top | item 45913014

(no title)

lexlambda | 3 months ago

The donation is more or less virtue signaling rather than actual insight.

The problem can not be helped by research research against cybercrime. Proper practices for protections are well established and known, they just need to be implemented.

The amount donated should've rather be invested into better protections / hiring a person responsible in the company.

(Context: The hack happened on a not properly decomissioned legacy system.)

discuss

dspillett|3 months ago

> The donation is more or less virtue signalling rather than actual insight.

I see it more as a middle finger to the perps: “look, we can afford to pay, here, see us pay that amount elsewhere, but you aren't getting it”. It isn't signalling virtue as much as it is signalling “fuck you and your ransom demands” in the hope that this will mark them as not an easy target for that sort of thing in future.

bonesss|3 months ago

It also serves as a proxy for a punishment. They are, from one perspective, paying a voluntary fine based on their own assessment of their security failings.

For customers it signals sincerity and may help dampen outrage in their follow up dealings.

Timpy|3 months ago

Yes but I think it's a good virtue to signal considering the circumstances. If they paid the ransom that would signal that ransoming this company works, incentivizing more ransoms. If they refuse to pay the ransom it might signal that they care more about money than they do integrity. Taking the financial hit of the ransom, but paying it to something that signals their values, is about the best move I can imagine.

satisfice|3 months ago

What is the problem with virtue signaling? By all means signal virtue! Perhaps you are concerned by cheap virtue signals, which have little significance.

The point here is that this is an expensive virtue signal. Although, it would be more effective if we knew how expensive it was.

pjc50|3 months ago

At the stage we're at, I would far prefer virtue signalling to the more widespread vice signalling.

dominicrose|3 months ago

Virtue signaling is an insult that you can for example use against greenwashing or against someone who pledged to donate a lot of money to some charity but actually donated none or much less. Hypocrisy is also a form of virtue signaling.

It's also a term you can use against political opponents because it's much easier to speak well than to actually do good.

Refusing to negociate with criminals and help fund security seems like the proper long-term reaction for everyone.

whimsicalism|3 months ago

Requiring everyone to implement proper practices is one way of addressing the problem, I might call it Sisyphean & impossible.

Making it illegal to pay ransom is likely a much easier to implement and more effective solution.

And this isn’t virtue signaling - they literally did the virtuous thing that is better for society at the expense of their bottom line. That is just virtue.

walletdrainer|3 months ago

It is virtue signaling, especially considering the fact that doing the hard to swallow thing of paying the ransom would probably be the best outcome from a customer perspective.

Yes there are negative externalities in funding ransomware operations, not paying is still much more likely to hurt your customers than paying.

whimsicalism|3 months ago

Doing the positive externality thing at expense of your bottom line is to be praised. It is not ‘virtue signaling’ - it is actually doing a virtuous thing.

saberience|3 months ago

Paying ransomware fines is never the smart move to do unless you happen to trust what cyber criminals tell you.

You send them the payment, they tell you they deleted the data, but they also sell the data to 10 other customers over the dark-web.

Why would you ever trust people who are inherently trustworthy and who are trying to screw you? While also encouraging further ransomware crimes in the future.

make3|3 months ago

Sidenote, it's interesting how the term "virtue signaling" is arguably objectively an individualistic right-wing dog whistle these days.

I would argue that it is being used all over the media to complain about anyone showing any signs of not being purely individualistic, as if individualism is the only true thing people actually honestly feel. This is obviously incorrect, empathy, professionalism, a desire for a sense of purpose, are all things that people objectively feel in the real world, everyday, everywhere.

I would argue that the expression "virtue signaling" is used systematically in individualistic right wing media by the right about anyone who say, for example, that they care about minorities or less fortunate people or to take action to support them, as if it was false. I would argue that this is harmful.

People do care a good fraction of the time, and they should be recognized for their positive actions, and encouraged. I would argue that we should definitely strive for a culture where individualism is not seen as the only true emotion that people can feel.

So, knowing the negative political and philosophical baggage, I would not use that expression, especially if you don't have actual proof that they don't care about security, professionalism, etc.

blitzar|3 months ago

They should have watched Ransom (1996).

https://www.youtube.com/watch?v=xllIU0lPgqs

technion|3 months ago

I was just thinking of this scene as I read their report.

marcosdumay|3 months ago

> Proper practices for protections are well established and known

Endpoint security is a well known open problem for what no sufficient practices and protections exist.

AlienRobot|3 months ago

I don't know what virtue signaling means. I think you mean they just did it out of spite.

TacticalCoder|3 months ago

Refusing to pay a ransom and instead giving the money to the "ennemies" of the attackers isn't "virtue signaling" (as someone already commented: it's a "fuck you" to the attackers).

In french we call that a "pied de nez". "Turning the table" / "Poetic justice" / "Adding insult to injury" would all be more correct than "virtue signalling".

If there was no attacker and the company gave half a mil out of nowhere to a security company (or a charity) and boasted publicly about it, that would be virtue signalling.

But refusing to pay the ransom and giving the exact same amount to security researchers is just a big, giant, middle finger.

And a middle finger ain't no virtue signalling.

varispeed|3 months ago

There is not much to research. If companies want security, they should pay for security.

dspillett|3 months ago

> If companies want security, they should pay for security.

Or just properly follow best-practise, and their own procedures, internally.⁰

That was the failing here, which in an unusual act of honesty they are taking responsibility for in this matter.

--------

[0] That might be considered paying for security, indirectly, as it means having the resources available to make sure these things are done, and tracked so it can be proven they are done making slips difficult to happen and easy to track & hopefully rectify when they inevitably still do.

rollcat|3 months ago

Security is an arms race. Don't expect a leap; do your part to stay ahead.

unknown|3 months ago

[deleted]