[HN Gopher] U.S. to give ransomware hacks similar priority as te...
___________________________________________________________________
U.S. to give ransomware hacks similar priority as terrorism,
official says
Author : mjreacher
Score : 218 points
Date : 2021-06-03 20:50 UTC (2 hours ago)
(HTM) web link (www.reuters.com)
(TXT) w3m dump (www.reuters.com)
| JumpCrisscross wrote:
| Curious if this will result in extraterritorial enforcement. For
| example, it's clear Moscow is either unwilling or unable to
| prosecute cyber criminals within its border.
| ocdtrekkie wrote:
| That's one possible reading. Another is that the US will start
| working on their own Great Firewall, such that your packets
| need to be cleared by a metaphorical digital TSA to enter the
| country.
| AnimalMuppet wrote:
| All that takes is the adversary bringing one person within
| the firewall (that is, within the country).
| handrous wrote:
| 1) All security has weaknesses or work-arounds. That
| doesn't mean that all security is worthless. Forcing
| adversaries to take more risks and expend more effort is
| kind of the whole point, and that's exactly what you're
| talking about.
|
| 2) Are you arguing that the actual Great Firewall, a real
| thing we see actually working on a massive scale, does
| _not_ make it much harder for foreigners to cyber-attack
| China?
|
| 3) See my other post on this thread--there's work toward
| re-designing the Internet to make evading state- or bloc-
| level origin control, including communicating with existing
| compromised nodes inside a state, remotely, _way_ harder
| than it is now. I'm talking at the node-to-node routing
| and backbone level. It's interesting/terrifying stuff.
|
| 4) Couple 3 with some other minor and fairly obvious tweaks
| to how Internet access works, and even getting a foreign
| device with its own infinite-range radio into the target
| state would be reduced to step one of _several_ to gain
| access to a target state's network, and that access would
| likely not last long if you start doing anything weird with
| it.
| smhost wrote:
| it's just a metaphor. in reality, they're just going to use
| the old Patriot Act mass surveillance infrastructure, which
| sits inside ISPs and processes every packet.
| handrous wrote:
| Something like SCION may be in the "Western" Internet's
| future, is my guess. I don't expect protection-at-edge or
| pervasive atop-the-current-Internet surveillance to be the
| solution for the OECD.
|
| https://en.wikipedia.org/wiki/SCION_(Internet_architecture)
| bityard wrote:
| I read that as "extraterrestrial enforcement" which sounded way
| more exciting.
| ffhhj wrote:
| They still need research on Elerium-115
| failwhaleshark wrote:
| How are we going to have enough turns to intercept all of
| these flying white TicTacs? No really, if we don't even
| have anything fast enough to keep-up with whatever the heck
| these are (if they're real).
|
| (Just don't equip your army with only nuke missiles because
| they destroy all of the good stuff and psy attacks would
| cross the streams.)
| myohmy wrote:
| I mean it's armageddon either way
| failwhaleshark wrote:
| I read and heard that as a Def Leppard ballad.
| rhodozelia wrote:
| To what tune?
| thereare5lights wrote:
| We already do have extraterritorial enforcement.
|
| https://en.wikipedia.org/wiki/Extraterritorial_jurisdiction#...
|
| In fact, I would be surprised if we *didn't* have
| extraterritorial enforcement of any ransomware laws.
| JumpCrisscross wrote:
| > _We already do have extraterritorial enforcement_
|
| Hackers in Russia extorting Americans is illegal under U.S.
| law; that's extraterritorial _jurisdiction_. The U.S.
| government going into Russia (or Pakistan or Ethiopia) to
| punish those hackers without the home country's permission
| is extraterritorial _enforcement_.
|
| We have a lot of precedent with the former. The latter's use
| is more limited, for obvious reasons.
| sharken wrote:
| It looks like a hard problem, there are a lot of details in the
| book Sandworm.
|
| https://www.goodreads.com/book/show/41436213-sandworm
|
| And here's an interview with the author
|
| https://www.theverge.com/21344961/andy-greenberg-interview-b...
| f38zf5vdt wrote:
| I'm sure the Russians are as interested in these crooks as the
| Americans, as it would be attractive to seize their assets.
| They will not extradite them, but they might wish they had
| been.
| ryanhuff wrote:
| Why? They bring in millions of dollars to the Russian
| economy.
| Buttons840 wrote:
| Before the yacht was launched, before it was first put in the
| water, there was a big problem with rats entering through the
| large holes in the bottom of the hull. To remedy the situation,
| the yacht builders began feeding a large number of cats around
| the base of the yacht while they finished the furnishings and
| painted the gold trims. The rat problem was solved and the happy
| day of launch is near.
| pkulak wrote:
| That is really great, haha. What's it from?
| failwhaleshark wrote:
| They'll just hire a million little Dutch boys with SCUBA to put
| their fingers where less wholy materials up to ship-building
| _codes_ belongs. Problem solved!
| excalibur wrote:
| You mean they're going to be poorly defined, highly subjective,
| and abused to further a questionable agenda?
| paxys wrote:
| So we are going to launch a trillion dollar war on ransomware
| which inevitably leads to more ransomware before patting
| ourselves on the back and saying "mission accomplished"? Are we
| also going to make ordinary citizens take off their shoes and get
| probed before using their computer?
| freeflight wrote:
| If the war on terror is anything to go by, then that would
| indeed be the most likely outcome [0].
|
| [0] https://ourworldindata.org/grapher/fatalities-from-
| terrorism...
| jessaustin wrote:
| Man, you're not supposed to take the authoritarians
| _literally!_
| markhahn wrote:
| There's a huge difference: ransomware "attacks" are due to sloppy
| security by the victim.
|
| That's not the case for terrorism.
| mullingitover wrote:
| Ehh, you can have reasonable security and still be a terrorism
| victim, you can have reasonable security and still be a crypto-
| ransomware victim.
|
| This is like tut-tutting arson victims for using wood in the
| construction of their buildings.
|
| I'm okay with encouraging reasonable levels of security while
| also making life horrifically miserable for people engaged in
| criminal enterprises that attack those victims.
| duxup wrote:
| Food supply, fuel, utilities.
|
| I get it, this is serious stuff.
| chapium wrote:
| Hospitals are routinely hit by ransomware too.
| mikewarot wrote:
| Let's look at the chain of events. Computing machinery becomes
| exponentially cheaper, and it gets pushed into all corners of
| industry.
|
| Shared computing becomes a thing, and the need to have a better
| model of security is realized as a lesson from Viet Nam, and the
| Capability Based Security model is born.
|
| Microprocessors again exponentially decrease the cost of
| computing, and Capability Based Security isn't required because
| all of the installations tend to have one or a handful of users.
|
| The internet is born, and the cost of networking becomes
| exponentially cheaper, now all of those low security end users
| are connected together.
|
| Systems become more powerful with the continuing drop in the cost
| of processor, memory and storage, so they become more complex.
| Nobody writes their own software any more, almost all coding is
| outsourced in some fashion. Security is only a concern if it
| trickles back to the original source as a problem.
|
| A culture of "move fast and break things" pervades Silicon
| Valley, and the internet, and thus newer is always seen as
| better.
|
| The lack of a security model at the base of all these systems is
| exploited for financial gain. Band-aid layers are added to try to
| patch the obviously inferior operating systems that pervade the
| land.
|
| Because the lessons of capability based security were ignored for
| decades, and not taught, the common consensus is that computers
| can never be made secure, and your best hope is to hire the
| smartest people in the world, at less than the average market
| rate, to secure your systems.
|
| And we repeatedly blame criminals, corporations, programmers,
| users, and now _other countries_, instead of solving the problem
| by properly implementing security.
| cyrrus wrote:
| As someone who isn't a security expert, If you had a magic
| wand, what does this future look like to you?
|
| What is properly implemented security?
| onethought wrote:
| The irony of this post on a VC hosted forum. If you believe
| this, couldn't/shouldn't you pitch it get funding and live the
| Silicon Valley dream and "make the world a better place"?
| rsj_hn wrote:
| The title is a bit misleading. It is the U.S. _Department of
| Justice_ that is promising to give the prosecution of these hacks
| a similar priority to terrorism. Not the entire United States
| government. Please keep this in mind before speculating about
| military actions or SEC regulation or new laws being passed or
| the intelligence community getting involved. This is about DoJ
| priorities.
| Semiapies wrote:
| Yes, just DOJ. So not drone strikes, but undercover FBI agents
| spending months trying to cajole and harass coders into writing
| ransomware so that they can bust them.
| hayst4ck wrote:
| Every business owner is either ignorant (default), has made the
| wilful calculation that risk < cost, or is so busy barely
| surviving that things like security are not high priority enough
| to get attention. Security is fundamentally a resource
| attribution problem. Overspending on security results in high
| opportunity cost. Under-spending on security results in high risk
| in terms of trust and money, as well as poor national security.
|
| A valley company that takes security seriously will: Hire
| experts. Scope attack surface/risks. Implement direct
| mitigations. Implement policy. Implement defense in depth.
| Develop a system capable of discovering indicators of compromise
| (IOC's). Verify security via bug bounty and pen testing, both
| internal and external.
|
| Clearly most of these things are not "features" and therefore are
| a cost. Furthermore, since every company must implement these,
| the cost of security for society at large is an O(N) problem.
|
| We must set up a system that mitigates the unpayable O(N) cost of
| security.
|
| Pen testing/Bug Bounty/verification is probably the most easily
| scalable problem to solve. Whether you unleash hackers on
| companies by indemnifying them or specifically pay for Project
| Zero like entities or turn our own nation-state attackers against
| US companies with the weight of the US government behind it, it
| seems quite feasible to create scaled cybersecurity monitoring
| which can then better inform both technical solutions and policy
| solutions.
|
| Once companies know they have poor security and once a business
| can see being breached as a certainty rather than a potential
| risk, I think the free market can probably solve the problem.
| ExcavateGrandMa wrote:
| I'm gonna throw the truth to ya big entertaining crew :D
|
| get skilled... FIRST... before assuming you are a service :D
|
| damn nab crying... => again :D
| chongli wrote:
| What about the other side of this? Instead of seeking backdoors
| and using them to spy on Americans, the NSA should be stepping up
| their game and securing vital infrastructure and domestic
| businesses against these attacks.
| ocdtrekkie wrote:
| Generally speaking, you'll find the federal government has a
| litany of agencies, on both the offensive and defensive side
| of... everything. There are absolutely government resources
| working on securing American infrastructure.
|
| And shifting from one to the other appears to be happening, to
| some degree: https://breakingdefense.com/2021/06/dod-budget-
| appears-to-cu...
| LegitShady wrote:
| I agree, but I also don't mind the idea of drone striking
| ransomware guys...
| spookthesunset wrote:
| Forum spammers too.... they are parasites who cost website
| owners tons and tons of time.
| axlee wrote:
| I'd rather not see taxpayers have to foot the bill for the
| profit of megacorps neglecting proper cybersecurity while
| sitting on mountains of tax-evaded offshore cash, thank you.
| The industry should be magnitudes larger than it is currently,
| and we shouldn't encourage corporate recklessness by
| socializing the costs.
| paxys wrote:
| In a lot of cases along with the "megacorps" there is also
| critical national infrastructure going down.
| mc32 wrote:
| Not all corps are mega corps. Some might be mom and pop, your
| corner grocery, mechanics shop, tailor, dog groomer, etc.
| papito wrote:
| Sure, but they are up against state-sponsored, highly trained
| actors, and that's not a fair fight. This requires the
| resources of the US Government as their bodyguard.
| DowsingSpoon wrote:
| Or, alternatively, the NSA could be tasked with constantly
| pen testing US companies' computer security. If they find a
| problem then they would mandate fixes and assess a hefty
| fine. The fine would be used to cover the NSA's costs and to
| pay a bounty to the individual who discovered the weakness.
| meetups323 wrote:
| If other States sent proper Armies over to attack critical
| infrastructure the US government would surely foot the bill
| to aid in security. Why should cyberarmies be treated more
| leniently?
| axlee wrote:
| Because proper cybersecurity should be treated as a cost of
| business, unlike the use of force which is an exclusive
| prerogative of the state. If large companies want the state
| to step in to absorb some of their costs, they should stop
| trying to avoid contributing to said state at every step of
| the way. If said public involvement came at the cost of
| partial ownership of companies requiring it, with complete
| disclosure of their financials including offshore, I would
| not mind at all. I am simply extremely tired of
| corporations running to daddy at every inconvenience -
| sometimes of their own doing - while actively trying to
| crash the whole system into the ground by starving it. You
| can't have your cake and eat it too.
| 3GuardLineups wrote:
| public ownership of tech companies is the last thing we
| need. I'm with you on paying their taxes, but partial
| public ownership is a bridge too far
| ineedasername wrote:
| That assumes all cyber threats can be averted by private
| corporations. It's difficult for a company to play
| effective defense against nation-state levels of cyber
| attack R&D. Yes, companies need better security than they
| have now, but they cant do it without help.
| axlee wrote:
| This is where the threat of retaliation comes in as a
| deterrent, and the country should be equipped to do so.
| But publicly subsidizing private cybersecurity is both
| impractical (how would that work exactly?) and would
| encourage underspending even further.
|
| Why do you think China or Russia prefer to hack foreign
| private competitors rather than sending a bunch of
| missiles on their infrastructure?
| jeffbee wrote:
| Because that analogy doesn't hold. These cyber attacks are
| all but literally one bored kid and a computer. If the
| Russians sent one bored kid over here to blow up Hoover
| Dam, and that actually worked, we'd blame the people who
| put up the dam.
|
| The fact is that the correct and secure working of computer
| systems and networks has been severely neglected by
| companies in favor of their profit. If we are to have state
| response to such neglect, it should be funded by a huge tax
| on every copy of Windows.
| spookthesunset wrote:
| > These cyber attacks are all but literally one bored kid
| and a computer.
|
| Are you sure about that? A lot of this stuff is way more
| than just some bored kid. For the company I work for,
| there is almost certainly a group of well paid people who
| sit around every day trying to figure out new ways to run
| scams using our site.
|
| When there is financial motivation, people go through
| great efforts to get that $$$.
|
| "Security" isn't some catch-all box you can check. It's a
| non stop game of whack-a-mole where your adversary spends
| each day getting around whatever you put into place.
| 3pt14159 wrote:
| The incentives are all misaligned and the solutions aren't
| obvious. How is the USG going to secure some random admin
| access password? Are they going to update the code in the
| repo?
|
| I agree with hack-back. I agree with a number of proposed
| solutions, but at the very end of the day the problem with
| cybersecurity is that most orgs don't have the fiscal
| allocation that they need if they were to have any hope of
| stopping foreign states.
|
| Rather than compare it to armies, I think we should compare
| it to spies. If this is truly at the army level we could
| send a couple dozen missiles and the attackers would get
| the message. But there are reasons we don't do that though.
| First, we're not always sure who did what. Second, it's a
| political quagmire. Armies don't come to your house and
| help secure it from air strikes. Armies understand attack
| asymmetry and they hit back.
|
| But when it comes to dealing with foreign spies there is a
| different playbook. The government helps organizations that
| are critical to national security secure their entry points
| and resources. They help, but they don't do everything.
|
| This only works if the parties involved are interested in
| working with the government. Long after Nortel was first
| told of the Chinese hacking / stealing of their IP they
| were still woefully insecure. They went from being a third
| of the Canadian stock index to bankruptcy in a couple of
| years.
|
| I don't actually think cybersecurity is possible. I've
| tried very hard to get governments to change, and there is
| some progress on the most flagrant violations, but the
| space is growing too fast and the domain is too
| maneuverable. I don't think it is possible. All we can hope
| for is some combination of more defence and realignment of
| incentives of the actors involved limiting the eventual
| damage.
| virtue3 wrote:
| I think the threat of a tomahawk missile entering your
| building is a pretty good incentive to not fuck with US
| infrastructure but that's just me.
| _jal wrote:
| Except you can't do that, which is why the army metaphor
| doesn't work.
|
| (If you want to argue that this is a realistic response,
| please explain how doing so would not be acts of war,
| inviting both retaliation and much worse acts than
| justified by ours.)
| ocdtrekkie wrote:
| I mean, it can be argued that trying to damage our
| infrastructure by hacking our computers is just as much
| of an act of war as firing a missile at our
| infrastructure. In some cases, the effect of the damage
| is the same. (I admit the 'cleanup' of the Colonial
| Pipeline problem is much less than it would be if someone
| blew up the pipeline, but the impact it had on our
| country was similar.)
|
| I don't expect the US to start handling this that way any
| time soon, but I'm not sure it'd be irrational for a
| nation to decide a cyberattack is, in fact, an act of
| war.
| ocdtrekkie wrote:
| This probably won't be viewed as an incentive until the
| US demonstrates any sort of willingness to employ this
| strategy.
| hatchnyc wrote:
| This is well within the scope of what the government should
| be doing--just as a country's navy protects merchant ships
| from pirates and the police protect shopkeepers from
| burglary. If a foreign military were launching physical
| attacks on your business we'd expect any government in the
| world to intervene.
|
| Realistically even with government support, effective
| cybersecurity is going to require significant private effort
| and investment as well.
| axlee wrote:
| Should our society collectively pay for walls, doors and
| locks for every company in the country? How about paying
| for private security on every site? How about paying for
| personal bodyguards for every CEO? How about we all chip in
| to buy a password manager subscription for every private
| employee in the country?
|
| We should regulate and punish, not subsidize. The same way
| we have dealt with corporate recklessness for decades.
| cpncrunch wrote:
| The ones sitting on that cash (MS, Apple, Google) arent at
| risk.
| JoshTko wrote:
| You can't expect a regional coal plant to be ready for a
| nation state backed attack.
| pasabagi wrote:
| The costs are already socialized - it's our data that gets
| stolen in hacks. The problem is, the megacorps who lose it
| must only pay a negligible reputational penalty.
|
| If you could claim compensation for data lost, if businesses
| had to foot the bill for everybody whose security and privacy
| is impacted by data breaches, then it would quickly become
| something they would have to insure against, then the
| insurers would demand they take reasonable precautions. A
| system of fines would work well, for instance - an aggressive
| enforcement of the GDPR or similar, for instance, could
| create this kind of virtuous circle.
| Kalium wrote:
| Let's say you're a CEO at Big Pipeline Co. One day your phone
| rings. It's the NSA.
|
| They say your systems are vulnerable as hell. That you're very
| likely going to be breached in a quite expensive way very soon.
| It could shut down all the pipes on which Big Pipeline Co
| depends!
|
| They offer to patch your systems for you. Do you accept,
| knowing that your staff will have to hand over hundreds to
| thousands of credentials? Knowing that the employees of the NSA
| care more about patching than if your systems work afterwards,
| and you have no real recourse if they screw up?
|
| If you don't accept, what would you prefer the NSA do to secure
| your company's systems?
| derefr wrote:
| The NSA's mission-statement in domestic civic cybersecurity
| is to ensure the flow of commerce, i.e. to protect GDP. They
| aren't going to patch things in a way that makes them not do
| their jobs any more. That'd be an "attack on commerce" just
| as much as exploiting the vuln would be.
| Kalium wrote:
| That's true in broad strokes, but I'm trying to portray
| things from the position of an executive. Having a bunch of
| outsiders that you have no real influence over in charge of
| your systems is terrifying.
|
| The alternatives are a regulatory system for information
| security or offering advice and hoping companies implement
| it. There's a lot of advice on offer.
| quantico wrote:
| The law should require certain minimums of security for
| infrastructure deemed vital, like oil pipelines. If
| entertainment companies and HIPAA can ensure those they work
| with practice good cybersecurity, why can't the government do
| the same?
| Kalium wrote:
| https://www.energy.gov/national-security-
| safety/cybersecurit...
|
| There's already branches of cabinet-level departments that
| try to do this. In my opinion they're having about the same
| level of efficacy as one might expect in any other set of
| large-scale changes in very large old companies with a wide
| variety of internal systems and needs. If you look you'll
| find a plethora of government-led attempts to secure
| various critical industries.
|
| You'll also note that entertainment companies and hospitals
| are routinely breached. There's perhaps room to question if
| they are indeed practicing good cybersecurity.
| chongli wrote:
| I'd prefer the NSA put in the hard effort to shed their
| reputation as spies and start by offering plain security
| advice in the open that can be verified by independent
| experts. The best way forward is for the NSA to focus on
| providing high quality security advice, best practices, and
| guidance to critical infrastructure. This doesn't involve
| handing over the "keys to the kingdom".
| Kalium wrote:
| https://www.nsa.gov/What-We-Do/Cybersecurity/Advisories-
| Tech...
|
| The NSA seems to agree with you. So do the Departments of
| Energy, Commerce, and Defense, all of which have various
| efforts to provide independently verifiable high quality
| security advice, best practices, and guidance. In some
| cases, they've been doing so for years.
|
| But let's skip the NSA bit. Let's say you, CEO of Big
| Pipeline Co, have been called up by someone at The Office
| of Cybersecurity, Energy Security, and Emergency Response
| within the Department of Energy. They offer you all the
| advice and guidance you could wish for. Now it's up to you
| to budget resources. What do you do?
|
| Realistically, you probably hand that advice off to your IT
| or software staff and hope for the best. Though I realize
| that reasonable people may differ on this point.
| mastax wrote:
| Surely the NSA can _tell_ companies about their
| vulnerabilities without having to actually log in and fix
| them? "You have a server on 23.117.25.208:3999 which is
| vulnerable to CVE-2021-1120, fix it."
| Kalium wrote:
| Sure!
|
| Realistically, I find it not credible to believe that
| nobody in big infrastructure companies with IT departments
| is aware that they have vulnerable systems. I find it far
| more likely that people are aware and people in positions
| of leadership making decisions about risk have decided that
| these risks are acceptable.
|
| Do you think getting an email from the NSA telling IT what
| they already know is going to change those calculations? My
| experience with bug bounty programs is that leaders who
| make risk decisions are more likely to shrug and say "I
| know, we're OK with that risk".
|
| I realize that this is a personal judgment, and other
| people may have had wildly different experiences.
| pdonis wrote:
| _> an email from the NSA telling IT what they already
| know_
|
| No, that's not what the email from NSA would say. It
| would not say "there is a risk of your systems being
| compromised by cyberattack" in general terms, which is
| what IT already knows. It would say "your systems are
| vulnerable to these specific attacks", which IT does
| _not_ know. So yes, getting this new information _should_
| change the risk-benefit calculation dramatically.
| Kalium wrote:
| I've been on the receiving end of various emails like
| that. They have details on specific systems and specific
| attacks. They're occasionally useful, but often not.
| Knowing that a particular app is vulnerable to XSS might
| be useful, if I have staff that can fix it and they have
| the spare cycles.
|
| For example, a hospital IT department might get an email
| telling them that their MRI is exposing remote desktop to
| the internet with default credentials. They know that.
| They don't change it because if they do, their vendor
| will drop support. This is a real thing that real medical
| hardware has to deal with, and it's only slowly getting
| better.
|
| A big industrial company might easily have it worse than
| a hospital. Fixing the specific CVE on a specific port on
| a specific machine might mean having to retire a whole
| series of obscure, niche bits of SCADA hardware that
| don't support anything modern. It's like all those IoT
| gadgets that don't support 5GHz, writ large.
|
| https://en.wikipedia.org/wiki/SCADA#Security_issues
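The exposure Kalium describes (a remote-desktop service on a vendor-locked device reachable from the internet, with default credentials) is the kind of finding a scan report hands to IT. The following is an added triage example, not code from this thread or from any agency or vendor: it parses nmap grepable (-oG) output, joins each open remote-management port against an asset inventory, and assigns a compensating control (isolate behind a gateway or allowlist) where the device cannot be changed without losing vendor support, and a direct fix where it can. The scan lines, inventory, hostnames and addresses are constructed; the port list and the actions are assumptions for the example.

```python
"""Added example: triage of internet-exposed remote-management services by
joining nmap -oG output with an asset inventory.  The scan lines and the
inventory below are constructed, not taken from any real network."""

# Ports that should never face the internet without a gateway in front.
# The selection is an assumption for this example.
REMOTE_MGMT = {
    23: "telnet", 3389: "rdp", 5900: "vnc", 5800: "vnc-http",
    502: "modbus", 102: "s7comm", 20000: "dnp3", 44818: "enip",
}

# Constructed inventory.  vendor_locked means the device cannot be patched
# or reconfigured without losing vendor support (the MRI case above).
INVENTORY = {
    "203.0.113.10": {"name": "mri-console-01", "vendor_locked": True, "default_creds": True},
    "203.0.113.20": {"name": "jumphost-02", "vendor_locked": False, "default_creds": False},
    "203.0.113.30": {"name": "plc-boiler-7", "vendor_locked": True, "default_creds": False},
}

# Constructed nmap -oG lines.  Each port entry is
# port/state/protocol/owner/service/rpc-info/version/
SCAN = """\
Host: 203.0.113.10 ()\tPorts: 3389/open/tcp//ms-wbt-server///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 203.0.113.20 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.4/, 3389/open/tcp//ms-wbt-server///
Host: 203.0.113.30 ()\tPorts: 502/open/tcp//modbus///, 80/open/tcp//http///
Host: 203.0.113.40 ()\tPorts: 443/open/tcp//https///
"""

UNKNOWN_ASSET = {"name": "unknown", "vendor_locked": False, "default_creds": False}


def parse_grepable(text):
    """Yield (ip, port, proto) for every open port in nmap -oG output."""
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        # The Ports field is tab-delimited from the other fields on the line.
        fields = [f for f in line.split("\t") if f.startswith("Ports:")]
        if not fields:
            continue
        for entry in fields[0][len("Ports:"):].strip().split(", "):
            parts = entry.split("/")
            if len(parts) >= 3 and parts[1] == "open":
                yield ip, int(parts[0]), parts[2]


def triage(scan_text, inventory):
    """One finding per exposed remote-management port, with the action a
    defender can actually take for that asset.  Critical findings first."""
    findings = []
    for ip, port, proto in parse_grepable(scan_text):
        if port not in REMOTE_MGMT:
            continue
        asset = inventory.get(ip, UNKNOWN_ASSET)
        if asset["vendor_locked"]:
            # The device itself cannot change: put the control in front of it.
            action = "isolate: firewall to vendor/VPN allowlist, no direct internet path"
        else:
            action = "fix: close or restrict the port, disable the service if unused"
        severity = "critical" if asset["default_creds"] else "high"
        findings.append({
            "ip": ip, "asset": asset["name"], "port": port, "proto": proto,
            "service": REMOTE_MGMT[port], "severity": severity, "action": action,
        })
    return sorted(findings, key=lambda f: (f["severity"] != "critical", f["ip"]))


if __name__ == "__main__":
    for f in triage(SCAN, INVENTORY):
        print(f"[{f['severity']}] {f['asset']} {f['ip']}:{f['port']} "
              f"({f['service']}) -> {f['action']}")
```

The point of the inventory join is the one Kalium makes: the scanner already knows the port is open; what the report needs to add is whether the owner can touch the device at all, because that decides whether the fix is a configuration change on the host or a network control around it.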
| screamingninja wrote:
| > They offer to patch your systems for you.
|
| That is certainly not how it works. See the links others
| posted for context. NSA is more likely to inform you of the
| vulnerabilities and associated mitigations.
| Kalium wrote:
| I understand that's not how it works. I'm constructing a
| deliberately absurd example to show both how the NSA could
| help and why companies wouldn't accept it.
| pdonis wrote:
| Let's say you're the Chairman of the Board of Directors at
| Big Pipeline Co. One day your phone rings. It's the NSA.
|
| They say your systems are vulnerable as hell, and they told
| the CEO about it, but he did nothing. He didn't allow the NSA
| to come in and fix anything; he also didn't take any action
| on his own to have people internal to the corporation fix it.
|
| What's your obvious response? Fire the CEO and install a new
| one who will direct the appropriate resources to fixing the
| problem.
| viraptor wrote:
| They do that already. They're not going to come to your company
| and configure things for you, but they'll report
| vulnerabilities (https://www.cnet.com/news/major-
| windows-10-security-flaw-rep...), give guidance on policies
| (https://us-cert.cisa.gov/ncas/current-
| activity/2021/02/26/ns...), create security frameworks
| (https://web.archive.org/web/20201022103915/https://www.nsa.g...) and
| many other things.
| Hermel wrote:
| What's next? Using anti-terror laws for copyright enforcement?
| chickenpotpie wrote:
| Ransomware is actually a legitimate threat to the well-being
| and health of all people. They lock down government and health
| records. It's a huge risk to the American people
| AnimalMuppet wrote:
| Sure. But laws for dealing with legitimate threats sometimes
| get co-opted to _also_ deal with extraneous matters.
| viro wrote:
| do you live under a rock? have you missed the ransomware
| attacks on critical infrastructure....
| stonepresto wrote:
| If the USG treats this even close to the way they treat terrorism
| in regards to policy and funding, I'm curious what that will look
| like and how nation-states harboring those people will react.
| hfjfirkrkrj wrote:
| I remember reading many years ago that US gov said it reserves
| the right to physically go after cyber attackers, ie: kill the
| hackers behind the hack.
|
| What's the current official policy, is this still on the table
| (probably only for massive attacks)?
| rejectedandsad wrote:
| They absolutely should. We are in the midst of a cyberwar against
| criminal gangs sheltered by a kleptocracy that already attempted
| political sabotage against this country. All options must be on
| the table including physical retaliation - the threat isn't going
| away.
| kgeist wrote:
| Everyone points at Moscow as if they are behind the attacks,
| when, in fact, all we know is that the hackers are probably
| based in Russia (if treating Cyrillic keyboards specially isn't
| a silly false flag). They say Russia is unwilling to do
| anything etc. But did the FBI actually reach to their Russian
| counterparts for assistance? Or are they waiting for Moscow to
| come forward and fix all their security problems on its own? 10
| years ago when mail-order bride scams were popular (targeted at
| US/Canada/Australia), Russian police actually did catch and
| imprison a lot of scammers after American/Canadian requests;
| some of them in my own town
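The "treating Cyrillic keyboards specially" that kgeist mentions refers to a check several ransomware families are reported to perform: enumerate the installed keyboard layouts and exit if one belongs to a CIS-region language, which is why installing a Russian layout circulated as a cheap vaccine. The block below is an added reconstruction of that check, not code from this thread or from any particular malware family. The set of excluded languages is an assumption assembled from the standard Windows language identifiers; which languages a given family actually checks varies. On Windows it queries the real layout list through user32.GetKeyboardLayoutList; elsewhere it runs only on the constructed values.

```python
"""Added example: reconstruction of the CIS keyboard-layout exclusion check
(not code from the thread or any specific malware).  Runs offline on
constructed HKL values; on Windows, installed_layouts() reads the real list."""
import ctypes
import sys

# Windows language identifiers (the low 16 bits of a keyboard-layout handle).
# Which of these a given family excludes is an assumption; the values are
# the standard Windows LCIDs for each language/region.
CIS_LANG_IDS = {
    0x0419: "Russian",
    0x0422: "Ukrainian",
    0x0423: "Belarusian",
    0x043F: "Kazakh",
    0x0440: "Kyrgyz",
    0x0443: "Uzbek (Latin)",
    0x0843: "Uzbek (Cyrillic)",
    0x0444: "Tatar",
    0x0428: "Tajik",
    0x042C: "Azerbaijani (Latin)",
    0x082C: "Azerbaijani (Cyrillic)",
    0x0437: "Georgian",
    0x042B: "Armenian",
    0x0442: "Turkmen",
    0x0818: "Romanian (Moldova)",
}


def lang_id(hkl: int) -> int:
    """An HKL packs the language ID in its low word; the high word is the
    device or IME part, which the check ignores."""
    return hkl & 0xFFFF


def excluded_layouts(hkls):
    """Names of the installed layouts whose language is on the exclusion list."""
    return [CIS_LANG_IDS[lang_id(h)] for h in hkls if lang_id(h) in CIS_LANG_IDS]


def would_abort(hkls) -> bool:
    """True if a layout-checking payload would refuse to run on this host."""
    return bool(excluded_layouts(hkls))


def installed_layouts():
    """Real HKL list on Windows via user32.GetKeyboardLayoutList; [] elsewhere."""
    if sys.platform != "win32":
        return []
    user32 = ctypes.windll.user32
    count = user32.GetKeyboardLayoutList(0, None)
    buf = (ctypes.c_void_p * count)()
    user32.GetKeyboardLayoutList(count, buf)
    return [(h or 0) & 0xFFFFFFFF for h in buf]


if __name__ == "__main__":
    # Constructed HKLs: a US-English-only host, and one with Russian added.
    hosts = {
        "en-only": [0x04090409],
        "vaccinated": [0x04090409, 0x04190419],
    }
    for name, hkls in hosts.items():
        verdict = "abort" if would_abort(hkls) else "run"
        print(f"{name}: {verdict} {excluded_layouts(hkls)}")
    live = installed_layouts()
    if live:
        print("this host:", [hex(h) for h in live], "abort" if would_abort(live) else "run")
```

Because the check lives in the attacker's code, a family can drop it at any time; adding a layout to endpoints is at most a tripwire, not a control. Knowing the exact logic is more useful on the detection side, where a process enumerating keyboard layouts right before touching large numbers of files is an odd combination for legitimate software.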
| okareaman wrote:
| I think a lot of people don't realize this, because I never see
| it mentioned, but when the Soviet Union dissolved we (U.S.)
| convinced the Ukrainians to give up their loose nuclear weapons
| with the promise that we would protect them going forward. It
| may be time to ratchet up on that promise and help the
| Ukrainians drive the Russians back across their border. Crimea
| will stay gone because it belonged to Russia to begin with
| (https://en.wikipedia.org/wiki/1954_transfer_of_Crimea) There
| are a lot of things we could do with Ukraine to punish Russia.
| ian_lotinsky wrote:
| Bruce Schneier, our country needs you! If you--or someone with
| your mindset--isn't in authority and we get the technical
| equivalent of the TSA, we're in for a world of hurt and trouble.
| cma wrote:
| How about a crypto-wealth tax to pay for ransomware disruptions?
| paxys wrote:
| Yes, that definitely won't provide an incentive for hacker
| groups to release more ransomware
| cma wrote:
| Can you explain how so?
| paxys wrote:
| Because the more we pay the hackers the more funding they
| get to launch further attacks
| coliveira wrote:
| So let's look at the chain of events: companies start to become
| monopolies, make billions of dollars that way. They become "too
| big to fail", important "infrastructure" for the US. Then, start
| to expose their users' data on public networks, and don't follow
| proper security procedures. Now, the public has to pay for the
| government to secure the megacorp networks! It's a non-stop scam,
| where they fail their (already small) responsibilities and use
| public funds to increase their monopolies!
| genmud wrote:
| Nailed it in the first try!
| A4ET8a8uTh0 wrote:
| It is good, but it still does not beat JIT. First MBAs and various
| JIT acolytes did everything to make sure there is nothing on
| hand or manufactured in the US just in case it ate into the profits
| and then when the 'everything shortage' happened, they had the
| balls to run to the government asking for bailou.. sorry..
| incentives to move manufacturing to the US. It is fascinating to
| watch, because it is done with a very straight face and
| expensive lawyers.
| coliveira wrote:
| It is all another chapter of the US war against its own
| people. All the money is going to scammers, I mean, mega
| corps.
| xibalba wrote:
| The Colonial Pipeline is a monopoly? It appears to be a joint
| venture between at least 5 energy companies. Or to what
| monopoly are you referring? There is no mention of any other
| companies in this article.
|
| When hackers start to interfere with American food and energy
| supply chains, it rises to the level of national security,
| IMHO.
|
| With all due respect, it seems like you might be jamming this
| story into a pre-chosen narrative.
| ginja wrote:
| I too dislike megacorps, but you could say the same thing about
| a business being robbed - they most likely could have done
| something to prevent it but police will still respond and not
| charge them for it.
| genmud wrote:
| Sure, the cops will also say you're a dumbfuck for transporting
| hundreds of millions of dollars on an open bed truck in the
| middle of Detroit.
| rawtxapp wrote:
| Well it's one thing getting robbed when you took precautions
| like securing your back entrances, putting security cameras
| in your store, putting the cash in some kind of safe and it's
| different if you take no precautions whatsoever and
| everything is out in the open.
|
| Many of these companies that get hacked haven't even done the
| bare minimum, so it's not even remotely comparable to a
| robbery imo.
| wearywanderer wrote:
| My heart goes out to the people of Iraq, who apparently are once
| again going to get bombed for no good reason.
| coolspot wrote:
| Here is the proof ( _shakes a USB flash drive_ ) that they are
| hiding malware of mass destruction in there and we shall
| invade!
| andred14 wrote:
| These cyberattacks are lies. I work for an essential utility and
| none of their control systems are on the internet.
|
| We had water, power, etc before computers so the computer part is
| not essential to operation.
| sharkweek wrote:
| Time to bring back the chart that never dipped below yellow! [1]
|
| [1] -
| https://upload.wikimedia.org/wikipedia/commons/thumb/1/10/Hs...
| chickenpotpie wrote:
| I really hope this copies the principle of not negotiating with
| terrorists. Every time we pay out ransomware it just encourages
| more ransomware.
| stonepresto wrote:
| The downward trend in bug bounty payouts and frustration from
| researchers might also sweeten that deal for more experienced
| persons.
| paxys wrote:
| Companies which fall victim to such attacks aren't normally
| the kind which have bug bounties or engage with security
| researchers.
| [deleted]
| ctdonath wrote:
| US Constitution empowers Congress to issue "Letters of Marque and
| Reprisal" - to wit grant permission for private entities (people,
| companies) to wage war on other private entities. Enacted to help
| shipping companies deal with pirates, applies today for the likes
| of ransomware perpetrators.
| fartcannon wrote:
| If I wanted to make encryption illegal, and I ran a 3 letter
| agency, how could I get my population to support me?
| rawtxapp wrote:
| If encryption was illegal, all these corporate secrets would be
| even more out in the open, not sure how that's better.
| sebyx07 wrote:
| ... Just don't allow users to run stuff as administrator... If 0days
| are found by the NSA they should report and fix them, not exploit them
| y04nn wrote:
| For me "Terrorism is, in the broadest sense, the use of
| intentional violence to achieve political aims", there are no
| political aims here, their goal is to extort as much money as
| they can from their victims. This is a criminal activity and any
| small or big companies that pay for it are feeding the monster
| and should be persecuted. But the US has been ignoring it for
| years and now it comes right back to them.
| bostonsre wrote:
| The willful ignorance and non-action by states that provide a
| safe haven for launching these attacks seems to be potentially
| political to me. If the attackers are state backed, then it's
| definitely political. If the attackers are not state backed, it
| seems plausible that the state has made a decision to allow the
| attacks to take place because sowing chaos and discord in the
| United States is an aim of their government.
| viraptor wrote:
| It's the international "finger in front of the face, I'm not
| touching you" game. But by any reasonable interpretation,
| yeah, it looks like the prosecution of ransomware groups
| is lacking for one reason or another.
| elliekelly wrote:
| They haven't said ransomware _is_ terrorism, only that they're
| going to prioritize it _like_ terrorism. As in, it will follow
| a similar centralized reporting process. I don't think the goal
| is to start sending hackers to Guantanamo or categorize
| ransomware as WMDs. Not yet, at least.
| PicassoCTs wrote:
| Finally we're going to get security research paid properly and
| companies punished for not fixing their zero-day-sponges. Oh, it's
| just another monstrous deterrence three-letter agency.
|
| But yeah, in a game-theory sense, it's the cheapest option, to
| have a nuclear counter strike, instead of building all cities
| like underground bunkers. Security, by strike team. That would
| actually work, if all countries agreed on that.
|
| Or the internet is expected to break into allegiance-sized parts.
| The server only connects to countries that will extradite cyber-
| criminals and adhere to this connection contract.
|
| It was a nice dream, while it lasted.
| maniatico wrote:
| Wonder if this also means that at some point there are going to
| be kinetic responses.
| anti-nazi wrote:
| that's a pretty big joke
| ocdtrekkie wrote:
| Whelp, that's the end of cryptocurrency... probably should sell
| your HODLings now. If we're going to Patriot Act the crud out of
| ransomware, Bitcoin is gonna be illegal.
| WrtCdEvrydy wrote:
| Yeah, that's what happened with drugs. The price of drugs
| actually dropped to zero and it's now impossible to get LSD.
| ocdtrekkie wrote:
| I mean, does Bitcoin give people the sort of high that they'd
| risk going to prison for? I'm not sure nearly-random numbers
| have the staying power compared to addictive substances.
| WrtCdEvrydy wrote:
| Yeah, opening it up and seeing 30%+ gains in a day does
| give me a sort of high.
| chitowneats wrote:
| You won't be seeing 30%+ gains when they're throwing
| people in prison for it.
|
| Most drug users are never prosecuted. But the threat of
| prosecution does very little to affect the quality of
| their purchase, relative to what it would do to BTC
| market as a whole.
| bouncycastle wrote:
| Do you know how absurd that would be? Crypto like Bitcoin
| are just a database in essence. Throwing someone in
| prison for running a database on their computer would
| probably spell the end of general purpose computers. You
| will not be allowed to run databases anymore unless they
| are approved.
| dragonwriter wrote:
| > Do you know how absurd that would be? Bitcoin is just a
| database in essence
|
| It's really not unusual for the law to treat things
| differently based on the purpose for which they are used
| when they are "just a database, in essence".
| bouncycastle wrote:
| I know, in theory you can have a law for everything. For
| example, in the Soviet Union basic electronics such as
| radios were restricted and you were not allowed to tune
| your sets to western stations.
| chitowneats wrote:
| You can also have a total free for all. Murder,
| kidnapping, etc, all legal.
|
| See? I can do it too.
| WrtCdEvrydy wrote:
| Yeah, illegal things definitely don't end being sold
| above market price.
| chitowneats wrote:
| If you can't exchange BTC for dollars other than in
| person, and if you can't use it to purchase goods online
| other than via TOR, that is not going to increase the
| price. It's going to crash it.
| handrous wrote:
| I think this dynamic will play out very differently with
| something the value of which is mostly determined by
| current and future-expected transaction velocity & volume
| (to the extent that it's not sheer speculation). Now, the
| cost for _services_ involving Bitcoin, like converting it
| into dollars, would probably shoot way up.
|
| Outlawing Bitcoin (or cryptocurrency generally) would
| cause a _huge_ demand reduction. Some coins might adjust
| supply to compensate, but total crypto "market cap"
| would surely plummet.
| jessaustin wrote:
| _...when they're throwing people in prison for it._
|
| I _thought_ I smelled authoritarianism! Here we see the
| ultimate purpose of this entire desultory exercise.
| Having problems online? No backups? Don't fix your
| pathetic shit; just be the excuse for the USA military-
| enforcement-imprisonment-industrial complex to oppress
| everyone on earth. Good grief.
| chitowneats wrote:
| https://drewdevault.com/2021/04/26/Cryptocurrency-is-a-
| disas...
|
| Nations make laws against bad things. People who violate
| those laws go to jail. A ban on cryptocurrency (or
| rather, exchanging it for dollars) will be a hell of a
| lot easier than banning popular intoxicants.
|
| We're done putting up with this particularly pernicious
| iteration of tulip mania. Time to pull the plug before it
| does any more damage.
| jessaustin wrote:
| I am _shocked_ that I can't find the term "backup" at
| that authoritative link
| okareaman wrote:
| Opening it up and seeing 30%+ losses in a day must be
| quite a come down
| WrtCdEvrydy wrote:
| You're not wrong.
| rsj_hn wrote:
| Bitcoin is just math. The US isn't going to be able to make
| holding bitcoin illegal, and I very much doubt it will ever
| be able to make the buying and selling of it illegal --
| there are even free speech issues here. But what it can do
| is tax the hell out of it, regulate the exchanges as
| investment platforms, but they will have a hard time trying
| to make it illegal to pay someone to sign a cryptographic
| hash.
| hocuspocus wrote:
| The US very much decides who, where, and what can be
| bought or sold in USD. Worldwide.
| JumpCrisscross wrote:
| > _that's what happened with drugs_
|
| Drugs are renowned as a special case when it comes to states'
| enforcement power. Currency control is not.
|
| Outside failed states, capital controls and foreign currency
| restrictions have been historically well enforced and
| followed.
|
| The U.S. banning cryptocurrencies, sanctioning connected
| individuals and firms and committing to leveling repeated 51%
| attacks would functionally destroy most cryptocurrencies.
| (There is zero indication this is being contemplated.)
| vmception wrote:
| I laughed so hard without my mask that I almost got kicked
| out of this WeWork
| randomhodler84 wrote:
| Agree -- These ban happy nocoiner rantings about outlawing
| math would be funny if they weren't so damn authoritarian.
| chitowneats wrote:
| We're not outlawing math. You can still run your little
| calculations on your machine. You just can't exchange
| them for dollars. That's what we're proposing here.
| Currency control.
|
| Are you confusing this with the debate around encryption?
| That wouldn't surprise me coming from someone who uses
| the phrase "nocoiner".
| colecut wrote:
| I have to admit, it is harder than I would like
| MattGaiser wrote:
| You generally can't exchange cash for Bitcoin all that
| easily. You need some part of the fiat electronic banking
| system to get from cash to Bitcoin.
| dan-robertson wrote:
| I think if you're a criminal with a lot of Bitcoins you can
| do it. One way is through exchange insiders taking a bunch
| of your balance and giving you a bag of cash (but you sell
| your coins to them at a discount of course.) See eg
| https://cybernews.com/security/how-we-applied-to-work-
| with-r...
| cammikebrown wrote:
| It's funny you say that, there actually was a huge LSD bust
| in 2000 that did make it harder to find for awhile.
|
| https://en.m.wikipedia.org/wiki/William_Leonard_Pickard
| WrtCdEvrydy wrote:
| Right, but in 2021, I'm sure you can find LSD at an
| inflated price due to government action.
| kingTug wrote:
| LSD was and still is one of the cheapest black market
| drugs you'll find. There is no shortage. Imo it's easier
| to get and test for safety than ever before.
| reader_mode wrote:
| Difference is if corporations and funds can't hold
| bitcoin/crypto - you're back to $1/BTC. The whole value
| proposition of BTC hype bubble bursts if it's illegal in a
| major market like USA. Don't doubt some cyberpunk nuts will
| keep playing with it.
| NtGuy25 wrote:
| Monero is banned by nearly every US exchange, and hard to
| buy with USD as a US National. It still maintains value and
| has seen growth.
|
| While BTC may burst, it wouldn't go to $1/BTC. It would go
| to a small percentage of what it is now, but still retain
| some value.
| reader_mode wrote:
| Yeah, not sure what it would be worth, obviously the US is
| just one part of the BTC story, $1 is just a random
| number to say it would crash super hard.
| selsta wrote:
| Kraken lists Monero in US. Other US exchanges don't have
| Monero listed, but that does not mean that they "banned"
| it.
| dcolkitt wrote:
| We have plenty of historical and current examples of
| governments imposing capital controls to restrict access to
| foreign currency. Very rarely does it result in the market
| price of the foreign currency going down. Usually quite the
| opposite.
|
| Heck, even in American history we once tried to ban private
| ownership of gold bullion. The black market price of gold
| rose substantially.
| reader_mode wrote:
| > We have plenty of historical and current examples of
| governments imposing capital controls to restrict access
| to foreign currency. Very rarely does it result in the
| market price of the foreign currency going down. Usually
| quite the opposite.
|
| That's a nonsense comparison. When governments impose
| capital controls it means their currency is already
| sinking and it's a last ditch attempt to prevent this
| inevitable scenario.
|
| BTC valuation is entirely based on narratives about how
| it's going to replace standard currency in whatever story
| is popular, and from what I can see right now it's being
| pumped up by funds who can't find other good investments
| in these markets and are willing to play with crypto. If
| it's illegal for US funds/citizens to hold it/be involved
| with it - the selloff alone would kill the market
| instantaneously.
| dcolkitt wrote:
| The US only constitutes 15% of global GDP. There's no
| reason to think that US investors represent an outsized
| position in crypto holdings. American _funds_ may have
| large positions, but that's largely because the American
| asset managers tend to attract substantial overseas
| positions.
|
| There's no reason to think that, say, a Japanese pension
| fund that's invested in Grayscale is going to say, "oh
| shoot, guess there's no possible way to allocate to this
| asset class now". They'll just reinvest that same
| allocation in a UK or Caymans domiciled fund.
|
| If anything the 85% of crypto investors who aren't
| invested, will most likely hoard in anticipation of the
| policy being reversed. For better or worse the US
| government has extremely low credibility when it comes to
| long-term policy consistency. Almost any US policy can
| simply be waited out until Congress/White House flips
| parties.
| dragonwriter wrote:
| > The US only constitutes 15% of global GDP. There's no
| reason to think that US investors represent an outsized
| position in crypto holdings.
|
| Holdings would seem to be more reasonably assumed to be
| proportional to wealth, not GDP. The US has a
| significantly larger share of global wealth than it does
| of GDP.
| ocdtrekkie wrote:
| And presumably if nobody can easily convert large
| quantities of crypto to and from USD. Sure, you find an
| international exchange, willing to give you some other
| fiat, but American KYC laws are still going to be chasing
| you all over the globe.
| daxfohl wrote:
| I mean, it could still be used as an IOU of sorts for
| illegal activities. But if this is the sole remaining use
| case, I'd imagine there are better means for this than
| hosting on a public ledger.
| thereare5lights wrote:
| This seems like hyperbole.
|
| Bitcoin is easier than hard cash to track. There's no need to
| make it illegal. I suppose you could argue that government is
| heavy handed enough to simply ban the mechanism by which
| ransomware payments are so easily conducted. My intuition is
| that government would prefer to regulate it rather than
| outright ban it.
| boxingdog wrote:
| terrorists also use dollars, let's ban that as well
| JumpCrisscross wrote:
| > _If we 're going to Patriot Act the crud out of ransomware,
| Bitcoin is gonna be illegal_
|
| Terrorist financing is illegal. Cash is not.
| ocdtrekkie wrote:
| The majority of the uses of cash are legal. The majority of
| uses of Bitcoin are criminal. And bear in mind, Bitcoin
| hasn't just been a boon to ransomware, it's been a strategy
| to evade financial sanctions by countries like Iran:
| https://www.reuters.com/technology/iran-uses-crypto-
| mining-l...
|
| So there's a lot of reasons the US government just may find
| themselves happier without it.
| jessaustin wrote:
| There's a difference between a proposition one can pull out
| of an orifice and a proposition one can defend in court.
| Vadoff wrote:
| Criminal? Maybe in 2013 Silk Road days.
|
| There's a ridiculous amount of volume on Bitcoin and it's
| mostly moving to and from exchanges. There's no way a
| majority of those are illegal.
| Karunamon wrote:
| > the majority of uses of Bitcoin are criminal
|
| Citation badly needed.
| selsta wrote:
| Do you have a source for your claim that the majority of
| Bitcoin uses are criminal? Research by blockchain analysis
| companies show that only a small percentage of Bitcoin
| usage is illicit [1][2][3].
|
| [1] https://www.elliptic.co/resources/typologies-concise-
| guide-c...
|
| [2] https://ciphertrace.com/2020-year-end-cryptocurrency-
| crime-a...
|
| [3] https://blog.chainalysis.com/reports/2021-crypto-crime-
| repor...
| labster wrote:
| Cash is a solution to the problem of portable assets. Bitcoin
| is a problem in search of a solution.
| qayxc wrote:
| > Cash is a solution to the problem of portable assets.
|
| Barely. The portability usually ends at country borders.
|
| > Bitcoin is a problem in search of a solution.
|
| Don't you mean "a solution in search of a problem?" Nice
| Freudian slip, though :)
| labster wrote:
| I thought being a solution in search of problem was
| perhaps too charitable. Every joule we waste on hashes is
| another gram of carbon in the air. And it is all waste --
| the only problem cryptocoins solve better than other
| solutions is illicit transactions. It's not even close to
| as anonymous as cash.
|
| Coinage used to be more portable in the days of precious
| metal coins. But honestly I've had very few barriers
| in converting cash. It's a solved problem.
| owenmarshall wrote:
| Sure. But running an exchange where USD goes _to terrorists_
| - or, indeed, where you _can't_ show that USD _does not_ go
| to terrorists - is highly illegal.
|
| If ransomware gangs are directly or indirectly targeted by
| OFAC, that would have massive ramifications.
| JumpCrisscross wrote:
| > _running an exchange where USD goes to terrorists - or,
| indeed, where you can't show that USD does not go to
| terrorists - is highly illegal_
|
| Doesn't existing anti-terrorist financing (ATF) law cover
| this?
| owenmarshall wrote:
| AML, SDN lists - yes, all that is in scope. But
| enforcement has been uneven: it's so far been about
| making US exchanges comply with KYC laws. Nobody has
| really gone further.
|
| What happens when a company is a victim of a ransomware
| attack and OFAC puts the extortion _wallet_ on an
| exclusion list?
| JumpCrisscross wrote:
| > _What happens when a company is a victim of a
| ransomware attack and OFAC puts a wallet on an exclusion
| list?_
|
| That wallet gets tainted? Its coins become less
| valuable? Marked wallets have been an obvious thing
| coming down the pipes.
| owenmarshall wrote:
| The risk isn't just to the person holding the wallet:
| it's the risk of OFAC sanctions hitting the exchanges
| that take dirty BTC and pay USD.
|
| So now, know your customer turns from "be sure I don't
| send USD to a specially designated national" to "be sure
| I never accept crypto from a burnt wallet."
| mullingitover wrote:
| Except you can't choose whether you accept or not - the
| transactions sending BTC into your wallet are not at your
| discretion, you can't 'reject' them.
| myohmy wrote:
| Try taking $10,001 in cash into the US and tell me that again
| owenmarshall wrote:
| or take that and deposit $5000 of it today and $5001 in a
| week ;)
| TameAntelope wrote:
| How much success, historically, has the US government had at
| regulating math? I can't think of any, but it's not really my
| specialty so I'm curious if anyone's encountered a successful
| example.
| khuey wrote:
| They don't have to regulate math, they just have to regulate
| where cryptocurrency touches the "real" financial system
| which they're actually really good at.
| rsj_hn wrote:
| I would assume most diehard bitcoin holders are just fine
| with no financial system entity touching them. After all,
| that's what many of them are trying to route around. They
| want peer-to-peer transactions independent of state actors,
| and have very little desire to hold BTC in their Fidelity-
| managed 401K portfolio.
|
| Rather it's been the banks that have been clamoring to get
| a piece of the bitcoin action, not the other way around.
| NationalPark wrote:
| Quite a lot? The SEC and ITAR both come to mind.
| TameAntelope wrote:
| If you think the ITAR has stopped any math from dropping
| into "disallowed" hands in any meaningful way, I have a
| bridge to sell you.
| ping_pong wrote:
| They fucked up by targeting infrastructure. If they stuck with
| small companies they could keep doing it till the cows came home.
| But now they have governments against them so now they will be
| hunted down.
| paxys wrote:
| These groups aren't really "targeting" anyone. These ransomware
| attacks are as sophisticated as Nigerian prince emails. Send
| out a lot of spam, wait for someone who clicks on it and is
| running outdated software and boom. Sooner or later you will
| encrypt something important enough to pay for.
___________________________________________________________________
(page generated 2021-06-03 23:00 UTC)