.
| eschneider wrote:
| If you're skilled enough to do that (and not get caught) and
| that ethically compromised, there are easier (and legal!) ways
| to make money. Remember kids, the best way to rob a bank is to
| buy one.
| Threeve303 wrote:
| If you're not able to buy the bank, the second best option is
| to get a job at one and avoid doing any work.
| [deleted]
| kaiju0 wrote:
| First thing that popped in my mind is an employee facilitating
| an attack and getting a cut. Great way to get a quick payday.
| milkytron wrote:
| This does happen. Here's an article on an attempt made
| towards Tesla: https://www.wired.com/story/tesla-ransomware-
| insider-hack-at...
| vmception wrote:
| ah insurance fraud.
| slver wrote:
| So a hacker has your data, and demands money.
|
| The government's proposal:
|
| 1. If you pay the hacker, we want money because you paid a
| hacker.
|
| 2. If you don't pay the hacker, we want money because you leaked
| your users' data.
|
| The bottom-line is that if you're a victim of ransomware, the
| government joins the hacker, both of them kicking you while
| you're down and demanding money.
| kevmo wrote:
| Am i the only one who think this sounds fine? If you're
| collecting user data, then yeah, you should be held to
| heightened level of responsibility.
| californical wrote:
| Or, you can think of it as increasing the incentive to take
| security seriously.
|
| And it seems like they'd have to pay the fine for (2)
| regardless of if they pay to get the data back in this case.
| slver wrote:
| It's also an incentive to pay immediately, and tell no one
| about it.
| adrianN wrote:
| The government should fine the company either way for not
| properly securing their user's data. Security is serious
| business, it's time companies took it more seriously.
| slver wrote:
| You say this as if a disgruntled employee can't compromise
| the security of literally any system at all.
|
| Remember Snowden didn't hack the CIA. He just worked there.
| And had a user/pass.
| throwawaygh wrote:
| Part of a good security posture is protecting yourself
| against insider threats. If you're not doing this, you're
| not taking cybersecurity seriously.
| lghh wrote:
| But _somebody_ has to have clearance to get to the data
| in some way. You can't protect yourself against that
| person. It's not possible.
| JadeNB wrote:
| > Part of a good security posture is protecting yourself
| against insider threats. If you're not doing this, you're
| not taking cybersecurity seriously.
|
| _How_ do you protect yourself? There are ways to
| mitigate, surely, but _any_ failure can be a catastrophic
| incident, and it is literally impossible to protect
| against _all_ internal threats (in the sense of
| guaranteeing that no such threat is ever acted upon). All
| else aside, it just shifts the responsibility one level
| up: now you have to worry about a compromise of the
| people responsible for protecting from internal threats.
| throwawaygh wrote:
| Security is hard, and the difficulty of answering this
| question in any particular org probably takes up a lot of
| the time of any competent and properly staffed CISO
| office.
|
| But, basically, the only mechanisms in play are some
| combination of limiting access and, where that's not
| possible, decreasing employees' ability/incentive to
| defect.
| slver wrote:
| This is a bit like the question how to have a system that
| promotes honest, smart politicians. As you might guess,
| nobody has figured that out yet.
|
| Ultimately the only way is an omniscient, omnipresent CEO
| who does all the important stuff alone. Which is probably
| the core reason why no one has leaked God's files on the
| Universe, yet.
| throwawaygh wrote:
| Yes, it's EXACTLY like that.
|
| Perfection is impossible, but that's also no argument for
| repealing sunshine laws or legalizing outright bribery.
|
| You're letting perfect be the enemy of better.
| slver wrote:
| Oh yeah let's talk about how perfect is the enemy of
| better, when discussing an idea to bury victims of
| ransomware into the ground with government penalties on
| top of ransom and leaks.
|
| Here's another thought in the same vein: let's penalize
| rape victims for attracting male gaze and not fighting
| sufficiently to avert contact. Sure, some women will get
| raped still, but let's not let perfect be the enemy of
| better. That's how they deal with it in some countries
| actually. They blame the victim. It doesn't reduce rape
| at all. In fact it reduces reported rape, because women
| don't want to face the legal and family repercussions of
| getting raped.
