
CryptoLocker's crimewave: A trail of millions in laundered Bitcoin - hseldon15
http://www.zdnet.com/cryptolockers-crimewave-a-trail-of-millions-in-laundered-bitcoin-7000024579/
======
pyalot2
I'm actually pretty happy cryptolocker's around. No, wait, don't hang me yet,
stuff your pitchforks, let me explain.

Let's face it, computer security has been pretty bad through pretty much the
entire personal computing era. I don't need to point any fingers, the guilty
know who they are.

Now unlike some others, Apple and Linux do try to do a few things about that,
in different ways, with varying degrees of success. But it's better, by far,
than the teeming mess on that other platform we won't be mentioning.

I believe if we want to use IT in the future, that this stuff's got to get
pretty much bullet and foolproof. And without a credible threat it won't get
there. Now, one of the things that held the development of a credible threat
back, was the limited ways in which security holes could be monetized.
"Fortunately" that's no longer a problem.

And now that I think we have a credible threat, will we now, please, with
sugar on top, get computer security right? Isn't it, like, kinda time?

~~~
ryanjshaw
Computer science solved this problem (the "Confused Deputy" [1]) _decades_ ago
[2] [3] with capability-based security [4].

I don't have the time to find the exact reference I'm thinking of right now,
but consider taking a look at one of the papers that give a background to
CapDesk [5]:

Which addresses, among other things:

> "All Windows and Unix operating systems (referred to as “Winix” hereafter)
> utterly disregard the concept of POLA [Principle of Least Authority]. When
> you launch any application—be it a $5000 version of AutoCAD fresh from the
> box or the Elf Bowling game downloaded from an unknown site on the Web—that
> application is immediately and automatically endowed with all the authority
> you yourself hold. Such applications can plant Trojans as part of your
> startup profile, read all your email, transmit themselves to everyone in
> your address book using your name, and can connect via TCP/IP to their
> remote masters for further instruction. This is, candidly, madness." [6]

Since then, things have changed _slightly_ - UAC under Windows, for instance,
means applications now only have the ability to steal and hold your highly
valuable and personal documents for ransom, but hey, at least these sneaky
trojans don't have admin rights! Which is of course the exact scenario that
Cryptolocker happily exploits.

There's really no reason a piece of junk attached to your email application
should execute _any_ more authority than you _explicitly_ grant it. (And no
that doesn't require clicking a bunch of buttons to "Allow" access --
intelligent UI design can make much of this completely transparent, _provided_
the host platform is capability-based.)

It's not that companies like Microsoft aren't well aware of capability-based
security [7], it just seems to be that the appetite isn't there to _really_
solve user's problems (breaking stuff like the Start Menu appears to be more
important), despite the valiant efforts of some really smart people [8]. To be
fair, shifting to a capability-based system would be a significant engineering
effort, but definitely well within the realms of Microsoft or Apple's
capabilities.

(Interestingly, some of the ideas on erights.org were influenced by Nick
Szabo, who created "Bit gold" and who a few people think might be Nakamoto
himself [though he denies it] [9])

[1a] http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html

[1b] http://erights.org/elib/capability/deputy.html

[2] http://www.cis.upenn.edu/~KeyKOS/Gnosis/Gnosis.html

[3] http://www.cis.upenn.edu/~KeyKOS/Key370/Key370.html

[4a] http://www.skyhunter.com/marcs/capabilityIntro/index.html

[4b] http://erights.org/elib/capability/3parts.html

[5] http://www.combex.com/papers/index.html

[6] http://www.combex.com/tech/edesk.html

[7] http://research.microsoft.com/en-us/projects/singularity/

[8] http://en.wikipedia.org/wiki/Capability-based_security

[9a] http://erights.org/related.html

[9b] http://unenumerated.blogspot.com/2011/05/bitcoin-what-took-ye-so-long.html
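
The confused-deputy problem and the capability answer to it, as an added illustration that is not part of ryanjshaw's comment or of the cited KeyKOS/E papers. The file paths, principals and the ACL are constructed; the "compiler" deputy is the classic example from the Confused Deputy paper, simulated in Python. The ambient-authority deputy takes only a path string from its client and writes it with the deputy's own rights, so a client can aim it at a file the client itself may not touch. The capability deputy holds no rights of its own and writes only through a `WriteCap` object, which the client can only obtain for paths it is actually authorised to write.

```python
"""Confused deputy vs capability-based designation (constructed example, not from the
cited KeyKOS/E papers). Paths, principals and the ACL below are made up."""
from dataclasses import dataclass

INITIAL_FILES = {"/home/alice/notes.txt": "draft", "/var/billing/charges.db": "alice:0"}
# Who may write each path. The deputy ("compiler") legitimately owns the billing file.
WRITE_ACL = {
    "/home/alice/notes.txt": {"alice", "compiler"},
    "/var/billing/charges.db": {"compiler"},
}
FILES = dict(INITIAL_FILES)


class Denied(Exception):
    pass


# --- Ambient-authority deputy -------------------------------------------------
# The client only *designates* an output path (a string); the deputy then writes it
# with the deputy's own rights. Nothing ties "who asked" to "who may write here".
def compile_with_ambient_authority(output_path):
    if "compiler" not in WRITE_ACL.get(output_path, set()):
        raise Denied(output_path)
    FILES[output_path] = "compiled output"
    return output_path


# --- Capability deputy --------------------------------------------------------
@dataclass(frozen=True)
class WriteCap:
    """Designation and authority travel together in one unforgeable object."""
    path: str

    def write(self, data):
        FILES[self.path] = data


def grant_write_cap(principal, path):
    """Caps are only issued to principals the ACL authorises for that path."""
    if principal not in WRITE_ACL.get(path, set()):
        raise Denied(f"{principal} cannot write {path}")
    return WriteCap(path)


def compile_with_capability(output_cap):
    """The deputy holds no rights of its own; it writes only through the cap it was handed."""
    output_cap.write("compiled output")
    return output_cap.path


def demo():
    FILES.clear()
    FILES.update(INITIAL_FILES)
    out = {}
    # Ambient: a client points the deputy at the billing file and the deputy complies,
    # because the check is about the deputy's rights, not the client's.
    compile_with_ambient_authority("/var/billing/charges.db")
    out["ambient_billing_overwritten"] = FILES["/var/billing/charges.db"] == "compiled output"
    FILES.update(INITIAL_FILES)
    # Capability: the same client cannot obtain a billing cap, so cannot aim the deputy there.
    try:
        compile_with_capability(grant_write_cap("alice", "/var/billing/charges.db"))
        out["cap_billing_overwritten"] = True
    except Denied:
        out["cap_billing_overwritten"] = False
    # Capability: the legitimate use still works, with no extra prompts.
    compile_with_capability(grant_write_cap("alice", "/home/alice/notes.txt"))
    out["cap_notes_written"] = FILES["/home/alice/notes.txt"] == "compiled output"
    return out


if __name__ == "__main__":
    print(demo())
```

The point the comment makes about UI follows from the second half: the client never clicks "Allow"; choosing a file it may write (as a file picker would) is what hands the deputy the capability.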

~~~
ufmace
This sounds a lot like how Android does security - each app requests a
specific list of permissions at install time, and you can either accept or
reject it. That, and the apps being signed to prevent tampering, and by
default can only be installed from the Play store.

I think Android security has proven to be pretty solid - there have been a few
spyware apps, mostly killed quickly, but nothing that was able to spread on
its own like the big desktop viruses.

One thing that I'd like to see added that Android doesn't seem to have right
now is a more limited Internet permission. Right now, apps have to either
request full permission to send and receive anything on the internet, or no
connection at all. Why not a permission to communicate only with specific
domain names? Like Evernote can request permission to only communicate with
addresses resolved from evernote.com, instead of anything on the internet. It
might also have the effect of pushing apps to use the Android ad API instead
of their own.

~~~
derekp7
Only problem is that I don't know of anyone that examines that list of
permissions, and will reject an app if those permissions seem too much. How is
a regular user to know if it is bad for an app to access your phone book, or
internet connection? Depending on the app, this may be necessary for the app
to function. Or for it to serve ads.

What is needed, is for trusted third parties to verify if a given list of
permissions is needed, and give (via a security software add-on) a popup with
an assessment of how safe it is to install that app -- green, yellow, or red,
for example. That is about the only thing that most end users (and even busy
geeks) can really comprehend.

~~~
ufmace
There's at least some truth to that, but that's the point that I was trying to
get to. GP claims that "Computer science solved this problem decades ago" in
reference to capability-based security. Android is the only OS that I'm aware
of implementing anything like that on a mass scale, and while security there
has proven to be at least decent, I'd hardly call it a solved problem.

Capability-based security is ultimately just another buzzword, no more of a
perfect solution than any of the others. I don't think you can call any type
of security problem solved by your pet technology until it is deployed at
scale in the real world and proven to work. Until you have had tens of
millions of users and hundreds of thousands of developers bashing away at it
for years, you just don't know if you've really solved the problem.

Android's capability-based security is good, but IMHO the more important
security innovation is secure app-specific data stores. You might request more
permissions than you should, and some clueless users might install it anyways,
but you still can't ever get access to the data or credentials stored by the
banking app, the social media app, etc.

~~~
derekp7
Ah, so instead of asking the user for permission to access something, an app
also would need another app's permission to access that data. Of course, this
has already been pioneered by companies implementing DRM, but still, I wonder
how this can be implemented in a general sense.

~~~
ufmace
Er, what I meant is that Android already does this. All apps' data stores are
private to that app by default. The only way for any other app to access them
is for the owning app to specifically set up an interface and permissions to
access it, and the accessing app to request those permissions at install time.

I don't have much experience with iOS, but I expect it does something similar.
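
The model ufmace describes in this sub-thread (install-time, all-or-nothing permission grants; app data private by default; cross-app access only through an interface the owning app exports and gates on a permission the reader declared), as an added simulation that is not part of the thread and is not Android's real API. Package names, permission names and stored values are constructed. It shows the distinction made above: an over-permissioned app the user waved through still cannot read another app's private data, while an app that declared the owner's exported permission reads only what the owner chose to expose.

```python
"""Constructed model of Android-style app sandboxing: install-time permission grants,
private-by-default data stores, and owner-exported interfaces gated by a permission.
Not Android's real API; package and permission names are made up."""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    pass


@dataclass
class App:
    package: str
    requested: frozenset                          # permissions declared in the manifest
    granted: frozenset = frozenset()              # what the user accepted at install time
    private_store: dict = field(default_factory=dict)
    exported: dict = field(default_factory=dict)  # uri -> (required permission, reader fn)


def install(app, user_accepts):
    """Install-time prompt: accept the whole list or the install is refused."""
    if not user_accepts:
        raise PermissionDenied(f"install of {app.package} declined")
    app.granted = app.requested
    return app


def read_private(caller, owner, key):
    """Private store: only the owning package can read it, whatever the caller was granted."""
    if caller.package != owner.package:
        raise PermissionDenied(f"{caller.package} cannot read {owner.package}'s private store")
    return owner.private_store[key]


def export(owner, uri, required_permission, reader):
    """The owner chooses what to expose and names the permission a reader must hold."""
    owner.exported[uri] = (required_permission, reader)


def read_exported(caller, owner, uri):
    """Cross-app access: the uri must be exported and the caller must hold its permission."""
    if uri not in owner.exported:
        raise PermissionDenied(f"{uri} is not exported by {owner.package}")
    required, reader = owner.exported[uri]
    if required not in caller.granted:
        raise PermissionDenied(f"{caller.package} lacks {required}")
    return reader(owner.private_store)


def demo():
    bank = install(App("com.example.bank", frozenset({"INTERNET"})), True)
    bank.private_store.update({"session_token": "tok-123", "balance": 42})
    # The bank exposes the balance only, behind a permission it defines itself.
    export(bank, "content://bank/balance", "com.example.bank.READ_BALANCE",
           lambda store: store["balance"])

    # Over-permissioned app that a clueless user installed anyway.
    greedy = install(App("com.example.flashlight",
                         frozenset({"INTERNET", "READ_CONTACTS", "SEND_SMS"})), True)
    # Budgeting app that declared the bank's exported permission at install time.
    budget = install(App("com.example.budget",
                         frozenset({"com.example.bank.READ_BALANCE"})), True)

    out = {}

    def attempt(name, fn):
        try:
            out[name] = fn()
        except PermissionDenied:
            out[name] = "denied"

    attempt("greedy_token", lambda: read_private(greedy, bank, "session_token"))
    attempt("greedy_balance", lambda: read_exported(greedy, bank, "content://bank/balance"))
    attempt("budget_balance", lambda: read_exported(budget, bank, "content://bank/balance"))
    attempt("budget_token", lambda: read_private(budget, bank, "session_token"))
    attempt("bank_token", lambda: read_private(bank, bank, "session_token"))
    return out


if __name__ == "__main__":
    print(demo())
```

Note the asymmetry that makes the "more important innovation" argument: the flashlight app's long permission list buys it nothing against the bank's store, because isolation is the default and the bank, not the user, decides what leaves it.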

------
zequel
In a (more) perfect world, the NSA would put considerable resources towards
stopping this activity as opposed to spying on their own citizens and allies.
A guy can dream...

~~~
powertower
In a more perfect world, the people would understand that for the NSA to be
able to find/track/stop this type of activity, they would have to have access
to a large amount of global traffic, mine it, throw away what they don't need,
keep the rest.

You can't have your cake and eat it too.

~~~
dasil003
No they wouldn't need that, there is plenty of evidence to investigate here
without the need to buy half of the world's production of hard drives in
perpetuity. What's needed is law enforcement's cooperation to bring the
perpetrators to justice—that might be a little harder to do actually, but as
the scale of this sort of thing increases even the most crooked of eastern
bloc countries are going to start getting a few offers they can't refuse.

~~~
wmf
If you imagine the NSA minus the espionage, isn't that basically the FBI
computer crimes division?

~~~
tedivm
But with a real budget and people who are actually trained for the job.

------
f3llowtraveler
Hell, that's nothing. Here's something truly criminal:
http://www.rollingstone.com/politics/blogs/taibblog/outrageous-hsbc-settlement-proves-the-drug-war-is-a-joke-20121213

~~~
retube
There is no evidence anyone at HSBC was willfully assisting or complicit in
money laundering. The fines are for weak controls that failed to detect money
laundering.

~~~
shiven
Oh please! The fines are for _disabling_ the controls that would have
automatically flagged money laundering transactions. Source: the link OP
posted.

Still, it is a mere slap on the wrist that is guaranteed to have no permanent
repercussions to deter such behavior. It's a clusterfuck and I don't see a
solution emerging without both the _war on drugs_ ending and multi-year
incarceration becoming mandatory for financial crimes.

~~~
retube
Oh Please! Matt Taibbi is in no way a credible source.

> Disabling

Or alternatively, just not enabling tougher controls. There's no evidence, or
indeed suggestion by prosecutors, that controls were deliberately set low to
deliberately facilitate money laundering.

------
tyoma
Why does Windows still let arbitrary applications downloaded via email run?
I'm sure the vast majority of cryptolocker victims have no desire to share
binary executables via email.

I wish there was an "only run Microsoft approved applications" option I could
enable for my parents. Kind of like OS X's Gatekeeper.

------
jrockway
Is the file with instructions on how to decrypt your files named "REAMDE"?

~~~
jaxb
That novel has too much Russian mafia inside.

------
adrianwaj
Could the bitcoin network reverse spends into the attacker's address(es) if
everyone came together and agreed to do so? Or at least prevent spending out
of it?

~~~
tinco
If _every_ miner would join in, preventing spending would be possible.
Reversing the spending is near impossible (it would take cooperation of not
just the miners, but also every address that was in a transaction since the
offending transaction).
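
The two claims in tinco's reply, as an added toy simulation that is not part of the thread and is not Bitcoin's actual consensus code: a hash-linked chain of blocks, three miners taking turns, and an address (a constructed placeholder, not a real one) that the miners agree not to serve. Blocking spends works only while every miner enforces the agreement; one miner that does not is enough to confirm the spend. Reversing the spend afterwards means editing a block, which breaks the hash link of every later block and drags in every party whose transactions came after it.

```python
"""Toy hash chain illustrating (a) that censoring an address needs every miner and
(b) that reversing a confirmed spend invalidates all later history.
Constructed example; not the Bitcoin protocol. Addresses are placeholders."""
import hashlib
import json

RANSOM_ADDR = "ransom-addr"  # constructed placeholder for the attacker's address


def block_hash(block):
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()


def build_chain(rounds, enforcing, blacklist):
    """rounds: list of (miner, candidate txs). A miner marked enforcing drops any tx
    sent from a blacklisted address; any other miner includes whatever it is given."""
    chain = [{"prev": "0" * 64, "txs": [], "miner": "genesis"}]
    for miner, txs in rounds:
        if enforcing[miner]:
            txs = [t for t in txs if t["from"] not in blacklist]
        chain.append({"prev": block_hash(chain[-1]), "txs": txs, "miner": miner})
    return chain


def confirmed_from(chain, addr):
    return [t for b in chain for t in b["txs"] if t["from"] == addr]


def valid(chain):
    """Every block must commit to the hash of the block before it."""
    return all(chain[i]["prev"] == block_hash(chain[i - 1]) for i in range(1, len(chain)))


def reverse_spend(chain, height, tx):
    """Edit history by removing tx from the block at `height`. Returns the edited copy
    and the set of parties whose later transactions would all need re-confirming."""
    edited = json.loads(json.dumps(chain))
    edited[height]["txs"].remove(tx)
    affected = {p for b in edited[height + 1:] for t in b["txs"] for p in (t["from"], t["to"])}
    return edited, affected


# Constructed activity: the ransom address cashes out first, then unrelated payments follow.
ROUNDS = [
    ("minerA", [{"from": RANSOM_ADDR, "to": "exchange", "amount": 5}]),
    ("minerB", [{"from": "bob", "to": "carol", "amount": 1}]),
    ("minerC", [{"from": "carol", "to": "dave", "amount": 1}]),
]


def spends_when_all_enforce():
    chain = build_chain(ROUNDS, {"minerA": True, "minerB": True, "minerC": True}, {RANSOM_ADDR})
    return len(confirmed_from(chain, RANSOM_ADDR))


def spends_when_one_defects():
    chain = build_chain(ROUNDS, {"minerA": False, "minerB": True, "minerC": True}, {RANSOM_ADDR})
    return len(confirmed_from(chain, RANSOM_ADDR))


def reversal_outcome():
    chain = build_chain(ROUNDS, {"minerA": False, "minerB": True, "minerC": True}, {RANSOM_ADDR})
    tx = confirmed_from(chain, RANSOM_ADDR)[0]
    edited, affected = reverse_spend(chain, 1, tx)
    # original chain is valid; edited chain is not, and bob/carol/dave are all dragged in
    return valid(chain), valid(edited), sorted(affected)


if __name__ == "__main__":
    print(spends_when_all_enforce(), spends_when_one_defects(), reversal_outcome())
```

The `affected` set is the toy version of "every address that was in a transaction since": once block 1 is rewritten, blocks 2 and 3 no longer link to it, so bob, carol and dave's payments would have to be re-mined too.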

