The police have received over 13500 crime reports already, so this may well become the largest Finnish criminal case in history in terms of number of victims (Finnish source: https://www.hs.fi/kotimaa/art-2000006702261.html).
Though I don't think it is yet known how many of those crime reports concern blackmail, unauthorized data release, or other crimes related to the data breach.
> Vastaamo board fires CEO, says he kept [a previous] data breach secret for year and a half
> [The CEO's family] owned the company until it was bought by Helsinki-based private equity firm Intera Partners in May 2019, not long after a second breach of the psychotherapy provider’s data security systems.
To be fair, it doesn't actually wreck the company, it just front-runs other vultures by selling a bullshit turnaround narrative to obtain management status and get first pickings.
It's the white collar equivalent of walking out the door of a dying company with the chairs and coffee machine -- so, naturally, a thousand times more destructive and a thousand times less illegal.
Sounds as if private equity firms that buy a startup, often cause damage to the startup?
How does that work? I don't totally understand the chairs and coffee machine analogy
> selling a bullshit turnaround narrative
Does that mean that the PE firms pretend the startups are doing a lot better, than what they actually are? So that the PE firm gets to sell the starup to someone else who pays "a lot too much" money?
> to obtain management status and get first pickings
What does that mean? A PE firm having management status? I'm thinking individual people have management status does it mean that the PE firm appoints some of its own people as managers / CEX:es?
> Does that mean that the PE firms pretend the startups are doing a lot better, than what they actually are? So that the PE firm gets to sell the starup to someone else who pays "a lot too much" money?
I think typically not. That scheme is referred to as a "pump and dump" (buy a position in a company, greatly exaggerate it's value, then sell while the price is high, although you typically would do it with shares, not actual ownership of the company). I would imagine the people that play in this space could see the blood in the water. Plus the firms that do it are rather notorious, you'd want to do some serious thinking before paying them anywhere close to full price for an asset.
I'm not an expert, but from what I've gathered, they typically buy these companies, saddle them with as much debt as they can (which they then funnel into other ventures), liquidate anything worth selling (intellectual property, manufacturing facilities, etc), and then let the company crash into bankruptcy because it was already failing, and now it has tons of debt and nothing of value.
> What does that mean? A PE firm having management status? I'm thinking individual people have management status does it mean that the PE firm appoints some of its own people as managers / CEX:es?
It means they own the company; the PE firm is effectively the board of directors. I don't know what portion of the C-suite they typically replace. My offhand guess would be the CEO and CFO at the very least, to keep a tight hand on the purse strings. At this point, I doubt the rest of the C-suite matters much, because they plan on running the company into the ground. You probably don't have a ton of use for a CIO or COO in a company you don't expect to exist in a year (although I could very well be wrong).
The individual people with management status are also largely irrelevant. The plan is to leverage the corporate structure for profit, not the corporation itself. All the profit they want to extract comes from high level plays like selling IP and shuffling debt around; mid-level managers are basically just there to make sure that the company hobbles along long enough for the firm to extract maximal profits, which isn't very long.
Hopefully that's close to the truth; it's what I've picked up from other HN threads. I'm not a finance person so I don't know/understand the exact instruments used. Also, fair warning, since I'm basically just parroting information I've gotten from HN that I don't feel like I really understand, I've probably picked up whatever biases for/against PE firms were in those threads. It doesn't sound particularly vicious to me, which makes me think that either I don't fully understand the picture either, or that HN just really doesn't like PE firms (maybe for killing off what they saw as viable startups?).
If I myself understand correctly, there was a previous breach that the CEO covered up in advance of the takeover, which is being viewed as potential fraud
I don't quite understand how private equity is to blame here. The data breach happened in a start-up, before the acquisition by a private equity company, and the CEO and other start-up stakeholders withheld this information from the equity firm.
Yes. And also possibly a rather serious breach of due diligence revelation requirements in the acquisition process, which might constitute either a serious fraud, or specific securities trading crimes that carry penalties of several years in prison.
Nearly 10 M€ worth of assets of CEO and his parents have been frozen as a precautionary measure.
However, we cannot really know if that was the case. We have no guarantee that the message board poster even is the person behind the blackmail, and moreover, even if it is, this might be just about muddying the waters to cover what actually happend - for instance, if it was an old-fashioned stealing of data by a disgruntled employee.
Decades ago one of my first jobs was as an IT bod for a regional health service.
