We’ll never have perfect security. Secrets can always leak. Almost everyone’s one hack away from being blackmailable.
We can minimise the opportunity for blackmail in two ways: better security, and a more liberty-focused society — for example, you can’t be blackmailed for doing weed if nobody cares you did weed. (Same applies to many non-drug laws, but all this will vary from jurisdiction to jurisdiction).
3rd way: only store what is absolutely necessary, purge when not required anymore. (And if you are trying to sell me some webmail or photo gallery service, why do you need my shoe size anyway?)
There is a distinction between what is legal to do and what is socially acceptable to do. While black mail over illegal actions are the most common example used, a society that is very liberty focused in the law but who has strict standards on what is considered acceptable behavior can still lead to blackmail.
A society would need to be both liberty focused and tolerance focused to reduce the potential for someone to be blackmailed, but this runs counter to the notion that the fallout of blackmailable material being released is a just occurrence.
Blackmail is a side effect of punishment, legal, social, or otherwise, and the only cases where I think the majority will agree to reduce punishment to reduce blackmail is cases where people already believe the punishment isn't deserved.
If you read the article, the data includes information on informants (which is probably a ton). I'd imagine there is Grand Jury information in there as well.
Plus, there is probably personal information (payroll). Not that it matters how much anyone makes (that's probably public record already), but ACH banking details and things like that.
Some of these things we can't really reduce, need to be kept online for significant time frames, and can't be made public.
That being said, I agree that we should plan on having less perfect security (and then design for that sort of world).
I actually think "defense can win", unlike with real war where thanks to nuclear weapons "offense wins".
C and Unix is absolute dark age crap. We know how to prove programs correct. We just don't want to pay for it. There still be social engineering, etc., but that is much harder to pull off.
I also think better programming techniques will eventually make programming more productive, as there is less to mentally worry about, and good libraries with lemmas exist. That means rather than being a expensive defense -- expensive offense escalation, it's a 1-time capital investment for defense vs permanent increased operational costs for offense.
This is a quite unpopular opinion with security people, I'll grant, but people are also not used to thinking about technology as demand-constrained not supply constrained in general, which is exactly what's going on here and in so many other ares.
A better understanding of economics and development not CS I think will be the thing that corrects this.
You used to not be able to get a security clearance if you were a homosexual because you could be blackmailed. That's stricture has been dropped and that specific thing is no longer an issue mostly.
>and a more liberty-focused society — for example, you can’t be blackmailed for doing weed
This just covers the current crop of behaviors we can imagine (e.g. your weed example). But, as long as you have a society, you'll have/need some laws, behavioral norms and a social contract. Violation of any of these would be blackmailable.
Showing that you were willing to pay but the price was too high seems like the worst way to handle ransomware. Comparatively, the hackers are running an excellent PR campaign, providing the police enough time to protect those at risk and providing early leaks of data likely to upset the public.
I can't see how they're still protected really. If you're in organized crime in Washington DC then surely you get in contact with the ransomware gang and offer to pay for any relevant names.
Even if they pay the ransom those people are not 'safe'.
This is just conjecture and blue sky thinking, but privacy and security look like they might travel hand in hand. The issue is we have valuable data - and it is not protected as well as it should be.
Somewhere, somehow I think there is a data storage approach that encrypts data (lets say a pandas dataframe) and the authorisation is your ownership of relevant key. All data changes start to become eventually consistent, sharded and passed around as single atomic units....
>> the authorisation is your ownership of relevant key.
I tend to agree and go a step further. We need to eliminate "anonymity by default" and switch to communications where it is a default to verify the identity of whom you're connected to. No more spam emails, or at least you'd have a verifiable origin. Better still would be verification increase sender costs. Proof of work would be useful, and people on our whitelist could be given less work or no work. Just an idea.
If we have good identity verification, places like reddit or HN could strip that off to maintain anonymity but criminals attacking would have to offer up some identity.
Once strong identity handing is possible your encrypted data access become much simpler too.
I don't think this will happen because too many parties from ISPs to governments don't want it. Strong identity also makes end to end encryption easy.
(I'm new to this topic, so I apologize if this has been discussed to death elsewhere...)
Wouldn't it make sense for governments to make it crushingly illegal to pay a ransom? I would think that drastically changes the calculations of would-be ransomers.
I agree. Also better PR work. The article is based on information the criminals have released, it's pure speculation that negotiations have even happened in the first place. If it would be categorically illegal and if they would clearly communicate that it is so, there wouldn't be much of a discussion and people could focus on the main issue - the security breach.
"Online vigilante Deric Lostutter helped expose the cover-up in the Steubenville rape case. Now he’s facing more jail time than the convicted rapists."
Yep, the rapists got 1 and 2 years for the rape, and the hacker got 2 years for that hack. Clearly shows what the society's priorities are.
