

Nokia 'paid millions to software blackmailers six years ago' - rpledge
http://www.timminspress.com/2014/06/17/nokia-paid-millions-to-software-blackmailers-six-years-ago-tv

======
swatthatfly
I always wondered how you do paperwork for something like this. It must be a
nightmare from an accountant's perspective. What is the bill code for
"blackmail" when you file the income tax and write a 6-figure expense? In
the end your cash has to balance out, you cannot not declare it. Anybody with
experience in something like this?

~~~
Demiurge
Isn't there something fringe like 'theft' or miscellaneous losses?

~~~
TheCoelacanth
Having a code for theft is definitely a thing. For many businesses, having a
small amount of theft is just an unavoidable cost of doing business.

------
a2tech
'the money was delivered but the police lost track of the culprits'

A solid showing by the Helsinki police

~~~
theg2
It's almost out of a movie. One of your larger national companies is being
extorted and you fail to follow the people doing so?

It also had to be a pretty big vulnerability for them to have to pay that much
in the first place.

~~~
ohashi
It makes it sound like it was the keys to the castle.

~~~
grrowl
It was. They could have signed _any_ phone application to pretend like it was
developed by Nokia, and therefore could have done anything to the phones
(hence the malware angle).

------
0x0
That's absolutely insane! Even after paying the ransom, how could they be sure
no one was still sitting on the keys? Assuming it's code signing keys, it
sounds incredibly irresponsible to not (force) update all devices anyway.

Is the only thing protecting the safety of those devices really the promise of
a blackmailer not to abuse the private keys they were sitting on?

... makes me wonder what else we don't know about all the other vendors...

~~~
josh2600
In 2008, forced updates of mobiles, particularly of the s40 and s60 variety,
were not a thing.

It turns out that when an operating system is in service for a very long time
without updates, bad things happen. Now if you want a real scare, consider for
a moment all of the code running on embedded hardware that makes up the
entirety of the world energy grid.

~~~
0x0
Maybe not forced, but I did update several s60 devices as they had new
firmware published. So they should at least have made the updates public and
explained that everyone must upgrade.

Imagine, for example, OpenSSL being told about the Heartbleed vulnerability,
then being pressured into paying big money to prevent disclosure, and then
keeping their mouths shut about it for six years. Except this is even worse
because at least then someone could look at diffs. I can't even think of a
proper analogy here.

~~~
Maakuth
Nobody but the nerdiest of phone users bothered to ever connect their phones
to a PC, and over-the-air updates were not supported. The risk of malware
signed with the key showing up was probably weighed against the hassle
updating everything would have caused.

------
fidotron
I can fully see how this could happen. Too many companies don't understand the
value of keys like this, and won't until they have a similar situation.

I wonder how exactly the criminals came to have them in the first place, but
would be willing to bet it was ultimately incompetence by someone at Nokia.

~~~
asmosoinio
Having done a few code signings physically at Nokia Tampere back in the
Symbian days, I would say they were pretty serious about these codes. Not that
the security was 100% tight, but it did involve having to go to a single
locked up computer with someone looking at you, keys to the safe in different
places, required two separate persons from the signing to be there etc.
Impressed myself at least.

------
broolstoryco
Ah yes, the good old days when software extortionists demanded cash in parking
lots. To me Bitcoin seems much older than it actually is.

------
pdenya
Wow, that's rough. Not much you can do against a vulnerability that'll destroy
the trust of your entire customer base. A DDoS is one thing, but I probably
would have paid the millions in this case.

~~~
mbreese
I wonder how much it would have cost to push out an update to all of the
Symbian devices in the wild at the time. It wouldn't have been easy, and would
have been a PR nightmare, but it could have been done.

The question is: would it have been worth it? I don't know, but hiding things
rarely goes well. Then again, I don't know of any public instances where this
has happened, but I'm sure Nokia aren't the only ones to have been hit by
this.

~~~
0x0
Code signing key compromise has happened at least for Red Hat and Adobe quite
publicly. Plenty of malware uses code-signed Windows device drivers with
stolen(?) hardware manufacturer keys, too.

------
cornholio
> Had it done so anyone could then have written additional code for Symbian
> including possible malware which would have been indistinguishable from the
> legitimate part of the software.

Like a rootkit then? It's a classic case of robbing the mob, as in 'the
people who actually own the phone you think you've bought'.

------
fucktheid
they got the buckets, they got the source, they are anonymous.... release the
code!

------
hyperion2010
I'm trying to imagine this happening to someone like Red Hat.

BM: "We have the keys to your software repos, give us money or we leak." RH:
"Here's a tarball of the sources, it makes your life easier, knock yourselves
out! Maybe we'll even get some new developers!"

Obviously there are reasons why companies choose to keep their software
closed source, but sometimes I wonder.

~~~
porpoisemonkey
I think the analogy is a little off.

This would be like someone having the GPG signing key for the Red Hat official
repositories. It would give them the ability to insert their own (malicious)
software package into the Red Hat update stream without the signature throwing
any warnings.

~~~
hyperion2010
Isn't that why we keep revocation certs around? That doesn't really work for
blackmail anyway because it is dependent on preventing the organization from
knowing that you have access.
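An added example, not code from the thread or from Nokia or Red Hat, that models the situation the last few comments describe: a minimal signed update stream in Go. A package signed with the stolen release key verifies exactly like a legitimate one, revocation only helps devices that actually receive it, and a replacement key must be distributed before anything new can be trusted. Package, Client, KeyID, NewKey, NewClient, Sign, Verify, Revoke and Rotate are all constructed names for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
)

// Package is a constructed, simplified update-stream entry: the bytes a device
// would install plus a signature made by the release key identified by KeyID.
type Package struct {
	Body  []byte
	KeyID string
	Sig   []byte
}

// Client holds the release keys a device trusts and the key IDs it has seen revoked.
type Client struct {
	Trusted map[string]ed25519.PublicKey
	Revoked map[string]bool
}

// KeyID is a short fingerprint for a public key (hex of its first 8 bytes).
func KeyID(pub ed25519.PublicKey) string { return hex.EncodeToString(pub[:8]) }

// NewKey generates a fresh Ed25519 release key pair (a nil reader means crypto/rand).
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // only errors if the system RNG fails
	return pub, priv
}

// NewClient trusts exactly one release key and knows of no revocations yet.
func NewClient(pub ed25519.PublicKey) Client {
	return Client{Trusted: map[string]ed25519.PublicKey{KeyID(pub): pub}, Revoked: map[string]bool{}}
}

// Sign produces a package; anyone holding priv can do this, vendor and thief alike.
func Sign(priv ed25519.PrivateKey, body []byte) Package {
	pub := priv.Public().(ed25519.PublicKey)
	return Package{Body: body, KeyID: KeyID(pub), Sig: ed25519.Sign(priv, body)}
}

// Verify accepts a package only if its key is trusted, not revoked, and the signature is valid.
func (c Client) Verify(p Package) bool {
	pub, ok := c.Trusted[p.KeyID]
	return ok && !c.Revoked[p.KeyID] && ed25519.Verify(pub, p.Body, p.Sig)
}

// Revoke and Rotate only protect devices that actually receive the change.
func (c Client) Revoke(id string)             { c.Revoked[id] = true }
func (c Client) Rotate(pub ed25519.PublicKey) { c.Trusted[KeyID(pub)] = pub }
```

A device that never fetches the revocation keeps installing whatever the old key signed, which is why the commenters above argue that a key compromise demands an update pushed to every device rather than a private settlement.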