One of their facilities was an family psychiatry centre. The staff there refused to let their records be held centrally, and instead had everything on clunky PCs bolted into lockable safes in the corner of each doctor's office. When the safe opened the keyboard slid out.
The doctor in charge had also built their own database that they used. Early adopters, before the rest of the health service was modernizing with newfangled computer thingies. Clever people, those doctors.
IMO this is terrible advice. What happens after a decade when some or all of the desktops are way out of date? Are the doctors diligent about patching them? All of the doctors?
Likely the situation they’ll end up in is a bunch of old computers running outdated software that all ends up being a massive security threat. Let’s say in 2005 one of the doctors wanted to video chat with their kid, and the kid tells them to download teamviewer. Chances are, 15 years later in 2020, that 2005 version of teamviewer is still going to be on that computer. I know this because I work in a psychiatric research institute (though not in IT) and this kind of stuff happens all the time. It’s not everyone, but in this case the weakest link breaks the chain.
I suppose that as long as a computer lacks any network interface card, it's comparatively safe, compared to most organizations today?
@willvarfar,
About the safes — did they expect (or worry about) someone to breaking in, and power on and try to access the computers? Or/and was it to protect against "insiders"? (say, someone in the staff got bribed, or a janitor or some other 3rd party person?)
I wonder how they got data out from those computers? If by connecting to a printer, to print on paper, then, was that via a cable? Was the printer connected to any network? Hmm but you wrote that this was before the Internet, so, then, maybe only an intranet? and no wifi, only cables?
Maybe they copied data in text files on floppy disks?
What do they do instead nowadays, if you happen to know?
> The very real threat were people trying to locate young victims taken into care etc
Who are the people who want to do such things? Was it the same underlying reason as this time — extortion and making money? Or something else? If it's okay to ask / if you happen to know
The 'safes' were really just very sturdy cabinets designed to house a PC and a dot-matrix printer etc. I'm sure they weren't fire-proof but they were really heavily built. They did have power and network cables entering, obviously.
There was a netware server in back of a cupboard. It backed up nightly to DAT tapes. That room was also properly locked.
When children are taken into care, the abusers are strongly motivated to try and contact the child to intimidate them into remaining quiet. Etc. Its uncomfortable to think about that side of things.
Thanks for explaining. That last thing — yes that sounds uncomfortable to think about.
Hmm network cables, decades ago — I suppose that back then, hacking over the Internet wasn't really a thing, (?) so I suppose that wasn't much of an issue. Or maybe it was a local network only (for backup)
And yet a compromisation is still far more unlikely than hosting it on the next shitty cloud application. Any cloud application and a threat analysis on data will reveal exactly that. And it won't even be close.
this sounds about a thousand times more secure than a state of the art cloud solution, because the physical isolation (even with outdated software) is so robust.
I think whether it's a local optimum vs. a global optimum can be debated, but to call it "terrible advice" is way off the mark.
Another option is to go live in a forest and not use any of the digital tech at all. But that isn’t a smart solution if you’re doing all of this only not to get hacked.
PS: let’s say a patient in that clinic wanted to move their history to another clinic. Are they now supposed to pro-rata their surgeon just to get the information from that custom-built database? That is incredibly expensive; and no matter how smart that surgeon is that database is almost certainly not that much more secure than off-the-shelf solution.
As the husband of a Marriage and Family Therapist operating in NYC and upstate, I can tell you that most client notes are still done on paper, and locked away. My wife's notes are either locked in a "safe" at her office (heavy time-locked door to a room, with locking file cabinets) in the city, or in a small locking fire-proof file safe at home.
Really the only things that get computerized are the things required by insurance (diagnosis and treatment plans).
But notes are highly personal to the therapist, and can include any number of on-topic or off-topic , and it is rare even under subpoena to release your personal notes. Her office has a lawyer on retainer who's only job is to quash subpoenas. She's never had one served to her, and I dont know if any of the other clinicians have.
But back on topic - though, I'm 90% sure the clinicians at the psychotherapy clinic in GP's comment probably had the same thing. They would take paper notes, and only digitized what they needed to digitize, and most of those digitized records are non-transferable anyway, because they would be diagnosis and treatments for that patient/client provided by that clinic, and if a clinician left, and was allowed to take clients/patients to their new practice (sometimes allowed, but often times not), the clinician would take their personal notes with them.
In the US, that's actually the way it works. HIPAA laws are very strict.