One thing I am still confused about is how the blockchain is supposed to make such ransom payments easily traceable. That apparently must not be the case if organizations keep falling victim to these attacks.
If you can trace the payment to Russia, and Russia refuses to do anything with the criminals, they are safe. The advantage of blockchain payment is that no-one can reverse the transaction once they found out it was illegal. No-one can block the transaction, or prevent it either.
It depends on which blockchain it is. For example, on the Monero blockchain every transaction is signed by at least 11 keys and there's no way to figure out which key actually authorized the transfer.
Seems like the US government could force the Bitcoin devs to lock down any transactions to and from the illicit addresses with a code change to the client. If they don't comply, make crypto illegal and topple the mining rigs.
I have a feeling it was something like an email with an attachment called important_tax_info.docx.exe. People are much easier to exploit than software.
I doubt it. Because governments, just like big corporations are susceptible to important but small things like software updates falling through the cracks. The incentives aren't right so it is allowed to happen.
It's been a week or more since this story first broke. I'm surprised the hackers haven't released all the info as a warning about what happens if you don't pay up in a timely manner.
Blackmail is a gun with one bullet that can only shoot one target. Once you release the information, you can never get paid. Any leverage you had is gone.
So if the goal is to get paid, releasing the information is actually counter-productive.
What are some thoughts about the government or corps posting a bounty on the blockchain for any tips or leads that lead to the identification of these perpetrators? Why not fight fire with fire?
As far as fighting fire with fire, I'd advise the FSB (or whatever relevant law enforcement body) that if you do not ably deter cybercriminals in your jurisdiction we will not enforce cyber crime laws against criminals targeting Russian individuals and companies. Could American hacker groups cause sufficient problems for Russia that it would become worthwhile for Russia to enforce laws against its criminals?
How would you do that transaction though? Police won't pay for bogus tips, and if they already get a valid tip, what's the incentive to pay for it? What recourse would the tip giver have if they didn't pay?
Any thoughts on why this continues to be such an issue? Is it a case of companies not heeding the warnings or are the attacks just becoming more sophisticated?
“ A day after the initial threat was posted, the gang tried to spur payment by leaking personal information of some police officers taken from background checks, including details of officers’ past drug use, finances and — in at least one incident — of past sexual abuse.”
I’m all for leaking this data. It would be a heroic act to let the people know how bad our police really are.
[+] [-] ben_w|4 years ago|reply
We’ll never have perfect security. Secrets can always leak. Almost everyone’s one hack away from being blackmailable.
We can minimise the opportunity for blackmail in two ways: better security, and a more liberty-focused society — for example, you can’t be blackmailed for doing weed if nobody cares you did weed. (Same applies to many non-drug laws, but all this will vary from jurisdiction to jurisdiction).
[+] [-] jlg23|4 years ago|reply
[+] [-] ballenf|4 years ago|reply
[+] [-] SkyBelow|4 years ago|reply
A society would need to be both liberty focused and tolerance focused to reduce the potential for someone to be blackmailed, but this runs counter to the notion that the fallout of blackmailable material being released is a just occurrence.
Blackmail is a side effect of punishment, legal, social, or otherwise, and the only cases where I think the majority will agree to reduce punishment to reduce blackmail is cases where people already believe the punishment isn't deserved.
[+] [-] psychlops|4 years ago|reply
(No, I'm not sure the word infiltrate can be used that way, but it should be)
[+] [-] MR4D|4 years ago|reply
Plus, there is probably personal information (payroll). Not that it matters how much anyone makes (that's probably public record already), but ACH banking details and things like that.
Some of these things we can't really reduce, need to be kept online for significant time frames, and can't be made public.
That being said, I agree that we should plan on having less perfect security (and then design for that sort of world).
[+] [-] Ericson2314|4 years ago|reply
C and Unix is absolute dark age crap. We know how to prove programs correct. We just don't want to pay for it. There still be social engineering, etc., but that is much harder to pull off.
I also think better programming techniques will eventually make programming more productive, as there is less to mentally worry about, and good libraries with lemmas exist. That means rather than being a expensive defense -- expensive offense escalation, it's a 1-time capital investment for defense vs permanent increased operational costs for offense.
This is a quite unpopular opinion with security people, I'll grant, but people are also not used to thinking about technology as demand-constrained not supply constrained in general, which is exactly what's going on here and in so many other ares.
A better understanding of economics and development not CS I think will be the thing that corrects this.
[+] [-] matz1|4 years ago|reply
This is imo the most feasible/pragmatic approach for privacy issue.
Instead fixing it by hiding the information, we should fix the actual issue that cause misery when the information is public.
[+] [-] thekaleb|4 years ago|reply
[+] [-] freeflight|4 years ago|reply
Watching the number of accounts grow over the years on haveibeenpwned has only reinforced that belief in me.
