
Police chief: “Paying the Bitcoin ransom was the last resort” - edward
http://www.msn.com/en-us/news/technology/police-chief-%E2%80%9Cpaying-the-bitcoin-ransom-was-the-last-resort%E2%80%9D/ar-AAaBz50
======
MichaelGG
CryptoLocker is amazing. I find the reactions to it so intriguing. Because
before, viruses would just delete your data and let you know you were screwed.
Game over.

Now, they delete your data, but offer a quick time-rewind to undo the damage.
$500 seems like a not-so-bad deal, and if the data was deleted instead of
encrypted, I would imagine you'd pay more than $500 to send it to a recovery
shop.

So really, it's just doing a good job of teaching users about data loss,
without actually forcing them to lose data, just a bit of money. That seems
like an overwhelmingly good bargain, overall. _Especially_ if it gets someone
to make backups before they suffer a hardware failure that truly renders the
data lost.

And terrorists? Wikipedia indicates "Russian hackers". I suppose you can
stretch terrorist to cover that but well, that's just being dramatic.

~~~
notahacker
If someone kidnapped your child and asked for a ransom, would you consider it
an "overwhelmingly good bargain" because you'd get them back and they wouldn't
talk to strangers in future?

There is _nothing_ novel about extortion, even on the internet, and it's not
defensible as "doing a good job of teaching users about data loss"

~~~
jbob2000
Your metaphor is a little flawed. It's more like allowing a random person off
the street to babysit your child then they kidnap them. You could have avoided
the whole situation by not allowing some random person into your home.

~~~
notahacker
If you consider opening email attachments that appear to be pdfs from
legitimate sources (and only backing up occasionally) to be a comparable level
of negligence to offering your children to anonymous strangers, perhaps. No
amount of victim-blaming justifies the original poster's assertion that it's
an "overwhelmingly good bargain" though.

------
rikkus
"The Tewksbury Police Department chief told its local newspaper, the Tewksbury
Town Crier that those who infected the computers in early December 2014 were
"terrorists.""

None of the definitions of terrorism I can find would describe this. Exaction,
perhaps? Is there a better term?

~~~
ppod
Text of the patriot act definition below. As much as I hate the Patriot Act,
its terrorism definitions do a pretty good job I think, but B(ii) seems a bit
redundant given B(iii). Note that it's A && B, not A || B.

“(5) the term ‘domestic terrorism’ means activities that—
(A) involve acts dangerous to human life that are a violation of the criminal laws of the United States or of any State;
(B) appear to be intended—
(i) to intimidate or coerce a civilian population;
(ii) to influence the policy of a government by intimidation or coercion; or
(iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping; and
(C) occur primarily within the territorial jurisdiction of the United States.”

------
laurencei
This raises so many questions. The 3 major ones that come to my mind are:

1. How is security on a police server so bad it can be infected with malware
in the first place?

2. It sounds like they didn't have (good enough) backups, where they could
just format the server and restore the data.

3. Doesn't this mean that all the data on the police server is effectively
compromised? i.e. the hackers could have made a copy before encrypting - so it
is likely the data is breached?

~~~
fletchowns
It's a small town police department. They just don't have the resources to
properly address those aspects of IT. I worked IT helpdesk for an affluent
city of 70,000; you would be surprised at all the ancient equipment they were
still using.

~~~
kbart
It's not that costly to hire a smart high school kid to handle the basic
security, such as backups and virus/malware prevention. It probably would have
been enough in this case. Of course, such means won't protect against targeted
attacks, but I doubt small town police departments are in a high risk of that
anyway.

~~~
MichaelGG
Do these programs lie in wait, hoping to wipe out all backups? Otherwise a
weekly USB-drive backup would probably have been enough protection.

~~~
thaumaturgy
Please, don't call "manually copying files to a USB drive once a week" a
"backup", that's something we have to educate people on and it's frustrating.
I know you didn't mean it that way, I'm just trying to combat the spread of a
bad idea.

CryptoLocker doesn't lie in wait or try specifically to target backups.
However, it will hit shared network drives; basically, anything that Windows
has mounted as a drive letter at the time of infection can end up getting its
files encrypted. (And I'm betting that's how the police department's file
server was affected -- it wasn't the point of infection, it was just a shared
network drive.)

CryptoLocker bets on most Windows users not having reliable backups, and it's
usually right. This is one area where Mac users often have no idea how good
they have it; there is simply nothing in the Windows ecosystem that is as
simple, reliable, and complete as Time Machine, at any price.

~~~
1wd
What's the closest thing to a simple, reliable and complete backup system for
Windows?

~~~
tempestn
A combination of Crashplan, configured to backup all file types in any
directory where you have irreplaceable files (generally your user folder
should suffice), and a full disk imaging program. I use Macrium Reflect, as
it's free and for me has been more reliable than Acronis. Run Crashplan
continuously and image weekly or so. Even monthly would probably be fine,
since Crashplan's incremental backups save you from any data loss. More
frequent is just more convenient for restoration.

~~~
thaumaturgy
Your answer's better than mine, I kinda half-assed it.

I don't know if Macrium made it into our last round of backup software evals,
and we're overdue for another one anyway (and not terribly happy with
Acronis).

Anything about it you don't like?

~~~
tempestn
Only that it doesn't support Acronis-style incremental images. So imaging
takes more time and space. It also (last I checked) doesn't provide a way to
automatically delete old images (but that's easy enough to script). It does do
full images very quickly and reliably though, which is worth it for me. I
tried for a long time to like Acronis. Even submitted several bug reports. But
I had no end of problems, and even aside from the annoyance and wasted time, I
don't want to trust a program with such quality control issues with my
backups.

------
toxicFork
I'm not an expert of CryptoLocker but at this point I would just format the
computer and assume all data is stolen and gone already, then deal with the
consequences and train my employees about computer security a bit more.

It's not like someone has a physical thing in their hands and is willing to
give it back if the ransom is paid. That is a bad situation as well, of
course; but I find this to be worse.

~~~
kbart
You can't simply delete police records, it's not your home computer with cat
pics. According to the article, these files were pretty important:

_"the infected computer contained a significant amount of police data,
including its "Computer Aided Dispatch, records management, arrest logs, calls
for service, [and] motor vehicle matters"_

~~~
tribaal
If they were pretty important I would make sure they are backed up in the
first place.

------
rodgerd
I am more disturbed that they don't have access to rolling snapshots and
backups that would let them restore and ignore.

~~~
toxicFork
From what I have seen in most countries I have been in, it is very safe to
assume that most of the offices (including government or small businesses) do
not have very good practices nor training regarding digital content or
software security.

~~~
patio11
Yep. This is also true about large companies and software startups. Pick any
group of savvy technologists you want, then on the morning of their A round
take the CEO's Macbook and throw it into the river. That should be a
non-event. It is not.

~~~
thaumaturgy
And even people that think they're covered sometimes turn out not to be.

"But I have a NAS with two hard drives and all my files are on it. That's my
backup."

"Yeah, the company that set it up did it wrong. Your files were spread across
both drives, instead of copied to each drive. When one of the drives failed,
all of your files went with it."

"..."

True story.

~~~
mnw21cam
Repeat after me: RAID is not backup.

~~~
pbhjpbhj
RAID 1 (or say RAID 1+5) sounds like a [local] backup to me - what am I
missing? Are you just saying local backup is insufficient or is it something
less obvious?

~~~
thaumaturgy
RAID (of any kind) isn't a backup because it doesn't store previous versions
of files. For example, if your RAID 1, 5, 6, 10, etc. array is attached as a
Windows shared network drive -- which is not uncommon -- then CryptoLocker can
find it, silently encrypt every single .doc, .pdf, .jpg, etc. file on it, and
you're still boned because you don't have a copy of those files before they
were changed.

Less dramatically, sometimes people make mistakes, like editing a document,
then fat-fingering a mass deletion in the document during the save process and
not noticing it until a month later. Again, RAID doesn't protect you from
that, but a proper backup system does.

And finally, it's not unheard-of for RAID systems of any kind to just fall
over. Even a RAID 10 is a whole lot of redundancy all running on a single
drive controller; if that drive controller does something very silly -- and
I've seen it happen, we've personally shipped systems to data recovery outfits
for this -- then you can end up with garbage on all of your drives.

There are two different concepts at work here. "Redundancy" and "High
Availability". RAID uses redundancy, but it belongs under "High Availability"
-- it's a system that's designed to still be mostly available even if it
suffers a hardware failure. But strictly speaking it does not provide for
redundancy of your data.

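An added example (not code from any poster or product in this thread) that makes the point above concrete, and also covers the old-image cleanup tempestn said is easy enough to script: a snapshot backup that keeps previous versions of every file (unchanged files are hardlinked to save space), a RAID-1-style mirror that only ever holds the current bytes, and a retention prune. All paths, stamps and file contents are constructed for the demo.

```python
import os, shutil, tempfile
from pathlib import Path

def snapshot(src: Path, root: Path, stamp: str) -> Path:
    """Copy src into root/stamp; a file unchanged since the newest snapshot is hardlinked, not duplicated."""
    prev = max((p for p in root.iterdir() if p.is_dir()), default=None) if root.exists() else None
    dest = root / stamp
    for f in (p for p in src.rglob("*") if p.is_file()):
        rel, out = f.relative_to(src), dest / f.relative_to(src)
        out.parent.mkdir(parents=True, exist_ok=True)
        old = prev / rel if prev is not None else None
        if old is not None and old.is_file() and old.read_bytes() == f.read_bytes():
            os.link(old, out)        # unchanged: share storage with the previous version
        else:
            shutil.copy2(f, out)     # new or changed: keep a fresh copy alongside the old one
    return dest

def restore(root: Path, dest: Path, before: str) -> str:
    """Restore the newest snapshot whose stamp sorts <= `before` (ISO dates sort correctly)."""
    names = sorted(p.name for p in root.iterdir() if p.is_dir() and p.name <= before)
    if not names:
        raise FileNotFoundError(f"no snapshot at or before {before}")
    shutil.copytree(root / names[-1], dest, dirs_exist_ok=True)
    return names[-1]

def prune(root: Path, keep: int) -> list:
    """Delete all but the `keep` newest snapshots (the retention job tempestn mentioned scripting)."""
    snaps = sorted(p for p in root.iterdir() if p.is_dir())
    doomed = snaps[:-keep] if keep > 0 else snaps
    for p in doomed:
        shutil.rmtree(p)
    return [p.name for p in doomed]

def demo() -> dict:
    """A mirror (RAID-1 style) follows an in-place overwrite of the share; the snapshot chain does not."""
    work = Path(tempfile.mkdtemp())
    share, mirror, vault = work / "share", work / "mirror", work / "vault"
    share.mkdir()
    (share / "arrests.doc").write_text("arrest log, original")    # constructed sample file
    snapshot(share, vault, "2014-12-01")
    (share / "arrests.doc").write_text("<unreadable ciphertext>")  # simulated in-place overwrite
    shutil.copytree(share, mirror)                  # the mirror only ever sees the current bytes
    snapshot(share, vault, "2014-12-08")
    used = restore(vault, work / "rec", before="2014-12-07")
    return {"mirror": (mirror / "arrests.doc").read_text(),
            "restored": (work / "rec" / "arrests.doc").read_text(),
            "from": used, "pruned": prune(vault, keep=1)}
```

The mirror holds only the overwritten bytes, while the snapshot taken before the change still restores the original; the prune afterwards shows why retention must keep at least one snapshot older than the damage.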
~~~
pbhjpbhj
Ha, lol, yes mirroring rather than backup. Have made the same comments as you
per dropbox. Mirroring, eg RAID 1, provides some hardware redundancy; it's an
entirely incomplete backup that is easily made useless. It's more like having
a spare tyre when what you really need is a spare car.

Point entirely accepted but I can't help feel there is a deficiency in the
language here - a hardware failover is a backup of a sort; it's not a
sufficient backup to address even most potential failures.

~~~
thaumaturgy
Yeah, and ordinarily I'd happily agree with you and not take a militant
"raaaaaahh that's not a backup" stance, 'cause you're right, it is a backup of
sorts.

Unfortunately, for a lot of people, especially computer novices, "backup" is
confused with "absolute guarantee against data loss", which forces me to
occasionally say things that aren't 100% true in an engineering sense. If I
say, "Well, RAID is kind of a backup, but...", people seem to stop listening
just before "but".

~~~
pbhjpbhj
Thanks, you took the right approach!

------
captainmuon
I wonder if there is a way to come down with the full force of the police &
surveillance state on this. I mean it has to be good for something....

For example (and I'm just making this up): If the malware contacts a server,
send a rapid response team there. Find out where the data goes next, repeat.
If they make it a national security or terrorism issue, they would have the
cooperation of many western/interpol states (at least Europe, Australia and
Canada). I also can't imagine that it's in the interest of the Russians to be a
host to this kind of crime, so you might get them to cooperate, too.

I realize that this is complicated through the bitcoin protocol (if the
malware doesn't communicate back in any other way - although it has to get the
key from somewhere). But in an age where GCHQ can record all traffic in and
out of the UK for a day, it shouldn't be beyond their technical reach to
monitor all bitcoin transactions passing through their nets in real time. A
transaction from/to a tainted wallet was issued from your PC? Expect a SWAT
team in 10 minutes at your door.

Of course this would be grossly undemocratic, complete overkill, and create
huge collateral damage. But I believe the capabilities for such a crackdown
are almost there. And if criminals start targeting infrastructure and law
enforcement (and don't just "accidentally" attack them), something like that
might happen.

------
atYevP
Yev from Backblaze here -> Isn't that crazy? I've written two blog posts about
Cryptolocker, and how you can use a backup system to defeat it (just wipe the
machine and restore from a backup). The cryptolocker virus is definitely
pretty amazing from a virus perspective. It turned the virus world on its head
a bit. Still defeated by having a good backup strategy though!

------
kwhitefoot
It should be illegal to pay.

~~~
pbhjpbhj
Wouldn't that just pan out as a tax on payments - or do you propose
imprisoning people who don't have backups and want their data back?

~~~
kwhitefoot
Paying an extortionist only makes it easier for the extortionist to continue.
The same with kidnapping. In some countries it is in fact illegal to pay a
ransom.