When I change doctors, I have to go around to all my prior physicians, and get hand-signed releases delivered (if I'm lucky, they will accept a fax). Sometimes, the records are physical papers.
I still have all my old MRI and CAT pics (long story).
Down side is some years ago I got badly injured.
I was unable to get my own records. I was not mentally competent during it, and I could not get assistance. So I failed to get disability, even though I had excellent coverage.
Eventually recovered, have a ton of notes and instructions in place on who to talk to and how to gather all the correct documents in case of a future episode.
With MyChart it's fairly simple to get health care summaries here in Canada (Toronto at least), but I still have to go t through the rigamarole for my images and getting them around to other caretakers. I should have done that last week actually...
This is so insane and so tragic. The anguish these people are going through right now is unconscionable. And the people doing this are truly the scum of the earth.
It also raises the question whether certain records just ought not to be digitized, ever. I saw a therapist a few years ago. I asked her at the start, while reviewing her Ts&Cs, about the service she used to store her client data. It was a very secure online service, she assured me. Yeah right, I thought. I asked her to keep my records on paper in her locked filing cabinet instead, and she agreed. I would really recommend the same course of action to anyone.
My spouse works as psychotherapist. She has ever only used pen & paper for patient notes for exactly this reason. No digital service is unhackable, and the cases where you would actually need to access patient notes in electronic form are quite rare.
Sadly this is no guarantee as the news is replete with stories of people finding medical records in trash or abandoned in close facilities.
However since no system is perfect laws have to exist to prevent the information from being used by others except as how authorized by the law; examples would be preventing prospective employers from using it to filter candidates, housing agencies would be similar restricted. The same law would put in place a means to force it to be removed from any site hosting the information.
The key take away is we cannot guarantee full protection but we minimize the damage caused
It also vastly decreases the feasible number of attackers. Digital records means you are vulnerable to criminals globally, particularly ones from places that don’t care so much about US law. Paper records in the trash are vulnerable to an extremely localized threat.
Yeah, but what's the scenario where isolated medical records put in trash turn into a massive extortion scheme like this?
It even turning into a small-scale extortion scheme seems unlikely. Records are in trash AND someone finds them in trash in the relatively brief period before they wind up landfilled or incinerated, AND they decide to take them and track down the people who they belong to for purposes of extortion? I mean, sure, it could happen, and it's not a good thing for medical records to be in the trash. There are no "guarantees".
Physical records are clearly much much lower risk though.
Many therapists don't write names in their psychotherapy notes, and instead use initials, and store them separately from records that require identifying information. It could be possible, but difficult to identify people from these records -- certainly not on a large scale like has happened here.
Agree on this point. Some computers just should not be internet connected. Security is the wild west right now and isn't going to be fixed any time soon.
That would help, but metadata is a powerful thing. The relations, tendencies, and activities of someone, particularly the kind of notes (I imagine) are kept for therapy subjects, would be a treasure trove even with some subject indirection.
Unfortunately you need surprisingly little data to uniquely identify someone. For example, sex, date of birth, and zip code can uniquely identify a large swath of the general public.
A funny piece of advice, I have an actually very good friend (we still are, but at a point in history our relations became a bit dark) who knew that I was going into therapy. I didn't actually accept the fact that I had to go well, and I felt ashamed and weak when we talked about it. Little did he knew, in the meantime I got much better, accepted the fact and started freely speaking about it with other people here and there. Not when not asked, but when the topic of mental health came along, I wasn't shy to expose the fact and encourage people to seek their own. And in one relatively big dispute (minor from this distance), he kind of tried exposing it against me in front of some mutual friends who actually already knew (I told them in the meantime). Well, he looked like massive jackass.
In conclusion, don't be ashamed for seeking therapy. Yes, it may feel shameful now, which is completely unwarranted, but a part of the process of healing is also dealing with the existence of the issue itself and taking a different stance at mental health issues.
My therapist addressed the stigma of therapy in session one: when your arm is broken, you go to a doctor. So why wouldn’t you go to one when your mind is broken? Makes sense to me.
Therapy was the best $20 co-pay I paid every week for quite a while. I only stopped because I moved to a state where mental health wasn’t covered well by insurance and couldn’t justify the hourly rate in cash. But it really helped me find perspective in the minutia that is my life.
I’d highly recommend it to anyone that can access it. Find a good therapist and give it a go.
