
US police force pay Bitcoin ransom in Cryptolocker malware scam - cellis
http://www.theguardian.com/technology/2013/nov/21/us-police-force-pay-bitcoin-ransom-in-cryptolocker-malware-scam
======
danielharan
"[Police] insisted that the Massachusetts police systems were now clear of
infection, and that essential operational computers were not affected, nor was
there any data stolen."

How the hell would they even know?

~~~
jrockway
According to every article I've read on the Internet, you can't steal data,
only copy it. It's not stealing if the owner is not deprived of the original
copy. Therefore, it's correct to say that no data was stolen.

~~~
belorn
I know I am replying to a troll comment, but here it is.

It is very easy to steal data. Copy the data, and then delete the original.
However, the goal of this malware is to neither delete nor copy the data. It
simply sabotages the data, after which the computer user has to pay in order
to get the data restored.

~~~
abcd_f
Sarcastic. You are replying to a _sarcastic_ comment.

------
shitlord
It is kind of ridiculous how the police manage to damage their computers. As
people in positions of power, they really need better training on security and
handling equipment. I've seen Toughbooks with severe physical damage... and
those things are REALLY hard to damage. At the very least, they need to be
taught not to open email attachments from people they don't know.

~~~
dmix
I wouldn't be so quick to judge their lack of ability - it seems pretty hard
to prevent spearphishing among a broad set of non-technical users.

Training would ideally involve the organization testing by spearphishing their
own employees internally like a lot of security companies often do:

[http://www.darkreading.com/end-user/how-lockheed-martin-phis...](http://www.darkreading.com/end-user/how-lockheed-martin-phishes-its-own/240153683)

~~~
nwh
Cryptolocker spreads with a really stupid email message, and an attachment you
have to extract and then execute. You have to be incredibly technically inept
to get hit with it.

~~~
GhotiFish
So let's say you have to be so inept with computers that literally 98% of the
population is more competent on them than you. If you hire 40 people, you have
a better than 50% chance of getting someone that inept.

~~~
thaumasiotes
This is only true if your hiring method is "select people at random and draft
them into working for you". Suppose I chose any 40 people who were currently
developing software for Microsoft. What are my chances of getting one person
among those who is at or below the 2nd percentile of computer literacy?

Followup questions:

How does Microsoft avoid hiring people below the 2nd percentile in computer
literacy? They have way more than 50 developers.

Should the police force screen applicants in any way?

Is using a computer part of a police officer's job?

Are the police even _able_ to compel randomly-chosen people to work for them?
If not, the premise of your numbers is fatally flawed.

~~~
GhotiFish
It's true, my numbers are flawed. Though I would ask, flawed in what way?

Is it more or less likely? The police don't hire on technical skill,
presumably people of high skill in this area end up in different careers?

The accuracy of the numbers is, frankly, unimportant. What I was illustrating
was the multiplicative effect, which remains relevant. I freely admit the
numbers themselves were made up.

~~~
thaumasiotes
Well, you're right about how independent probabilities combine. But the
situation you describe has so little relationship to hiring that I don't see
how it's relevant to anything. In general, I don't expect to see someone at
the 2nd percentile of ability holding down a job at all. Even very basic
screening will keep them away with great reliability, because they're so far
out of the norm. So I don't see this as a case of "sure, I made up figures
that might be off by a factor of 10-100", I see this as you describing a
situation utterly unrelated to any aspect of reality I'm familiar with. You
can't just make some numeric tweaks to the model; the whole thing is
fundamentally at odds with what you're trying to describe.

Now, it's definitely not true that you have to be below the second percentile
to get phished:
[http://www.locusmag.com/Perspectives/2010/05/cory-doctorow-p...](http://www.locusmag.com/Perspectives/2010/05/cory-doctorow-persistence-pays-parasites/)

But if it were true, phishing would be largely a nonissue for workforces
(other than the police, who often _do_ set ultra-low thresholds for their
screening).

~~~
GhotiFish
>But if it were true, phishing would be largely a nonissue for workforces
(other than the police, who often do set ultra-low thresholds for their
screening).

I think you and I are on the same page.

I am curious on why you think I'm off the mark, even if people under the 2nd
percentile are less likely to get hired, it doesn't really change the math,
it's the same as saying: "but it's only people under the first percentile!"

Side note: I feel that 150 million people are employable in professions that
don't require a competency with computers. At the very least I'm grateful that
same property doesn't apply to carpentry or construction. As I'm easily in the
first percentile for these trades, I'd NEVER get a job. I can't even hang a
picture! Why does it always go wrong? T.T

------
vincie
This is actually the first report of Cryptolocker where "Windows" was
mentioned. I find it strange that most reports of malware I ever read never
mention Windows.

~~~
teddyh
Fish do not know what water is.

------
amalag
I worked with a company which was affected. They opened a phishing email which
claimed to be within the company. We didn't pay any ransom because we
recovered from Crashplan backups.

------
bmslieght
I had thought the Police is aiding and abetting a crime by paying? In the (UK)
not USA - paying a ransom is technically illegal.

------
vincie
Isn't opening an email attachment a standard, right thing to do? Aren't email
attachments supposed to be the main ways to send someone a non-text file, by
design? If so, blaming people for doing it is wrong. It is Windows that is
wrong. It is the way that Windows lets these executables run and do these
things that is wrong.

~~~
akx
Considering the Cryptolocker executable does absolutely nothing to elevate
itself to admin or exploit the system in any other way, it sounds like you're
arguing in favor of a walled garden system where only preapproved binaries may
run.

~~~
Luc
Not even preapproved binaries. No binaries at all should run by opening them
from an email. It's simply a usability design decision by the developers of
the email reader.

~~~
heartbreak
If I download a binary from the GMail web interface, the enterprise Outlook
web interface, etc., how does Windows know the difference between that binary
and a legitimate download received from my web browser? Sure, you get the
"This program was downloaded from the Internet" popup (just like OSX), and
group policy could dictate that _no_ binaries from the Internet may run, but
how is Windows supposed to tell the difference between an email web client and
any other file downloaded from the web?

~~~
Mister_Snuggles
I just saved an attachment from GMail. When I go into the Get Info box (OSX),
I can see what URL it came from. I'm sure that Windows attaches similar
metadata when it saves attachments.

Maybe something like this could serve as a basis for what you propose. The
attachment I saved came from
[https:///mail-attachment.googleusercontent.com](https:///mail-attachment.googleusercontent.com).
Maybe the solution is as simple as webmail
providers putting some standard hostname in their attachment URL that
identifies it as an email attachment.

Unfortunately though, there are legitimate reasons to circumvent this (have
you ever emailed yourself something so you could run it on another computer?),
so it would only be a matter of time for attackers to figure out the social
engineering required to convince people to jump through those hoops.
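
Added example, not part of the thread: on Windows the download-origin metadata discussed above lives in the file's `Zone.Identifier` alternate data stream (`ZoneId`, `ReferrerUrl`, `HostUrl`), and the Python sketch below applies the proposed "block executables that came from a webmail attachment host" policy to its contents. The host list, extension list, function names and sample stream contents are assumptions constructed for illustration.

```python
import configparser
from pathlib import PurePath
from urllib.parse import urlsplit

# Assumption: hosts treated as "webmail attachment" origins. The entry is the
# hostname quoted in the comment above; a real list would be site policy.
MAIL_ATTACHMENT_HOSTS = {"mail-attachment.googleusercontent.com"}
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}
INTERNET_ZONE = 3  # ZoneId Windows records for files downloaded from the Internet

def parse_zone_identifier(text):
    """Parse the INI-style Zone.Identifier stream into a lower-cased dict."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:      # malformed stream: treat as no metadata
        return {}
    return dict(cp["ZoneTransfer"]) if cp.has_section("ZoneTransfer") else {}

def from_mail_attachment(host_url):
    """True if the URL's host is, or is a subdomain of, a listed mail host."""
    host = (urlsplit(host_url).hostname or "").lower()
    # Exact or dot-anchored suffix match, so look-alike hosts do not qualify.
    return any(host == h or host.endswith("." + h) for h in MAIL_ATTACHMENT_HOSTS)

def should_block(filename, zone_text):
    """Block risky file types whose recorded origin is a webmail attachment."""
    if zone_text is None:           # no origin metadata: this check cannot decide
        return False
    zone = parse_zone_identifier(zone_text)
    try:
        zone_id = int(zone.get("zoneid", "0"))
    except ValueError:
        return False
    risky = PurePath(filename).suffix.lower() in RISKY_EXTENSIONS
    return (risky and zone_id >= INTERNET_ZONE
            and from_mail_attachment(zone.get("hosturl", "")))

# Constructed sample stream contents (not captured from a real machine).
SAMPLE_MAIL = ("[ZoneTransfer]\nZoneId=3\nReferrerUrl=https://mail.google.com/\n"
               "HostUrl=https://mail-attachment.googleusercontent.com/attachment/u/0/?ui=2\n")
SAMPLE_WEB = "[ZoneTransfer]\nZoneId=3\nHostUrl=https://downloads.example.org/setup.exe\n"
SAMPLE_LOOKALIKE = ("[ZoneTransfer]\nZoneId=3\n"
                    "HostUrl=https://mail-attachment.googleusercontent.com.example.net/x\n")

if __name__ == "__main__":
    for name, z in [("invoice.exe", SAMPLE_MAIL), ("setup.exe", SAMPLE_WEB),
                    ("report.pdf", SAMPLE_MAIL), ("invoice.exe", SAMPLE_LOOKALIKE),
                    ("invoice.exe", None)]:
        print(name, should_block(name, z))
```

The `None` case is the limit raised in the comment above: once a file reaches disk without the stream (for example after being moved through a path that does not preserve it), an origin-based rule has nothing to act on.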

------
officialjunk
Anyone find it funny that the article warns about opening email attachments
and at the bottom of the page is a signup form for a "zip file email." Poor
wording choice.

------
alexeisadeski3
Speechless...

