New technology has enabled cyber-crime on an industrial scale (economist.com)
212 points by hhs on May 9, 2021 | 210 comments



  It is always a temptation for a rich and lazy nation,
    To puff and look important and to say: --
  "Though we know we should defeat you,
      we have not the time to meet you.
    We will therefore pay you cash to go away."

  And that is called paying the Dane-geld;
    But we've proved it again and again,
  That if once you have paid him the Dane-geld
    You never get rid of the Dane.

  It is wrong to put temptation in the path of any nation,
   For fear they should succumb and go astray;
  So when you are requested to pay up or be molested,
    You will find it better policy to say: --

  "We never pay any-one Dane-geld,
    No matter how trifling the cost;
  For the end of that game is oppression and shame,
    And the nation that pays it is lost!"
https://www.poetryloverspage.com/poets/kipling/dane_geld.htm...

We've known for hundreds (thousands?) of years that paying ransom only encourages more demands for ransom in the future. The solution to this is backups and improved security. I know that's expensive. Pay that cost now or continue paying more dane-geld proving over and over again that you are a mark that will pay.

> or, increasingly, to prevent them from being leaked

Why did high-risk data exist in the first place? Maybe stop gathering so much risky data.


Imagine for a moment that, despite all the precautions you yourself take, a clever crook manages to lock you out of some important files and demands a ransom. What do you do? It's easy to say cost is no object, but what if no amount of money, even far exceeding the cost of the ransom, can recover your files?

The attitude that people who are hacked should have taken better precautions and should fend for themselves is a big part of what makes us soft targets to cybercrime. Imagine if we treated murder this way. "Oh, sure, he was killed, but he was walking down the wrong street at the wrong time of day. He should have known better! Let's start an educational initiative to make sure other people know what streets they shouldn't walk down at night!"

We must expect the state to do a competent job of protecting citizens from cybercrime but, in most jurisdictions, governments do not devote adequate resources to this task. That needs to change.

New technology and inadequate response from governments is what has created this bonanza for a new kind of criminal.


We should avoid real world analogies. That's how we got into the culture of throwing people in jail for reporting a security bug (why were you snooping around on my property!) and stuff like "you wouldn't download a car".

The specific problem with the murder analogy is that governments have effective ways to reduce local crime. You can't do anything similar for stuff happening on the internet. Criminals come from all over the world.

Even if you can get every government to agree, not all of them have the resources to implement any effective form of deterrence. It also seems like the solution will be way worse than the problem. You either firewall yourself off from the world (what China does) or add so much spying that you can always catch the "bad guys". I can't think of any other solution. If we want a free internet, we just have to accept some are going to abuse their freedom to do bad things and deal with it.


IMHO there should be a separate, encrypted-only, ID-required network for "serious internet business". Keep the free and open part open and free (and semi anonymous), but have another area which is more controlled. I'm not saying this would solve all problems, but I think it would help.


You can already do that with VPNs. Businesses already heavily leverage them, and consumers are generally not interested in the hassle. You'd also have to be careful with the implementation. If one computer can be connected to both networks (and it sounds like they'd almost have to be), hackers will bounce their connections off someone else's computer. C&C traffic comes in via the insecure connection and out via the secure connection.

It would probably hamper script kiddies, but it's not going to do much in the face of a targeted attack. And even a semi-motivated script kiddie could probably buy a service from a botnet to route their traffic onto the secure network.


The idea that an "ID-required" network would do anything to slow down bad actors is downright hilarious.


I'm sure the Chinese would agree.


Not sure why you think the way China does it has to be the only way it can be done. It's exactly like shouting "COMMUNISM!!!!" at every social policy idea. Get a grip.


> The specific problem with the murder analogy is that governments have effective ways to reduce local crime. You can't do anything similar for stuff happening on the internet. Criminals come from all over the world.

Extradition for murderers is incredibly common, as are cross-border fraud investigations (look at the case of Frank Abagnale), so tracking down people internationally isn't a new thing.


> "Oh, sure, he was killed, but he was walking down the wrong street at the wrong time of day. He should have known better! Let's start an educational initiative to make sure other people know what streets they shouldn't walk down at night!"

There's nothing inherently wrong with that. It is a fact that violence often can be avoided. This doesn't absolve the criminals of their guilt but it does mean people can learn to recognize danger signs and avoid many instances of violence. When faced with warning signs that a situation is developing, a lot of people feel like something is a bit off but they proceed anyway because they think they're just being paranoid.

Punishing people after the fact does nearly nothing to help victims. It doesn't undo any trauma, it doesn't bring the dead back. Avoiding violence is always the best option if possible.


Paying any sort of ransom should be illegal with severe criminal penalties. If that means that some businesses or people are ruined then so be it. That would be an acceptable cost to reduce similar attacks against others in the future.


Well, fortunately you don't get to decide that.

Also imagine how well this would go - your child was kidnapped, but now you have to go to prison because you had the gall to make sure they go home safe.

Like, I get your point, but it's one of those armchair social science ideas that can go into a cabinet full of really cool and really obvious ideas that won't ever be implemented in reality.


The people who do have the power to decide that, the FBI in the case of live children and the Department of the Treasury in the case of ransomware, have in fact decided that these payments are illegal for precisely these reasons. Kidnap for ransom is effectively no more in the states, due to the FBI's high rate of solving these cases. If crimes using computers were taken seriously, we might have a chance at actually reducing their rate as well.


>If crimes using computers were taken seriously, we might have a chance at actually reducing their rate as well.

They often are taken seriously. The problem is most of the ransomware gangs operate out of Russia, and Russian law enforcement permits the activity if Russian citizens aren't targeted. (There may be a short blacklist for citizens of some other countries allied with Russia, as well, but targeting and profiting from citizens and companies in America and Western Europe is explicitly allowed.)

If you're the FBI, there's absolutely nothing you can do about that if the ransomware operators never leave the country. You can try to lure them out of the country - and this does happen sometimes - but if they're smart enough to never leave, they're basically immune to all repercussions.

The Justice Department can publicly indict them, and they sometimes do, but they're just going to laugh at it; it simply increases their street cred and respect among their peers. "I'm on the FBI's Most Wanted lol." You can go after the infrastructure, but as long as the people involved are allowed to operate freely and continue to have lucrative incentives, it's only a minor annoyance at most.


We could issue letters of marque and reprisal. Basically, if Russia won't prosecute their cybercriminals the US will permit cyber crime against Russian targets.


If you pay the ransom you’ve doomed future children to be kidnapped as well.


The problem with this logic is that not paying the ransom doesn't guarantee future children not being kidnapped, but it nearly guarantees your own child being killed.

So if the choice is presented as "do I not pay the ransom to reduce the chance of further kidnappings by some completely undefined %, or have my child harmed with nearly 99% certainty", who could ever choose not to pay it? What sort of mind gymnastics would you go through to justify not paying it in that case?


My logic is most people would put themselves first at the cost of the greater good. So if it is well established logically that the greater good is for everyone to cooperate and not pay ransoms then it needs to be enforced for everyone.

It’s like pollution or recycling. Why spend the effort and cost to do it if the benefit is only to future generations or society as a whole (ignoring the few who do it for their own sense of self-satisfaction)? That’s why we have things like penalties for pollution and carbon credits.

These people are externalizing the cost of their actions. At the very least we shouldn’t allow ransom payers to externalize the real cost of the ransoms to future generations and society as a whole.


Yes, but like I said right at the beginning it works fantastically well as a sort of armchair theory. Same way we can sit here and say that drugs should be super illegal and the penalty should be death, voila, no more drugs, right? We know this doesn't work.

Making ransom payments super illegal wouldn't stop them from being made. People (parents in particular) would absolutely try to find a way to pay the ransom anyway to save their children, no matter the consequences. Like I said in another comment - what kind of punishment would stop the parent of a child in danger from paying the ransom? Years in prison? Most parents would gladly make that trade to make sure their kid goes home. There isn't a punishment here that you can establish to absolutely eliminate ransom payments, and as I'm sure you can see - as long as *any* are paid, criminals will keep using them as a tool. So imho, any effort (and therefore money) spent on fighting the ransom payers is completely wasted time and money. Not paying a ransom does not reduce the chance of further kidnappings significantly enough to make it worth it, and I'm nearly certain you can't come up with a punishment harsh enough to scare people away from making the payments.


> no more drugs, right? We know this doesn't work.

You can read what I wrote here about the Great Firewall. https://news.ycombinator.com/item?id=27103646

"No more drugs" is not the goal, neither is "no more ransoms." The goal is to reduce the reward for ransoms so that it is disincentivized to some degree.

If our disagreement is on how to stop X to an absolute degree, then I would agree with you for all Xs that it would be impossible, whether X be ransoms or logical fallacies.


So you need to sacrifice your own child's life for being so stupid as to get abducted and kidnapped in order to hypothetically decrease the probability that hypothetical future kids may be kidnapped?

Come on. You would really make that decision if your child were kidnapped?


I wouldn’t make that decision. No one would. Which is why it must be made for them… kind of like car insurance.


It would work about as well as banning abortion - of course it would still happen, just outside of the view of the law. Like, come on. If the life of your child was on the line, you wouldn't figure out a way to pay the ransom even if there was a potential for prosecution later?

Also I'm not sure how the fine would even be decided to be effective? 3 years in prison? Would absolutely gladly trade it for the life of my child. Probably any amount of time in prison would be spent gladly in order to save your child. And once we start throwing out ideas like life imprisonment (because really, can't go much higher than that) it would be struck down as not proportionate to the crime.


> It would work about as well as banning abortion - of course it would still happen, just outside of the view of the law. Like, come on. If the life of your child was on the line, you wouldn't figure out a way to pay the ransom even if there was a potential for prosecution later?

By this logic the Great Firewall of China is a massive failure because some guy, somewhere, was able to access illegal content from China. But that's not the case. It works quite well to control public opinion and it doesn't have to be 100% effective at blocking content to do so.

The same applies to disincentives to ransoms. Of course some people will still pay ransoms. But why let criminals have a monopoly on the market? The total ransom someone can pay is fixed by the market (basically how much your child is worth to you and how much money you even have, otherwise there'd be no ceiling on ransoms). Since the government is in on the action, the revenue from ransoms is split between fines/jail time/criminals. If the government's actions are decided ahead of time, and cannot be changed based on any single ransom attempt, then kidnappers will know that their potential income from ransoms will be severely cut, thereby disincentivizing ransoms by some degree. The degree to which it is disincentivized depends on how good of a competitor the government is in the market (enforcement/detection of ransom paying events).

> Also I'm not sure how the fine would even be decided to be effective? 3 years in prison? Would absolutely gladly trade it for the life of my child. Probably any amount of time in prison would be spent gladly in order to save your child. And once we start throwing out ideas like life imprisonment (because really, can't go much higher than that) it would be struck down as not proportionate to the crime.

These are implementation details. If there is no ceiling to what you will pay/rob/steal/do then don't let the kidnappers out there know! But also, you'd be a massive liability to society assuming other people don't care about your kid as much as you do, since criminals can leverage you to a 100% degree. If they know this about you, they don't even have to estimate your net worth. They can get you to go rob a bank instead!


> These are implementation details.

Which are what a plan is made of. If you live in a democracy and not a dictatorship, you have about a 0.0002% chance of keeping the parents of a kidnapped, murdered child in jail for more than a day for the crime of "attempted ransom paying" without you and your family becoming pariahs and being screamed at in public places, and your political party being annihilated from politics even after press releasing your expulsion.

It's not just the parents that would have to sacrifice.


And yet here we are imprisoning people for simply using drugs. Whether you agree that's good or bad it should be obvious that criminal penalties for drug use at least disincentivize a lot of potential drug use.


Sure; criminal penalties for criticizing the government disincentivize a lot of potential dissent, too. Works well in China.

I think you're right that imprisoning people for paying ransoms would probably decrease the probability that a victim would pay a ransom. And imprisoning people for blasphemy would probably decrease the probability that someone would take Jesus's name in vain. But I'm not sure how useful it is to discuss things like this. (And, for the record, I also think it's unconscionable that the US imprisons people for simply using drugs.)

And then there's the question of overall efficacy: it disincentivizes a lot of potential drug use, but does it also disincentivize drug sales? Does banning drug possession decrease the amount of drugs sold? I don't know. They could always just try to sell to more people than they otherwise would have.

Similarly, ransomers could just go for more of a spray-and-pray approach and ransom more victims per unit time to offset the fact that there's a lower probability that any one victim would pay. They could also hike up ransom prices to offset it, so that each victim is hurt more even if there may possibly be fewer total victims.

I think even if it did objectively, inarguably decrease the amount of ransoms - which I acknowledge is plausible - it'd still be completely unethical and an extremely terrible idea. But I'm not even sure if it would. We aren't exactly winning the War on Drugs by penalizing drug use, and I'm not convinced we're going to win the War on Ransomware by penalizing ransom payments. And even if we could win both those wars that way, I think it'd still be really fucked up and major governmental overreach.

There are a lot of issues with this idea, too, but I'd be more sympathetic to the ideas some others have suggested in this thread: bring back letters of marque and reprisal and provide some legal structure for American/European citizens to target international cybercriminals in certain countries and perhaps also take money from them and keep a percentage of the proceeds, etc. I'd be way more in favor of vigilante justice against perpetrators as a remedy compared to draconian punishments against victims. These people currently face absolutely no repercussions, so adding some repercussions may help deter them.


And what if your child, who you save at that time, goes on to be an elite police officer specialising in child kidnappings and saves dozens of later children's lives without paying ransoms?

These situations involve complicated moral dilemmas, but thought experiments never take into account all possibilities, and at some point idealistic principles about the general problem have to give way to pragmatism about the immediate problem.

To give an extreme example, if someone had a button they could push that would end the world as we know it, and they demanded you pay them $1B or they'd push it, are you really going to argue that paying that billion dollars is the incorrect response because it would encourage future people with the ability to end the world as we know it to demand ransoms?


> And what if your child, who you save at that time, goes on to be an elite police officer specializing in child kidnappings and saves dozens of later children's lives without paying ransoms?

Well he wouldn't have been kidnapped in the first place if we disincentivized ransoms!

> To give an extreme example, if someone had a button they could push that would end the world as we know it, and they demanded you pay them $1B or they'd push it, are you really going to argue that paying that billion dollars is the incorrect response because it would encourage future people with the ability to end the world as we know it to demand ransoms?

Your example is indeed extreme. It posits a game with 2 players, the world, and the entity trying to end the world. In a 2-player scenario where you lose if you don't do some requested action then you would have no choice but to do it. However, in an n-player scenario where n > 2 and player "x" being the one wanting to win by ending the world, and assuming all other players can win by cooperating, then yes the world government should indeed forbid all players from paying the $1B ransom.

It's a well established fact that if ransom demanders know that ransom payers are subject to significant fines and penalties, their power to demand ransoms drastically diminishes.


No it doesn't. It just changes form. See money laundering and the mob.

Can't collect in cash? That's a-ok. Do me a favor and you get your kid back.

You are not talking a lick of sense. Crime finds a way. It always will. You can't tax law-abiding people to invalidate criminal economic models. All you do is disadvantage the victims, undermine the legitimacy of your legal edifice by implicitly raising it above those it serves in importance, completely do away with any semblance of sanity, and maximize the cost in human lives exacted from the pool of the falsely accused and victimized. Game theory doesn't apply. Rational Actor Theory doesn't apply. Addressing crime via draconian laws doesn't work if you're at all interested in any State even nominally centered around the concepts of Freedom and Liberty.

And a Ransom tax? Do you want tax collectors tarred and feathered? Or are you just trying to ensure that any remaining credibility in the government is irrevocably lost? Taxes lend legitimacy to things. You're basically admitting that a ransom is even a valid transaction by enshrining it in your tax code.

Absolute madness.


> Well he wouldn't have been kidnapped in the first place if we disincentivized ransoms!

This is a bizarre and emotive discussion, so I'm not sure how much more it's worth saying, but I will leave you with one final question. What law could you possibly make and what "severe criminal penalty" could you possibly impose that would be greater than the natural law that parents would do almost anything to protect their children and what a parent would suffer if they lost a child? I don't believe anyone could ever implement the policy you've been advocating effectively, and at that point, the entire deterrent argument collapses anyway.


Simply increase the cost of the ransom. I don't think it's necessary to make it even a criminal thing, it could just be a tax: Ransom Sales Tax. Of course if you try to pay under the table then it'd become a criminal tax avoidance issue.


Future kids aren't your kid though. It is human to be self-interested.


If we can agree the act is in self-interest, and we can agree that society has a role to play in disincentivizing certain self-interested actions that harm the greater good, then we can agree that society should apply those disincentives to ransoms.


Under a consequentialist point of view, yes. But, in my honest opinion, consequentialism is a completely flawed and unfair way to judge actions.


I totally disagree. I consider myself a consequentialist, and I absolutely think the net positive utility would come from paying the ransom and rescuing your child. The problem isn't consequentialism but merely an insufficiently nuanced analysis of potential actions one could take and their potential consequences.


Judging actions is like saying dooming children is good, or bad.


If a cartel kidnaps your child and says they'll be killed if they don't receive a ransom payment within 72 hours, guess that's goodbye to them, then?

This kind of punishing of victims is draconian, unethical, and, in my opinion, basically insane, in addition to being impractical and very difficult to enforce. In some cases the victim's negligence is largely to blame, but sometimes it isn't.

And even when they are negligent, I think threatening to imprison them for paying a ransom in order to remedy something that may upturn their entire life and cost them far more (financially and otherwise) than not paying is just ridiculous.

There should be some kind of accountability and regulation for negligence, and any company that's hit with a ransomware attack should be legally required to report the attack to authorities and disclose it to their customers, but I don't think you can or should punish people for paying ransoms. You should try to punish the ransomers, and the people who obstruct punishment and shield the ransomers (like countries whose law enforcement permits the attacks and extortion and whose financial industry permits the payment handling).


That's very easy to say from a highly ordered country with effective law enforcement and a strong tradition of low violence. Other countries, much less so. There are many in the world (I live in one) where if you're "asked" for a ransom payment because a family member was kidnapped or as a threat against your business being burned to the ground, your only even partly decent chance of escaping the situation in a way that minimizes tragedy is to simply pay. Anything else, including going to the thoroughly useless, corrupt police, will mean that whoever you love enough to sell your house for will die, or something you spent years building is destroyed. Avoiding future incidents is something you'll think carefully about afterward, but paying is the first and usually only choice for saving a life or property. Ponder that in the context of how you would feel with your own family before giving flippant, simplistic absolutisms.


I almost got murdered in Africa, the general consensus is that this is expected behaviour for night time and I was at fault. For what it's worth I agree with that...

Cybercrime isn't so much crime as a basic reality of these systems. The level of policing we'd need is a ridiculously high cost in comparison to improving the public infrastructure that is computer security.


Wow if you don’t mind me asking, what happened and how did you get out of that situation unscathed?


This is not a status quo people should accept. It is a problem and it should be fixed.


Is this a proposal that we should make no effort to mitigate crime until we can eliminate it altogether?


"New technology and inadequate response from governments is what has created this bonanza for a new kind of criminal. "

Just what government response would be appropriate here? From where I sit, government already meddles way too much in this area.

"Oh, sure, he was killed, but he was walking down the wrong street at the wrong time of day."

It is an odd comparison, but also very apt. You are at fault for walking the South Side of Chicago while waving wads of hundred dollar bills, looking like a mark. Just because it is illegal to take from you does not mean it is not stupid to flaunt your idiocy around.


This sounds a lot like victim blaming to justify the existence of a technology which intentionally seeks to make transactions like these easier.


The victims' only mistake was the way they underfunded their IT security. It's not a small mistake though, and the financial losses of the victim itself can in certain cases easily be dwarfed by losses of people who got their data exposed.


It's more than that, though. Many of the modern ransomware gangs are filled with talented, dedicated attackers who specifically target certain companies.

You could invest a ton into security, have a competent security team, follow best practices, set up lots of security appliances and software, have lots of analysts monitoring and responding to alerts and actively hunting for threats and writing custom SIEM rules etc., and there could still be one small mistake that lets a sophisticated attacker in.

As the adage goes, the defenders have to win every time and the attackers only have to win once. A group of sufficiently motivated, dedicated, resourceful, and talented attackers who face zero risk of any sort of repercussions will very likely get in if they put enough time and effort into it.

This isn't just old-school ransomware that merely tries to infect as many computers as possible in general and just happens to land on a corporate machine and automatically spreads from there. These are trained, experienced red teams manually targeting companies and everyone who works at them. In many cases the victims do indeed have poor security, but a company doesn't necessarily need to have poor security to fall victim to ransomware.


There is no need to justify it. Cybercrime is a relatively small price to pay compared to the value provided by private cryptocurrencies. Their usage by criminals is actually a great way to see if they really work.


> Cybercrime is a relatively small price to pay compared to the value provided by private cryptocurrencies.

Which is what exactly? Speculation? And...


  1. Store any amount of money easily and securely
  2. Transact quickly, easily, cheaply, globally, limitlessly
  3. Nobody knows your balance
  4. Nobody knows transaction amounts, senders, receivers, history
  5. Nobody knows about anything you do
  6. Nobody can randomly freeze your assets
  7. Nobody can move those coins without the key

Have you ever had your money taken away from you? My country suffered through hyperinflation in the 90s, the government got desperate and just froze the bank accounts of everybody. The amount of disruption this caused is legendary.

It doesn't matter how much energy it consumes or how much crime it enables. If it allows us to escape government stupidity it's more than worth it.


I mean roughly each of those points doesn’t apply to every major crypto. But also no, I’m properly invested. You get to escape government stupidity into the open arms of criminals and scammers. Out of the frying pan and into the fire so to say [1]

It’s like replacing the local police with the Sicilians. They even have a comparable customer service policy, i.e. SFYL.

[1] https://ag.ny.gov/sites/default/files/2021.02.17_-_settlemen...


> roughly each of those points doesn’t apply to every major crypto

Monero currently has all of these properties.

> You get to escape government stupidity into the open arms of criminals and scammers.

This does not justify sacrificing everybody's financial privacy and independence. The police should track the criminals via other methods. They shouldn't be able to surveil everybody's transactions at all times or freeze people's accounts over the slightest suspicions until they prove their innocence. It's better to let some criminals escape than suffer these injustices.


> This does not justify sacrificing everybody's financial privacy and independence.

Agree to disagree haha. Financial records are private unless revealed to authorities in a 4th-amendment-compliant, probable-cause-based warrant. Seems like the right place to draw the line.

> The police should track the criminals via other methods.

Why? I mean it's pretty easy with basically every crypto other than Monero, and Monero is basically Narco-dollars, which are unlikely to find any acceptance.

> They shouldn't be able to surveil everybody's transactions at all times or freeze people's accounts over the slightest suspicions until they prove their innocence.

You mean... probable cause? And offer due process to resolve? Some would argue that's the foundation of the criminal justice system.

> It's better to let some criminals escape than suffer these injustices.

You're just subbing one kind of criminal for another.


Destruction of this really annoying planet we live on!


  "Gold is for the mistress -- silver for the maid --
  Copper for the craftsman cunning at his trade."
  "Good!" said the Baron, sitting in his hall,
  "But Iron -- Cold Iron -- is master of them all."

https://www.poetryloverspage.com/poets/kipling/cold_iron.htm...


Ransomware is full disk encryption but you don't know the key. This is hard to do with modern BIOS settings. Upgrading to Windows 10 makes ransomware much harder to install.


Do you have more info on what Windows 10 does WRT ransomware?


I was shocked when I heard a ransomware expert at a security conference tell everybody to just pay the ransom. Shocked.


But it's the right answer for an individual org in that situation.

Of course the correct answer for everyone, in the long term, is to have backups and not pay.


In my opinion, even then the cost of not paying may still be far, far higher than paying. A reply to the parent: https://news.ycombinator.com/item?id=27102599


If your options are 1) company is ruined and has to shut down temporarily or permanently, with much higher total costs than the ransom payment, or 2) pay the ransom, of course you're going to pick option 2.

Backups aren't necessarily enough. Sure, a lot of companies don't back up. And sure, a lot of companies back up but keep the backups on network shares that the ransomware can reach and encrypt. And sure, a lot of companies keep isolated backups which aren't encrypted, but which are missing the past few days of production data.

But even if you have a perfect backup solution up to the minute before the attack occurred, you'll still be coerced to pay. These ransomware operators are general extortionists - they manually target specific companies and come up with the most impactful threats to pressure you to pay.

They screenshot all of the sensitive documents, emails, IMs, trade secrets, and PII they've gathered and say they'll post it online and mail it to every local, regional, and national press outlet, every company you partner with, and every customer email they've harvested. (And they do indeed make good on this threat if you don't pay by a deadline.) They call all your executives every hour of every day and target their personal devices. They might SWAT your executives' houses.

If you don't have backups, the overall, reputational, and financial cost is probably way higher than the ransom payment. But even if you do, it still might be higher than the ransom payment. Even if you really want to take the moral high ground and inform your customers, partners, and the media of your choice and that you won't negotiate with terrorists or whatever, all of the damage (especially to your reputation and trust) may still be so extreme that you have to shutter your company.

I don't think you can fault someone for paying the ransom when they're being explicitly targeted by sophisticated attackers and when so much is at stake.
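The three backup failure modes described above (no backup, a backup the malware can reach, an isolated backup that lags production) are easy to see in a small simulation. This is an added example, not code from the thread or the article; it uses a toy XOR cipher in place of real ransomware's per-file encryption, constructed sample files, and a temp directory standing in for the host, a mapped share and a pull-based snapshot vault:

```python
"""Push-mirrored backup on a host-reachable share vs. pull-based immutable snapshots,
under a simulated ransomware run. Added example; the thread does not contain this code."""
from __future__ import annotations

import shutil
import tempfile
from pathlib import Path

# Toy stand-in for the attacker's file cipher (real ransomware uses AES/ChaCha with a
# key the victim never sees). All key bytes are non-zero so every byte changes.
KEY = bytes(range(1, 17))


def xor_encrypt(data: bytes, key: bytes = KEY) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def write_production(prod: Path, files: dict[str, bytes]) -> None:
    prod.mkdir(exist_ok=True)
    for name, content in files.items():
        (prod / name).write_bytes(content)


def mirror_to_share(prod: Path, share: Path) -> None:
    """Push-style backup: the host copies files to a share it has write access to.
    Anything the host's user can write, malware running as that user can overwrite,
    and the next mirror run would replicate encrypted files over good ones anyway."""
    share.mkdir(exist_ok=True)
    for f in prod.iterdir():
        shutil.copy2(f, share / f.name)


def pull_snapshot(prod: Path, vault: Path, label: str) -> Path:
    """Pull-style backup: the backup server reads from the host; the host holds no
    credentials to the vault. Each run writes a new snapshot and never rewrites an
    old one (on real storage: object lock / WORM, or a volume the host cannot mount)."""
    snap = vault / label
    snap.mkdir(parents=True)
    for f in prod.iterdir():
        shutil.copy2(f, snap / f.name)
    return snap


def ransomware(reachable: list[Path], key: bytes = KEY) -> int:
    """Encrypt every regular file under every path the compromised host can write.
    Returns the number of files encrypted."""
    count = 0
    for root in reachable:
        for f in sorted(root.rglob("*")):
            if f.is_file():
                f.write_bytes(xor_encrypt(f.read_bytes(), key))
                count += 1
    return count


def assess_restore(backup: Path, expected: dict[str, bytes]) -> dict[str, int]:
    """How many of the files we need come back byte-for-byte intact from this backup?"""
    intact = sum(
        1 for name, content in expected.items()
        if (backup / name).is_file() and (backup / name).read_bytes() == content
    )
    return {"intact": intact, "total": len(expected)}


def run_scenario() -> dict:
    base = Path(tempfile.mkdtemp(prefix="ransomware-demo-"))
    prod, share, vault = base / "prod", base / "share", base / "vault"
    try:
        # Day 1: constructed sample data, then the nightly push and pull jobs run.
        day1 = {
            "ledger.csv": b"2021-05-01,invoice,1200\n",
            "contracts.txt": b"ACME master services agreement\n",
        }
        write_production(prod, day1)
        mirror_to_share(prod, share)
        pull_snapshot(prod, vault, "2021-05-01")

        # Day 2: new data lands, and the attack fires before the nightly jobs run again.
        day2 = dict(day1, **{"payroll.csv": b"2021-05-02,payroll,98000\n"})
        write_production(prod, day2)
        # The share is mounted on the host, so it is reachable; the vault is not.
        encrypted = ransomware([prod, share])

        return {
            "encrypted": encrypted,
            "share": assess_restore(share, day2),
            "vault": assess_restore(vault / "2021-05-01", day2),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(run_scenario())
```

Run it and the mirrored share restores nothing, while the snapshot taken the night before restores everything except the day's new file. The design point is who holds credentials: a pull model in which the host cannot write to the vault, plus snapshots that are never rewritten, is what keeps a backup out of the blast radius; the remaining gap is the recovery point, which only more frequent snapshots close.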


I totally understand the logic, but from a standpoint of "paying just encourages more of it" it shocked me to hear it from a security researcher.

If people like him are telling you to pay, then people are going to pay, which will just create more and more and more attacks.


I'm not an expert, but I do work in information security and I personally would tell people to pay, too. I strongly believe there needs to be a way to reduce the frequency of and counter these attacks, but I don't think banning ransom payment is the way.


Maybe he/she has an alter ego who does ‘research’ into ransomware in the middle of the night </conspiracy>


What else do you do? If you don’t have a backup and need the stuff, you’re out of options.


Off-topic, but I really hate this poem - it's a geopolitical equivalent of "Why don't they eat cakes instead?"

Many small and weak nations are barely clinging on for survival by any means necessary - they cannot afford to not pay Dane-geld, and I think they'd appreciate not being mocked as a weakling by someone born to the British Empire.


Kipling is a "Dane" pretending that how his country got that way is because of its moral superiority and toughness, which makes its own demands for geld justified by the burden of maintaining its flawless character.


"As ransomware has grown, so has the industry promising to protect firms from it."

In the aggregate, there may be more money being siphoned off businesses by offering "protection" as a service than from ransom demands.


There is a theory floating about that some ransomware attacks were done purely to damage a country's infra and making money was a bonus, but not the main aim. So the perpetrators used ransomware as a front and the real goal is to destroy and disrupt a country's computer infra.

But then we could argue ransomware is just going to bolster and make our systems antifragile and resilient against such attacks in the future, so the ransomware attacks could backfire since in the future it would be much harder to attack the US for example with other types of malware.

It also means people are going to be storing mission critical and crown-jewels type data in airgapped systems and making filesystems read-only. The data would also be encrypted and compartmented into separate containers so attacks can't affect the whole filesystem if the airgap was breached.

Thank you ransomware authors for forcing people to have better security!


Funny, I've been hearing that argument since the 1990s yet here we are. This concept isn't new; military aircraft have been hardened against electronic attack for years by limiting them to very simple software loaded from tape.

There's a kind of product life cycle where people build tough robust systems with state-of-the-art technology, then those become dominant to the point where it seems superfluous, and people see opportunity in reducing inefficiency, overengineering etc., and adding new and genuinely beneficial features instead.


>> then those become dominant to the point where it seems superfluous

Interesting. Can you give an example that happening over the large scale in some non-military field?


It's just a variation of the Normalization of Deviance. See this[1] short talk by Richard Cook for a very good explanation of the mechanism that causes the transition from "robust" to "superfluous".

[1] https://www.youtube.com/watch?v=PGLYEDpNu60


Apropos to ransomware, network filers.

As the network gets more dangerous, old mechanisms aren't safe to operate, so you transition to a cloud file solution.


I mean, NotPetya claimed to be ransomware, but you couldn't pay the ransom, so yes, at least some ransomware is politically motivated instead of financially motivated.


This isn't considered ransomware, though, and I think it doesn't count and doesn't apply for this argument. It was just a disk wiping and infrastructure disruption operation by the Russian state against Ukraine that happened to appropriate aspects of some known ransomware family for deception/confusion/misdirection/misattribution/plausible deniability purposes.


Yes, that's exactly what I'm saying. It's not ransomware, but it pretended to be for misattribution. How are you contradicting what I said?


Because it's not an instance of politically-motivated ransomware. It's an instance of politically-motivated disk wiping. The parent poster said that it's possible the goal is not just to make money, but in this case no money could even be made. So it's just not relevant to their point.

The question is if actual ransomware may be politically-motivated, e.g. if the big ransomware gangs are being encouraged by the Russian security services to generally disrupt other countries' businesses and infrastructure for geopolitical reasons. NotPetya doesn't help answer that question; it just shows the Russian government does sometimes disrupt other countries' infrastructure.


The problem with recent ransomware is that they get ahold of sensitive data then threaten to leak it if you don’t pay. This is problematic because you can’t be rid of it. Depending on the gravity of the data, if you pay them it’s perfectly plausible for them to show up later and demand another payment or even force you into a perpetual payment system.


>Depending on the gravity of the data, if you pay them it’s perfectly plausible for them to show up later and demand another payment or even force you into a perpetual payment system.

Game theory-wise, though, a ransomware operator knows that a victim won't pay in the first place if they have credible reason to believe the ransomer won't stay true to their word.

My understanding is that most of them genuinely want to maintain a reputation of honesty (like old-school pirates who would hold ships/items/people for ransom), despite the obvious immorality of what they're doing. In some cases this is partly due to a code of ethics/honor (like old pirate codes), but in general it's because their goal is profit, and total profit can be impacted if many victims don't believe there's any point to paying the ransom.

You can see an interesting interview with a ransomware operator here: https://news.ycombinator.com/item?id=27097061


I'm about done with articles that complain about cryptocurrency as a source of this "brand new problem".

Also why don't we talk about tax havens while we're at it?


If you read the whole article, I don't actually see any complaints about cryptocurrency or that it's the source of the problem. I think they're just stating the situation as it is and aren't casting any value judgment.

I like cryptocurrencies, and I also work in information security and malware analysis. I acknowledge ransomware is a massive problem and that ransomware would be stupid to not use cryptocurrency. Technology isn't inherently good or bad; it just is what it is.

I think one of the main sources of the problem here is international law enforcement. The Russian government and security/law enforcement services have a pretty open agreement with cybercriminals: don't target Russian citizens and we won't impact your business. A lot of these organizations are now complementing the ransoms with harassment and blackmail, too, like threatening to release sensitive documents, directly harassing CEOs, etc. And some directly target health care facilities, knowing there'll be more urgency to pay up.

So if you're a Russian citizen, you have carte blanche to steal millions from people around the world, in an organizational structure that mostly resembles a kind of standard office job, with almost no anxiety that it'll ever come back to bite you (as long as you never travel outside of the country).

It reminds me a little of old-school naval piracy and privateering in many ways.

If you're in the US or UK or France or many other places and want to start a lucrative ransomware operation, there's a high chance you'll eventually get caught, so the risk of long-term imprisonment is enough to deter you even if easy millions may tempt you. If you have no moral qualms, great incentives, and nothing to deter you, the possibilities are limitless.

I'm not saying that all countries should extradite - just that they should at least make a good faith effort to cooperate with other countries' law enforcement and stop serious cybercrime like ransomware. Though I can understand why an "underdog" nation-state may want to have good relations with some talented criminals within their borders who they may be able to recruit or order around as needed.


It is exactly analogous to piracy in the 17th and 18th centuries including that pirates operate out of states that are too strong to just outright destroy. When the states were no longer too strong to destroy, they were destroyed as in the 1816 destruction of Algiers by naval bombardment.

It's not just Russia but anywhere that is outside the reach of US court orders and extradition treaties.


Exactly.

>It's not just Russia but anywhere that is outside the reach of US court orders and extradition treaties.

Indeed. It just so happens that the vast majority of these ransomware gangs operate out of Russia and neighboring states. Probably in part due to the confluence of good technical education options, a huge population, and a government that permits the activity. (Not trying to say anything about Russia or Russians but just its government's policy. If it were the US that had this policy, I'm sure the biggest ransomware gangs would operate in the US, instead.)

Another thing that reminds me of piracy (and also EVE Online piracy, for anyone who's played that game) is the strict adherence to the basic pirate code of honoring ransoms so that future victims will be willing to pay. They're as ruthless as they can be before payment, but if the victim cooperates and pays, then they'll keep their word - they provide the decryption key, don't release any of their data, and mark them to not be targeted in future ransomware campaigns. It's solely about making as much money as possible.


Hi, I would be super interested in any evidence you could provide that ransomware authors won't target victims in future ransomware campaigns.


I'm specifically referring to a single group/gang/operator. It doesn't mean a different operator - perhaps using the exact same ransomware software as the initial attacker - won't target them. It might exist, but I'm not aware of any list-sharing between unaffiliated operators.

I can't find a source right now and don't know for a fact how many do this, but I know I've read in at least one interview that a ransomware operator at least claimed they did this.

And regardless of what actually happens in reality - in my opinion, the most economically rational choice would be for all ransomware operators to do this (and to punish other ransomware operators who don't). In general, many of them seem to try to maintain a reputation of honesty and integrity, despite the obvious juxtaposition with the very immoral behavior. I wrote more about this here: https://news.ycombinator.com/item?id=27102646


Especially since that implies they all work together and maintain lists of forbidden targets.


I'm specifically referring to a single group/gang/operator. It doesn't mean a different operator - perhaps using the exact same ransomware software as the initial attacker - won't target them. It might exist, but I'm not aware of any list-sharing between unaffiliated operators.


> It's not just Russia but anywhere that is outside the reach of US court orders and extradition treaties.

Extradition is not a requirement. France, like Russia, will not extradite its own citizens, but you don't see so many criminal gangs operating out of France.


Yeah, it's not merely a matter of Russia not extraditing; they simply don't address the problem at all unless the cybercrime is also affecting other Russian citizens. And in some cases the security services seem to have direct relationships with some cybercriminals. (I'm not sure how friendly or close the relationships are, but there's definitely some tit-for-tat: we let you operate and make all this money, and in return you do us favors when we need them. I believe laundering is one example, like in the BTC-e case.)


It's a very efficient way to operate. This is mostly unrelated, but it reminds me of all those claims of how free market and capitalism promote efficiency wherever they reign.


agree with all points but this one:

  > Technology isn't inherently good or bad; it just is what it is.
I think we need a new framework for looking at this. All of technology creates different variations of the trolley-problem. So it's like saying:

  Trolley-company isn't inherently good or bad; it just is what it is.

In most cases we don't even know there is a trolley so we get away by framing it like this but it's deeply problematic IMO.

Those who write the history books and get to frame things for the future are always the representatives of the trolley company. But just because we have framed it this way throughout human history by using terms such as good, bad or neutral doesn't help either. I'm not saying that tech is bad; I'm saying that any insinuation of presenting tech as neutral from a moral (not legal) POV is problematic. Because if we use this by looking into the past then we must also acknowledge all the medical breakthroughs that were created during WWII. (I'm using a flippant point for the purpose of illustrating just how problematic this statement is, and we're not gonna find a solution by focusing on technology because it's above all not a technical problem.)

Especially people in security would be well positioned to think about this because of the bird's-eye POV and adversarial thought that's required to analyse it. But perhaps it's not enough and we also need to integrate people from other domains (or at least stop being hostile to the social sciences as an "inferior science" ... because this is exactly the place where we don't see the forest for the trees).


>I'm not saying that tech is bad; I'm saying that any insinuation of presenting tech as neutral from a moral (not legal) POV is problematic. Because if we use this by looking into the past then we must also acknowledge all the medical breakthroughs that were created during WWII

(I totally understand your point, but my understanding is that actually very little of medical significance happened to be learned from the human experimentation conducted by Nazi Germany and Imperial Japan during WWII, if that's what you're referring to. But for the sake of argument we can assume it did result in medical breakthroughs. Or if you're just referring to all the breakthroughs that occurred due to the pressure of the war, then that works, too.)

You're right, it's difficult to consider all technology as objectively neutral. If someone invents a device that lets any random teenager easily and cheaply release an aerosolized neurotoxin into a city center and kill thousands of people, it's hard to steelman the "it's the people, not the technology" argument in that case.

Philosophically, my post wasn't too rigorous or accurate. I think in the case of cryptocurrencies, though, there's enough of a balance of positive and negative that it's foolish to discard and vilify the entire concept, even if there are many uses (e.g. scams) that do deserve the critical reaction. If something has some positive utility to it, those always need to be kept in mind. Otherwise, all the politicians arguing in favor of banning encryption would have a much easier time, for example.


> If someone invents a device that lets any random teenager easily and cheaply release an aerosolized neurotoxin into a city center and kill thousands of people, it's hard to steelman the "it's the people, not the technology" argument in that case.

Let me try, though, because I think it's important.

Technology doesn't grow on trees. There are about two ways such a deadly device could be made available to a random teenager:

1. Accidental convergence of unrelated technologies. Somehow, it becomes cheap and easy to acquire a potent neurotoxin (an exotic animal or plant, perhaps?), tools to isolate, clarify and refine it (some toolkit from a chemistry lab?), a refillable spray can, a compressor, protective gear. A random teenager could then, technically, use all these to perform a chemical attack on a budget - if they knew how, and had a will to.

2. Turn-key solution. Someone designs and makes widely available a device for cheaply releasing aerosolized neurotoxins.

In the first case, it's hard to blame any individual piece of technology involved. It boils down to the person willing to weaponize them, or one teaching others how to do it. Worth noting is that all the technologies mentioned (except maybe the neurotoxin itself) are already widely and cheaply available, and necessary know-how is part of high school chemistry curriculum - and I don't think anybody sees any real risk in this.

In the second case, the turn-key solution was explicitly designed with malicious intent - designed by someone who knew the end goal. Most likely commissioned by someone else, who also knew the end goal. Also made available to random teenagers by someone who knew what it is. That's at least three people with ill intent, without whom the technology would not exist (or it wouldn't be a threat). It seems to me that in this case, it's also the humans who should be the center of focus.

With respect to real, instead of hypothetical, discussions about technological neutrality, I feel the constant focus on technologies and technologists in general is one big flock of red herrings - it exists to deflect the focus from the real problem, the people who commission and use these technologies with malicious intent.


> If someone invents a device that lets any random teenager easily and cheaply release an aerosolized neurotoxin into a city center and kill thousands of people

Replace neurotoxin with chemical weapon and this is already a thing — I may be overestimating the industriousness of teenagers, but there is a toxic chemical a motivated teenager can make in two distinct ways using only things found in a normal kitchen.

Thankfully it was a rubbish chemical weapon even when deployed militarily in WW1, but it is a possibility.


Indeed, but the impact would be pretty limited, as you say. I'm thinking something like the Aum Shinrikyo sarin gas attacks, which potentially could've killed many more people than they did.


> And some directly target health care facilities, knowing there'll be more urgency to pay up.

This is a pretty serious allegation, it might be considered terrorist activity depending on how you exactly define that. Same for attacks that intentionally target other critical infrastructure. Putting human lives at risk makes a very real difference here.


Absolutely. Not all ransomware gangs do; like pirates of old, some have a strict ethical code. Some also hate that others are doing it because it attracts more negative international attention towards them. Some care purely about money, though, and see hospitals as easy paydays.

Here's a September 2020 interview with one operator: https://talos-intelligence-site.s3.amazonaws.com/production/...

>The actor appears to have a contradictory code of ethics, portraying a strong disdain for those who attack health care entities while displaying conflicting evidence about whether he targets them himself. This is probably representative of many adversaries engaged in illicit cyber activity.

>Hospitals are considered easy targets, making ransom payments 80 to 90 percent of the time during a ransomware attack.

When easy money's in front of you and there are no deterrents, the sole thing holding you back is your ethics, and given a large enough number of people, some are going to have very little in the way of ethics.

They're so brazen that many don't even care much about privacy. If there are no possible repercussions, why bother trying to conceal yourself?

>During our initial conversations, we shared what we believed to be Aleks’ identity and location based on our own research, which he confirmed.


>If you're in the US or UK or France or many other places and want to start a lucrative ransomware operation, there's a high chance you'll eventually get caught, so the risk of long-term imprisonment is enough to deter you even if easy millions may tempt you. If you have no moral qualms, great incentives, and nothing to deter you, the possibilities are limitless.

Easy? Hardly. You only hear about the successful ransomware. The Twitter BTC giveaway scam is way more profitable, harder to detect, and easier than trying to code ransomware. People make 1 BTC/day, undetectable, with giveaway scams.


Yeah, I shouldn't have said easy, but easier to make millions that way than trying to create a legitimate startup or something.

And you're right, there are certain kinds of scams that are possibly more lucrative for way less effort. A lot of these ransomware gangs started years ago when such scams weren't quite so lucrative. I wouldn't be surprised if many are pivoting into cryptocurrency-related scams and heists.

If you're ignoring effort, though, that one Twitter hack with the BTC-doubling scam made about $100k over a few hours, and that was with access to the top accounts on the platform.

According to a random Google search, a ransomware operator makes an average of $300k per company-ransoming. If you're getting 5 companies to pay you an average of that much per week, it's probably more lucrative than any giveaway scam, even if it takes a lot more effort and skill. And if you're getting more than 5 companies per week, it might be more lucrative than almost any kind of scam.


I’m concerned about this. America has shown since Vietnam that we don’t win in unorthodox wars. The Taliban beat us.

The only analogy I can think of is if a smaller power constantly harasses a larger power's trade routes. Eventually America gets exhausted because we only know how to win a direct war.

They will exhaust us with this over time and continue building leverage. What are we seriously going to do? Go to war with Russia or China?


I don't think anyone wants to go to war over something like this. I definitely don't. There aren't a lot of options, though. You definitely can't do "extraordinary rendition" / kidnapping, for example.

One is sanctions against specific individuals, which the US does do. So at least it's harder for them to participate in the international banking system.

And from my understanding, US law enforcement will often try to trick these cybercriminals to travel to a seemingly more neutral country (sometimes areas that are common vacation choices for Russians), where they'll get arrested after arriving. Some of them have gotten nabbed this way - notoriously Alexander Vinnik, the owner of BTC-e and launderer behind the Mt. Gox hack [1], though I'm not sure if he was lured there or just happened to be there. But as long as someone is smart enough to never leave the country, I think they're pretty much untouchable.

General geopolitical pressure and sanctions is probably the only viable option. Keep collecting evidence of the Russian government's permissive stance and bring it to the negotiating table. If enough pressure is exerted, they might eventually relent and actually start cracking down on the big actors.

If they could pressure Russia to permit extradition to the US for serious crimes, that deterrence would probably stop a lot of operations overnight. I doubt that'll ever happen under Putin, though. (And it'd probably be unpopular enough in Russia that I doubt it'll happen under Putin's successors, either.)

[1] https://www.justice.gov/usao-ndca/pr/russian-national-and-bi...


Go after the financial links. If the only way the ransom can be paid is traveling to Russia with gold bars you’ll see a lot fewer ransoms paid. And before you say cryptocurrency there’s lots of ways Western governments could intervene if they got serious.


>Go after the financial links. If the only way the ransom can be paid is traveling to Russia with gold bars you’ll see a lot fewer ransoms paid.

>And before you say cryptocurrency there’s lots of ways Western governments could intervene if they got serious.

I was definitely gonna say "cryptocurrency". I see absolutely no feasible way that any government could enforce things such that the only way a ransom could be paid would be traveling to Russia and paying the ransomers with gold bars.

I severely doubt any Western government is going to try to ban any cryptocurrency - even Monero. And if they try, enforcement will be extremely difficult.

No matter how hard they make it for a victim to pay a ransom or obtain the assets needed to pay a ransom, a sufficiently desperate victim and a sufficiently greedy ransomer will find a way to make it work.

Perhaps it could realistically help a bit if they threatened victims with prison time for paying ransoms, but in my opinion this would be pretty draconian and wrong - like threatening to imprison someone whose child is kidnapped by a cartel if they pay a ransom to prevent the child from being killed.

Sometimes the victims can be blamed for major negligence, but not always. And even when they are negligent, I don't think they should be punished or prevented from recovering their business in such an extreme way.


I agree that directly threatening victims, even corporate victims, is a bad look. But you need financial intermediaries: brokers, platforms, exchanges, and these institutions' upstream banks, brokers, clearinghouses, and so on. These are exactly the type of institutions that governments can exert a lot of pressure on but so far have mostly declined to do so.


I guess the question is, what does Russia want from the leverage gained from facilitating chaos?


The leverage. One wants the leverage for the leverage. Then you can use it for all kinds of other things, including things you didn't think of before. Like money, save it up and spend on whatever you want at the right time.


Something like 70% of the Russian population say Stalin was a great leader in surveys. Stalin killed by his orders more Russians than World War 2 did, far more people in total than the Holocaust.

Russians in general are pushed towards this idea that they want to be a "great power" on the international stage again, that this will fix their problems - it's certainly how Putin actively thinks. Of course it's never made any sense: Russia is huge. Domestically there's nothing it needs internationally to be a wealthy, prosperous nation, and all its problems are internal.

Hence the chaos: to Russian strategic thinking (that 70% isn't just "the people"; it's far more concentrated amongst the leadership), one way to be a great power is to knock America and the EU down, and chaos suits just fine for achieving that.


There are some things it needs, and it's actively pursuing them.

Warm weather ports is one example


> If you read the whole article

That would be lovely, but I don't subscribe to The Economist.


Yeah, don't blame you or anyone else for clicking the link, seeing the paywall, and immediately closing the tab. It's what I did, as well.

Some commenters posted non-paywalled links below. Not sure of the legality, but I wish HN would/could automatically replace paywalled article links.


As well, no idea about the legality, but this particular article is readable with Javascript disabled, JFYI.


Let me guess: you are from the US of America.

How do I know? Because of the "Russia is evil" mentality. This comes from media in the US and a lack of knowledge of history and geopolitics.

Let's take some history lessons:

Who sank the USS Maine? It was probably a false flag operation, or the ship sank itself because of a gas leak. We know it was not Spain, but it was used as an excuse to enter a war against Spain to take Cuba and the Philippines from them, and to commit genocide of at least a million people in the Philippines.

Who killed Rasputin? The British Government. Why? Because Rasputin was very influential in making sure Russia did not enter WWI. Because they wanted Russia to enter, they propagated all kinds of lies against him that even today remain, and eventually killed him.

Who supported the Bolshevik revolution in Russia? The German Government, so Russia would abandon WWI, as they did after the Lenin coup.

Governments have always supported crimes when they benefited from those crimes, and that has not stopped in modern times.

I asked Reverte, an old war news reporter, who killed his friends and colleagues: https://en.wikipedia.org/wiki/Arturo_P%C3%A9rez-Reverte

He told me: "Half Russian secret services, half the US secret services"

In today's world, the US Government is behind way more crimes than Russia, because they are 10x or 20x more influential, especially after the Berlin Wall's fall. Russia has the GDP of Spain.

The second biggest criminal is China, for the same reason. But US media loves China though.

Now, when an African activist who opposes a US multinational over gas or oil gets killed, who do you believe is behind it, Russia?

Who do you believe is behind it when people are killed protecting the Amazon jungle against the people that want to plant soy so Chinese pigs (and the Chinese that eat pigs) can be fed?

Who is behind all the chaos that is in the north of Africa today? Who supported the war in Libya that made the Libyan army infiltrate the whole Sahel?

Who supported the war in Syria? Afghanistan, Iraq.

How is it that all those new weapons magically appear out of nothing?


This isn't about Russia or the US or politics or anything else you're talking about. It's about the Russian government's particular stance on cybercrime perpetrated against other countries. Unlike most other countries in the world, they explicitly choose to permit it as long as Russian citizens aren't targeted by it.

That's the only thing I'm referring to, here; not anything else their current or past governments or any other country's governments have done or are doing.



> Also why don't we talk about tax havens while we're at it?

Tax havens aren't a party to ransomware. This is just whataboutism.

We can talk about tax havens too, but that's a different conversation for a different time.


Without crypto they were the things to go to. And also many criminals make use of them.


I sincerely doubt most people who are today carrying out ransomware scams were wealthy enough 10 years ago to benefit materially from tax havens haha. If they were, they wouldn't be committing crime today.


You shouldn't claim to know who does and who doesn't commit crime based on how wealthy they are or were.


It's more about rational self-interest. Do the wealthy regularly steal bread from the grocery store? Probably not. The risk-reward profile is all wrong - they have many much easier ways to make money. I suppose you're right that I don't know this for a fact, I'm saying the incentives are wrong.


The way I see it, wealthy people have more ability to evade being caught, and they can operate on a scale that exceeds the capacity of ordinary police. Their risks are also somewhat diminished because they have some way to persevere and something to fall back on, even with a hefty fine. I imagine that there are people parking in illegal places every time because the fine is marginal to them.

All I'm saying is that the way I see it, there's no correlation between wealth and affinity to crime.


"New technology enables the unwashed masses to engage in financial crime at an industrial scale. That's supposed to be reserved only for oligarchs and politicians."

This new technology also enables a degree of financial privacy that's a fundamental threat to civilization. It's... uhh... significantly less private than cash and (depending on the cryptocurrency used) often less private than bank wire. Never mind.

FTFY

Financial crime is one of those things that becomes less criminal as the scale gets larger or as one approaches influential political circles. Launder a hundred grand for a street drug dealer? Go directly to prison. Launder billions for drug cartels through major banks? You might get a fine and have to apologize.

https://www.buzzfeednews.com/article/anthonycormier/hsbc-mon...

Yes this last part is part whataboutism, but not without reason. 2008 proved that meaningful financial reform is virtually impossible. A riot is the last resort of the powerless.


They're not unrelated subjects. A lot of crypto operates much in the same way dark pool finance operates. It's unregulated & opaque. This is prime territory for both scams and other criminal activities.


You're not wrong - but considering we failed to stop p2p file sharing how does anyone expect us to stop this?

The music industry railed against stuff like Napster and got literally nowhere in the grand scheme of things.

We are watching a repeat of history and apparently nobody learned a thing the first time.


Most of p2p was not running for profit.

On the other hand, as soon as you interact with money, there are well-established means to control money flows. If the banking system stops interacting with crypto exchanges, much like they're banned from serving cartels or countries under embargo, cryptocurrency will essentially go back to the fringe status it had a few years ago.

Sure, some people may still use it to buy pizzas. But it will essentially lose its interest when it comes to unregulated banking.

That kind of regulation may actually be a good thing when it comes to blockchain operations, or at least the few of them that can actually demonstrate a benefit in isolation.


I don’t think I know anyone who frequently pirates music anymore…

Mostly due to superior products coming out (Rdio, Spotify) but given that a founder of Spotify was involved in the torrent community, don’t think it’s a crazy theory to say the legal pressure created product pressure.


For music, yes, largely because the music industry has been unable to resist the devaluation of their product in the modern era.

The public simply is unwilling to pay $20 for a CD that maybe has 1 good song on it any more.

Other entertainment has been better able to resist this, though COVID has dealt a much needed blow to the value of movies; it is yet to be seen if this industry will recover.

Unauthorized distribution of non-music media is still very much alive and more popular than ever, really. It is also becoming more popular since, unlike the music industry, the video industry is creating tens, even hundreds, of walled gardens that are IP- and geographically locked to hold on to old, outdated distribution models.

I know many people that are growing tired of the "Which streaming service has the show or movie I want?" question, which changes on a monthly basis: Netflix may have it today, but Prime may have it tomorrow, then Hulu may get it later, as it leaves each of these platforms.

Most people subscribe to a single music service; however, today you need to sign up to 3 or 4 or 5 video services, and that will drive more people back to unauthorized sources that are more convenient.


You hit the nail on the head for this particular example. It took YEARS for the industry to suck it up and make it as convenient as it needed to be, though.

The difference here is that TSLA is already accepting Bitcoin, and the financial sector is already building on Ethereum. So is it really going to be illegal or are there just going to be smoother experiences layered on top that the average user will flock to? Because I'm guessing, based on where we are, that it has to be the latter at this point.

Illegal use will be minimized by a new breed of middleman. It's not ideal, but it's right for the majority of people I think.


What happens the day Tesla or the platform that processes payments for them gets subpoenaed for accepting coins from a ransomware attack? I suspect they will quietly drop their coins and stop accepting new ones, especially since that's unlikely to be a common payment method.


The way out of p2p music sharing was record companies agreeing to provide their content through iTunes music store, Amazon MP3 store, and eventually streaming services. P2P sharing is still around but not like it was because record companies found a new way to make money by giving people mostly what they want.

Maybe it’ll be something similar where government or bank backed crypto becomes the only legal crypto, pushing what’s left even more to the margins.


Was there ever massive energy put into stopping p2p file sharing?

Stopping crypto just seems like it would take pols committed to taking action:

* Attack mining nodes using cyber + military force

* Disallow transactions between USD + crypto in the US/Europe/Any other country that is willing to join or can be leaned on


Easy: crypto operates on the basis of real money entering and exiting the system. Real money is one of the most regulated things we have. Turn off the spigots, no new money in, miners cannot be paid for their services, value drops, people get bored and move on to the next speculative mania. Most people are only in the space for number go up.


The article isn't wrong though. The main uses of cryptocurrencies, other than as speculative assets, are online drug dealing and ransomware payments.

For almost every other application, real money is more useable, convenient and reliable.


For Monero, yes, that's by far the predominant use. For a time, that was the predominant use for Bitcoin, but I'm pretty sure it isn't anymore as of like ~7 years ago, probably. (The article mentions Bitcoin - probably because ransomware operators know ransomware victims can more easily acquire Bitcoin than Monero - but for other kinds of serious black market activity it's almost always Monero.)

For others, I think it's totally untrue even from the start. It's actually usually a lot easier to launder USD than it is to launder something like Bitcoin or Ethereum, given every transaction is completely public and traceable.


The important feature of traditional accounts is that they’re all individually tied to some real-world entity. It’s hard to understand what money ultimately went where in a chain of 10,000 purposely convoluted transactions even if you can see the entire transaction record. Good luck creating 10k bank accounts to shuffle money around.


True. But if someone's goal is to launder, they're just going to use Monero - no need to do any kind of shuffling and mixing like that. It's simply untraceable by default and way more anonymous than USD or Bitcoin.


(I should've said "nearly untraceable".)


Actually bitcoin is terrible for illegal transactions. Everything is traced and logged for all time

> The beauty of Bitcoin, from a detective’s point of view, is that the blockchain records all. “If you catch a dealer with drugs and cash on the street, you’ve caught them committing one crime,” Meiklejohn says. “But if you catch people using something like Silk Road, you’ve uncovered their whole criminal history,” she says. “It’s like discovering their books.”

https://www.sciencemag.org/news/2016/03/why-criminals-cant-h...
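A worked illustration of the point in that quote, added here and not code from the Science article or from Meiklejohn's own tooling: the common-input-ownership heuristic (all inputs of a multi-input transaction are assumed to be controlled by one party) merged with union-find, then used to pull out a cluster's whole spending history. Transaction ids and addresses are constructed, not real chain data.

```python
"""Address clustering with the common-input-ownership heuristic.

Added example (not the article's or any published tool's code).  Every
transaction that spends several inputs is assumed to have been signed by
one party, so its input addresses are merged into one cluster.  Note the
heuristic is defeated by CoinJoin-style transactions where several
parties contribute inputs; it is a heuristic, not a proof.
"""
from collections import defaultdict

# Constructed sample: (txid, input addresses, output addresses)
SAMPLE_TXS = [
    ("tx1", ["A1", "A2"], ["B1", "A3"]),
    ("tx2", ["A3", "A4"], ["C1"]),
    ("tx3", ["D1"], ["D2", "A5"]),
    ("tx4", ["A5", "A1"], ["E1"]),
]


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_inputs(txs):
    """Return a set of frozensets; each is one inferred wallet."""
    uf = UnionFind()
    for _txid, inputs, _outputs in txs:
        for addr in inputs:
            uf.find(addr)  # register single-input addresses too
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
    clusters = defaultdict(set)
    for addr in list(uf.parent):
        clusters[uf.find(addr)].add(addr)
    return {frozenset(members) for members in clusters.values()}


def cluster_of(txs, addr):
    for cluster in cluster_inputs(txs):
        if addr in cluster:
            return cluster
    return frozenset()  # address never spent, so nothing to merge on


def spend_history(txs, addr):
    """Every txid in which the cluster owning addr spent funds."""
    members = cluster_of(txs, addr)
    return [txid for txid, inputs, _ in txs if members & set(inputs)]


def payments_to(txs, addr):
    """Every txid that paid into the cluster owning addr."""
    members = cluster_of(txs, addr)
    return [txid for txid, _, outputs in txs if members & set(outputs)]


if __name__ == "__main__":
    print(sorted(map(sorted, cluster_inputs(SAMPLE_TXS))))
    print("spent by A2's wallet:", spend_history(SAMPLE_TXS, "A2"))
    print("paid to A2's wallet:", payments_to(SAMPLE_TXS, "A2"))
```

Catching A2 with one transaction is enough, under this heuristic, to attribute tx1 and tx4 (and the incoming payment in tx3) to the same wallet, which is the "discovering their books" effect the quote describes.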


But just BTC->XMR->BTC is fine for laundering, then they can buy anything by BTC.


Not for much longer: the upcoming Taproot feature will dramatically improve on-chain privacy.


Taproot is a decent improvement, but hardly a dramatic one. Dramatic improvement requires hiding amounts, such as the Liquid sidechain does.


I understand, and my point is it makes such approaches dramatically more feasible. It might not activate though; 90% is a high threshold.


90% is not that high for an uncontroversial change that practically everyone wants.


You’re going to have to cite that claim if you want it taken seriously. At this point it’s an old criticism with frequently used and valid counterpoints.

Given paying with crypto is as easy as a QR scan these days once someone is onboarded, the other claim that you use, convenience, is about to go out the window: see venmo, PayPal, CB integrations. You might not be following the industry much though?

The problem with your approach here is I hear that, and then I think of HSBC opening a branch for the Sinaloa Cartel, laundering absurd amounts of money for them, and no one ever going to jail.

If the reason not to use crypto is not to support crime, have you or your friends used HSBC, and did you advocate for them to stop? There are several other banks on this roster as well. Two wrongs != right, but I’m not the one saying stop using fungible USD that has for certain touched crime.


> Given paying with crypto is as easy as a QR scan these days once someone is onboarded, the other claim that you use, convenience, is about to go out the window: see venmo, PayPal, CB integrations.

But why would you want to? In most cases, there's simply no benefit to using cryptocurrencies instead of real money.

Even if we could pay for our groceries, clothing, water, electricity, rent/mortgage, taxes, etc. with cryptocurrencies (which, for the most part, we can't) rather than real money, there's no compelling reason to do so.


That’s another pretty common criticism, and it’s a fish don’t know water is wet situation for USA/lot of western counties.

Adoption reasons (and evidence) are fairly well known and proven in other parts of the globe that don’t have currency safety.

Fwiw Andreas Antonopoulos's content from the early 2010s is good for working through this territory.


In fucked up countries even Bitcoin with its wild volatility is more secure than government currency. Cf Venezuela.


Cryptocurrency enables it.

Tell me how you, the CFO of a small US city, would send $1M to Russia in 2006?


Didn’t feel like a complaint about cryptocurrency, but more of an update on empirical points. And agree, both tax havens and cryptocurrency seem important to consider.


Your perspective is not wrong - these write-ups are just getting tiring because they almost sound like propaganda pandering to an audience that doesn't know any better and needs to be protected.

The world's problems are well-documented and fighting technological progress is a waste of time. We need capable law makers and regulatory bodies. None seem fit to the task.


Which is why we need broader dialogue on these problems. So people who are not already deeply invested in those problems (or underlying technologies) can start thinking about how to manage them effectively.


Because tax havens really don't exist. What exists are tax hells! The fact that some countries have lower taxes means that society can produce more without having parasites in the state robbing everyone as easily!

If anything, we need more tax havens.


They generally tax their own populace at a relatively standard rate (20-40%+) while taxing the offshore corps based there at 0% (or more). Hong Kong, for example. In a sense it's economic subterfuge/sabotage.

This is a response to one possible reading of your comment.


Tax havens keep other countries accountable from overspending, because they know people will move away from an overzealous jurisdiction. Just look at CA.

I would move my money to one if I could reap the benefits and I suspect people hate them only because they're not able to also do the same thing.


But why not move yourself?


Asking him to move because of this is pure fascism ideology. You should reconsider that.

There are many reasons why someone might want to live in a place, despite the state there.

The state and the country/state/city/whatever are different things.


I don't know what happened to me, lately I'm becoming more and more fascist. I thought you should pay where you live but I apologize. Clearly not paying taxes was with the best intentions, for a better world.


My government spent the better part of two decades bombing children in the Middle East. Why should I support that if I can choose not to?

Also, can you say I'm not being swindled if I'm spending nearly half my income on taxes?


I'm sure your government was also doing other stuff, like providing schooling, roads and other infrastructure to you. You are freeriding at the expense of other fellow citizens, who pay taxes.


I bet you wouldn't say that of someone who achieved a lot in life but was also a serial killer.

"Sure the guy murdered a lot of children with poison, but let's not forget he also was the best ice cream maker in the neighborhood."


Why wouldn't I say that? I might.

Are you comparing taxes to murdering children with poison and roads you drive on and schooling that you get to ice-cream? That is a bit of an oversimplification, don't you think?


I wouldn't be surprised if some of those children the Americans put in cages at the border died.


Taxation without representation causes wars. Tax evasion is civil disobedience.


That's a very convenient way to exercise civil disobedience.


Are you not able to vote?


Taxation is robbery, extortion and slavery.


I suppose your free kindergarten through grade 12 education, the water you drink from the municipal water system, the roads that were driven on to deliver a computer that can post to HN directly to your door, the DARPA project that became the Internet, etc. are "robbery, extortion, and slavery" as well. Now that we are all robbing, extorting, and enslaving each other... pay your damn taxes.


None of that requires a 50% tax rate like you see in some places. I don't think you realise just how much is wasted. Go look at national debt figures, we could get the same things with half the tax.

The infrastructure argument is moot, too. Just look at US infrastructure crumbling to bits.


I don't think crumbling infrastructure has a lot to do with government waste. It's mostly poor prioritization; using funds that should be set aside for maintenance to build new things instead. New projects capture the imagination, maintenance is something that magical fairies do while everyone is sleeping, or something.

This is more of an intrinsic flaw of humanity than something that has an easy fix. Reality and the version in our minds don't align. Privatization isn't the answer: private companies let their infrastructure deteriorate to the point where it kills people all the time. We even rely on the government to prevent this, and get upset when they don't catch every case. Making the government go away, or underfunding it to the point where it's impotent, probably isn't the fix.

There isn't really an easy answer to society's problems. If there was, we'd have already implemented it. Now we have to deal with the hard problems, and we probably have to do that as a collective. The problem is too large for one benevolent visionary to magically solve.

Something that I think of one of HN's blindspots is the general inability to think past what one person can do alone. We sit in front of our computers and make stuff, then we go to work and make stuff that's almost the same, but it takes 10 people to do only 10% more. That's probably another intrinsic reality of the Universe -- to do a project twice as difficult takes maybe 10 times or 100 times as many resources. That's because communication scales poorly, like n! That's why every successful project management book tells you to cut scope; doing a harder project involves adding more resources, and adding more people to the project has dramatically diminishing returns. But the government can't cut scope, so they have to bear this communications cost. It looks like inefficiency, but it's more like an immutable law.

Keep this in mind while you pontificate about how having a society is akin to robbery.


Stealing from people and using some of the money on them does not make stealing morally right. Same goes for extortion. It looks like you want to continue living off of crime.


It is. Taxes are slavery. Not paying them is better for everyone.


Please don't post flamebait to HN, and please don't use HN for ideological battle. Those things are tedious and lead to predictable, nasty discussion.

https://news.ycombinator.com/newsguidelines.html

https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...


I didn't realize public schools, fire departments, police stations, roads, highways, bridges, army, water, a regulated EM spectrum, a managed airspace, a managed border and NASA, was slavery. It's gonna be tough to explain to my kids how the Mars Helicopter was slavery. Boy was I mistaken!


Please don't respond to a bad comment by breaking the site guidelines yourself. That only makes things worse.

https://news.ycombinator.com/newsguidelines.html



The problem is that politicians, being lawyers, believe that cybercrime can be controlled by after the fact detection, apprehension, and punishment.

This does not work for cybercrime. Cyber systems must be designed so that crime cannot happen.

But a large part of the government does not want that level of security built into systems.


Why can't arrests be made during the cash-out process? Surely it cannot be that hard to trace some of the money.


Monero transactions are extremely difficult to trace.

Bitcoin transactions are traceable and can often lead you to a real person or organization, but if you're the FBI and you're tracing some Russian resident cashing out some extortion payments at a Russian exchange and transferring that money to their Russian bank account, there's nothing you can do about it.

The vast majority of these ransomware gangs are in Russia and/or neighboring states, so that means you can't really do anything about any of them, besides trying to periodically go after some of their infrastructure in a whack-a-mole manner. You can't actually do anything about the criminals themselves.

(I wrote more about this here: https://news.ycombinator.com/item?id=27096715. Not saying anything about Russia or its people, of course, and I know there's a lot of anti-Russia writing in the West, but this particular issue of ransomware can definitely be largely blamed on the Russian government's stance of not addressing it as long as Russian citizens aren't targeted.)


It's almost like the FBI's activities on this matter are futile and should be replaced with continual public service announcements telling people to not give money to the telephone.


This isn't scamming but rather ransomware extortion. If you're the CEO of a company and a ransomware gang targets you, encrypts the disks of every single server, including backups - leaving you completely inoperable - and messages you with screenshots of all the sensitive documents and PII they'll release if you don't pay, it's hard to just release a PSA telling people to ignore it.

The threat is absolutely real, and the total cost might end up being much more than the ransom payment. This happens on a daily basis. You might as well inform people to not pay when a cartel kidnaps their child and holds them for ransom.

A better PSA would be to keep off-site cold-storage backups, secure hot backups as much as you can, abide by the principle of least privilege, keep sensitive materials in as few and secure of places as possible, general network and application security advice, etc. But no matter how much you try to inform people, there'll still be thousands of companies that won't win against organized crime gangs filled with sophisticated, dedicated attackers who are constantly scouring for potential new victims and who know they have no risk of being hampered by any law enforcement organization in the world.


> If you're the CEO of a company and a ransomware gang targets you, encrypts the disks of every single server, including backups - leaving you completely inoperable - and messages you with screenshots of all the sensitive documents and PII they'll release if you don't pay, it's hard to just release a PSA telling people to ignore it.

If a company is this incompetent once, it will happen again. Paying a ransom is just giving the company the opportunity to cover it up and collect more PII without punishment or oversight.


They should indeed be required to report such incidents. But banning the paying of ransoms is also foolhardy, I think, even though the US has now officially declared that paying ransoms is illegal.

They're hoping to game-theoretically reduce ransomware attacks with this policy, but I'm not sure if it'll work. (It might be working to an extent, though, because in the interview I reference in https://news.ycombinator.com/item?id=27097061, the ransomware operator says he's concerned about this policy.)


I think the prohibition is on facilitating payment of the ransom (eg to a previously sanctioned individual or organization).

So what we could see is a situation where Alice kidnaps Bob and tells Carol to pay a ransom; Carol attempts to do so but when she goes to withdraw money from her bank account Dave, her banker, puts a hold on the transaction or even freezes her account if the fact of Bob's kidnapping is widely known.

Bob doesn't make it but Eve, Frank, and Gary tell Carol that his life is a small price to pay for standing up to Alice's terrorism.


The public article just mentions phone scams, but now having read the Outline link I see the private version goes into much more. Obviously PSAs aren't an approach to ransomware, but talking about the need to take software security seriously isn't as directly actionable.


They get arrested as soon as they land on US-friendly soils. (ie: https://en.wikipedia.org/wiki/Alexander_Vinnik )

But, yeah, otherwise the US can't do much if they are currently in Russia or China.


Indeed; I mentioned that, with Vinnik as an example, in https://news.ycombinator.com/item?id=27097212


They're mostly untraceable, but not completely. That's why Monero devs keep trying to increase the ring size.


> That's why Monero devs keep trying to increase the ring size.

Is there anything stopping them? It is my understanding that larger signature rings are always better. Currently it seems to be fixed at 11 signatures. Why not a larger number?

https://www.getmonero.org/resources/moneropedia/ring-size.ht...


Larger transaction size (and hence chain size growth) and verification times.


Is there any data on the strength of the current ring size of 11? Is it sufficient to prevent tracking?
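A small added model of why the ring size question above matters, not Monero project code and not a measurement of the real chain: each transaction hides its one real input among decoys, and an output can be the real spend of only one transaction, so any ring that is already resolved lets you strike its output from every other ring it appears in. A ring of size 1 (the historical zero-decoy case) is resolved outright and can start a chain reaction. The hand example and the simulated chain are constructed; real decoy selection is not uniform, and the fixed ring size mentioned above removes the size-1 seed, so the numbers only show the mechanism.

```python
"""Why ring size matters: iterative elimination of decoys.

Added illustration, not Monero project code.  Simplified model: each
transaction spends exactly one real output hidden among decoys (the
ring), and a given output is the real spend of only one transaction.
A ring of size 1 reveals its spend outright; that output can then be
struck from every other ring it appears in as a decoy, which may leave
some other ring with a single candidate, and so on.  All data below is
constructed.
"""
import random


def eliminate_rings(rings):
    """rings: {txid: set of candidate output ids}.

    Returns {txid: output id} for every transaction whose real spend the
    elimination pins down.  Raises if a ring empties, which means the
    input violates the one-real-spend-per-output model."""
    candidates = {tx: set(ring) for tx, ring in rings.items()}
    resolved = {}
    changed = True
    while changed:
        changed = False
        for tx, ring in candidates.items():
            if tx in resolved:
                continue
            ring.difference_update(resolved.values())  # strike known spends
            if len(ring) == 1:
                resolved[tx] = next(iter(ring))
                changed = True
            elif not ring:
                raise ValueError(f"ring of {tx} emptied; model violated")
    return resolved


# Constructed hand example: one size-1 ring starts a chain reaction.
SMALL = {
    "t1": {"o1"},              # ring size 1: o1 is certainly spent here
    "t2": {"o1", "o2"},        # o1 struck, so o2 is the real spend
    "t3": {"o2", "o3"},        # o2 struck, so o3 is the real spend
    "t4": {"o3", "o4", "o5"},  # o3 struck, two candidates remain: safe
}


def simulate(n_tx=200, n_zero_mixin=40, ring_size=3, seed=7):
    """Constructed chain: the first n_zero_mixin transactions use a ring of
    size 1 (the historical zero-decoy case), the rest use ring_size, with
    decoys drawn uniformly from all earlier outputs whether spent or not."""
    rng = random.Random(seed)
    pool = [f"p{j}" for j in range(ring_size)]  # pre-existing, never spent
    rings = {}
    for i in range(n_tx):
        real = f"r{i}"  # a fresh, genuinely unspent output
        k = 1 if i < n_zero_mixin else ring_size
        rings[f"t{i}"] = {real, *rng.sample(pool, k - 1)}
        pool.append(real)
    return rings


def traced_fraction(rings):
    return len(eliminate_rings(rings)) / len(rings)


if __name__ == "__main__":
    for k in (3, 11):
        print(f"ring size {k:2d}: {traced_fraction(simulate(ring_size=k)):.2f} traced")
```

With ring size 3 a decoy set of two struck outputs is common enough that resolutions cascade; with ring size 11 all ten decoys have to be struck before a ring collapses, so the traced fraction stays close to the size-1 seeds alone. That is the cost-benefit the reply about transaction size and verification time is weighing.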


Thanks, I've clarified my post.


But cross-chain tx of millions of dollars of BTC to XMR is not exactly trivial, unless there is something I am missing.


Indeed; it's their country's law enforcement being okay with the crimes that's the core of the problem, here.


Most of the operators are more or less well-known. But Russia lacks incentive to go after its own citizens who damage American companies.


Monero currently cannot be traced. All known weaknesses currently require correlation with exchange metadata, they can be avoided by simply not transacting through the exchange.


Money laundering online is quite seamless. Just launch an online store or something.




I wonder why pages on archive.is never seem to present the Reader Mode option when opened in Firefox or Chrome. I wish there were a force reader mode option so I could at least try to improve my situation in the case that the archive.is renders some lines of text as 100% overlapping.


> The phones were seemingly designed to hide criminal activity, with end-to-end encryption, disappearing messages and no gps data. Subscriptions were paid in Bitcoin.

Some of this is unusual (no gps) but the rest is standard, no? iMessage is e2e encrypted and lots of platforms have disappearing messages.


A nicely prescient article given the pipeline shutdown on the East Coast.


Isn’t ransomware trivially preventable by backing up files, and having a completely different security procedure and credentials for modifying backups than doing anything else in the system?


Newer variants search and destroy backups first, and poison systems for a couple weeks before cryptolocking everything first.


Would be really interested to see a write-up of those poisoning variants. Presuming cold backups are tamperproof, it seems to me poisoning really only makes sense when fresh data is significantly more valuable than historical (pre-infection) data? If you had a hypothetically secure recovery testing procedure, then it should pick up that the data is corrupted, right? In which case you could tune the frequency of when you run it to reduce the amount of potential fresh data loss.
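One concrete shape for the "secure recovery testing procedure" asked about above, and for the earlier advice about cold backups plus least privilege: an added example, not code from the article or from any backup product. At backup time a manifest of per-file SHA-256 digests is MACed with a key that exists only on the restore-test host, so the production host (and anything that has taken it over) cannot re-sign a manifest after quietly editing data. The drill restores the tree and recomputes digests with a tool from the clean host, which also sidesteps the lying-ls problem: a rootkit on the victim cannot fake what a separate machine reads from the restored files. File names, contents and the key handling are constructed for the demo.

```python
"""Restore-test integrity check with an offline-held signing key.

Added example, not code from the article or from any backup product.
At backup time a manifest of SHA-256 digests is produced and MACed with
a key that lives only on the restore-test host; production never holds
it.  A restore drill recomputes digests from the restored tree with a
clean tool and compares.  Paths, file names and contents are constructed.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

MAC_FAIL = "manifest: bad MAC (manifest altered or wrong key)"


def _digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, signing_key: bytes) -> bytes:
    """Digest every regular file under root; return body + newline + MAC."""
    files = {p.relative_to(root).as_posix(): _digest(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps({"files": files}, sort_keys=True).encode()
    mac = hmac.new(signing_key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + mac


def verify_backup(root: Path, manifest: bytes, signing_key: bytes) -> list:
    """Return a list of problems; an empty list means the tree matches."""
    body, _, mac = manifest.rpartition(b"\n")
    expected = hmac.new(signing_key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, mac):
        return [MAC_FAIL]  # do not trust the file list at all
    listed = json.loads(body)["files"]
    present = {p.relative_to(root).as_posix()
               for p in root.rglob("*") if p.is_file()}
    problems = []
    for rel, digest in listed.items():
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif _digest(root / rel) != digest:
            problems.append(f"modified: {rel}")
    problems.extend(f"unexpected: {rel}" for rel in sorted(present - set(listed)))
    return problems


def demo() -> dict:
    key = os.urandom(32)  # in real use: held only on the restore-test host
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "ledger").mkdir()
        ledger = root / "ledger" / "2021-05-07.csv"
        ledger.write_text("id,amount\n1,100\n")
        (root / "notes.txt").write_text("quarterly close\n")
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)

        # Silent edit during the dwell time before the lockout, plus a deletion.
        ledger.write_text("id,amount\n1,1000\n")
        (root / "notes.txt").unlink()
        poisoned = verify_backup(root, manifest, key)

        # The intruder regenerates the manifest too, but lacks the signing key.
        forged = build_manifest(root, b"guessed-key")
        forged_result = verify_backup(root, forged, key)
    return {"clean": clean, "poisoned": poisoned, "forged": forged_result}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result or 'OK'}")
```

The separation that makes this work is credential separation, the point raised in the question that opened this subthread: the backup job can write data and a manifest, but only the restore-test host can produce a valid MAC, so a compromised production host can corrupt data and even rewrite the manifest and the drill still flags it.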


> only make sense when fresh data is significantly more valuable than historical

This is the case for basically any transactional/accounting system.

If you lose even one day's data, it often would make more sense to pay the ransom than try to reconstruct the transaction flow for that day (or portion of the day) that was lost.


Only if the victim is 100% sure that the ransomware gained entry to the system recently and by a known security failure, eg you click on a phishing link and then have a problem immediately afterwards. If there's any reason to believe that it could have been placed earlier and then the attacker waited a while to set it off, it means your backups are probably compromised too.

Imagine you restore your backups (taking a whole weekend) but it turns out the ransomware is some kind of kernel-level hack that also patches ls to lie to you about files being there when they aren't (as an over-simplified example). Once you realize this you can switch to another tool and pinpoint where things are going wrong, but now restoration takes twice as long as before, plus the farther back you go the more commercially valuable data you lose.

You don't even need to compromise the backup software, as long as it looks like you might have done so.


Used to be. Now they grab a copy of the data and threaten you with divulging it. That can be a huge problem.


Also an outage in itself can be a major issue. A health care provider with no working computers is kind of dead in the water these days, and fixing all of this can take days or weeks.


The issue is that getting a competent workforce to maintain your systems is not always easy, especially if you're not in an industry with a connection to tech.

Ransomware also targets individuals, who typically don't have the knowhow to sanitize their computers. Since our industry is kind of not caring about security wrt consumer goods, they're left to fend for themselves.


New technology has enabled everything to be scaled up so why would crime be any different...


Many technologies bring what they touch to an industrial scale. Nothing unusual.

Except maybe that new tech in the information/internet era seems to concentrate power more and more in fewer people. So to me the problem is not the scale but the instability.



