
Cyberattacks in 12 Nations Said to Use Leaked N.S.A. Hacking Tool - ghosh
https://mobile.nytimes.com/2017/05/12/world/europe/uk-national-health-service-cyberattack.html?smprod=nytcore-iphone&smid=nytcore-iphone-share&_r=1&referer=https://www.rt.com/news/388153-thousands-ransomeware-attacks-worldwide/
======
ComodoHacker
Edit: Botnet stats and spread (switch to 24H to see full picture):
[https://intel.malwaretech.com/botnet/wcrypt](https://intel.malwaretech.com/botnet/wcrypt)

Live map:
[https://intel.malwaretech.com/WannaCrypt.html](https://intel.malwaretech.com/WannaCrypt.html)

Relevant MS security bulletin: [https://technet.microsoft.com/en-us/library/security/ms17-01...](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx)

Edit: Analysis from Kaspersky Lab:
[https://securelist.com/blog/incidents/78351/wannacry-ransomw...](https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/)

~~~
arthurfm
MalwareTech found the kill switch for WannaCrypt too.

[https://www.theguardian.com/technology/2017/may/13/accidenta...](https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack)

[https://twitter.com/MalwareTechBlog/status/86318710471668531...](https://twitter.com/MalwareTechBlog/status/863187104716685312)

[https://twitter.com/MalwareTechBlog/status/86318907784311603...](https://twitter.com/MalwareTechBlog/status/863189077843116032)

~~~
whatnotests
This sounds like something straight out of a James Bond movie.

~~~
mirimir
That was a dumb move by the malware coder ;)

Wouldn't you want to hide a kill switch?

~~~
tempay
The MalwareTech write up gives a plausible reason for the developer having
accidentally added the kill switch:

> I believe they were trying to query an intentionally unregistered domain
> which would appear registered in certain sandbox environments, then once
> they see the domain responding, they know they’re in a sandbox the malware
> exits to prevent further analysis.
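
A defender-side reading of the mechanism quoted above, as an added example that is not part of the thread or of MalwareTech's write-up: it triages resolver logs for hosts that looked up the kill-switch domain and separates lookups that were answered (the malware would see the domain responding and exit) from lookups that were not. The domain is a placeholder because the thread does not give it, the log format and sample lines are constructed, and treating a DNS answer as "the domain responding" is an assumption.

```python
from dataclasses import dataclass

# Placeholder: the thread does not name the domain; substitute the real
# indicator from your own threat-intel source.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed sample in a hypothetical resolver log format:
#   <ISO time> <client ip> <qname> <rcode> <answer or "-">
SAMPLE_LOG = """\
2017-05-12T14:01:07Z 10.1.4.22 killswitch-placeholder.example NXDOMAIN -
2017-05-12T14:01:09Z 10.1.4.31 www.example.org NOERROR 93.184.216.34
2017-05-12T15:20:41Z 10.1.4.22 killswitch-placeholder.example NOERROR 192.0.2.10
2017-05-12T15:22:03Z 10.1.7.5 KillSwitch-Placeholder.Example. NOERROR 192.0.2.10
2017-05-12T15:25:10Z 10.1.9.9 killswitch-placeholder.example SERVFAIL -
malformed line
"""


@dataclass
class Finding:
    client: str
    first_seen: str
    lookups: int = 0
    unanswered: int = 0  # lookups that returned no usable answer

    @property
    def status(self) -> str:
        # Any unanswered lookup means the check described in the quote did
        # not see a responding domain at least once, so the sample would
        # not have exited on that run.
        return "payload-likely-ran" if self.unanswered else "kill-switch-hit"


def normalise(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return qname.rstrip(".").lower()


def triage(log_text: str, domain: str = KILL_SWITCH_DOMAIN):
    """Return ({client: Finding}, skipped_line_count) for lookups of domain."""
    target = normalise(domain)
    findings = {}
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 5:
            skipped += 1  # keep a count so parsing gaps are visible
            continue
        when, client, qname, rcode, answer = parts
        if normalise(qname) != target:
            continue
        finding = findings.setdefault(client, Finding(client, when))
        finding.lookups += 1
        finding.first_seen = min(finding.first_seen, when)
        if rcode != "NOERROR" or answer == "-":
            finding.unanswered += 1
    return findings, skipped


def report(findings):
    """Order hosts for response: unanswered lookups first, then by address."""
    rows = [(f.client, f.status) for f in findings.values()]
    return sorted(rows, key=lambda r: (r[1] != "payload-likely-ran", r[0]))


if __name__ == "__main__":
    found, skipped = triage(SAMPLE_LOG)
    for client, status in report(found):
        f = found[client]
        print(f"{client:12} {status:20} first={f.first_seen} lookups={f.lookups}")
    print(f"skipped {skipped} unparseable line(s)")
```

Every host in the report made the lookup and so needs patching and cleanup either way; the status only orders the response. It also shows why blocking or blackholing the domain at the resolver works against the kill switch.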

------
RangerScience
> "Microsoft rolled out a patch for the vulnerability last March, but hackers
> took advantage of the fact that vulnerable targets — particularly hospitals
> — had yet to update their systems."

> "The malware was circulated by email; targets were sent an encrypted,
> compressed file that, once loaded, allowed the ransomware to infiltrate its
> targets."

It sounds like the basic (?) security practices recommended by professionals -
keep systems up-to-date, pay attention to whether an email is suspicious -
would have covered your network. Of course, as @mhogomchungu points out in his
comment - is this the sort of thing where only one weak link is needed?

Still. Maybe this will help the proponents of keeping government systems
updated? And/or, maybe this will prompt companies like MS to roll out
security-only updates, to make it easier for sysadmins to keep their systems
up-to-date...?

(presumably, a reason _why_ these systems weren't updated is due to
functionality concerns with updates...?)

~~~
eggbrain
> It sounds like the basic (?) security practices recommended by professionals
> - keep systems up-to-date, pay attention to whether an email is suspicious -
> would have covered your network.

This is secondhand information (so take it for what it's worth, there could be
pieces I'm missing), but I talked with a startup that was focusing on this
problem, and the issue was not quite the computers and servers that IT were
using (although sometimes it was), it was that many medical devices (like CT
scanners, pumps, etc) come shipped with old outdated versions of operating
systems and libraries.

No big deal right? Just make sure those are up to date too? Well, many times
the support contracts for these medical devices are so strict that you can
invalidate the warranty by installing third party software like an antivirus,
or even doing something like Windows update.

Even worse, many hospitals don't even know what devices they have -- it's easy
for IT to know about laptops and computers, but when every single medical
device more complicated than a stethoscope has a chip in it and may respond to
calls on certain ports, it's a tougher picture to know.

The startup was [https://www.virtalabs.com/](https://www.virtalabs.com/) by
the way, they really are doing some cool things to help with this.

~~~
bluGill
In defense of these medical devices, that is actually a FDA requirement. The
entire combination of the system is certified to work, and even one patch for
a security vulnerability leaves open the possibility that the patch breaks
something and people die! Of course it goes without saying that you need to
ensure that a virus cannot run on this machine by some other means. If these
machines can get infected they automatically lose certification and cannot be
used for medical purposes.

~~~
a2tech
This 100x. I know it's extremely easy to Monday morning quarterback hospital
IT but it's not as simple as people think. There's legal and, far more
importantly, medical implications to updating software at a hospital. Oh you
think it's ridiculous we use IE 7 in compatibility mode? It's because our
mission critical EMR only works in that (well it really works in everything
but it's certified in 7) and if we use anything but the certified software
load in accessing it the vendor puts all blame on us.

~~~
mjevans
Yes, it actually is.

Life critical systems should be small, fully open stack, fully audited, and
mathematically proven to be correct.

Non-critical systems, secondary information reporting, and possibly even
remote control interfaces for those systems should follow industry best
practices and try to do their best to stay up to date and updated.

Most likely many modern pieces of medical technology have not been designed
with this isolation between the core critical components that actually do the
job and the commodity junk around them that provide convenience for humans.

~~~
mark-r
The problem is that the technology stack required by modern equipment is too
large to be satisfied by anything but a general-purpose OS. Good luck trying
to get a mathematically proven OS.

~~~
lazaroclapp
Pretty sure you can build an X-Ray/MRI control software in Rust on top of
seL4, and do lightweight verification (or, even better: hardware breakers of
some sort) around issues like "will output lethal doses of radiation". That is
a general purpose enough kernel and a general purpose enough programming
language, without having to drag in tens of millions of lines of code intended
for personal GUI systems... Then for malware issues you simply don't plug that
device directly into the internet, nor allow it to run any new code (e.g. your
only +X mounted filesystem is a ROM and memory is strictly W^X).

~~~
panic
Rust has a lot of nice safety features, but the compiler hasn't been formally
verified at all.

~~~
lazaroclapp
Yeah, I am aware. The problem is that using, say, CompCert might result in
less security in practice, since although the compiler transformations are
verified, code written in C is usually more prone to security issues. It also
puts the burden of proving memory safety on the developer, which is a
requirement for proving nearly anything else. I don't know Rust well enough to
know if this applies for sure, but I think it is a lot less to ask from the
manufacturer that they produce a proof of the form "assuming this language's
memory model holds, we have properties X, Y and Z" and then just hope the
compiler is sane, versus requiring a more heavy-weight end to end proof. Also,
eventually there might be a mode for certified compilation in Rust/Go, at
which point you get the best of both worlds.

------
turnip123942
I think this is an excellent example that we can all reference the next time
someone says that governments should be allowed to have backdoors to
encryption etc.

This shows that no agency is immune from leaks and when these tools fall into
the wrong hands the results are truly catastrophic.

~~~
maerF0x0
To be completely fair, it's not the NSA's fault that software has faults. It's
the software manufacturers'.

The ethical concern here is whether the NSA should have reported the holes to
the manufacturers and the failure to handle its privileged knowledge in a safe
manner.

~~~
cortesoft
He is not talking about the actual flaws as being the example as to why we
shouldn't give the NSA backdoor access; he is saying that the leaks prove that
even the NSA can't keep their stuff secret. If they couldn't keep their
hacking tools secret, why should we think they can keep their backdoor access
secret?

~~~
rgbrenner
In case anyone has been living under a rock for the past 3 years:

FBI's (recently fired) James Comey has been asking for an encryption backdoor
for the past 3 years:

2014: [https://www.fbi.gov/news/speeches/going-dark-are-technology-...](https://www.fbi.gov/news/speeches/going-dark-are-technology-privacy-and-public-safety-on-a-collision-course)

At that time, he said unbreakable encryption should be illegal:
[http://www.newsweek.com/going-not-so-bright-fbi-director-jam...](http://www.newsweek.com/going-not-so-bright-fbi-director-james-comey-calls-making-impenetrable-devices-278190)

2015 (asking for a backdoor):
[https://www.theguardian.com/technology/2015/jul/08/fbi-chief...](https://www.theguardian.com/technology/2015/jul/08/fbi-chief-backdoor-access-encryption-isis)

2016 (same): [https://arstechnica.com/tech-policy/2016/03/fbi-is-asking-co...](https://arstechnica.com/tech-policy/2016/03/fbi-is-asking-courts-to-legalize-crypto-backdoors-because-congress-wont/)

2016 (tried to force apple to create a backdoor for the iphone):
[https://www.apple.com/customer-letter/](https://www.apple.com/customer-letter/)

And then here recently, he's upped it to an international agreement to create
a backdoor:
[https://www.techdirt.com/articles/20170327/10121437009/james...](https://www.techdirt.com/articles/20170327/10121437009/james-comeys-new-idea-international-encryption-backdoor-partnership.shtml)

He's not the first, only, or last person to ask for it.

~~~
superkuh
The UK's doing it,
[http://www.theregister.co.uk/2017/05/04/uk_bulk_surveillance...](http://www.theregister.co.uk/2017/05/04/uk_bulk_surveillance_powers_draft/)

------
mhogomchungu
I am in Tanzania (East Africa) and my father's computer is infected.

All he did to get infected was plugging his laptop on the network at
work (University of Dar Es Salaam).

The laptop is next to me and my task this night is to try to remove this
thing.

~~~
devrandomguy
This malware is well written, and uses strong encryption.

I would suggest that you and your father spend the evening reading up on
backup practices, and reconsider the value proposition of open source
software.

I hope I am not coming off as a smug jerk. My hope is that rather than
becoming frustrated and demoralized after an evening of fruitless hacking, you
and your uni will recover, and become resilient against future attacks.

~~~
mhogomchungu
He has backups of his data.

I personally use Linux and my GitHub repo is here[1] where I have a bunch of
encryption related projects (zuluCrypt, SiriKali and lxqt_wallet). The last
Windows computer I used was Windows XP.

I don't want to move him to Linux because I am not always around and he can ask
other people for help when he is on Windows.

[1] [https://github.com/mhogomchungu](https://github.com/mhogomchungu)

~~~
devrandomguy
Thank God for backups! And thank you for making sure people make backups.

My mother is in a similar situation. She is an elementary school teacher, and
has little time for unrelated endeavors like this. What time she does have, is
spent in the garden, as it should be.

Nevertheless, we are now seeing that the time-cost of closed source software,
is greater than that of open-source software. My solution has been to prepare
a KDE based distro for her, to work with her, side by side, whenever she needs
to learn new tools. It is a good bonding experience, when both people can
maintain a positive attitude about it.

The solution to the problem of malware, is education.

~~~
AdeptusAquinas
How quickly some forget heartbleed.

The solution to malware is obscurity. Have an OS that no one wants to break
into, and you won't be broken into.

~~~
hackuser
> The solution to malware is obscurity. Have an OS that no one wants to break
> into ...

... and you'll have an OS for which neither malware authors nor legitimate
software developers want to write applications.

There's a trade-off involved. We could all use pen and paper and be
invulnerable to malware, but then how would we post on HN?

~~~
AdeptusAquinas
That's my point, as I type this on fully patched Win 10 Pro.

Certainly Windows has its issues, but its biggest 'flaw' when it comes to
malware isn't that it's closed-source, but that it's ubiquitous and therefore
a highly attractive target.

~~~
devrandomguy
Linux is ubiquitous in the data center. We are not a low-value target. Also,
corporations with cloud-based infrastructure are more likely to pay large
ransoms for their data, especially if it is the backup/archive system that is
attacked.

~~~
AdeptusAquinas
Data centers are dwarfed in size by the consumer and business markets, while
also being much less vulnerable due to their more specialised nature and
therefore ease of update. Case in point: there are plenty of Windows data
centres out there, but it's not likely any of them were affected by this
incident.

------
raesene6
One of the big problems here will be for any country which makes a lot of use
of older computers using Windows XP as there is no patch for this
vulnerability on that OS version.

How many systems that is, is debatable but by at least one benchmark
([https://www.netmarketshare.com/operating-system-market-share...](https://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0))
we're looking at 7% of the desktop PC market
that could be exposed with no patch available.

~~~
chronial
> no patch available

Not anymore:
[https://blogs.technet.microsoft.com/msrc/2017/05/12/customer...](https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/)

------
placeybordeaux
Going through their wallets it looks like they've gotten 32 pay outs, some for
more than 300 USD. Are there any addresses that they are using outside of the
four listed in the article?

It'd be an interesting project to try and track where these funds go and where
they came from.

[https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6N...](https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94) - 11

[https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNX...](https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn) - 4

[https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8is...](https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw) - 6

[https://blockchain.info/address/1QAc9S5EmycqjzzWDc1yiWzr9jJL...](https://blockchain.info/address/1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY) - 11

~~~
doomrobo
They'll probably be tumbled (i.e. Bitcoin laundering), meaning that we'll get
no info from the transactions at all.

~~~
placeybordeaux
I haven't looked into tumbling recently, what's the volume look like these
days? So far the attack has yielded less than 5 btc, I'd guess that amount can
be laundered safely. What's the current limit?

~~~
20delta
You don't have to worry about tumbling anymore.

You can use XMR.to, Shapeshift.io, or Changelly.com over TOR to move funds
directly into another blockchain currency. So have fun following
things around Bitcoin blockchain like some high tech sleuth, but that's a wild
goose chase.

I buy all my cryptocurrencies through those kind of services nowadays, because
there's no risk or temptation to keep coins on custodial exchanges, instead of
in a private wallet. As well as no worries about withdrawal limits (although
shapeshift has fairly low per transaction limits, just make an additional
transaction)

For unlinking the transaction, the only currency you want to cross-chain into
is Monero. With its Ring Signatures and Stealth Addresses it is a private
blockchain by default (in comparison with some other cryptocurrencies that
have a secondary optional privacy feature like Zcash/Shadowcash/Dash).

I'm actually surprised that the ransomware isn't taking Monero directly yet as
some exchanges have direct Monero/USD markets already.

~~~
isseu
> I'm actually surprised that the ransomware isn't taking Monero directly yet
> as some exchanges have direct Monero/USD markets already.

Buying Bitcoin is much easier

~~~
20delta
Marginally.

And the malware controllers can just as easily add instruction to users to
shapeshift bitcoin to their Monero address

------
natch
This gives the lie to the notion that a government master key or back door
scheme could be protected from leaks and abuse.

~~~
dhimes
Came here to say this. I completely agree.

------
sasas
Malware tech need recognition! By being the first to register the hard coded
domain in the malware they have slowed the spread significantly ...

[https://twitter.com/josephfcox/status/863171107217563648](https://twitter.com/josephfcox/status/863171107217563648)

------
blitmap
The real world doesn't update in 2 months. (I wish it did.)

The NSA should have responsibly disclosed the vulnerabilities they had been
sitting on as soon as they were discovered.

That protects national security - not this.

~~~
whatupmd
Wikileaks should have disclosed before dumping publicly.

Burning down the house to prove that there are fire safety issues is the wrong
approach.

~~~
boomboomsubban
This has nothing to do with Wikileaks, who have tried not to release any
unpatched vulnerabilities in the Vault 7 documents and have been ignored by
many companies they have approached offering to disclose vulnerabilities.

At least double check you've got the right person before labeling them an
arsonist.

------
jayess
You can keep an eye on their bitcoin wallet (or at least one of them):
[https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6N...](https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94)

~~~
sp332
Two others are
[https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNX...](https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn)
and
[https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8is...](https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw)

------
Asdfbla
One of the side effects if states participate in the proliferation of offensive
tools. Won't be the last time state-sponsored tools, exploits or backdoors
fall into the hands of interested third parties.

I think collateral damage like that is way underrated by politicians all
around the globe that call for their respective intelligence agencies to build
up offensive capabilities to be able to conduct cyber warfare and whatnot.

~~~
willstrafach
The vulnerability is already patched, it is not a 0-day. Regardless of the
leak, anyone could have reverse engineered the security patch to see how it
worked.

------
f2f
Cisco's TALOS team just published an analysis:

[http://blog.talosintelligence.com/2017/05/wannacry.html](http://blog.talosintelligence.com/2017/05/wannacry.html)

------
mschuster91
Apparently, this has spread to Deutsche Bahn...

1) a railway dispatcher just tweeted that IT systems will be shut down
([https://twitter.com/lokfuehrer_tim/status/863139642488614912](https://twitter.com/lokfuehrer_tim/status/863139642488614912))

2) a journalist tweeted that an information display of DB fell victim to
ransomware
([https://twitter.com/Nick_Lange_/status/863132237822394369](https://twitter.com/Nick_Lange_/status/863132237822394369)).

I guess that #1 and #2 are related, though.

------
nyolfen
BBC says up to 74 nations now:
[http://www.bbc.com/news/live/39901370](http://www.bbc.com/news/live/39901370)

~~~
aw3c2
In other words, time to stop talking about nations if it's about the global
internet.

------
WheelsAtLarge
Wow, the future is here and it's not looking very good. We need to diversify
our OS's in the enterprise. This time it was MSFT next it could be linux. No
OS gives an absolute guarantee. The systems are relatively dumb now what will
happen when AI has gotten deeper into our everyday lives. This is a wake up
call.

------
Keverw
Wow, this is so insane. I really don't think the NSA should be finding
vulnerabilities and keeping them to themselves.

I mean I get it is all to help stop the bad guys, but if you are keeping cyber
weapons like this, you should be required to keep them as secure and locked as
possible if you don't follow responsible disclosure.

Just like how a cop would keep their weapon on them, instead of sitting it
down on the table while eating lunch.

~~~
mi100hael
Right, I'm sure the NSA doesn't currently take any effort to secure their
trove of 0-days. It's not like they're valuable assets or anything.

Edit: My point is that thinking that requiring the NSA to keep them "as secure
as possible" as though that would eliminate risk is just silly. There will
always be risk of breach or insider theft, as well as the requirement that the
exploits actually be put to use outside some theoretical digital lockbox. And
more importantly, there will always be the risk of human error. The only way
to ensure this can't happen again is to require disclosure & patching.

~~~
sbov
Wasn't the story behind the NSA leak that it explicitly wasn't well protected,
and was passed relatively freely between contractors and without much in the
way of oversight?

~~~
willstrafach
Not at all, you are thinking of the allegations regarding the CIA content from
WikiLeaks.

------
Kali909
There's the bitcoin ransom aspect, but presumably a worm like this could
extract a massive amount of data from infected servers and send that back to
someone/somewhere?

Bank transactions, patient medical data, stored passwords/keys/CA info,
contacts, emails, configuration files, registry dumps for firewall rules etc
etc. (I'm not that creative so there's probably a lot more that's been
exfiltrated).

Pretty hellish knowing they'd let that quietly sit there, in the name of
espionage. I'm not sure the benefits outweigh the damage they're doing,
without even mentioning the chilling effect and lack of confidence this
instills in IT everywhere.

~~~
wu-ikkyu
Right, the real money is not going to come from the bitcoin ransoms, but from
the information on millions of patients which they surely made copies of.

------
nyolfen
We really are living in the future. My condolences to the NHS, but what a time
to be alive.

~~~
doktrin
Out of curiosity, what about this attack feels futuristic? If anything it
feels very retro, in that it hails back to the notorious worm attacks from the
earliest days of networked computing.

~~~
nyolfen
the headline more than anything -- pilfered secret spy software stolen by
(probably) a rival intelligence agency, released to the public without
scrutiny, repurposed by cybercriminals, used to ransom data indiscriminately
for decentralized software currency, bringing major institutions to their
knees, and defeated by a guy in his bedroom at his parents' house who
accidentally found a secret kill switch. it all feels very cyberpunk, and very
much like a fictional plot, unfortunate circumstances aside

~~~
nyolfen
aha, and i see i'm not the only one who thinks so:
[http://www.antipope.org/charlie/blog-static/2017/05/rejectio...](http://www.antipope.org/charlie/blog-static/2017/05/rejection-letter.html)

though a bit of it is in your camp as well:

> It's a worm — a boringly old-hat idea first introduced into fiction by SF
> author John Brunner in his 1977 novel "The Shockwave Rider".

------
olliej
Cyber attacks use patched exploit to attack systems running out of date
software, even in large enterprises handling sensitive data?

I give a pass to individuals (bandwidth for updates can be expensive, regular
users don't know about patch Tuesday etc), but enterprise scale deployment
should have IT for this, and IT should have been well aware of this kind of
thing happening.

~~~
daxorid
Strangely enough, people like Matt Blaze are out beating the "don't blame the
victim" drum by stating the exact opposite, giving a pass to large enterprises
under the "patching is hard" mantra:

[https://www.cs.columbia.edu/~smb/blog/2017-05/2017-05-12.htm...](https://www.cs.columbia.edu/~smb/blog/2017-05/2017-05-12.html)

------
remarkEon
If I want a deep technical analysis of what we know so far, where do I go?

------
EmlynC
What gets me is why we don't see more viruses that _deliver_ the patch to fix
the vulnerability.

It's perhaps a little more difficult as you'd need a vulnerability to keep
spreading the inoculation. Arguably, though you release the virus, let it
spread and then trigger the inoculation using a mechanism like calling out to
a webserver, just as the kill switch worked here.

~~~
adrianN
You run the risk of jail time without the upside of ransom payments.

~~~
EmlynC
True, plus, I forget the legislation but you are effectively breaking into the
computer first which is a crime. Committing a crime for a noble outcome is
still a crime.

Incentives are a real issue here and those that provide the patch would,
reasonably, expect a reward i.e. MS for updates, AV provider for testing,
finding and securing the vulnerability and a whitehat for disclosure. However,
there is no reason why a "charitable" hacking group wouldn't do this as part
of some sort of digital vigilantism. Sometimes people do things without
extrinsic reward and the thrill here is that it is as hard as cracking, but
you get to know that your efforts could be immediately applied.

------
jgaa
If NSA made it, and failed to protect it - then NSA should be liable for
lawsuits to pay for damages.

~~~
lmz
Should that apply only to NSA or also to the writers of e.g. Metasploit
exploits?

~~~
jgaa
NSA made a weapon with the purpose of harming someone. In court, intent
matters.

~~~
thoth
So: A makes a product with flaws, B makes an exploit, C leaks that exploit, D
adds a harmful payload to the exploit and goes on to extort/profit from E, who
has computer systems they failed to patch in time... and somehow B and only B
is at fault?

~~~
nomercy400
FTFY: and somehow D and only D is at fault? You'll see that they'll get the
blame and the rest goes free.

------
microcolonel
> The attacks were reminiscent of the hack that took down dozens of websites
> last October, including Twitter, Spotify and PayPal, via devices connected
> to the internet, including printers and baby monitors.

Lazy writing at NYTimes; what on earth does this attack have to do with the
one at hand? It's not broadly the same type of attack, nor the same scale, nor
the same outcome.

------
JackFr
As far as I can see it hasn't moved the needle on Bitcoin/$ today though.

Ransomware was a play for big Bitcoin holders to unwind large positions at
the highs without too much downward pressure in Bitcoin market.

------
c3534l
It could also just be the NSA banking on everyone assuming it's someone using
NSA tools.

------
print_r
While I can understand WikiLeaks' position, I feel like it was incredibly short
sighted and uninformed of them to release the code itself. Unless you believe
that they are working with the Russian (and other?) governments to destabilize
the west. Personally, I wouldn't be surprised if this was the case.

~~~
H4CK3RM4N
My impression was that the Shadow Brokers already had, or were about to release
the tools which Wikileaks ended up leaking. Regardless, these should've been
disclosed to the manufacturers under Obama's policies.

~~~
print_r
I would be curious as to the agenda of these "Shadow Brokers" it all sounds
very Gibsonesque. Recent events have made Neuromancer seem more and more
prophetic to me.

~~~
H4CK3RM4N
They were hackers who acquired a trove of state secrets and were looking to
make a quick buck. I've linked an archive of their initial statement below. I
think it speaks volumes about how far the NSA can be trusted that these people
were the ones to leak the tools instead of a state actor or someone previously
known.

[https://web.archive.org/web/20160815124425/https://github.co...](https://web.archive.org/web/20160815124425/https://github.com/theshadowbrokers/EQGRP-AUCTION)

~~~
print_r
that's pretty heavy. life imitating art for sure. thanks

------
drinchev
So if I pay how do the hackers decrypt my HD? Is there a way to sniff the
key and pay once - decrypt everywhere?

~~~
PeterisP
You send them the code (encrypted key?) from your machine, they send you back
the key that works for your machine.

If you have multiple computers (as these large organizations do), you need to
pay for each one separately; the key for one won't work for the other. Perhaps
they offer volume discounts?

~~~
incompatible
Send it how, do they provide an email address and helpfully send it back by
return mail? A tor hidden service maybe? I'd have assumed they just take the
money without bothering to decrypt anything, but maybe they are looking for
repeat customers.

~~~
PeterisP
Depends on the particular malware, but generally it will direct you to a (tor)
website explaining the details, often with newbie-friendly guides on how to
set up the accounts needed to buy and transfer bitcoin.

They generally do offer a way to decrypt, it's a long term business for them,
not a one-time prank; and the results matter - first, the "audience" who are
willing and able to pay generally have multiple devices, and they won't pay
for the dozen other devices if the first "trial" device isn't successfully
decrypted, and second, the infection spreads over victim's contacts - so your
buddy who also got the malware managed to decrypt, you're more likely to pay,
and if your buddy paid and failed to decrypt, the crooks won't get a dime from
you.

There are all kinds of options. For example, one piece of malware offered to
decrypt two files of your choosing for free when you contacted them, just to
show that they can do so, as a 'teaser' before paying the full amount.

Besides, why wouldn't they decrypt? It's not like it costs them anything or
takes much effort; if they have the ability but wouldn't send the keys, then
that's just hurting their business "PR/advertising" for no reason whatsoever.

------
sasas
Here is a link to the malware sample and technical implementation details.

[https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b...](https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168)

------
blackflame7000
I was debugging a private web app today when I noticed a python script agent
suddenly performing a port scan on me. It was querying for something called
"a2billing/common/javascript/misc.js". After googling that phrase it seems I'm
not the only person who has seen this today. The country of origin of the IP
was Britain.

After further investigation, it appears this attack could be in relation to
this
[http://www.cvedetails.com/cve/CVE-2015-1875/](http://www.cvedetails.com/cve/CVE-2015-1875/)

------
Myrmornis
> Security experts described the attacks as the digital equivalent of a
> perfect storm.

Just in case there are any journalists reading - never use the term "perfect
storm".

------
gazos
I'm hearing the password wncry@20l7 decrypts the zip within the PE resources.
anyone confirm?

~~~
kabes
[https://twitter.com/0xSpamTech/status/863224147576594432](https://twitter.com/0xSpamTech/status/863224147576594432)

Believe what you want of it of course.

------
arca_vorago
First of all, while I of all people love to pile onto the anti-NSA bandwagon
(within constitutional reason that is, I don't advocate their abolishment, but
that's a different conversation), there are quite a few non-three-letter
related things that have contributed to this story and ones like it.

The primary issue at the heart of things like this, beyond the backdoors and
0-days is this: bad IT.

That being said though, bad IT is far too often the fault of upper management,
and not the IT people themselves. After years of sysadmining, I've seen the
inside of hundreds of companies, from Fortune 500 oil to medium sized law
firms. You know what they have all been doing over the years? Cutting costs by
cutting IT. Except... they completely fail to consider long term consequences,
which end up costing more.

I blame things like this on two main groups. Boards of directors, and company
executives. Far too often I ran into a situation where a company didn't even
have a CIO or a CTO, and you had some senior one man miracle show drowning in
technical debt reporting to a CEO or CFO and getting nowhere, and therefore
getting no support, no budget, no personnel, etc. I've seen exceptions too,
but they are far too rare. If it's not technical debt that's drowning the
company, it tends to be politics. The bottom line is forward thinking IT
personnel don't get heard, and inevitably companies hire people or an MSP with
all the proprietary, Cisco, Microsoft, Oracle, etc bullshit certs that make
the C's feel better, but don't actually produce the wanted results. They
inevitably end up providing an inferior product with inferior service at a
short term cost just as high as doing it right the first time, and a much
higher long term cost.

If I could say one thing that could help prevent issues like this, besides my
standard whinging on about FOSS and the four freedoms and such, is that we
need better CTO's and CIO's to advocate on behalf of IT departments, and I
think senior sysadmins who feel they have hit a ceiling should consider going
for their MBA's and transitioning to those titles.

Now, onto the NSA angle of the story. Well... all I can say is I told ya so,
with an extra note that HN in the past few years has been surprisingly
dismissive of FOSS proponents who have been warning about these things.

First they made fun of us for saying everything was being spied on, and then
Snowden happened. (often followed by bullshit like "are you surprised?" or
"what do you have to hide?")

Then we warned about proprietary systems, and then NSA/CIA tool leaks
happened. (often followed by things like "but its for foreign collection only"
and "but the NSA contributes to SELinux")

Y'all aren't listening until after the fact, and that's not going to fix
anything.

~~~
toyg
IT is just a reflection of overall society. In the name of immediate profit,
we're cutting all we can cut, including essential services and maintenance;
sooner or later we end up paying the full price for it.

This will not change until the reward systems for managerial classes change
significantly.

------
nthcolumn
Shadowbrokers claiming blame:
[https://twitter.com/0xSpamTech](https://twitter.com/0xSpamTech)

Analysis here:
[http://blog.talosintelligence.com/2017/05/wannacry.html](http://blog.talosintelligence.com/2017/05/wannacry.html)

------
campuscodi
It's not 12 nations.... it's all over the world...

~~~
erikbye
Yes, 70+ countries.

~~~
jstanley
Botnets don't care about countries. It's not an attack against 70+ countries,
it's an attack against everyone on the internet.

~~~
erikbye
The point was that it is worldwide.

~~~
jstanley
When a nuclear bomb is dropped on Hiroshima, is that an attack against
hundreds of buildings, or is it an attack against Hiroshima? :)

Thinking of it as "an attack against 70+ countries" is an anachronism. The
attack _doesn't care_ about countries. It doesn't even need to acknowledge
their existence.

------
dberhane
Maybe now is the time for a major review of the NHS's Microsoft software
dependency, and the NHS should seriously consider switching to Linux-based
software.

Here is the BBC news update about the NHS Cyber attack:

"NHS trusts 'ran outdated software'

Some who have followed the issue of NHS cyber security are sharing a report
from the IT news site Silicon, which reported last December that NHS trusts
had been running outdated Windows XP software.

The website says that Microsoft officially ended support for Windows XP back
in April 2014, meaning it was no longer fixing vulnerabilities in the system -
except for clients that paid for an extended support deal.

The UK government initially paid Microsoft £5.5 million to keep providing
security support - but the website adds that this deal ended in May 2015."

~~~
UK-AL
A simple patching policy would have fixed this

~~~
olivermarks
[https://youtu.be/VjfaCoA2sQk](https://youtu.be/VjfaCoA2sQk) Hitler rants
about cloud security. Sorry couldn't resist...

------
JohnTHaller
Medical offices are notorious for having machines out of date, not properly
secured, and not backed up. Just recently I wanted to get test results from a
few years earlier from a previous doctor. Nope, the machine they were on runs
a proprietary GE setup and it crashed. The same test a few years earlier? The
hospital lost them and had no record of them being done. A different test I
had done a month ago was hooked up to an aging Windows XP machine. Yes, it was
networked, though I'm unsure if it was intranet only (I doubt it).

In the US, you have to manage your own healthcare. Get every result as a hard
copy or on disk (in the case of MRI etc) and save it yourself. And back it up.
That way you're prepared.

~~~
rorykoehler
I recently went to a consultancy sales meeting with a GP who wanted me to port
the MS-DOS Patient Record Management system used by his medical centre to the
cloud. While I'm sure with a suitable budget it could have been figured out,
the fact that I could only find a handful of references to the database file
format when searching Google didn't bode well. It looked like I would have to
reverse engineer the parsing and interpretation of the bytecode. In the end my
advice was to hire data entry professionals to do it manually.

~~~
JohnTHaller
You likely preserved your own sanity and theirs.

------
kabes
I hope the NSA can be held accountable for this and we can finally all agree
that a government holding on to 0-days and asking for loophole encryption
always bites back to the very people they claim to protect.

------
TomK32
So... I'm running Linux on all my systems, how bad will it be for me?

~~~
TomK32
Oh, and I'm flying tomorrow, what software does an Airbus run on?

~~~
crocal
SCADE, FWIW...

------
cryogenspirit
Q: does anyone know how to disable regular internet access in Windows except
through a virtual machine (VMware or Virtualbox)?

I have set up my mom to use a live debian cd through VMware, but I would also
like to disable networking through Windows Edge and Explorer. I don't know how
to do this however.

Myself, I follow a similar scheme but using a linux virtual guest and host. Is
it easy to disable networking for all networking except for apt/yum and
vmware/kvm?

Lastly, does anyone know what it costs for a personal subscription to
grsecurity?

~~~
boardwaalk
My first thought would be to clear the routing table on Windows (maybe using a
batch script on startup?) and using bridged networking in the VM.

That would totally disable internet access on Windows though, including
updates (but you also wouldn't have that attack surface!)

~~~
cryogenspirit
Thanks. Had a brief look, seems useful.

Does the VM using the "nat" mode of networking also use Windows routing table?
I don't know much about the networking between guest and host, except that the
guest uses NetworkManager through its ethernet device. Even though this is a
virtual device, I didn't think it would go through Windows' own net stack.

Would the bridged networking be any different than passing through the USB
wifi adapter directly to VMware? (at which point the host doesn't have access
to internet)

~~~
boardwaalk
As far as I understand it, with bridged networking you're basically sharing
the network device -- your VM has its own stack down to the MAC address. So
as long as your network device is still online (in the sense of being enabled
in Windows and having a cable attached), packets for a particular MAC will
travel to the right network stack.

This is probably useful from the VirtualBox manual:

> With bridged networking, VirtualBox uses a device driver on your host system
> that filters data from your physical network adapter. This driver is
> therefore called a "net filter" driver. This allows VirtualBox to intercept
> data from the physical network and inject data into it, effectively creating
> a new network interface in software...

I'd try it, it wouldn't be hard to reverse.

------
turblety
Just to let you know in the UK we'll all be safe from things like this. The
UK's banning encryption so stuff like this won't happen in the future. Phew. I
feel safer!

------
rdiddly
"Emergency rooms were forced to divert people seeking urgent care."

I feel like the words "urgent" and "forced" might both be a bit shy of
absolutely true here?

------
lngnmn
Just as a reminder - the second leak does not match the vault7 leak, which is
supposed to be from the very same NSA.

There is not a single proof or reason to believe that the second leak was not
a fake (while the vault7 leak looks more legit).

There are reasons to think that the same people are behind the second leak and
the malware, and the malware, which is said to be based on "a leaked NSA
exploit", was the part of a single plan.

It is not that hard to guess who is behind the internet bullying.

------
soneca
_"Microsoft rolled out a patch for the vulnerability last March, but hackers
took advantage of the fact that vulnerable targets — particularly hospitals —
had yet to update their systems."_

Which Microsoft software should be updated now to protect against this
particular attack? Windows? Windows at the end user machines? The servers?

Could someone share a "What should I do now to protect myself" guide, please?

Thanks!

~~~
degenerate
From everything I read last year... as long as someone has write access to a
shared network resource, your network is vulnerable.

I read about ways to detect it early with FSRM, but never tried it:

[https://chrisreinking.com/stop-cryptolocker-from-hitting-win...](https://chrisreinking.com/stop-cryptolocker-from-hitting-windows-file-shares-with-fsrm/)

Experts, chime in? What is out there in 2017 (paid or not paid) as a way to
protect network drives from ransomware?

~~~
ComodoHacker
Proper backup system?

~~~
degenerate
Well yes that's obvious, I meant more along the lines of:

Are there any ways to detect and stop it from happening in 2017? Third party
software? New group policies from MS?

~~~
problems
Not really, ultimately if someone has write to your network drive, it's not
any different than malware having it. The best solution is a good backup and
protecting your hosts from being infected as much as possible.

I believe some people were trying to do rate limiting and traversal detection,
which should be possible, but also is common in many tools, like running grep
or find on a network share, so it's far from a perfect solution. It could also
probably be avoided by clever malware if it were to be widely deployed.
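
The rate limiting on a file share that this subthread discusses, sketched as an added example (not code from any commenter or from a product): it counts the distinct files each account touches inside a sliding window. The audit line format, the account names, and the window and threshold values are assumptions made up for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MODIFYING = frozenset({"WRITE", "RENAME", "DELETE"})


def parse_event(line):
    """Split 'timestamp account OPERATION path' (hypothetical audit format)."""
    ts, account, op, path = line.split(None, 3)
    return datetime.fromisoformat(ts), account, op.upper(), path.strip()


def find_bursts(lines, ops=MODIFYING, window=timedelta(seconds=10), threshold=20):
    """Map each account to the first time it touched `threshold` distinct
    files with an operation in `ops` inside one sliding `window`.
    Lines must be in time order."""
    recent = defaultdict(deque)          # account -> (timestamp, path) pairs
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, account, op, path = parse_event(line)
        if op not in ops or account in alerts:
            continue
        events = recent[account]
        events.append((ts, path))
        while ts - events[0][0] > window:   # drop events older than the window
            events.popleft()
        if len({p for _, p in events}) >= threshold:
            alerts[account] = ts
    return alerts


def build_sample_log():
    """Constructed events for three made-up accounts on one share."""
    start = datetime(2017, 5, 12, 9, 0, 0)
    events = []
    # svc-search: grep/find-style traversal, 200 reads 20 ms apart.
    for i in range(200):
        events.append((start + timedelta(milliseconds=20 * i),
                       "svc-search", "READ", f"docs/file{i:03}.docx"))
    # bob: 40 files renamed 100 ms apart, starting at 09:00:01.
    for i in range(40):
        events.append((start + timedelta(seconds=1, milliseconds=100 * i),
                       "bob", "RENAME", f"docs/file{i:03}.docx"))
    # alice: ordinary editing, three saves of one file in nine seconds.
    for offset in (0, 5, 9):
        events.append((start + timedelta(seconds=offset),
                       "alice", "WRITE", "docs/report.docx"))
    events.sort()
    return [f"{ts.isoformat()} {acct} {op} {path}" for ts, acct, op, path in events]


if __name__ == "__main__":
    log = build_sample_log()
    print("modifying ops only:", find_bursts(log))
    print("all ops counted:   ", find_bursts(log, ops=MODIFYING | {"READ"}))
```

Counting only modifying operations leaves the read-only search job alone; counting reads as well flags it alongside the rename burst, which is the grep/find false positive mentioned above.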

------
marcrosoft
If anyone reading this was affected by this attack, please take this as an
opportunity to start the journey to become "antifragile". If you are severely
affected by this (mainly speaking about ransomware) it means you lack backups
and the ability to self-heal infrastructure. These attacks will only get more
frequent and more sophisticated. So, start now.

------
Irreal
Is it possible to cause havoc on banks worldwide?

------
jordan314
Can't law enforcement follow the transactions of the public address of the
ransom bitcoin wallet until the bitcoin is sold?

~~~
lossolo
There are services that will mix your coins, making it impossible to track
because he will receive other people's coins from the pool.

~~~
21
Not impossible, just hard.

And the cops can go and track each individual person from that pool if they
really care. Even if we are talking about thousands.

Remember the story from a few days ago where to track a possible spy they went
through all glasses prescriptions from a city.

~~~
lossolo
It's a different beast. It's almost impossible if done right. How would you
track this person? You only see end transactions from those addresses which
are not mixed with coins of attackers. You would need to check EVERY possible
place where bitcoin exchange happens, and there are hundreds in hundreds of
countries, blindly, to see if bitcoin address x was used there. Then some
countries maybe won't even give you any information because electronic
currency doesn't exist in their law and it's not a felony to use a mixing
service etc. etc. That's why they use bitcoin in the first place for 99% of
criminal activities on the Internet.

------
pja
I see the Rust Evangelism Strike Force are out in action again.

Guys, it may surprise you, but some of this kit _predates_ Rust :)

~~~
kibwen
Er, aside from yours, there are literally two comments in this 444-comment
thread that have mentioned Rust, both of them written by a single person.
Given that both those comments also mention sel4, perhaps we ought to invoke
the sel4 Evangelism Strike Force? :P

------
a3n
I think tools like this should be secured at least as well as "research"
stores of smallpox and other biotoxins. And certainly tracked long after
they've outlived their usefulness within the agency that produced them.

Or maybe smallpox isn't actually stored as securely as I assume?

------
runesoerensen
DHS Statement on Ongoing Ransomware Attacks:
[https://www.dhs.gov/news/2017/05/12/dhs-statement-ongoing-ra...](https://www.dhs.gov/news/2017/05/12/dhs-statement-ongoing-ransomware-attacks)

------
mtgx
Is Russia being hit the most because the NSA was the one that was
exploiting this vulnerability before? Perhaps they are leveraging some other
leaked NSA tool that gives them more direct access to Russian computers?

------
rorykoehler
The entertainment system on my flight is mysteriously down. I wonder if it's
connected. As a side thought does anyone know the vulnerability of critical
systems such as airliners, air traffic control etc?

------
djanklow
Why don't telecom providers help remove devices who are requesting an
exorbitant amount of requests? Wouldn't this kill botnets, if the exponential
growth effect became impossible?

------
itissid
Does anyone have a running list of the organizations affected so far?

------
Myrmornis
There's no evidence that this attack targeted the NHS or other health systems,
right? Just spreading randomly by email, highest infection probabilities
certain older Microsoft OSs?

~~~
billharrison
This definitely wasn't targeted. Check here -
[https://intel.malwaretech.com/botnet/wcrypt/?t=24h&bid=all](https://intel.malwaretech.com/botnet/wcrypt/?t=24h&bid=all)

------
hd4
We Linux people really should not miss this opportunity to bring people on
board. Ubuntu is a great starting point.

------
mdkdog
It looks to me like common stupidity...people opening attachments that they
should not be opening. No need to involve CIA, NSA or other three-letter agency
hacking tool...just old school phishing. I see this happening much too
often....people opening *.pdf.js attachment. No need for another conspiracy
theory...stupidity explains it all. Just my 50¢.

~~~
robertfw
It looks like you have not done any "looking" at this at all. This is a worm
that is using the ETERNALBLUE (and possibly other) exploits to infect all
vulnerable machines on a network without user interaction.

Plenty of stupidity for sure, but the stupidity is at the number of unpatched
systems.

~~~
mdkdog
My bad...the article is not really clear though... My first comment...and my
first fail... /me sad!

------
mgalka
What exactly does this NSA tool do? Every story I've seen glosses over how it
works.

~~~
erikbye
The tools in reference are from the Equation Group dump the Shadow Brokers
did. Equation Group is believed to be the NSA (a group within). EG activity
dates back to at least 1996.

More info on EG:
[https://securelist.com/files/2015/02/Equation_group_question...](https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf)

The dump contains many tools; but the ones used in this attack are two
exploits for vulnerabilities in Windows SMB (Server Message Block, a file
sharing protocol) implementation. Microsoft patched this in March, but as we
all know, many systems remain unpatched. The vulnerabilities allowed for
remote code execution.

Practical exploit info: [https://www.exploit-db.com/docs/41896.pdf](https://www.exploit-db.com/docs/41896.pdf)

The two exploits, EternalBlue and EternalChampion, target SMBv2 and SMBv1,
respectively. That's not how the ransomware gets inside the network in the first
place though, that is done by a user executing a file received via email, or
downloaded from a received URL. But, through these two exploits, once inside,
it can spread through the network (subnet) worm-like. Actually, the ransomware
first checks for the existence of the backdoor (also from the same dump of
tools) called DoublePulsar. If the ransomware does not find it to be
implanted, it will use one of the two aforementioned exploits, based on which
ports and protocols it makes a connection to.

The DoublePulsar backdoor is installed on at least 400,000+ systems worldwide.

You can read more about it here: [https://countercept.com/our-thinking/analyzing-the-doublepul...](https://countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/)

------
anigbrowl
I'm surprised by the lack of speculation on the identity of the perpetrators.

------
rileytg
Is this supporting evidence of the US doing something "wrong" by creating
these tools?

Disclaimer: I hope no b/c it's like any other military tech being leaked and
used, but am not sold either way.

------
gildas
Q: could fuzzing techniques help to take down such (p2p) botnets?

------
reviewmon
Anticipation for an attack tied to an all time high bitcoin?

------
zyztem
12 Nations that did not apply security patches

------
agent3bood
The article could have been written in 15 lines or less. Why u do this

------
CCing
Is OSX affected?

~~~
Retr0spectrum
For the record, no.

------
SomeStupidPoint
This is what blowback looks like.

The US military and intelligence communities focused hard on cyber offense,
rather than improving the defensive standards and technologies practiced among
allies. Because of this, several allies have important systems compromised by
(essentially) US-engineered malware.

Well, at least DARPA is sort of on it:
[http://archive.darpa.mil/cybergrandchallenge/](http://archive.darpa.mil/cybergrandchallenge/)

(There's also work stemming from the HoTT body of work on verified systems, as
I understand it. But that doesn't have a sexy webpage.)

------
brilliantcode
Isn't it peculiar that Russia remains the least hit or not even hit at all? It
seems like the West was a clear target. Connecting the dots here, it suffices
to say Shadow Brokers serves Russian interests.

We are seeing bullet holes from what seem to have been cyber warfare between
the former cold war foes.

~~~
tankenmate
Time of day, come back in 12 hours and check again.

That said the Russian government is trying to move people to local
distributions of Linux, like Astra Linux, but I don't think the uptake is
enough to explain low infection rate in Russia.

~~~
brilliantcode
Yeah definitely downvote manipulations going on again...

At this point I'm not even upset or shocked. It just further supports the
narrative Russia is seeking to manipulate/exploit the internet to their
benefit.

Considering the average Russian is poorer than an Indian, it looks like Putin
is going to fuck over his country as his countrymen cheer him on and suffer in
poverty and alcoholism.

The West will crush the feeble Russian economy back to Tsar days.

~~~
dang
We asked you many times to stop breaking the Hacker News guidelines with
uncivil and unsubstantive comments. Since you've ignored us, continued, and
gotten worse, we've banned your account. Insinuations of astroturfing and
shillage without evidence are not allowed here [1], and bad enough, but
national rants and slurs are completely unwelcome.

1\.
[https://hn.algolia.com/?query=by:dang%20astroturf&sort=byDat...](https://hn.algolia.com/?query=by:dang%20astroturf&sort=byDate&prefix=true&page=0&dateRange=all&type=comment)

------
lukaa
Just use Linux and 90% of your problems with malware are history. Your own
customization of the kernel will make you even more secure.

~~~
Cakez0r
Let's not pretend that Linux is invulnerable to the class of exploits that
make this kind of malware possible [1]. Windows isn't a target because it's
vulnerable (all software is vulnerable). Windows is targeted because it's
widely used. If the majority of systems were using Linux, malware authors
would simply adapt to write malware targeting Linux instead.

[1]
[https://nvd.nist.gov/vuln/detail/CVE-2016-7117](https://nvd.nist.gov/vuln/detail/CVE-2016-7117)

~~~
devrandomguy

      all software is vulnerable
    

This is false, and spreads FUD. It does a great disservice to those who do
meticulously maintain their systems, to those who sacrifice convenience and
beauty for stability and security, to those who take the time to scrutinize
other people's work. It is possible to build and deploy secure software.

Linux dominates the datacenter; we are a high value target, and have been for
quite some time now.

~~~
wu-ikkyu
>It is possible to build and deploy secure software.

By secure, you don't mean 100% secure, do you?

~~~
devrandomguy
I mean secure as in, when the last of that product line's devices have retired
or died of old age, there have been no successful exploits against that
product.

~~~
wu-ikkyu
Has there ever been such a product? What about exploits on the
software/hardware underlying the supposedly secure software?

~~~
devrandomguy
Critical devices should either be simple, or they should run open source
firmware. If governments had required the ability to audit the IC designs that
go into medical, military and national infrastructure equipment, then we would
now have open source ICs.

I am seeing an incredible resistance to this idea of increasing the
situational awareness and capabilities of the people who provision and
maintain large deployments. Perhaps it is too soon to propose solutions.
Perhaps, today, we should just express solidarity with the victims, and try to
warn operators of unaffected, but vulnerable systems to temporarily take them
offline.

My apologies to those that I have offended. As a software developer who has
struggled for years to articulate the need for transparency and simplicity in
our systems, I feel very frustrated right now.

------
anigbrowl
I do not believe that attacks of this scale or coordination are undertaken by
private actors. This is warfare; it just isn't kinetic yet.

------
jansho
From the Guardian:

_"He adds that the fear is that the ransomware cannot be broken and thus
data and files infected are either lost or that the only way to get them back
would be to pay the ransom, which would involve giving money to criminals."_

The new terrorism.

[https://www.theguardian.com/society/live/2017/may/12/england...](https://www.theguardian.com/society/live/2017/may/12/england-hospitals-cyber-attack-nhs-live-updates)

~~~
pveierland
How is it terrorism if the purpose is to get money?

~~~
jansho
I meant it in a more general way: a group of horrible people taking over a
core function of society and saying "If you don't do x we will do y." And they
will actually do y.

As you may have gathered, my original statement is more eloquent.

~~~
civilian
It isn't more eloquent, because it's wrong. Wouldn't saying: "The new mafia."
or "The new shake-down" be more accurate?

Terrorism is done for political reasons and often involves things that involve
putting fear into the populace. Your general "If you don't do x we will do y."
statement does cover terrorism, but it covers terrorism because it covers _all
kinds of threats_. So I suppose what you really meant was: "The new threat."

Words are important :]

~~~
jansho
Ah sorry, I got it wrong twice.

But you got me thinking again: because this ransomware is targeting the
infrastructure itself (national healthcare service) isn't this playing with
fear too? If I was in hospital, or my friends/family, I would be acutely
paranoid that medical devices will go wrong, medicine administration will go
wrong, the A&E will go bonkers et cetera. I've worked in healthcare before, and
this kind of domino effect is very easy to believe in.

(Funnily enough, my old organisation was making a fuss about upgrading from
Windows XP just last year. A lot of my colleagues complained that this was
hardly a priority)

~~~
civilian
Hmmm, that's a fair point. And now I'm wondering what my primary care's last
security report turned up. There are also some things that I still haven't told
my doctors-- because I really don't believe in their ability to not disclose
it somehow. And I want to remind everyone that you will pay for computer
security no matter what--- you can either pay for it upfront, or you can pay
ransoms in the future.