|
| Let me tell you what will happen in the case of
| ransomware.
|
| 1. You get hit by ransomware.
|
| 2. Previously you'd ponder contacting authorities. Nope.
| They're gonna close your options and fine you either way.
| Keep your mouth shut.
|
| 3. Pay as quickly as possible and hope the word never
| comes out you were blackmailed at all. As far as the
| world and the government know, your security is fine,
| nothing happened. No fines, no lawsuits.
|
| 4. Result: ransomware proliferates and grows into the
| biggest organized crime organizations of this century.
|
| How's that about not letting perfect be the enemy of
| better?
| slver wrote:
| We must protect ourselves against insiders. Let's hire
| some insiders to do it.
|
| Ah, shit.
| throwawaygh wrote:
| ...In most cases, the CEO and probably a huge number of
| people in upper management can do any number of things to
| nuke a company from orbit. But this doesn't happen very
| often. The things that those people can do to nuke a
| company from orbit are typically tightly controlled
| functions, and the people with those responsibilities are
| carefully selected and extremely well-compensated.
|
| Yes, some employees need to be absolutely trusted. No,
| you don't need to absolutely trust every employee (or
| even most employees).
|
| Turning to your Snowden example, if you're a TLA and find
| yourself completely owned by an outside contractor making
| low six figures, then you've utterly failed at managing
| insider risk.
| HPsquared wrote:
| The ransomers seem to perform this function rather
| effectively.
| ozim wrote:
| Not anymore because latest business was, if you don't pay
| they will leak the data:
|
| https://www.forbes.com/sites/thomasbrewster/2021/05/13/rans
| o...
| fpoling wrote:
| Not necessarily so, as the company may just pay for insurance
| against future attacks. Granted, insurance companies will then
| demand some compliance with security checklists, but this
| feedback loop is very slow.
| woah wrote:
| Sounds good to me. Why should companies be allowed to save
| money by exposing our personal data and then pay for it by
| funding terrorist organizations, organized crime, and
| totalitarian governments?
| slver wrote:
| You imply as if there's a store where you can go and buy
| yourself 10 pounds of security for 20 money, and that's that,
| your data is safe for life.
|
| Security is a heuristic based on millions of variables other
| than a simple price label. You can pay a lot and still get
| everything leaked.
| FpUser wrote:
| Why do you assume that it is personal data that are at risk?
| Maybe it is your new super-duper tech that hackers will
| threaten to leak to the rest of the world?
| 63 wrote:
| Then the incentive is to avoid becoming a victim to ransomware
| in the first place by making it more cost effective to hire
| decent security than to take the risk and end up getting
| targeted.
| powersnail wrote:
| Or to find more sneaky ways of completing the transaction...
| mcny wrote:
| > your data
|
| I think it helps IT departments to go to upper management and
| put a dollar figure to information security.
|
| Personally, I'd prefer the CEO and the board go to prison for a
| few years for paying ransom.
| hvis wrote:
| Shouldn't you pay the fine for leaking user data either way?
|
| Even if you square things with the blackmailer, there's no good
| way to ensure they don't sell the data to someone else as well.
| deep-root wrote:
| You may be presenting a false choice: Even if you pay hackers
| off, there was still a data breach.
| brandonmenc wrote:
| > if you're a victim of ransomware
|
| ftfy:
|
| if [corporation is] a [target] of ransomware
|
| I don't feel sympathy for them the way I would a person.
| officeplant wrote:
| Hopefully this leads to companies taking IT security seriously
| for once. Hit them where it hurts the most.
| throwawaygh wrote:
| _> The bottom-line is that if you 're a victim of ransomware,
| the government joins the hacker, both of them kicking you while
| you're down and demanding money._
|
| The rationale for outlawing ransom payments is that it
| eliminates the incentive for ransomware attacks.