Also, I second your call for blackmailers to rot. :)
At least in the US where I am, there is a strong stigma attached, and if people know you have mental issues you are assumed to be dangerous. Not surprising, I suppose, in a society that guarantees access to weapons of mass murder. But people won't let you near their kids, and you probably would have trouble finding a job.
I've never been anywhere near the US, but from my exposure to US media (TV, movies, podcasts, news, socials, ...) as well as some US friends my impression was that at least half of the population goes to therapy and a big part of those are on some antidepressants. So I'm surprised that's still a stigma if it's essentially the norm for anyone who can afford it.
I'm not sure it's the access to weapons that makes a whole lot of difference. Certain events in the US come first to mind when you mention it, but where I live there is practically no weapons readily available, even certain air rifles being regulated. You can't even buy ammo without approval yet people still fear of being harmed from a "crazy person". People equate any issue with aggression, delusions, dark secrets while in reality in most cases it's more likely to be things like hypochondria, insomnia, family relations, coping with loss of loved ones etc.
I've never gone to therapy but have always thought that in an ideal world everyone would go, from time to time. People go to the gym to keep their bodies fit and healthy, why not go to a therapist to keep your mind fit and healthy?
There is a Philip K. Dick short story where practically everyone does. I don't remember its name. The topic of therapy commonly came up in his short stories and novels.
I am not ashamed of seeking therapy, and am pretty open about it with anyone, although I respect anyone that wants to keep it private.
I still would definitely not choose to share the NOTES FROM MY THERAPIST of private things I said to them -- if I'd ever choose to share that with anyone (maybe not), it would certainly not be with the public at large, with anyone who cares to look it up at any time.
It's not just an indication that someone went to therapy that the blackmailers are revealing and threatening to reveal. It's a very different thing. I would expect most people who are public about having gone to therapy (like the people interviewed in OP) are not in fact fine with sharing the complete notes of everything they said in therapy with any interested acquaintance or member of the public.
Haha, I send him there a couple of times every week for the last 20 years.
It was much more benign and the people we were with are fairly close to both of us. We wouldn't quarrel in such a way in front of them if they weren't. But it was heated at that point, and a learning opportunity for both of us.
Yet another instance of "if you're not doing anything wrong, you've got nothing to hide" being a very poor argument against robust privacy protections.
Ah yes, the notorious bitcoin that stole this data and extorted people. Curse this troublesome software that has gained sentience wreaks havoc on the world.
>Ah yes, the notorious bitcoin that stole this data and extorted people. Curse this troublesome software that has gained sentience wreaks havoc on the world.
I see this exact argument -- almost word-for-word -- applied to guns.
I don't presume to know anything about you personally, nor about your political opinions, but I've encountered many west-coast, left-leaning, tech-industry professionals support $TECH on the basis of individual responsibility, whilst simultaneously opposing guns due to their potential for misuse.
What this tells me is that the "X isn't good or bad, it just depends on who's using it" argument is weak. It's weak in the sense that it doesn't capture the nuances that might make someone support bitcoin, but not guns.
(Again, I don't presume to know your thoughts on gun-ownership. I'm making a more general point.)
You don't have to "think" whether it "changes anything". You just have to observe that yes, in fact these problems did not occur on such a scale before cryptocurrencies came along, and given their obvious role in the process, Occam's razor would suggest they do change things unless proven otherwise. At which point one would want to examine the problem more deeply, which thankfully others have and which you can Google, to see exactly what role cryptocurrencies play. For example you might want to read: https://cointelegraph.com/news/the-role-of-cryptocurrencies-...
What you say is untrue. Black hats have done things on this scale for as long as this scale has existed.
RATs, malware, spam, ransomware, scareware, worms, all this existed in the largest scale possible before the advent of crypto currency.
Doxing, messing with people, leaking sensitive files, pictures and other media, has existed on massive scale before crypto currencies.
It's the scale of the internet itself, and the amount of money involved, and the fragility of connected systems, that has lead to the increase.
I'll grant that cryptocurrency adds even more of this badness. It's definitively increased the number of bad actors. But this is not the driving cause.
Their 'obvious role' is only a role for some actors. Not everyone is financially motivated.
It's also easily measurable, the revenue of a ransomware-as-a-service group (this exists) is an easy jaw-dropping number to display.
But that number does not capture the damage done by actors not financially motivated. Hell _the_ largest and _most_ devastating attack ever was not financially motivated at all. I'm of course talking about NotPetya. Whose damage and impact easily dwarfs that of the financially motivated ransomware groups.
