[HN Gopher] Interview with a ransomware group
___________________________________________________________________
Interview with a ransomware group
Author : stereoradonc
Score : 107 points
Date : 2021-08-03 10:56 UTC (12 hours ago)
(HTM) web link (therecord.media)
(TXT) w3m dump (therecord.media)
| dcow wrote:
| This is an interesting topic because BM claims to have a moral
| compass and is only interested in targeting wealth not impacting
| humans. Let me ask the question: "if companies paid for in-house
| security professionals competitive with what one might imagine BM
| pays, would people still choose the grey work?". I presume in a
| dichotomy between clearly unethical and ethical, it's easy for
| many to choose ethical. But when you add a grey option, it
| certainly changes things since I imagine most people are
| ethically grey. Let's assume what BM is doing is effectively
| legal in the country where they operate.
| dylan604 wrote:
| > would people still choose the grey work
|
| Some people are just outlaws and choose to do things because
| they are not allowed normally. So I'd say yes.
| xh-dude wrote:
| I think it's fair to assume that adding ethical gray is a well
| understood tactic in this world. And just that - a tactic.
| pizza234 wrote:
| > if companies paid for in-house security professionals
| competitive with what one might imagine BM pays, would people
| still choose the grey work?
|
| Interestingly, they answer very clearly:
|
| > We have not been involved in legal pentesting and we believe
| that this could not bring the proper material reward.
|
| They're in only for the money, so the answer is "yes".
|
| Ransomware is not "grey" work though, if this is the
| implication; it's extortion, which is illegal.
| dcow wrote:
| > Let's assume what BM is doing is effectively legal in the
| country where they operate.
| sys_64738 wrote:
| These people are terrorists so why are they being interviewed?
| pmoriarty wrote:
| Know your enemy.
| CleverLikeAnOx wrote:
| It is not uncommon for journalists to interview terrorists and
| gangsters. I found it insightful.
| imwillofficial wrote:
| Terrorists, cartels, and criminals of all shapes and kinds are
| often interviewed. As to the bigger question of "why"? It gives
| us a unique insight into a strata of society most of us are not
| privy to, opening our minds to new ideas.
| mimixco wrote:
| There's an elephant in this room and its name is _ethics._
|
| When I was a mainframe programmer at IBM, one of the first
| things they taught us was how to stop the processor of a
| System/370 machine. If you can do that, ladies and gentlemen, you
| can bring down Bank of America, the US Army, the Social Security
| Administration, etc. So everyone there knew how to be a "black
| hat" hacker if we wanted to.
|
| Was there money to be made in that? Surely. More money than IBM
| ever paid anyone! But the reason neither I nor any of my
| colleagues would ever dream of using our skills to hurt people is
| that last part of the sentence: _it hurts people_.
|
| Yes, IBM did some awful stuff from helping Nazis to keeping
| apartheid alive in South Africa (over employee objections while I
| was there), but overall, the "corporation" provided valuable
| goods and services to real people who had to slog on in real jobs
| every day to get the world's real work done.
|
| Oil companies are in the same boat. The world runs on oil and
| some ransomware attacks aren't going to change that. The idea
| that terrorism (and black hat hacking is absolutely a form of
| terrorism) is a useful way to change corporate behavior is so
| ill-informed that it's pathetic.
|
| When asked about taking a "white hat" approach and selling legal
| pen testing (or even PTaaS), these developers declined saying
| they probably couldn't monetize their skills at the same level
| that way.
|
| Well, I say, too _effin'_ bad. If everyone optimizes solely for
| himself, there will be no one left. It's appalling to me that
| criminal organizations now recruit, have price lists, and get PR
| placement. These people and their products (and their
| communication channels) need to be turned off ASAP for everyone
| else's sanity and self-preservation.
| draw_down wrote:
| Seeing the word "ethics" emphasized, followed by "sure they
| helped Nazis but..." was really something. Congratulations, I
| guess.
| fleddr wrote:
| What elephant in the room?
|
| They are self-admitted criminals. They admit to be in a
| destructive industry to line their own pockets. The only reason
| they are selective in their targets is because critical targets
| will increase the chances of them being caught.
| mimixco wrote:
| I was referring mostly to the suggestions that attempted to
| justify this behavior by saying the targets are "bad
| companies."
| fleddr wrote:
| Ah ok. When reading the article, I don't get the impression
| that they try to frame themselves as somewhat ethical, I
| think that may be an interpretation by some of us here.
| dcow wrote:
| > These people and their products (and their communication
| channels) need to be turned off ASAP for everyone else's sanity
| and self-preservation
|
| But they can't be because enough people don't share your
| worldview. Do you believe private communication is a human
| right? Well then you can't stop them communicating either. How
| would we achieve a world where these products and services
| could be universally banned immediately?
|
| You are right, the problem _is_ ethics. The problem is that it's
| not universally criminal to attack other countries' _wealth_.
|
| If it came out that this group ran their infrastructure on IBM
| cloud, and you still worked at IBM, what would you do? It seems
| you think that the generation of wealth for IBM's shareholders
| is more important than stopping genocide, therefore it's okay to be
| complicit. So you seem to have some general notion of ethical
| total harm.
|
| > The idea that terrorism (and black hat hacking is absolutely
| a form of terrorism) is a useful way to change corporate
| behavior is so ill-informed that it's pathetic.
|
| It _does_ change behavior, though, whether you like it or not.
| mimixco wrote:
| I certainly can't argue that you're wrong!
|
| Private communication, even for business, is a human right. I
| was not suggesting that some authoritarian arm "shut them
| off," but rather that a profusion of businesses and
| individuals simply choose to ignore them. Death by rescission.
|
| It's also one's right to choose to be in an ethical business
| or not. I've rejected many customers and employers because I
| didn't want to help in their aims.
|
| I was among the people who protested IBM's continued
| involvement in apartheid and it did end before I left.
| Companies can choose to "not be evil" or they can just say
| that.
|
| And yes, sadly, everything changes human behavior. What I was
| going for is that ethics is a _practical_ phenomenon as well
| as nice one for other people. I still believe that more can
| be accomplished through volunteerism (including volunteer
| agreements about money and work rather than coercive ones)
| than through violence. Perhaps that's naive or hopeful but I
| hope a few of us persist in keeping the idea alive.
| cutler wrote:
| Totally naive but what would it take to protect a disk from
| unintentional encryption or maybe make encryption impossible?
| LadyCailin wrote:
| Good, offlined backups.
| blankface wrote:
| Reminds me of the Bin Laden interview(s) before 9/11,
| specifically the one with Robert Fisk where Bin Laden was saying
| he was going to start attacking America.
|
| https://www.bbc.co.uk/programmes/w3csvtth
|
| https://www.cbsnews.com/pictures/osama-bin-laden-tora-bora/
| icemelt8 wrote:
| That was strangely fascinating
| unixhero wrote:
| So basically he interviewed a Romulan.
| unnouinceput wrote:
| From last phrase: "...but we believe in our motherland..."
|
| So yeah, a Russian.
| thrwyoilarticle wrote:
| >Moreover, LockBit encrypts the first 256 kb of the file (which
| is pretty bad from the point of view of cryptographic strength).
| We, on the other hand, encrypt 1 MB. Essentially, that's the
| secret to their speed.
|
| So I can just pad all my valuable data by 1MB?
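The quoted first-256-KB / first-1-MB behaviour has a defensive use: a file whose head region is ciphertext-like while the rest is still plaintext is a signature worth alerting on. What follows is an added example, not code from the thread or the article: a Python entropy check run over a constructed sample corpus, with the thresholds, file names and sample contents all assumptions.

```python
import math
import random
from collections import Counter

# Assumed thresholds (not from the article): random/ciphertext bytes score
# close to 8.0 bits per byte; plain text usually scores well under 5.
HIGH_ENTROPY = 7.5   # at or above this, a region looks like ciphertext
GAP_THRESHOLD = 2.0  # head minus tail entropy needed to call it "partial"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def region_entropies(data: bytes, head_bytes: int) -> tuple:
    """Entropy of the first head_bytes and of everything after them."""
    return shannon_entropy(data[:head_bytes]), shannon_entropy(data[head_bytes:])


def classify(data: bytes, head_bytes: int) -> str:
    """Classify one file body against the partial-encryption pattern.

    'partial'      head region is ciphertext-like, the remainder is not
                   (the first-256-KiB / first-1-MiB behaviour quoted above)
    'uniform-high' the whole file is high entropy: fully encrypted, or
                   already compressed/packed data (zip, jpeg); inconclusive
    'clean'        low entropy throughout
    A file no longer than head_bytes has no tail to compare, so it can
    only come out as 'uniform-high' or 'clean'.
    """
    head, tail = region_entropies(data, head_bytes)
    if len(data) <= head_bytes:
        return "uniform-high" if head >= HIGH_ENTROPY else "clean"
    if head >= HIGH_ENTROPY and head - tail >= GAP_THRESHOLD:
        return "partial"
    if head >= HIGH_ENTROPY and tail >= HIGH_ENTROPY:
        return "uniform-high"
    return "clean"


def scan(files: dict, head_bytes: int) -> dict:
    """Apply classify() to a name -> content mapping."""
    return {name: classify(body, head_bytes) for name, body in files.items()}


# Constructed sample corpus (synthetic bytes, not real victim files).
_rng = random.Random(2021)
_N = 512 * 1024
_NOISE = _rng.getrandbits(8 * _N).to_bytes(_N, "big")  # stands in for ciphertext
_TEXT = b"Quarterly report: revenue, costs, and headcount by region.\n" * 8000

SAMPLES = {
    "report.txt": _TEXT,                                             # untouched
    "report.txt.enc256k": _NOISE[:256 * 1024] + _TEXT[256 * 1024:], # first 256 KiB overwritten
    "archive.zip.like": _NOISE,                                      # high entropy end to end
    "tiny.txt.enc": _NOISE[:4096],                                   # shorter than the head size
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES, head_bytes=256 * 1024).items():
        print(f"{name:20s} {verdict}")
```

Calling scan() with head_bytes=1024 * 1024 checks for the 1 MB variant quoted above; the 'uniform-high' verdict is deliberately inconclusive, since compressed archives and images look the same as fully encrypted files to an entropy check.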
| dylan604 wrote:
| wouldn't it just be easier to have duplicate back ups of your
| "valuables"?
| jbverschoor wrote:
| Or just have 1 padded disk image you mount.. Emm no wait,
| that'd be an fs, so they'd f that up too
| imglorp wrote:
| As for repercussions, notice they indicated "fear of the United
| States and its planning of offensive cyber operations". We don't
| hear a lot about US offensive operations. Maybe they're ongoing
| but they don't get a lot of press. If that's the case maybe they
| need more for deterrence purposes. Does anyone have any
| visibility?
|
| Also, notice they did not mention any concern the FSB would
| invite them for tea, pay respects to their families, or any other
| ... imperial entanglements. This says a world about their
| standing in Russia, whether tolerated, encouraged or some other
| arrangement.
| wongarsu wrote:
| Russia's policy is to leave cybercrime alone as long as they
| don't attack Russia.
|
| A hacker group in Russia declaring to only target companies in
| the USA and Great Britain is like a US group that only targets
| Iran and China. US agencies probably wouldn't find time in
| their busy schedules to go after someone targeting Iran either.
| nradov wrote:
| Hence why some malware programs won't activate if they detect
| the computer's keyboard layout is set to Russian.
| sudosysgen wrote:
| *Russia and its allies; CIS states are also off-limits.
|
| But yes, you are correct.
| the-dude wrote:
| Stuxnet and Windows are pretty well known I would say.
| mcguire wrote:
| You might check out _Inside Cyber Warfare_ by Jeffrey Carr from
| 2011. It's ancient, predating (AFAICT) the rise of ransomware,
| and technically illiterate, but goes into considerable detail
| about the Russian cyber-crime/-war (they're the same, really)
| groups and their relationship to the government.
| 4gotunameagain wrote:
| I find myself puzzled by organizations like these. Let's say they
| do not attack infrastructure or other critical services, and only
| leech off huge companies.
|
| I cannot argue against it?
| CleverLikeAnOx wrote:
| If a robber steals one grain of rice from each person in a
| town, was anyone harmed? If you think not, then what if a
| thousand robbers do the same?
|
| Leeching off of companies is kind of like stealing a grain of
| rice from everyone. The company's costs increase and the price
| eventually makes its way back to the consumer.
|
| Another way to think about it is the total amount of labor
| needed for the world to operate as it does. In a world that has
| no ransomware, the labor needed is X. In a world with
| ransomware it is X + cost of building ransomware + cost of
| dealing with ransomware.
| CharlesW wrote:
| > _Leeching off of companies is kind of like stealing a grain
| of rice from everyone._
|
| I'm sure the criminals console themselves by thinking about
| it that way, but as someone who had to use an emergency room
| and was denied other services during the month+ Scripps was
| down (during a global pandemic, no less), it was easy to see
| how ransomware attacks can directly hurt an enormous number
| of employees and customers.
| CleverLikeAnOx wrote:
| To clarify my point, even _if_ leeching off companies is
| like stealing a grain of rice from each person, it is still
| wrong.
|
| My point was that ransomware is wrong even in an idealized
| abstract scenario where it only targets non-critical
| companies.
|
| Thanks for providing your experience. It drives home that in
| practice it is much more like beating and robbing many
| people than it is like stealing just a single grain of rice
| from them.
| danpalmer wrote:
| > and only leech off huge companies. I cannot argue against it?
|
| Medecins Sans Frontieres is a huge company. Their annual budget
| is around $1.6bn. Are you ok with them being subject to
| ransomware attacks?
| boomlinde wrote:
| In this instance, they claim that they will not attack non-
| profits, which puts organizations like MSF out of harm's way.
| rory wrote:
| Allegedly BlackMatter is not.
|
| > _It would not extort healthcare, critical infrastructure,
| oil and gas, defense, non-profit, and government
| organizations_
| danpalmer wrote:
| That's good. I wonder if they'd extort the company that
| manages the building I live in. If they did the most likely
| negative outcomes are that I'll receive worse service and
| pay more for my service charge. That's not too bad for me,
| but I have vulnerable neighbours for whom that may be a
| significant problem.
|
| There is so much collateral damage created by this sort of
| attack against any company of sufficient size. It's easy to
| wave your hand and say they're a rich company they can
| afford it, but no company exists in isolation, they're all
| part of economies, and ultimately it's real people
| somewhere who take the damage.
| BrianOnHN wrote:
| Good luck getting much sympathy. There is still some
| asshole making off like a bandit even when the lowly
| employees get hurt at the same company.
| anthony_r wrote:
| Let's inverse the question: please provide a list of companies
| that would be OK to target, according to you.
| mcguire wrote:
| As a general rule, theft is considered a bad thing. Why do you
| think it's acceptable?
| jnorthrop wrote:
| Are you really intending to condone illegal activity? Just
| because they're targeting "wealthy" companies? That is like
| condoning a mugger because he is working in a rich neighborhood
| and not targeting the impoverished.
| everyone wrote:
| The rich people in that neighborhood have acquired their
| wealth in an unfair, unjust way.
| trasz wrote:
| Bit of an advocatus diaboli, but... Crimes are crimes because
| they hurt people. Here we're talking about just lowering
| company's profits; same thing happens naturally due to market
| forces and nobody complains.
| TchoBeer wrote:
| Usually lowering a company's profits due to market
| competition produces value. Just stealing money does not
| produce value.
| trasz wrote:
| The stolen money doesn't have a value to the thief?
| TchoBeer wrote:
| The amount of value it produces for the thief is equal to
| the amount of value it takes away from the company.
| Hjfrf wrote:
| Generally much less, if you're taking into account all
| the wasted time/energy.
| trasz wrote:
| Million dollars stolen from, say, Bezos, is worth less
| than that to the thief?
| TchoBeer wrote:
| We can have a discussion about ethics and utility if it's
| a starving person stealing from Jeff Bezos, but these
| ransomware firms are large-scale organizations just like
| the companies they're stealing from.
| 4gotunameagain wrote:
| I was looking for a solid argument, since I am not able to
| provide one. So far there are none presented here either.
|
| Are we really going to justify this just by "it is against
| the law"? So many things are against the law, so many ancient
| laws demonstrate the inability of humans to create the
| absolute corpus of ethical behaviours(tm).
| mcguire wrote:
| Since you asked,...
|
| The Kantian categorical imperative goes something like,
| "act as if the basis of your actions would be made
| universal law." What happens if everyone conducts denial of
| service and ransom attacks against anyone they perceive as
| a legitimate target?
|
| https://www.aamc.org/news-insights/growing-threat-ransomware...
|
| https://www.wsj.com/articles/the-ruthless-cyber-gang-behind-...
| dcow wrote:
| We'd probably have a society that is really good at
| building safe redundant software services such that this
| is no longer a threat (;
| typon wrote:
| If I heard news that Jeff Bezos bank account was hacked and
| $50 million dollars were stolen, I don't think I would even
| bat an eye. When I hear of ransomware shutting down hospital
| computers I'm furious and want to see these clowns rot in
| jail. There's clearly a spectrum here of where it starts
| becoming a heinous act.
| ohhhhhh wrote:
| this is a you problem
| mcguire wrote:
| The global median household wealth is about $7,500. The
| median income is around $10,000. To much of the world
| (making some assumptions based on your presence here on
| HN), you have more in common with Jeff than you do with
| much of the world; they might take the same attitude to
| you.
| throwaway672000 wrote:
| It's possible the only reason we would disagree if the
| rest of the world took this attitude is our own greed.
|
| To me what's more obviously wrong whether I'm rich or
| poor is leaking personal info on employees, HR
| correspondence etc. I don't know whether this group would
| since they say it hasn't got that far yet but other
| groups have.
|
| Extortion, mugging, burglary etc are worse than the
| "perfect theft" where you move some numbers from one
| account to another.
|
| I wonder if the people involved believe their own spin
| that "your boss is the one at fault, would rather you
| suffer than pay"
| devnull3 wrote:
| > it was seeking to recruit partners and claiming that it
| combined the features of notorious groups like REvil and DarkSide
|
| I wonder if they have leetcode style interviews :)
| flerovium wrote:
| This is free advertising for criminals.
|
| Correction: this is free advertising for criminals _actively
| looking to recruit associates to assist them in committing
| crimes_, and helps them commit crime.
|
| Don't upvote "Weapons Smuggling, Inc. (YC21) is hiring a
| coordination specialist for EMEA operations"
| btbuildem wrote:
| I wonder why they refuse to rip off oil companies? Too well
| connected & therefore too risky?
| GuB-42 wrote:
| > DS: What do you think about the attacks carried out against
| Colonial Pipeline's infrastructure or JBS? Does it make sense
| to attack such large networks?
|
| > BM: We think that this was a key factor for the closure of
| REvil and DarkSide, we have forbidden that type of targeting
| and we see no sense in attacking them.
|
| I think it is your answer, too risky.
| nradov wrote:
| Russia depends on oil revenue to survive. They don't want to
| put any part of that supply chain at risk.
| caffeine wrote:
| Imagine if they shut down every Shell gas station or something
| similar.
| danpalmer wrote:
| I feel like giving criminals a platform like this is wrong.
|
| I'm all for reformed criminals giving interviews in the context
| of what they did being wrong, but this is an interview about how
| they're getting better at their crimes.
|
| Regardless of how easy it might be given security practices,
| these are crimes, and they are crimes for a reason: they cause
| damage. Their impact is felt beyond the ransom money paid, it's
| felt by employees who may be put in terrible positions as their
| work is held ransom and who might pay up personally to avoid
| problems at work, it's felt by customers of these companies who
| end up with higher prices, it's felt by countries as their output
| is hit. The fact that this "industry" is getting more
| "professional" does not change the fact that it's harmful. They
| don't deserve the publicity and attention that this sort of
| platforming provides them.
| vmception wrote:
| I think making companies and the industry more aware that their
| bug bounties are undervalued is important. It raises the bug
| bounties and creates more opportunities.
|
| This is an approach of like "okay let's just ignore your
| rationale for _not_ doing that and give the hackers a platform
| until you change"
| SCHiM wrote:
| I think this is a good thing. It might show potential victims
| that their opponents are not a bunch of smelly teenagers
| hopping online after midnight.
|
| These are multi-million (billion?) businesses. There's
| strategic leadership, target acquisition pipelines, R&D, talent
| recruitment and coordination with other businesses in the
| space.
|
| There's every indication that with a little bit of protection
| money, you can even run your business with no interference from
| the law, as long as you don't mess around in your own backyard.
|
| You can see from the blog post, that this "company" has done a
| product-market-fit analysis. They've taken a look at their
| competitors' work, considered the pros/cons, and decided that
| they can do better. Since they are a b2b company (hehe) you can
| be reasonably sure this is not some PR aimed at consumers. I
| think it reads as a recruitment pitch to their lead generators
| (read: hackers who infect other networks for them).
|
| You can see the pitch, it almost reads as a vacancy post:
|
| - We make a lot of money
|
| - We're new to the scene but already have had success
|
| - We only work with the best hackers
|
| - We pay you lots of money to infect a network, if you got what
| it takes
| PaulDavisThe1st wrote:
| > as long as you don't mess around in your own backyard.
|
| Based on the recent pipeline incident, it seems that these
| crime groups realize there are other places you'd better not
| mess around.
|
| Screw with Bank A or Company B ... fine. Screw with
| infrastructure of a country with a large scale military,
| control over large chunks of global finance, and so much more
| ... probably not a good idea.
| rmah wrote:
| When groups do this in furtherance of illegal activities,
| it's called "organized crime". And such groups need to be
| pursued aggressively because they are corrosive and poisonous
| to society at large. If they are not actively and
| aggressively fought, their negative effects seep into broader
| society and can become entrenched for _generations_.
| dcow wrote:
| What about when your "organized crime" group has a moral
| compass and isn't breaking local laws?:
|
| _DS: Obviously, there are many talented professionals on
| your team. Why is it that this talent is aimed at
| destructive activities? Have you tried legal penetration
| testing?
|
| BM: We do not deny that business is destructive, but if we
| look deeper--as a result of these problems new technologies
| are developed and created. If everything was good
| everywhere there would be no room for new development.
|
| There is one life and we take everything from it, our
| business does not harm individuals and is aimed only at
| companies, and the company always has the ability to pay
| funds and restore all its data.
|
| We have not been involved in legal pentesting and we
| believe that this could not bring the proper material
| reward._
|
| For me the line between organized crime and robin hood is
| very blurry.
| wrs wrote:
| "Robin Hood"?? I must have missed the part of the
| interview where they talk about their charitable
| redistribution activities...
| pmoriarty wrote:
| _" We do not deny that business is destructive, but if we
| look deeper--as a result of these problems new
| technologies are developed and created."_
|
| This is such a transparently self-serving joke of an
| excuse.
|
| A serial killer could likewise say _" Sure, I kill
| people, but as a result of my murders the police develop
| new forensic techniques."_
|
| Right.. as if that justifies anything. These people are
| just interested in money, no matter who it hurts. They
| are sociopaths.
| dcow wrote:
| But they're not killing people. They're extorting foreign
| business which is not explicitly illegal, and in fact
| encouraged, in certain countries. They even go above and
| beyond that with self-imposed restrictions against
| healthcare and infrastructure to try and minimize harm.
| I'm not saying I like what they're doing, but it seems
| hard to outright stop when their own country doesn't
| care. Same with Chinese businesses engaging in fraud with
| foreign investment firms. It's effectively accepted
| practice encouraged by their country. The market is the
| only real punisher. So if these types of activities are
| effectively allowed because people can play by the rules
| and engage in them, then as a society or as a company you
| have to respond rationally. "Well it's illegal where I
| live" is not really an answer. Thus my question is,
| "should companies pay security professionals more to
| combat the economics of these organizations?". People
| seem to think companies should pay out bug bounties on a
| scale much closer to what e.g. ZERODIUM would pay for 0
| days to fix the economics. I guess I'm just asking if
| there's an economic "solution" to these ransomware groups
| in absence of a legal one?
| pmoriarty wrote:
| This is a form of theft.
|
| I guess if you're ok with taking something that isn't
| yours you would see no problem with this. The rest of us
| see this as sociopathy.
|
| That some countries legalize theft of property in other
| countries does not change the ethics of this at all.
| dcow wrote:
| It seems we both agree it's not ethical by our relative
| standards. But you're not actually responding to my
| question. I mean hey even killing is justified against
| foreign actors in the name of war. Doesn't matter. I'm
| asking whether there's an economic solution because I'd
| rather not devolve into some form of war.
|
| > That some countries legalize theft of property in other
| countries does not change the ethics of this at all.
|
| It literally does. Because those people are participating
| in a society where their actions are not strictly
| unethical. Their society does not necessarily view them
| as sociopaths.
|
| Well I should concede it depends on whether your
| worldview accommodates different ethical frameworks or
| not. If you are absolutely ethical then all people must
| adhere to the same ethical standard and you can rightly
| justify punishment of outsiders.
| ohazi wrote:
| Even if your worldview doesn't accommodate different
| ethical frameworks (i.e. I stand behind my own ethical
| principles, and believe that anyone who disagrees with me
| is unethical), surely you have to admit that some people
| will disagree with that stance, will hold their own views
| that are incompatible with yours, and will call
| themselves ethical until the cows come home, right?
|
| We're not arguing about whether that's ethical, we're
| simply pointing out that people like that exist.
|
| You and the parent commenter are no longer arguing about
| what is and isn't ethical (as you've stated, you both
| seem to agree), but instead on what to do about the
| practical reality that society in Russia _does_ see this
| as ethical, and doesn't give a flying fuck what you or I
| think.
|
| Now the question becomes, what should we do about _that_.
| dcow wrote:
| Yes! Exactly. Maybe I failed to convey this succinctly.
| My original question was "What about when this happens,
| what do we do?"
| jcranmer wrote:
| This is the same kind of "moral compass" that scammers
| use to scam senior citizens out of their life savings.
| The targets are rich Americans (every American being rich
| compared to where they live), so does it really matter if
| they lose several thousand dollars?
|
| They outright admit that they see the targets primarily
| as money bags, and that they are making the economy
| better in exactly the same way that breaking windows
| makes the economy better, and your opinion is that it's
| ethically blurry?
| dcow wrote:
| My ethical framework allows for disagreements on the
| nature of what is and isn't ethical. It doesn't matter if
| you and I agree some behavior is unethical. Some other
| group of people clearly consider their behavior to be in
| the realm of ethical given their worldview, location,
| upbringing, etc. So no amount of us whining about how
| unethical it is really changes anything, does it? I
| personally consider massive hoarding of wealth
| unethical... so... from a total harm standpoint... yeah
| it's kinda grey.
| mcguire wrote:
| It's not blurry at all. That's straight up organized
| crime trying to justify its existence.
| nradov wrote:
| How do you propose to pursue organized crime groups in
| Russia who are protected by the local authorities?
| Financial sanctions haven't been effective.
| isaacg wrote:
| One option would be to try to doxx them, either as part
| of a criminal investigation or via private investigators.
| I bet these groups would be much less effective if their
| identities were publicly known. There's a reason they're
| not public.
| zionic wrote:
| It's hard to feel sorry for these companies when they have
| neglected security for so long.
|
| This outcome was inevitable, and hitting the bean counters
| where it hurts (financial bottom line) is the only way to
| effect change.
| danpalmer wrote:
| I don't have metal bars across my windows, should they start
| targeting my house to force me to add them?
|
| I'm being somewhat facetious, but I want to live in a society
| where not being hyper focused on all forms of security at all
| times, and just being _safe_ is an ok way to live your life.
|
| "It's easy so we'll do it" is not a defence of this practice.
| The only reason the security is needed at all is because of
| people like this. I'm not saying security isn't important,
| but being bad at security is not a defence of people who take
| advantage of that poor security.
| Spooky23 wrote:
| The reason security is needed is that we have institutional
| methods for transferring ransom and paying for the rackets.
|
| The reason that it's ok to have a shitty $80 lock on your
| front door or an unprotected window near ground level is
| that the value for a would be burglar to break in for a
| crime of opportunity is low. If you're a well known jeweler
| or gun collector, you typically take other measures because
| you may be a target.
|
| Cryptocurrency made computer crimes profitable crimes of
| opportunity.
| trasz wrote:
| Companies are not people.
|
| If your business is taming wild animals, should you have
| metal bars around them?
| wastedhours wrote:
| > Companies are not people.
|
| No, but employees and customers are, and they feel real,
| human costs as a result.
|
| Just because a management team has underfunded security
| is not an excuse to cause pain on other people.
| trasz wrote:
| Employees are being paid by the hour, so they wouldn't care
| at all. Customers - true, this might cause delays for
| them, if the company decided not to pay the ransom. It's
| still just a delayed cost, though.
| wastedhours wrote:
| > Employees are being paid by the hour, so they wouldn't care
| at all
|
| Sorry, but that's just not correct. It's always _someone's_
| job to clean up this mess, and that falls on
| individuals. If they have to clean up a stressful mess,
| they definitely _do_ care. A lot.
|
| I've had to clear up messes in the past, and it severely
| negatively impacts my mental health. Never, ever think
| that it's a victimless crime. They might not feel the
| force of the actual crime itself, but there are most
| definitely employees out there where the second-order
| effects on their wellbeing are starkly negative.
|
| Again, for customers, you never know what those second-
| order effects of the delayed cost would be. I'm not going
| to whip up slippery slope arguments, but again, you're
| assuming that customer interactions with companies are
| all one-sided "I can do this later" kinds of
| interactions.
|
| We shouldn't hand-wave away bad things because they only
| impact some faceless "company". Companies are made up of
| individuals, most of whom don't want to be there, but
| most definitely care when they're forced to do more work
| by some bad actor.
| trasz wrote:
| Of course it's always somebody's job, but that's it: it's
| their job, they are paid by the hour. There is no "more
| work", it's just the planned work will be delayed.
|
| Unless your company is exploiting you, of course.
| pmoriarty wrote:
| It's much worse than this..
|
| I've seen this happen more than once, where IT spells out
| the risks and recommends tighter security practices, more
| security hardware/software, more backups and redundancy,
| a bigger security team so they're not just running around
| fighting fires all the time and have some resources to
| improve security, etc, but these requests are denied
| because there's not enough budget for them or they're too
| inconvenient (as security is almost always a tradeoff
| against convenience).
|
| Then there's a security incident and suddenly money
| materializes out of nowhere and they'll pay whatever it
| takes to get back online, making the security and IT
| teams work nights and weekends until the incident is
| resolved.
|
| At the same time, security look like incompetent idiots
| for letting the incident happen in the first place, with
| everyone conveniently forgetting that multiple requests
| to tighten security were denied... and many other people
| in the company don't even know about what happened, but
| consider the security team to have screwed up.
|
| So security often wind up looking like idiots, though
| it's not their fault. Or maybe there really was a screwup
| by someone who's no longer with the company. Dealing with
| gigantic legacy systems and endless complexity that no
| one fully understands is common.
|
| When the security incident blows over, those security
| budgets shrink again and the importance of security
| dwindles as other parts of the business take precedence,
| until the cycle repeats again and again.
|
| Or security really is taken seriously at some companies,
| and then the security teams are often seen as the "no
| men", and widely despised because they stand in the way
| of getting work done.
|
| These reasons and more are why I don't like to work in a
| security role. Let someone else take the blame.
| progman32 wrote:
| The lost productivity and general _stress_ due to well-
| intentioned but ultimately counterproductive software
| being introduced by IT after a ransomware attack was the
| last straw for at least two highly qualified engineers I
| know personally. They left their employer after that.
| Being blocked from doing your job is highly stressful for
| people who are motivated by the utility of their work to
| society, a description which I believe fit these
| engineers. This is an example of direct human cost - the
| transformation of a desirable, fulfilling job to one less
| so.
|
| Now, sure, the IT dept in question could have handled
| this a little better. Maybe. But the presence of these
| advanced threats forced IT's hand here.
| dcow wrote:
| Because the employer isn't fixing the problem they're
| deploying bandaids that are known not to work. I wouldn't
| want to work like that either and companies need to learn
| how to effectively secure software. What if companies
| paid like BM probably pays? I bet most people would do
| the work in a less grey fashion. But companies don't
| value security so this is the result.
| wastedhours wrote:
| I'm not sure we're going to get much further here if
| you're arguing on the dichotomy of checked out employees
| punching a clock vs exploitation by the employer.
|
| Suffice to say, this crap has impact on real people, in
| the real world. To imply it's just some neutral action
| doesn't reflect the reality we live in.
| nradov wrote:
| The type of society you want to live in is utterly
| irrelevant. Those ransomware gangs exist and there is no
| way to eliminate them. That is our new reality. Any
| business leader who is bad at security is incompetent. I
| wish it didn't have to be that way but whining about it
| won't accomplish anything.
| rpmisms wrote:
| I completely agree. People should be unaware of ransomware
| attacks, despite the increase in frequency, scope, and severity
| over the last decade.
|
| Platforming criminals and making sure more people understand
| their competence and the threat model is a good thing. We
| should be scared.
| danpalmer wrote:
| There's a difference between educating and warning people
| about attacks, and having the attackers do that themselves.
| I'm not saying we shouldn't talk about these things, we
| absolutely should! It just shouldn't be by interviewing and
| glamorising those committing the crimes.
| schoen wrote:
| I share your concern that people will see this as cool or
| glamorous. But isn't it also helpful for people to try to
| understand the perspective of the attackers, for example
| because they might
|
| * become better able to defend themselves
|
| * become better motivated to defend themselves
|
| * better understand how to deter these attackers
|
| * become more motivated to seek action from government or
| vendors to deter these attackers
|
| * have a more informed debate about the ransomware industry
| or organized crime as a whole
|
| ...?
|
| Edit: for example, things that I had heard that were
| confirmed for me by this interview include that the Russian
| government is consciously tolerant of this activity (maybe
| someone could find ways to change that!?), that organized
| crime fears being caught or attacked by NSA, that
| ransomware attackers are very sensitive to their reputation
| and public image, that you can probably count on them to
| keep their side of their illicit bargains, and that they
| are especially motivated by money rather than ideology. All
| of those seem like pretty interesting ideas that might be
| hard to confirm quite as well in other ways.
| jongorer wrote:
| what makes you so sure ransomware is "wrong"?
|
| let me rephrase this: do you think corporations are "good"?
| TchoBeer wrote:
| Ransomware companies are also corporations
| andruby wrote:
| that is not the same question :)
|
| some corporations provide value to society. some don't. the
| evaluation of this will depend on your personal values.
|
| my personal values do evaluate ransomware as "wrong". and the
| laws of most (all?) countries evaluate ransomware as illegal
| and thus legally "wrong".
| ailef wrote:
| Considering the huge environmental damage created by e.g. oil
| companies (and many others), one could say the same about them?
|
| The only difference is what these people do is illegal while
| what the companies do is not: the damage, though, is arguably
| on the same scale, if not lower for ransomware attacks
| depending on which infrastructure is attacked.
| danpalmer wrote:
| I personally take moral issue with oil companies, but society
| as a whole has not decided that they are deserving of
| punishment, so I save my actions for campaigning, lobbying,
| and supporting groups that are pushing for change.
|
| On the other hand, society has decided, via law making, that
| ransomware attacks are deserving of punishment.
|
| With so many differing opinions it's hard to please everyone.
| I'm in favour of having a range of voices that I might not
| agree with represented in media, but criminals advertising
| their crimes and talking about how they're getting better at
| doing it feels like it's fairly clearly past a line.
| wil421 wrote:
| Whataboutism. Let's respond by bringing up a completely
| unrelated topic to justify the actions of criminal
| organizations.
|
| These are organized crime activities akin to cartel
| kidnappings, Somali pirates, mob extortion, and kidnapping
| tourists for ransom. 21st century pirates/mobsters.
|
| How long until ransomware becomes extortion or protection
| schemes? Pay us a yearly fee and we'll not hack you and if
| someone does hack you we'll hack them back.
| ailef wrote:
| You have misunderstood what we're talking about.
|
| Nobody is justifying anything, I'm just saying that if it's
| wrong to give these people a platform, why is it ok to give
| it to oil companies? The latter have caused way more damage
| than a random ransomware group.
| ub99 wrote:
| Seems like the person you are responding to understood
| your point and labeled it (quite correctly) whataboutism.
| ailef wrote:
| Can you point out where I justified the actions of these
| criminal organizations (as parent said)? It's funny that
| the comment labeling mine as whataboutism is factually
| incorrect about what I said.
|
| It's easy to reply by labeling anything you don't agree
| with as whataboutism, because you don't have to go into
| the merit of the discussion. You don't have to articulate
| a reply, you don't need to reason about it.
|
| I made a pretty simple analogy, and the only one who
| actually replied with something sensible was OP, which I
| appreciate.
|
| Everyone else just tried to find logical fallacies (like
| now we need to stop nurses from giving birth) or just
| discredit the argument but without providing any
| meaningful reason.
| wil421 wrote:
| Sorry to offend.
|
| Most of the damage oil companies are making is legal. At
| the moment fracking is legal but IMHO it's very damaging.
| Undersea oil drilling is legal but there are many
| accidents. Shipping oil is legal but there are a lot of
| accidents that cause massive environmental problems.
|
| Ransomware is never legal and organized crime is not
| legal in the West. They should not have a voice at all
| and should be treated like the criminal organizations
| they are.
| TchoBeer wrote:
| >why is it ok to give it to oil companies?
|
| Why do you assume GP is ok with that.
| ailef wrote:
| There's no assumption in what I wrote, that's just a
| question.
|
| Meanwhile, GP is explicitly putting words in my mouth,
| but I guess it's ok because my comment was just
| whataboutism, right?
| eklavya wrote:
| As much as I loathe our response towards global warming. This
| comment shows why equivalence should not be taken lightly and
| how absurd the result can be.
|
| How about holding people for ransom that is equivalent for
| sure, how about killing people? Well oil industry eventually
| ends up killing some people.
|
| Let's put a stop to oil industry before we deal with the
| kidnappers and killers!!
| ailef wrote:
| > Let's put a stop to oil industry before we deal with the
| kidnappers and killers!!
|
| Nobody said there has to be a priority. Why can't we stop
| both?
|
| Moreover, OP's comment was not talking about stopping them,
| but about giving these people a platform.
|
| Despite the damage done by oil companies they are still
| allowed to spend billions of dollars in marketing,
| lobbying, etc., resulting in a much bigger, legalized
| platform, while still causing way more damage than
| ransomware "companies".
| Avtomatk wrote:
| It's the sad double standard that most companies have:
| Look, I pollute half the planet and I don't give a shit
| about investing in new technology, I just want my ARR of
| 100 million, and I'm willing to lie with cheap marketing
| ... But ransomware, it's clearly a priority, we can't risk
| being attacked if we didn't do anything illegal, that's
| morally wrong, and I'm a very moral person.
|
| How stupid people are on our planet, billionaire people
| are really very stupid people ... Put a scientific
| researcher and an entrepreneur to debate on any subject
| and that's when you realize that most "entrepreneurs"
| have the coefficient of a 5-year-old child.
|
| why do we never see Elon Musk debate with researchers if
| he has as much intelligence as he says (the techno king)?
| It must be so as not to make a fool of himself on
| television (or youtube)
| [deleted]
| cjblomqvist wrote:
| Following that logic nurses delivering babies are also on the
| same level considering they're supporting the growth of the
| human race (which causes all the environmental damage)...
|
| There's a huge difference depending on "details"
| ailef wrote:
| That's of course a possible interpretation if you want to
| stretch everything to the extreme. OP thinks it's dangerous
| to publish a blog post with such an interview because it
| gives a platform to people who cause damage.
|
| I'm just pointing out that oil companies have caused way
| more damage than this guy and they have had a massive
| platform for decades, why shouldn't we stop giving them a
| platform as well?
| cjblomqvist wrote:
| What about the nurses then? Because they've definitely
| caused a lot more damage?
|
| Because one thing is illegal and the other isn't? In a
| society that holds laws relatively high that should be a
| super good argument?
___________________________________________________________________
(page generated 2021-08-03 23:01 UTC)