|
| The real question is whether "no-concessions" policies reduce
| the incidence of ransomware attacks. The answer to that
| question isn't obvious. However, _conditional on no-concessions
| working in the case of ransomware_ , "kicking corps while
| they're down" is not a relevant consideration. The cooperate-
| cooperate quadrant of the game has higher expected value than
| the defect quadrants, so you force cooperation by whatever
| means necessary, even if that means some actors don't get the
| best possible outcome from their own perspective.
|
| NB: there's some evidence that no-concessions policies don't
| work particularly well in the case of kidnapping [1]... I'd
| take care extending this finding to ransomware gangs. If you
| read the whole PDF, it'll become clear why this behavior is
| interesting but might not transfer to today's ransomware gangs.
| That said, when crafting policy on ransomware attacks, it's
| worth keeping in mind that ransomware attackers may or may not
| be of the homo economicus species. At the very least as an
| assumption that you start with but are open to dropping as new
| evidence presents itself.
|
| [1]
| https://www.rand.org/content/dam/rand/pubs/perspectives/PE20...
| _adamb wrote:
| This will ultimately just create a larger market for ransomware
| insurance. Insurance premiums are likely the lowest cost
| compared to 1) paying the fines or 2) actually improving
| security.
|
| Most businesses already have some form of insurance covering
| their liability in these situations and those will just price
| in whatever fines might need to be paid.
| whydoyoucare wrote:
| This is the most likely outcome in my opinion. I won't be
| surprised if the insurance lobby has made this happen. :-)
| DyslexicAtheist wrote:
| > This will ultimately just create a larger market for
| ransomware insurance.
|
| CEO of _Swiss Re_ said this[1]:
|
| > _He observed that the cyber insurance market is currently
| worth around $5.5 billion in premium, compared to "gigantic"
| yearly losses that extend into the hundreds of billions of
| dollars.
|
| "There's a cyber market that's very tiny compared to the
| total exposure," he told CNBC. "It's going to grow but only a
| tiny minority of cyber is actually insured."
|
| "And I would actually argue that overall the problem is so
| big it's not insurable," Mumenthaler continued. It's just too
| big. Because there are events that can happen at the same
| time everywhere that are much more worrying than what you
| just saw."_
|
| [1] _Pipeline cyber attack not surprising, says Swiss Re_
| https://www.reinsurancene.ws/pipeline-cyber-attack-not-
| surpr...
| ozim wrote:
| Option 3: Pay your IT/security department or hire a consultant.
| Pay for licenses and updates of software and hardware. Don't
| expect the job of 5 people to be done by 1. Don't let a bunch of
| trainees run your infra.
|
| Government should make companies pay even more so other
| companies understand what the proper way to "not getting
| ransomed" is or spend money finding out. Instead of money going
| god knows where to finance god knows what.
|
| SolarWinds was blaming some intern for a bad password; if it
| were up to me, I would close down the whole company for such
| utter bullshit. I understand at their scale it is still
| possible to have some loose ends but no one was doing any
| audits, no one was doing any security awareness? I bet you
| could blame at least 10 managers there for not even thinking
| about security and not some intern.
| throwaway6734 wrote:
| What's wrong with this?
|
| Secure your users data and your infrastructure
| wpietri wrote:
| That's the first-order effect. The second-order effect is
| companies paying less to ransomware creators, making it a worse
| business to be in. Over time this should result in less
| business pain.
| ttt0 wrote:
| So they now have to pay the ransom twice?
| kbelder wrote:
| Or not at all. Their choice.
|
| I'd rather the feds just make it flat-out illegal, so that
| there was no way the criminals could hope to successfully
| extort anybody.
| ttt0 wrote:
| It's the exact same choice as before, they just have to pay
| twice now.
| meepmorp wrote:
| And since you don't really know for sure if a hacker is
| sanctioned or not, you're at risk if you pay any ransom.
|
| Not quite a ban, but a disincentive to make a deal, for sure.
| davidgh wrote:
| So, basically when a company pays a ransom they'll also have to
| pay a tax. Lovely.
| kingsuper20 wrote:
| or they simply keep it secret.
___________________________________________________________________
(page generated 2021-05-18 23:01 UTC)