There's more leaked accounts out there than actual people on the planet, tendency rising fast.
The longer something is out there, the higher the likelihood it will get shared/leaked in some way or another.
[+] [-] unclebucknasty|4 years ago|reply
This just covers the current crop of behaviors we can imagine (e.g. your weed example). But, as long as you have a society, you'll have/need some laws, behavioral norms and a social contract. Violation of any of these would be blackmailable.
[+] [-] kderbyma|4 years ago|reply
first off, privacy and legality and confidence and sharing are all interrelated but different. to merge is to simplify and lose context.
[+] [-] unknown|4 years ago|reply
[deleted]
[+] [-] boomboomsubban|4 years ago|reply
[+] [-] vertis|4 years ago|reply
Even if they pay the ransom those people are not 'safe'.
[+] [-] cout|4 years ago|reply
[+] [-] lifeisstillgood|4 years ago|reply
Somewhere, somehow I think there is a data storage approach that encrypts data (lets say a pandas dataframe) and the authorisation is your ownership of relevant key. All data changes start to become eventually consistent, sharded and passed around as single atomic units....
I need to think about that somemore ...
[+] [-] phkahler|4 years ago|reply
I tend to agree and go a step further. We need to eliminate "anonymity by default" and switch to communications where it is a default to verify the identity of whom you're connected to. No more spam emails, or at least you'd have a verifiable origin. Better still would be verification increase sender costs. Proof of work would be useful, and people on our whitelist could be given less work or no work. Just an idea.
If we have good identity verification, places like reddit or HN could strip that off to maintain anonymity but criminals attacking would have to offer up some identity.
Once strong identity handing is possible your encrypted data access become much simpler too.
I don't think this will happen because too many parties from ISPs to governments don't want it. Strong identity also makes end to end encryption easy.
[+] [-] CoastalCoder|4 years ago|reply
Wouldn't it make sense for governments to make it crushingly illegal to pay a ransom? I would think that drastically changes the calculations of would-be ransomers.
[+] [-] trompetenaccoun|4 years ago|reply
[+] [-] lozaning|4 years ago|reply
[+] [-] trhway|4 years ago|reply
https://www.rollingstone.com/culture/culture-news/anonymous-...
"Online vigilante Deric Lostutter helped expose the cover-up in the Steubenville rape case. Now he’s facing more jail time than the convicted rapists."
Yep, the rapists got 1 and 2 years for the rape, and the hacker got 2 years for that hack. Clearly shows what the society's priorities are.
[+] [-] paulpauper|4 years ago|reply
[+] [-] tolbish|4 years ago|reply
[+] [-] rocqua|4 years ago|reply
[+] [-] matheusmoreira|4 years ago|reply
[+] [-] rawtxapp|4 years ago|reply
> The Babuk group said on its website late Monday
I don't think they care about it being untraceable, they can dump it on a non-US exchange, they probably care about it being un-censorable.
That said, the article doesn't mention if they want the payment in crypto (presumably they do).
[+] [-] TheSpiceIsLife|4 years ago|reply
Bitcoin, for example, doesn't claim to be an anonymous payment system.
[+] [-] fredgrott|4 years ago|reply
LEOs pay millions dollars yearly to have firms do this type of white hacking of using key collisions to unmask crypto coin users.
If you use Google you can find the more than 20 firms that offer their services to LEOs to do this.
Key size was based on number of users not number of transactions big mistake!
[+] [-] echelon|4 years ago|reply
Permanently kill illegal addresses.
[+] [-] david56423|4 years ago|reply
[+] [-] vengefulduck|4 years ago|reply
[+] [-] macinjosh|4 years ago|reply
[+] [-] throwaway0a5e|4 years ago|reply
[+] [-] bena|4 years ago|reply
So if the goal is to get paid, releasing the information is actually counter-productive.
Blackmail is a game of chicken.
[+] [-] paulpauper|4 years ago|reply
[+] [-] chrisco255|4 years ago|reply
[+] [-] ALittleLight|4 years ago|reply
[+] [-] spicybright|4 years ago|reply
[+] [-] unknown|4 years ago|reply
[deleted]
[+] [-] tjpnz|4 years ago|reply
[+] [-] bastardoperator|4 years ago|reply
[+] [-] diveanon|4 years ago|reply
[+] [-] ChrisArchitect|4 years ago|reply
[+] [-] belatw|4 years ago|reply
I’m all for leaking this data. It would be a heroic act to let the people know how bad our police really are.
[+] [-] TheGigaChad|4 years ago|reply
[deleted]
[+] [-] steve76|4 years ago|reply
[deleted]
[+] [-] liberty-bzmh|4 years ago|reply
[deleted]
[+] [-] andred14|4 years ago|reply
[deleted]
[+] [-] piemadd|4 years ago|reply
[deleted]