https://newrepublic.com/article/162589/ban-bitcoin-cryptocur...
Imagine encrypting the whole Maersk network and then asking for the ransom in cash? Wherever you decide to do the exchange there will be a couple of Apache/Eurocopters/Mis hovering around and watching you. With crypto just send them your XMR address, then wait a couple of years for the heat to come down before mixing/cashing out.
Many stores open after 19:00 don't have much cash on hand so robbing them is not really attractive any more. There are almost no bank robberies, as even banks don't actually have cash.
The people who get mugged are normally forced to go to an ATM to withdraw cash.
I'm not suggesting we just randomly ban stuff to keep criminals from exploiting it, but it is working.
By "Ban" I mean they no longer make them, and possibly destroy them once they get circulated back to the central bank. They're still legal tender.
See also 500 euro note... (edited to clarify "ban" meaning)
Banning crypto exchanges is actually a much more effective solution to the problem because it at least forces someone to show up in person to collect the money.
If you ban paying ransoms, desperate people will just do it in secret, something bitcoin works hard to enable.
Enable activity instead of futilely trying to ban activity. Instead of focusing on punishing the victims and unrelated third parties, focus on punishing and disrupting the perpetrators.
Or if not letters of marque, they could at least just issue a notice that certain activity will have a blind eye turned towards it, to mirror the policy of some of the governments that bear most of the responsibility for ransomware activity.
A ban on ransomware payment also has the nice side effect of banning ransomware insurance, which has been making the problem worse so far.
By "enable activity" I just mean "instead of taking a general approach of trying to ban things to solve a problem, take a general approach of trying to enable certain other kinds of things to solve a problem". Not "enable ransomware activity".
Stores don't generally have as much protection, but even then they never have a large amount of money on hand. Robbing a store and getting $300 isn't really worth the risk.
Even on HN it's the same knee-jerk reactions every time one of these stories hits.
This is one of the most pressing technology issues of this moment and the discourse just sucks.
* Does banning ransom payments do anything? Good idea/bad idea? Historical analogues?
* Do we need to pay rewards to cyber privateers to take down cyber criminals?
* Is this an issue that can only be solved at the geopolitical level because of the role states play in enabling this activity?
* Will the hardening brought about by this eventually outpace the crappy attacker software?
* Is this a phase or the new reality?
* How much of this is enabled by technology vs the geopolitical situation?
And in my opinion it's only a matter of time till something so crucial will be affected that the big guns will be rolled out (i.e. targeted three-letter-agency efforts). The podcast argued that touching the energy delivery / pipeline was already it - Fox asking daily how the current administration fails to deal with securing energy may be the point when some real action happens.
I remember reading how supposedly adding a Russian or a few other keyboard layouts might fool some of the malware to ignore the machine [1].
I guess one idea for the Western intel agencies could be to play off of that, and somehow disable that check (infect their malware) such that it can and does attack the Russian infrastructure.
[1] https://krebsonsecurity.com/2021/05/try-this-one-weird-trick...
Show: https://www.risky.biz/RB624/
Media: https://chtbl.com/track/383384/media3.risky.biz/RB624.mp3
[1] https://www.wired.com/2010/03/manipulated-stock-prices/ [2] https://www.reuters.com/article/us-cybercybersecurity-hackin...
It wouldn’t surprise me at all if our systems are on average far less secure simply because so much more is online now, to speak nothing of increases in the complexity of and opportunities for errors and misconfigurations in today’s systems.
I am inferring (perhaps incorrectly) that you're saying this is an argument against cryptocurrencies. I think that's beside the point: even outright outlawing cryptocurrencies wouldn't stop the technology from existing, and wouldn't discourage extortionists from using it to anonymously receive payments.
It would make it harder to pay, since you'd have to go outside of safe, legal channels to get money into the system.
If the best strategy when being extorted is to never pay or negotiate, then I suppose that could be a benefit. But in that case it would be more efficient to just make it illegal to cooperate with extortion in the first place.
For all I know, this is already true. If not, let's try that first. If it is, it doesn't seem to matter, since people are paying ransomware hackers. Still, if paying at all is illegal, but people still do it, then making paying less convenient probably won't make much of a difference: they'll still ask for payment in crypto, and leave the logistics up to the victim.
'Don't negotiate with terrorists' or:
> It is wrong to put temptation in the path of any nation,
> For fear they should succumb and go astray;
> So when you are requested to pay up or be molested,
> You will find it better policy to say:—
> "We never pay any-one Dane-geld,
> No matter how trifling the cost;
> For the end of that game is oppression and shame,
> And the nation that plays it is lost!"'
Of course, even better would be a physical switch for incremental backups, so a disk drive works like tape - it can physically only be appended to if that switch is "off".
Come on, security professionals. None of this has any technical or cost barriers. Demand it from drive vendors. My older drives have such a switch.
This is "there are no backups."
(Even if you don't anticipate a problem with your IT staff, it's just good engineering to automatically turn off the write-enable. Nobody's perfect. I've gone to the airport without my passport once. It really sux when you do that.)
Many (if not most) companies have file shares with fairly wide-open access and/or a complete lack of backups so peer-to-peer spreading within the company is enough to cause a lot of trouble.
At its root these are technological problems that we could choose to solve:
1. The program is not the user. Code running as a user shouldn't necessarily have permission to access everything the user can access.
2. New code is not treated with suspicion when it should be. New code should have its file access throttled in proportion to how many files it accesses.
3. Our systems do a terrible job of spotting unusual behavior. How many processes actually need to rewrite every file the user has access to? Almost none... rewriting 10% of the user's files should trigger an automatic throttle/stop and raise red flags.
4. As a variation on #3, most OSes these days ship parsers for a lot of common file formats... if the OS sees lots of user documents being rewritten and the parsers can no longer parse them, stop allowing new rewrites and alert the user. If the user is encrypting their content on purpose they can approve it. If not you can at least limit the damage.
5. Similarly a network user that usually accesses a limited set of files should not be able to suddenly start rewriting thousands of files without some kind of intervention.
6. Our systems completely fail to take advantage of ancient technology called "file versions" (see VMS). Excess disk space should store old versions of files in a way that cannot be deleted (or the ransomware would just call that API or generate random writes to consume the space). Combine with 2/3: when there is suspicious activity on the system move into CoW mode and preserve previous versions of all files or an entire system snapshot and don't allow purging the snapshot without special intervention (eg rebooting into a special mode).
7. To go along with all of the above, code should be tagged with its provenance in a system-tracked way. If a process writes a new binary to disk, track that responsibility. Track it all the way back to the URL or email it came from. This entire audit trail should be attached to any of the mechanisms listed above.
It should also be attached to any sort of activity monitoring program that shows you disk accesses, including historical accesses. If I see 50GB of disk reads/writes from a process group "JGjthjsfgl.exe, downloaded from p0wnme.example.farts" that is a huge red flag. Let me suspend that entire process group with a single click.
I'm sure smarter people could come up with even better ideas... but ransomware is absolutely something we can and should make nearly impossible. We could engineer operating systems to be resilient and limit the damage (eg: macOS prompting you to approve access to Desktop/Documents/Downloads) but it means giving up some sacred beliefs about how desktop operating systems should work that tends to make a subset of the HN audience extremely angry.
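Items 3 and 4 of the list above describe a detection heuristic (a process rewriting a large share of the user's files, with the rewritten content no longer parseable). The following is an added example, not code from the thread: a toy monitor in Python that applies those two rules to constructed file-rewrite events. The magic-byte/UTF-8 check is an assumed stand-in for the OS's real format parsers, and the 10% and 50% thresholds are assumed.

```python
import hashlib
import math
from collections import defaultdict

# Assumed thresholds (not from the thread): item 3's "10% of the user's files"
# and, for item 4, "half of the rewrites no longer parse".
REWRITE_FRACTION_LIMIT = 0.10
UNPARSEABLE_LIMIT = 0.50

# Stand-in for the OS's format parsers: a few magic-byte signatures.
MAGIC = {
    b"%PDF": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip/docx",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Random or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def still_parses(data: bytes) -> bool:
    """Item 4's check: does the rewritten content still look like a known
    format? Accept a matching magic header, or mostly printable UTF-8
    text with low entropy. Ciphertext fails both."""
    if any(data.startswith(magic) for magic in MAGIC):
        return True
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    if not text:
        return False
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return printable / len(text) > 0.95 and shannon_entropy(data) < 6.0


class RewriteMonitor:
    """Per-process rewrite tracker. Verdicts: allow, throttle (item 3),
    block (item 3 plus item 4). The user can approve a process (deliberate
    encryption, a backup tool) so it is no longer flagged."""

    def __init__(self, user_file_count: int):
        self.total = user_file_count
        self.rewritten = defaultdict(set)    # pid -> paths rewritten
        self.unparseable = defaultdict(set)  # pid -> paths that no longer parse
        self.approved = set()

    def approve(self, pid: int) -> None:
        self.approved.add(pid)

    def observe(self, pid: int, path: str, new_content: bytes) -> str:
        if pid in self.approved:
            return "allow"
        self.rewritten[pid].add(path)
        if not still_parses(new_content):
            self.unparseable[pid].add(path)
        fraction = len(self.rewritten[pid]) / self.total
        if fraction < REWRITE_FRACTION_LIMIT:
            return "allow"
        bad = len(self.unparseable[pid]) / len(self.rewritten[pid])
        return "block" if bad >= UNPARSEABLE_LIMIT else "throttle"


def run_constructed_scenario() -> list:
    """Constructed events for a user with 20 documents; returns
    (process label, verdict) pairs in order."""
    mon = RewriteMonitor(user_file_count=20)
    out = []
    # A text editor saves one file: 1/20 rewritten, content parses.
    out.append(("editor", mon.observe(100, "Documents/notes.txt",
                                      b"Meeting notes\n- budget\n- hiring\n")))
    # A bulk image tool rewrites three PNGs: crosses 10% but output still
    # parses, so it is throttled rather than blocked (the user can approve it).
    for i in range(3):
        png = b"\x89PNG\r\n\x1a\n" + bytes(64)
        out.append(("resizer", mon.observe(300, f"Pictures/img{i}.png", png)))
    # A freshly downloaded binary rewrites documents with ciphertext-like
    # bytes (deterministic high-entropy filler built from SHA-256 digests).
    for i in range(3):
        blob = b"".join(hashlib.sha256(f"{i}:{j}".encode()).digest()
                        for j in range(16))
        out.append(("JGjthjsfgl.exe",
                    mon.observe(200, f"Documents/report{i}.docx", blob)))
    return out


if __name__ == "__main__":
    for label, verdict in run_constructed_scenario():
        print(f"{label:16s} {verdict}")
```

Throttling the image tool is the expected false positive of rule 3 alone; rule 4's parse check is what separates it from the block verdict, and item 4's "approve" path clears it.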
Zero days are indeed often not required, however, IMHO the initial attack is less preventable than the lateral movement and further exploitation - if attackers are in your systems for a week while they spread everywhere and kill your backups preparing to pull the switch to "ransomcrypt" everything at once, then that was your opportunity to detect it and kick them out, but the victim organizations obviously were not capable of that. This needs to be fixed, perhaps by methods similar to those you describe.
And how much is being spent on these payments overall each year? How would that compare to the massive IT fortification project people are demanding?
We don't meaningfully fight bike theft for this reason. The cost of doing so relative to the benefits is just too high. We can debate whether that is reasonable, but that is essentially what has been decided as a society. Most low level crime is not meaningfully investigated.
And this erodes trust in society and rule of law, and gradually leads to vigilantism, privatization of security, and segregation due to middle-class flight from high-crime areas.
Having a physical write-enable switch on the backup devices costs about three cents.
War analogies are inapplicable, privateer analogies are inapplicable. Create the incentives, organizational and software structure required to stop this or it will continue. Holding single companies accountable shifts the burden without solving the problem.
Have standards, standards bodies, defensive organizations.
Like for food, hostels, stuff on the roads. There are some analogies.
Or do you mean banning both the US on-ramps and the foreign off-ramps? Are you optimistic that the US could get, for instance Russia, to enforce such a ban?
I'm not necessarily opposed to this "just ban cryptocurrency" talking point, but I'm never sure I understand what people mean by it in practice.
We need to start holding companies criminally liable for having security vulnerabilities that get breached. It is true that there will always be exploits but the issues are usually much more wildly irresponsible security practices and not "didn't know about the latest 0day".
There needs to be a statutory liability to customers and required insurance. Let the insurance company figure out the regulations instead of bureaucrats and politicians, insurance company rules are optional and noncompliance is just more expensive.
It is an increasing trend but the current uptick in awareness is mostly media coverage. This stuff has been going on forever; a few particularly newsworthy things happened and now everyone is going out of their way to report each new instance. Trends in reporting instead of trends in exploits (to a degree).
Sure, whitelisting is annoying to say the least, but these are critical systems, you don't need to install new software daily or even monthly.
To protect your company, application whitelisting needs enough usability to be easily supportable for the workstations of your accountant, office receptionist, and the VP of Marketing (those three are all good examples of valuable entry points for targeted attacks), which all may get management approval to throw out application whitelisting if it inconveniences them enough - there's no reasonable tradeoff between security and usability, you must get both as usability is mandatory and usability deficiencies will result in security features getting removed in all but the most critical circumstances.
I’d guess that recognizing that a given computer is now critical infrastructure is also part of the problem.
Whitelisting is the cool buzzword again, but it doesn't do much against human operated ransomware. It's a huge effort to implement (I know you want to say it isn't; try it and learn) and it's not very useful.
That's why most shops skip it.
To ensure that you don't have holes in your security posture... The technology you deploy is important, but it is also important that your security and governance model on top of the technology is in place.
Most of the blame is going to Russia, though North Korea is a possible source of this, as are a few random countries scattered around. Most stand to lose more than they gain from allowing such crime. (their military might be interested in the ability, but those will be more careful about who they target)
Unforced error.
I'm not sure what it would be called, but has there been any investigation in a sort of "transparent by default" database system? Ideally if this were possible people wouldn't need to care about data being stolen (though in this case it's unclear what the attack did, but many times it's more like we'll reveal/block your data unless you pay up)
Crypto is really what's made ransomware at the scale we see it now possible.
Ransomware in cryptocurrency could be easy to stop naturally. Miners just need to know that there is a nonzero chance of their blocks being forked off if they help them. It’s a technical problem of out-of-band governance protocols among miners, not unlike what is already being done for positive gain (MEV) by FlashBots. That’s the incredible possibility of cryptocurrency. It’s designed to turn selfishness into a public good, with no coercion, recognition, or good will. And sure, they could include a massive reward to convince miners to include the block, but then that also goes for every coinbase and transaction afterward, until there is nothing left, and no incentive at all for ransomware.
The present reality, of course, is that miners are just not that sophisticated. For the most part they’re just aping the repos that are released by the foundations. But the foundations certainly should understand that it’s in their interest to protect their currency by at least giving the miners information about transactions in the mempool or utxos, and perhaps some kind of out-of-band signaling mechanism to indicate unwillingness to accept blocks that include them. Perhaps better yet, a price for inclusion demanded in the form of an MEV burn added to the next block, which would of course fetch its own price. There is some criticism of the foundations here, as there is also some criticism of some PoS implementations that do not allow fork selection, but ultimately I think that they can solve it.
So that takes care of economic hackers. I’m far more concerned with non-economic or peri-economic agents. There is a doctrine of “unrestricted warfare” that everybody should know about. It explains many things about how and why things do not make sense. It is because we are under attack, and it’s a truly brilliant offensive, for which all of our defenses only work in their favor. I don’t have the answers for this. But it does give a warning. The effect they seek is not the damage they’ve done, but our reaction to it. Our reaction, by regulation that cripples our competitiveness, by restricting our own freedoms, could be disastrous to our country and our way of life, which is exactly what they want. And these attacks, although they may be carried out by economic agents, almost certainly find their roots in exploits created by long-standing programs of infiltration. Nature too, has learned this trick; SARS kills by turning the immune system against the host.
When the real failure is somewhere else: bringing these perps to justice. The fact that they can get away with this over and over again hiding behind anonymity is what enables these crimes.
If major infrastructure continues to be hit I think we will eventually see this happen, but we absolutely cannot count on foreign states to 'do the right thing.'
I agree the problem is that these criminals are sheltered from prosecution.
I get that you might not be able to do anything about it if they are sheltered from prosecution where they cash out.
But I don't get why we can't at least, to some reasonable degree of accuracy, say Address A took the ransom and eventually it ended up with Address Z cashing out through Exchange B. Then if either Exchange B or Address Z has anything at all to do with the US-dominated international financial system, you've got serious leverage.
If I'm Coinbase, am I not worried about unwittingly laundering money for terrorists? Don't I have a staff trying to prevent that?
Just like when they hit the vehicle inspection system in March, the wealthy hemmed and hawed about how nobody should get away with thumbing their nose at state authority but the little guys were just happy it wasn't them getting the shaft for once.
Or is it more like "well as long as it doesn't hit us we don't care"
It's the classic antagonist to the Colonial pipeline hysteria, which stopped their pumps because they would not be able to account for the exact gallons delivered to which customer. So instead they stopped a critical infrastructure. Hilarious. Plus Windows.
Here again the Windows office PCs were affected, but the steamships themselves didn't care much. They kept going, you only had to pay for your ticket onboard, not online. Online reservations were not honored.
I don't think this is really anything new. Just different targets.
1.) There is a cottage industry in this space that sells kits for these ransomware compromises. Everything provided is off the shelf, this is why you're seeing such an emergence in this space. It's not that the barrier to exit from a ransomware attack cost decreased (cryptocurrency). The barrier to entry lowered; any jerk can pay a small amount of funds to buy a software kit and instructions on how to do it.
Furthermore this is also why you're seeing so many public defacements going politically neutral (ironic given the times). It's simply relatively lucrative, with a low amount of risk, and only requires the technical aptitude of someone capable of using BitTorrent/Tor/Warez.
2.) Hiring / Managing security teams - unless you're in technology or selling security as a part of a product you can't afford a quality team/tools. Most businesses are trying to optimize their cost centers to maximize their profits. As such most of the time that means it's a race to the bottom to get them to be "insurable". Salary + Software is expensive. 500k minimum investment for a meat processing company or whatever is not the easiest pill to swallow.
3.) Companies that pay this are not good judges of security talent. They don't know if the Herjavec Group really is an effective detection company. They judge almost entirely on feeling. Same with that one fast talking hoodie wearing self proclaimed hacker talking out of their ass.
Not understanding what you're hiring for also creates friction, since any deviation from the fantasy security hire they imagined will be met with extreme resistance. "I thought they were going to shore up our servers, why do we have to log in on our email every 8 hours now". Oftentimes when an executive leader does not understand why security trade offs are made they just make the decision themselves (pro tip: they'll accept the risk) and you've failed regardless as an employer and employee.
4.) The industry does very little in a practical sense in preparing people for these job functions (with a few exceptions). Security engineers often have technical skills in spades. However, if they don't understand anything outside of security they are going to fail. Civil communication/debate, the ability to navigate political issues, understanding the business etc. are actually super important. The biggest tragedy was that someone internally probably saw this coming but couldn't actually get the messaging across.
When you combine all of these elements you have a confluence of shit. It’s once again getting less expensive to perform a wide attack with little know how intersecting an industry that has yet to course correct.
For cities, recurring plagues began occurring during Roman times and limited maximum city populations to about 1 million until the advent of modern sanitation, hygiene, public health, waste removal, and food quality. (Actual medical care and treatment had little to do with this, though vaccines and antibiotics helped.)
Industrial pollution lagged industrial development by about 50--100 years, with air and water quality and material contamination (heavy metals, asbestos, organic solvents, synthetic hormone disruptors and other bio-active contaminants, etc.).
Increases in travel, transport, and communications almost always directly facilitate fraud. The Greek/Roman gods Hermes/Mercury represented communication, messages, travel, transportation, commerce, trickery, and thieves. The term "Confidence Man" arose from Herman Melville's novel of the same name, set on the first great highway of the United States, the steamboat-plied Mississippi.
Mail begat mail fraud. Telegraph and telephones begat wire fraud. Cheap broadcast radio and television, payola and game-show fraud. Email begat spam and phishing.
The 1990s and 2000s computerised business practices employed computers with shitty security, but those systems were saved by the general lack of networking, the relatively small size of global computer networks, limited disk storage, limited network bandwidth, and the effectual air-gapping of paper-driven steps in processing. Billing might be submitted or computed electronically, but a paper check still had to be cut and signed. Draining accounts or data simply wasn't possible without running up against the inherent limitations of computer infrastructure at the time, even had a payment mechanism similar to today's cryptocurrencies been available.
If my assessment is correct, we'll be seeing much more of this.
Attackers have low costs. Victims have highly-interconnected, but poorly-defended systems, comprised of multiple components, each complex on its own, and lacking any effective overall security accountability. End-to-end automation exists, facilitating both productive work and effective attacks. A viable and tracking-resistant payment mechanism exists. Regions from which attacks can be made with impunity exist, and are well-connected to global data networks.
Backups alone are not an effective defence as these protect against data loss but not data disclosure. Full defence will require radically different thinking, protection, risk assessment, and law-enforcement capabilities.
Until then, get used to more of this, at both large and small scales.
There are some potential bright lights.
- I suspect attackers aren't targeting specific facilities but are instead conducting automated and scripted attacks against vulnerable facilities.
- For data-encryption ransom attacks, this means that the decryption key is all but certainly derivable from information on the attacked system, perhaps encoded as filenames or contents. Determining this mechanism may at least allow for data recovery. (It of course does nothing against data disclosure, long-term surveillance, or access denial attacks.) The likelihood that attackers have some database of victims + passwords seems low.
- Attackers are themselves subject to trust and suspicion attacks, and turning members or safe-harbours against attackers is probably a useful countermeasure.
- State-level sanctions, falling short of military attacks, may also prove effective.
This may be our last chance to maintain global power through the use of force at all, given that so many competitors are gaining foothold in every other area.
We need bullet proof IT infrastructure, instant backtracing, and effective retaliatory responses ready to deploy, yesterday!
Why the hell isn't the attacker's computer compromised when they access the data? (rhetorical)
The countries protecting these criminals are behaving like the Taliban when they controlled Afghanistan.
Poisoning dissidents, hijacking airplanes, crashing hospitals and pipelines, we'd better be careful because eventually someone's going to get hurt.
... Right.
We have to protect our satellites, see what other nations are up to (perhaps even intercepting their sat comms), and make sure our hypersonic game is on point.
It's worth noting that "cyber warfare" is what the NSA already does.
Are there CTOs or IT heads going into board meetings or other meetings, and telling people that these systems are secure? Because if so, they need to be tried for fraud.
If it's on the internet, it is not secure.
Imagine if all the hacks we've seen in the last year happened all at once. We'd be screwed.
Writing a law with proper disincentives is also trivial -- forget about fines. Proper jail time for senior execs and board members.
Execs and boards will be damn sure not to pay ransoms, and additionally damn sure that any company they hire to help knows in no uncertain terms that they are also not to pay any ransoms.
It really isn't that hard to write laws that disincentivize paying ransoms and aren't possible to route around with wink-and-nod bullshit.
Loopholes exist, but in general the government is not terrible at figuring out basic schemes like this and adapt administration of the law.
Insurance. Back-ups. Bail outs. Go out of business. That ransom paid has negative externalities that manifest nationally.
There is definite economic attack damage incentive still in place.
In fact - if ransoms are banned - then it would seem that such types of attacks become more of a state sponsored attack to affect the economy of your enemy/competition
What if it were Apple attacking FB or something like that. Surely we will see this in the future, just as originally foretold in Neuromancer.
Unencrypting for victims in the US that couldn't pay would just add more exposure risk to them of getting caught, so they would have no incentive to actually do it. It would take a large bit of money out of the system, but it seems like you need all countries to coordinate, and that one country doing so on its own, enforcing a no pay out rule, won't have much effect on non-targeted attacks.
How many of these attacks are fully automated in the initial attack/encrypt phase vs. human operators explicitly working to more fully infiltrate a target?
Given the effectiveness of social engineering in hacking's history, that's a very good question. I wouldn't be surprised if randomized attacks are used to create a "sales funnel" of high value targets with poor IT ops/outdated equipment/etc that can be exploited for big payouts. All it takes is a few hundred or thousand dollars to bribe a low level employee so the vast majority of the cost is likely in finding targets. Once they've identified a target, the exploitation process is probably mechanical.
The argument for banning payment of ransom for a ransomware attack applies just as much to any other situation where a ransom is demanded.
No, that’s what our military is for. That said, we have limited evidence any of these recent attacks were state backed.
For those of us who make money when cybersecurity dollars are spent, yes. Practically, you’d get a federal agency writing checklists.
Ban cryptocurrencies. They are the cause of the ransomware epidemic.
This is meant sincerely, not glibly: How? How can cryptocurrencies be banned in any meaningful sense?
We can "ban" them in a legal sense ("Use of cryptocurrencies is illegal after 1 Jan 2022"), great. But how can they be practically banned so long as computers themselves are not invaded by governments to observe every detail of their operation and private overlay networks are still technically feasible?
In what world does a ban on paying ransoms get wantonly evaded while a ban on cryptocurrencies does not?
Whether they'd listen to them still is another matter but that's the same with a regular cybersecurity team.
And that is to say we have institutional standards where unsafe practices are considered OK and will be followed because they save X dollars and time now.
For example, let's look at the recent major Colonial Pipeline case. Their pipeline systems weren't connected to the Internet, and did not get compromised. What got compromised was their business billing and customer communications systems - and those do need to be connected to the internet, that's their whole point, and they apparently were critical enough to make them shut down the (uncompromised) pipeline anyway.
It doesn't matter if your meat packing plant machinery SCADA systems are isolated, your inventory, logistics and sales systems are critical for your operations and need to be connected to the internet, so a ransomware attack will kill you even if your plant equipment works fine.
It doesn't matter if your chemical plant sensor network is isolated, your payroll and shift scheduling system is critical to your operations and needs to be connected to the internet.
Heck, for so many companies their email systems are critical to their operations (and leaking the contents would cause a massive liability) and those obviously need to be connected to the internet.
Not connecting is helpful in some cases, but it's nowhere close to a sufficient solution.
Another interesting shift is that complete administrative takeover is often less compelling: Software is more secure covering administrative functions, but users, which have access to all of your business data, are vulnerable as ever.
The remote server knows to unlock your computer and cleanse it of the ransomware upon receipt of payment.
Many also leave a marker on your system/network preventing reinfection. Most ransomware is from the same vendor rented out which prevents reinfection, for now.
My impression is that most of these start with phishing, and probably even tailored phishing for larger organizations. A particular phishing campaign then just needs to include an encryption key, while the decryption key is kept elsewhere; this process is still quite easy to automate.
Hell, you could even just let loose lots of malware with different encryption keys, with the decrypting keys stored in a spreadsheet. When one succeeds, display a hash of the encryption key to the victim, and have them read it back to you when they call in to negotiate. And then just look up the paired decryption key when it's needed. No need to track anything, or bother with command+control.
Releasing "lots of malware" either means a finite keyset, or a key-generation mechanism. At least as I see it.
(I'd really like to find a detailed analysis of the malware software. There was an earlier version of the Darkside attack which used a weak mechanism for key generation.)
The attackers no longer steal a password and log in with it, they kindly ask someone to please run their malware.
Otherwise have fun editing scripts with Notepad++ because IT never cared to allow VSCode, unzipping using Windows Explorer's feature because your request for 7zip was denied since the feature exists on paper, navigating the web without a content blocker, being restricted to Python 3.1 because the person responsible doesn't care about updates, not being able to run your own compiled scripts, being unable to run your keyboard macros, having to manage your passwords in a txt file, having only Excel to analyze data…
Some of this can be blamed on Windows IT admins finding it normal to download random binaries and run them for diagnostic information or configuration management, but that is not an easy problem to solve.
Maybe mandatory high-cost, high-limit cyber insurance, with dramatically lower rates provided you can prove x/y/z, would make for an incentive?
The point remains that a ferry service cut will be felt. Snark-infested waters or not.
I agree that things should be kept off the internet unless they absolutely need to be there, but realistically companies need to have internet connected services to be able to do business.
With this wacky invention known as a telephone. Merely three years ago I used a telephone to order tickets on the Alaska Marine Highway (a ferry service operated by Alaska) while driving through BC. No websites needed; it was utterly painless.
I'm not sure it's a perfect solution, but the standard of living was pretty good before the internet. Doing away with reliance on infrastructure for critical things like food processing, energy, and transit does not seem like a high price to pay to avoid a Thanksgiving turkey conundrum.
All these services are going to go unhacked, until they're hacked. And it's a completely skewed problem. We get minor conveniences for having them online. We suffer massively when they go offline.
They get by temporarily by doing things manually until they get their services back up, and they get compensated by insurance, but a few days' partial loss of business pales in comparison to how much revenue they would lose by going offline. A vast swath of their current and potential users wouldn't even know they existed without them having an online presence. The only solution would be buying that knowledge from someone else such as a travel agent. Even with that knowledge, it would be orders of magnitude more inconvenient to book and receive tickets, there would be a lot more fraud, and everything would move much more slowly.
> We get minor conveniences for having them online. We suffer massively when they go offline.
We get MASSIVE convenience by them being online and we suffer transient, relatively painless outages when they go offline. The most serious outage we suffered was that pipeline going down, and it was down for under a week.
When the Colonial attack happened, there was a person posting who described Colonial's situation from the inside. Colonial shut down because their billing system was compromised and their pipeline could have been compromised.
The pipeline was connected two way in hardware but one-way in software. But software can be compromised. Why not one way in hardware? 'cause the company was. Once billing was compromised, they had to assume the pipeline was compromised.
I suggest you read:
https://news.ycombinator.com/item?id=27101756
Not connecting is helpful in some cases, but it's nowhere close to a sufficient solution.
Sure, my comment above involves some hyperbole. The main point is that companies allow a ragbag of profligate connections between various subsystems to be default OK because this saves them money now and costs other people money later. And then expect outsourced security to solve this.
I'm sure a lot of the companies hit by the SolarWinds exploit had cybersecurity teams. It's just these teams can't say something like "don't allow some shitty third party to autoupdate their software into your system - if you view security as important, as maybe a government agency should."
Someone may have paid into that wallet, but who? Was it the attackers themselves, to make it seem to observers as if they succeeded? Did some consultant happen to keep a stash of crypto? Maybe the boss of the hacked organization wisely maintained a wallet for that purpose, funded by embezzling?
As in this case, pointing out a hypothetical way a law could fail, to insinuate that all laws would fail.
Do you use https?
Do you store password hashes instead of passwords?
Is the DB storing passwords in a firewalled network?
Is access to the DB restricted to only "need to know individuals"?
Does the DB send password hashes to other services?
Have you had a penetration test of your authentication system?
Do you sanitize the SQL you send to your DB?
etc.
Unfortunately the majority of security incidents occur due to someone forgetting something pretty basic or assuming "no one will ever find that".
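An added example, not from any commenter above, tying together two of the checklist items: storing salted PBKDF2 hashes rather than passwords, and binding parameters instead of splicing input into SQL. It uses only Python's standard library; the table layout, user names, injection payload and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

# Iteration count for PBKDF2-HMAC-SHA256; kept modest so the demo runs quickly
# (assumption for this demo; production deployments should use a higher count).
PBKDF2_ROUNDS = 100_000


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the password database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return con


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow hash: the database never sees the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def register(con: sqlite3.Connection, username: str, password: str) -> None:
    salt, digest = hash_password(password)
    con.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, digest))


def lookup_unsafe(con: sqlite3.Connection, username: str) -> List[str]:
    """Vulnerable: user input is spliced into the query text."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in con.execute(sql)]


def login_safe(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: bound parameters, salted hash compared in constant time."""
    row = con.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    con = make_db()
    register(con, "alice", "correct horse battery staple")
    register(con, "bob", "hunter2")
    payload = "x' OR '1'='1"   # classic tautology injection (constructed)
    return {
        "unsafe_leaks_all_users": lookup_unsafe(con, payload),
        "safe_rejects_payload": login_safe(con, payload, "anything"),
        "safe_accepts_alice": login_safe(con, "alice", "correct horse battery staple"),
        "safe_rejects_wrong_password": login_safe(con, "alice", "hunter2"),
    }


if __name__ == "__main__":
    print(demo())
```

The unsafe lookup turns the payload into `... WHERE username = 'x' OR '1'='1'` and returns every row; the bound version passes the same string to the driver as a value, so no row matches and the dummy hash keeps the timing of the "unknown user" path indistinguishable from a wrong password.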
This is the limiting factor in secure coding. We need more efficient ways of scaling out the few teams doing top tier work, as it only takes a single bad code review to open a security hole.
Teams should not need to implement their own authentication mechanism. Most companies should not need to implement their own mechanism. Authentication providers should explicitly and automatically verify that their clients have implemented auth correctly.
For the most part determined actors (many of them state sponsored) are going to be hard to prevent if they target you. Your best defense is early detection and reaction to the initial breaches. If you only do the hardening part and leave out the monitoring/observation part you are going to get owned.
No one expects the check lists to result in a perfect outcome but not having them quite likely results in a worse outcome.
Further, you don’t throw a party with a list of people not invited. It’s super ineffective to try to globally block an infinite list of bad.
Fungibility of a currency is actually important for it to be effective as a store of value. If my 1 USD is somehow worth more at the supermarket because it previously was owned by Elon Musk.
That said it’s not entirely impossible to track the source of origin of a Bitcoin transaction. It’s just computationally very expensive, since you can programmatically create wallets and transactions that can obfuscate the origin of transactions. So by the time the funds reach any exchange the money has changed hands too many times for them to reasonably be able to know if the origins of the digital coin came from illegal activity. Then, by the time they do know it was stolen the funds are gone.
Here’s the punchline though, since most exchanges do in fact keep records and the blockchain is an immutable list it’s only a matter of time till the software/computing resources adapt.
We're asking how to tell if the destination of a bitcoin payment is on the restricted list, not the source origin. You are not going to be able to fine/sue someone for making a bitcoin payment to an anonymous address by claiming the address is on a sanctions list. This is my point. Thus any such laws banning the payment of ransom to restricted entities are unenforceable.
This is true even if, after the payment is made, it is discovered who the wallet belongs to, as the person making the payment under US jurisdiction didn't know who they were paying.
Ransomware appears to be a less profitable and less clever use of hacking.
With the way I understand ransomware works, merely connecting a backup to the system will corrupt it. This is where a write-enable switch really comes into play, it cannot corrupt the backup when you're trying to restore from it. And if you have online archival databases, they can't be corrupted, either. After all, how much of your company data really needs to be writable? Certainly not last week's payroll records.
With append-only incremental backup systems, enforced by hardware, it'll take a lot longer to need to recycle the backups and risk them. Tape backup already does this inherently.
Another thing you can do with a backup drive, is attempt to read it from a clean system that has never been connected to the network. If you can read it, it isn't corrupted. Then, have a process where once a week see if the backup can be read. Then your worst case is a week lost.
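As an added example, not part of the comments above: a read-only integrity check that goes one step beyond "can the clean system read the drive". A readable drive can still hold files that were silently encrypted, so this verifier compares what it reads against a digest manifest taken at backup time and authenticated with an HMAC key that stays on the verifying host. The directory layout, file contents and the simulated tampering are constructed for the demo; the script only ever opens the media for reading during verification.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _listing(root: Path) -> Dict[str, Path]:
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def build_manifest(root: Path, key: bytes) -> dict:
    """Record every file's digest at backup time and MAC the whole listing."""
    files = {name: sha256_file(p) for name, p in sorted(_listing(root).items())}
    body = json.dumps(files, sort_keys=True).encode("utf-8")
    return {"files": files, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_backup(root: Path, manifest: dict, key: bytes) -> dict:
    """Re-read the media on a clean host and compare it with the manifest."""
    body = json.dumps(manifest["files"], sort_keys=True).encode("utf-8")
    expected_mac = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        # A manifest that does not verify under the key cannot be trusted at all.
        return {"manifest_ok": False, "modified": [], "missing": [], "unexpected": []}
    present = _listing(root)
    expected = manifest["files"]
    return {
        "manifest_ok": True,
        "modified": sorted(n for n in expected
                           if n in present and sha256_file(present[n]) != expected[n]),
        "missing": sorted(n for n in expected if n not in present),
        "unexpected": sorted(n for n in present if n not in expected),
    }


def demo() -> dict:
    key = os.urandom(32)   # lives on the verifying host, never on the backup media
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "payroll").mkdir()
        (root / "payroll" / "2021-05.csv").write_text("employee,amount\n1,100\n")
        (root / "README.txt").write_text("backup set 1\n")
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)

        # Simulate one encrypted file plus a dropped ransom note: the media is
        # still perfectly readable, so "can I read it?" alone would pass.
        (root / "payroll" / "2021-05.csv").write_bytes(os.urandom(64))
        (root / "README_RECOVER.txt").write_text("your files...\n")
        tampered = verify_backup(root, manifest, key)

        # Rewriting the manifest to match the new contents fails without the key.
        forged = {"files": build_manifest(root, key)["files"], "mac": manifest["mac"]}
        forged_result = verify_backup(root, forged, key)
    return {"clean": clean, "tampered": tampered, "forged": forged_result}


if __name__ == "__main__":
    print(demo())
```

Run weekly from the clean verifier as the comment suggests; the three buckets (modified, missing, unexpected) tell you whether the set is safe to restore from, and the MAC check stops an attacker who reached the media from simply regenerating the manifest to match what they encrypted.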
Second, where is this idea coming from that corrupted backups are the issue? You're solving a problem that doesn't exist and creating a real one.
If you meant write some software to activate the switch, that kinda misses the point!
A typical key-generation mechanism would be for each malware copy to have a serial number and the keys to be generated by encrypting the serial number, e.g. with AES, using another secret key.
Even if you know precisely the serial number of a copy and how the per-copy keys are generated by the attacker, you do not know the attacker's secret key used for key generation, so this is a dead end.
This is the distributed-secret-key problem.
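An added illustration of the two mechanisms discussed above: a finite keyset derived from public serial numbers alone versus keyed derivation under an operator secret. This is example code, not analysis of any real malware family. HMAC-SHA256 stands in for the AES-of-serial step; the 32-bit serial space, the serial 4242 and the key sizes are assumptions for the demo.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

KEY_BYTES = 16       # 128-bit per-copy keys
SERIAL_BYTES = 4     # serial numbers fit in 32 bits (assumption for the demo)


def derive_unkeyed(serial: int) -> bytes:
    """Weak scheme: the per-copy key is a function of the public serial alone."""
    return hashlib.sha256(serial.to_bytes(SERIAL_BYTES, "big")).digest()[:KEY_BYTES]


def derive_keyed(master: bytes, serial: int) -> bytes:
    """Keyed diversification (HMAC-SHA256 standing in for AES over the serial):
    the same serial yields an unrelated key under every master secret."""
    msg = serial.to_bytes(SERIAL_BYTES, "big")
    return hmac.new(master, msg, "sha256").digest()[:KEY_BYTES]


def recover_serial(target_key: bytes, derive: Callable[[int], bytes],
                   max_serial: int) -> Optional[int]:
    """Enumerate the serial space; return the serial whose derived key matches."""
    for serial in range(max_serial):
        if hmac.compare_digest(derive(serial), target_key):
            return serial
    return None


def demo() -> dict:
    master = os.urandom(32)     # held only by the operator
    serial = 4242               # one copy's serial number (constructed)
    weak_key = derive_unkeyed(serial)
    strong_key = derive_keyed(master, serial)

    # The analyst knows the algorithm and the serial space but not the master,
    # so the best they can do is try the derivation under a guessed master.
    guessed_master = os.urandom(32)
    return {
        "weak_serial_recovered": recover_serial(weak_key, derive_unkeyed, 10_000),
        "keyed_serial_recovered": recover_serial(
            strong_key, lambda s: derive_keyed(guessed_master, s), 10_000),
        "keyed_is_deterministic": derive_keyed(master, serial) == strong_key,
        "keyed_keys_differ_per_serial":
            derive_keyed(master, serial) != derive_keyed(master, serial + 1),
    }


if __name__ == "__main__":
    print(demo())
```

The unkeyed keyset is recovered by walking the serial space; the keyed one is not, which is the "dead end" the comment describes. Determinism is what lets the operator recompute any copy's key from its serial instead of keeping a spreadsheet.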
Additionally, how do you protect against the obvious opportunities for fraud and abuse (business deliberately attacks itself to collect the insurance payout, business hits their competitors to drive them out of business, etc)?
Isnt that what fire/flood insurance is for?
Backups get pushed from devices between 1AM and 3AM each day, so the primary backup server enables its network card at 1 and disables it at 3.
Primary backup server also has a second network card, that in turn is attached to a small subnet containing it and the secondary backup server only. The secondary backup server pulls a copy from the primary on a weekly basis in a similar manner as the primary, disabling its network card once it has finished.
Maybe they can hit the primary if the infection takes place overnight, but the odds of getting the secondary are pretty low.
One thing you could do is get one of those mechanical lamp timer clocks from the hardware store, and have it turn the power on/off the network card on schedule.
SolarWinds was fun for that. They provide safe updates of signed binaries. But their build system was corrupted, built tampered stuff and signed it.
I’m just a user of those things: it seems that cryptography is not what is breaking the chain of trust. It’s the usage? But go fix phishing.
Maybe gov agencies should opt in for some tightly manage environments?
But you're right that it wouldn't help with the SolarWinds situation. Once installed and given privileges, a trusted app can do whatever it wants.
Yes but once an exploit is found it can be tried on a whole lot more systems and the weakest link becomes a target. There is also a lot more interest hence brains in hacking/ransomware.
A lot of critical systems should simply be airgapped.
The main avenue would be by getting rid of the sanctioned on/off ramps for crypto (that is, crypto exchanges), leaving only the illegal on/off ramps which I'm sure exist.
This obviously wouldn't stop everybody, but it would certainly be a deterrent for all but the most motivated and well-connected of buyers. At that point, exchanging a large amount of crypto would be similar to laundering a large sum of dirty money; possible, but not trivial and certainly not an "easy out" for a major corporation experiencing a ransomware attack.
Laws are how you prevent this.
Can you imagine the Massachusetts Steamship Authority paying in cocaine?
Why would paying in Bitcoin be any different?
Bitcoin is parroted largely by a bunch of libertarian speculative grifters that think they're above the authority of our government to manage the monetary supply. They want to soak up all the advantages of building and controlling an economy.
If you look through the covers, it's all speculation and hype. There's nothing "decentralized" or "democratic" about it. Bitcoiners are fine with letting social services and the underserved slip through the cracks as long as they get their reward that they feel they earned.
The US is a democracy, and theoretically it helps people of all backgrounds and socioeconomic statuses. It might not be evenly distributed, but at least we can toss out the bad players. Bitcoin is not a democracy. It rewards the Ponzi schemers at the top and leaves everyone else out to dry.
And now look at what it's gotten us -- unprecedented crime from across international borders that we can't stop. All brought to you by the remarkable "governmentless decentralization".
Just wait until the kidnappings start. Or the murders for hire.
Fucking good for nothing bitcoin. The world was better before it existed.
Are you seriously using the war on drugs as an example of a successful policy? Drugs are easier to get and more numerous than ever, even though we have these magical laws in place for decades.
What are you basing this on?
From what I've read it seems its only the stupidest of criminals who are using exchanges like Coinbase to cash out, because that's the easiest way to get caught.
Even if cryptocurrency<->fiat transactions continue to be legal in other jurisdictions, making it illegal to trade USD for $crypto would make it very hard for a US company to pay cryptocurrency ransoms making such schemes much less lucrative.
By banning them? In the law? Enforcement would probably pay for itself, plus some. Throw in a whistleblower bonus, like the SEC has, if you want it to run on autopilot.
More aggressive: level repeated 51% attacks. This is well within the budget of any of the G7.
The only way to buy or sell cryptocurrency for the vast majority of people is through exchange companies that have the blessing of the US to continue operating. Even LocalBitcoins goes out of their way to follow KYC laws.
Legal/technical framework is already here.
I think a complete ban on cryptocurrencies is unlikely to succeed, for much the same reasons that the US hasn't banned guns and that the war on drugs is such a shitshow. A punitive tax: 10% of every transaction, for example, would still make cryptocurrencies viable for some extreme schemes, but would make the practice much harder and help establish the "real identity" -> Bitcoin address audit trail. Al Capone was busted on tax evasion, after all.
This would immediately destroy the entire cryptocurrency industry, and mining power in most or all networks would collapse to the point that the networks would essentially be defunct. Transaction volume and coin price on surviving networks could collapse to the point that it would be infeasible to pay an $XX million ransom, and ransomware developers would be back to where they were circa 8 years ago, with no real mechanism to untraceably receive millions of dollars.
What differentiates a cryptocurrency key from a non-cryptocurrency key? Would this criminalize the holding of any private key at all, even if intended for non-cryptocurrency applications?
What happens if I generate a key for non-cryptocurrency use and then someone later sends cryptocurrency to it? Am I going to jail? Do I need to rekey immediately? Is it my duty to monitor for this situation? If I'm evil, can I cause trouble by "spoiling" an enemy's known public keys in this way?
Here's an exhaustive list of all bitcoin keys; you're now in possession of all bitcoin in circulation: https://lbc.cryptoguru.org/dio/
These are solved legal problems. Cryptographic possession is a well understood legal concept that comes up all the time in contexts like custody of financial instruments or digital evidence.
> What differentiates a cryptocurrency key from a non-cryptocurrency key? Would this criminalize the holding of any private key at all, even if intended for non-cryptocurrency applications?
Intent, primarily, so no. The applicability of intent to the criminality of an action is also a well understood legal principle.
> What happens if I generate a key for non-cryptocurrency use and then someone later sends cryptocurrency to it? Am I going to jail? Do I need to rekey immediately? Is it my duty to monitor for this situation? If I'm evil, can I cause trouble by "spoiling" an enemy's known public keys in this way?
In this thought experiment with this hypothetical ban, this feels analogous to mailing cocaine to someone's house. Again, well-understood legal principles around intent cover this without issue. Based on relevant precedent for physical contraband, you'd presumably have no obligation to monitor for it, but you would have an obligation to report it if you discovered it and turn it over to authorities.
Blockchain ledger technology makes relinquishing contraband very straightforward. Once you discover that you are in possession of cryptocurrency, you can simply send it directly to a government-controlled blackhole address, and investigators will be able to trivially verify that this transaction is the only one you initiated while in possession of the cryptocurrency.
> Here's an exhaustive list of all bitcoin keys; you're now in possession of all bitcoin in circulation: https://lbc.cryptoguru.org/dio/
The legal system has been around the block on this one. The concept of criminalization of the possession of certain bit sequences when they correspond to some meaningful embedding is well understood. Child pornography is the classic example. Any arbitrary sequence of bits could in principle be child porn expressed in some highly unusual binary format, and yet somehow the legal system has successfully avoided criminalizing the possession of arbitrary random numbers. But if you happen to have a decoder for said highly unusual binary format, then you are going to jail.
Likewise if you happen to know that your "random numbers" are in fact cryptocurrency-controlling key pairs and you harbor an intent to traffic in cryptocurrencies, lo and behold, those "random numbers" suddenly transmute into a cognizable thing that can be criminalized.
Intent matters in law.
Take out a port, and screw an entire region.
If they wanted to prevent this kind of behavior there are two straightforward approaches:
- make it also illegal for the consulting company to pay a ransom.
- attach Strict Liability to any ransom payment, even if made through an intermediary. The executives quoted above from the paying company could still face criminal liability for such a payment disguised with plausible deniability https://en.m.wikipedia.org/wiki/Strict_liability
When I read about how ransomware encrypted every drive attached to it, and encrypted the backup drives when they were attached. This was why the ransomware waited some length of time before shutting off access to the user - they wanted to get the backup drives encrypted, too.
> You're solving a problem that doesn't exist
Now you know!
I don't disagree, but I hear very little discussion about low solve rates for smaller crimes.
No, I would say that a few counties have decided this, but the majority of counties have not. In most places, you do get arrested for property crimes, you still serve prison time for this, police still do things like use bait cars and exert resources to catch those who steal, and the idea that property crime should not result in jail time is not widely accepted by the majority of the population.
Previously you said I had to destroy the key. When is key destruction necessary and when is transfer to government necessary?
What if the transaction to my address is timelocked to 5 years in the future? Does that create any custody responsibilities on my end between now and 5 years from now when it becomes spendable and I can surrender it to the government?
What if I'm sent $50,000 worth of "dust" outputs that are only spendable by paying a $49,500 miner fee? Do I really need to pay miners to incur $49,500 worth of carbon emissions in order to cleanse my secp256k1 private key of $500 worth of bitcoin-ness so that I may continue using it in peace?
> Child pornography is the classic example. Any arbitrary sequence of bits could in principle be child porn expressed in some highly unusual binary format, and yet somehow the legal system has successfully avoided criminalizing the possession of arbitrary random numbers
This is true only because the "child pornography-ness" of the data is a property of the data itself, even if it's in an obscure format. Any arbitrary cryptographic key can be imbued with "cryptocurrency-ness" by anyone else, which means that revealing your non-cryptocurrency public keys now exposes you to risk, as long as some cryptocurrency out there uses the same type of public key.
If we're dead-set on banning it, why ban "possession" instead of use? If it's illegal to send cryptocurrency, but still legal to "possess" it, a lot of these problems go away. Making it illegal to sign a bitcoin transaction is a lot simpler than creating a new class of illegal number, and seems like it would be just as effective at ending the behavior it's trying to end. Maybe even better at it, since it would not incentivize additional "surrendering coins to government" transactions.
Linux has a far wider attack surface than my baremetal embedded firmware. Like 10^6 wider. There's a single mqtts service mostly, or just passive senders (sensors, controllers). Zero attack surface.
Linux is way too big, with thousands of drivers, services and patches.