True! But then again, some arguments lend themselves to inconsistent application, usually because they aren't precise enough.
What I'm getting at (albeit awkwardly), is that I wish your argument included some notion of threshold. At what point do you consider the potential for misuse to be so extreme that the technology should be banned? If you don't address this point, you sound unreasonable to many.
The point I meant to address here, is that Bitcoin is incidental to this crime. The criminals stole data and blackmailed people. Bitcoin didn't do that. If Bitcoin didn't exist, criminals would still steal data and blackmail people. Blackmail existed long before Bitcoin. Perhaps it's marginally easier because of Bitcoin, although accepting your payment for crimes via a system where all transactions are public record doesn't seem that smart to me, but whatever.
Banning things doesn't stop criminals from using them. It doesn't even stop many otherwise law-abiding people. Many of the people who support banning guns are able to recognize that banning drugs doesn't stop people from using drugs and banning abortions doesn't stop people from getting abortions, so why should banning guns stop shootings?
If you want to stop people from doing something, you need to figure out why they're doing it and remove the reason that causes them to do it. The existence of guns doesn't cause people to shoot up schools. Likewise the existence of Bitcoin doesn't cause people to blackmail. If it's not the cause, then removing it can't remove the effect.
> If it's not the cause, then removing it can't remove the effect.
You’re confusing “root cause” with “causal”. Guns do “cause” murder insofar as they facilitate the act of killing. The same argument can be made for Bitcoin facilitating blackmail.
Whether or not banning either technology is a worthwhile trade off is debatable, but an effectively enforced ban is unambiguously effective.
Facilitating is not causing. These are two different things.
Just about any object can facilitate the act of killing. A car, a bowling ball, a swimming pool. Do these things cause murders too? That's not how causation works.
A car can facilitate going to the store. Does the car cause you to go to the store? Of course not. You go to buy the thing you needed. The car is just a means.
Facilitation is literally a mediator or moderator in an effect. It is not a root cause, but it is part of the causal chain. As such, acting upon it can reduce the effect.
Simply put: an effective crackdown on guns, cars, snowballs, scissors, and Bitcoin can absolutely reduce the associated downsides. The question isn’t “is it effective”. The question is “is it worth it”.
The question is absolutely "is it effective". There's a reason we do root-cause analysis and five-whys exercises. If the source of the problem is not corrected, the problem does not go away.
If your basement is flooding from a burst pipe, maybe you can "reduce the associated downsides" by bailing it out. This doesn't fix the problem though, does it? You're actually prolonging and exacerbating the issue by not turning off the water from the source.
Temporary band-aids that address the symptom rather than the disease are not effective in the long run. They also often come with secondary effects and unintended consequences that create additional problems.
> Ah yes, the notorious bitcoin that stole this data and extorted people. Curse this troublesome software that has gained sentience wreaks havoc on the world.
I suppose you're also against NPT? Or do nukes gain sentience in your world?
Sure, nuclear weapons and crypto currency are the exact same thing and pose identical risks to the world.
Governments voluntarily agreeing to reduce their weapons is also the same as forcibly forbidding people from using a useful technology. Top notch analysis.
> Sure, nuclear weapons and crypto currency are the exact same thing and pose identical risks to the world.
> Governments voluntarily agreeing to reduce their weapons is also the same as forcibly forbidding people from using a useful technology. Top notch analysis.
Governments "forcibly forbid" their citizens from developing nuclear weapons. Similarly so for things far less dangerous than nukes because, you know, "less dangerous than a nuke" isn't exactly synonymous with "safe". I can't top your "top-notch analysis" though, so this will be my last reply.
Right, if we forbid one technology that's dangerous, we must also forbid any technology that could in any way be used in a negative manner, right?
Cars can be used to run people over, better forbid those. A hammer can cave someone's head in, better forbid that. People can drown in water, better forbid that too. After all, we wouldn't want to be inconsistent.
It's not like we would ever consider using any kind of judgement and conclude that the benefits outweigh the risks for some things. That's just silly.
You're complaining about criminals having anonymity in a discussion about privacy. The technology enabling bitcoin is cryptography itself. There's no putting it back in the bottle, and we'd still want it anyway.
We simply need data to be as well protected as the criminals can protect their financial transactions.
It definitely played a role, but so what? The ability to transfer money outside the control of the state is a good thing, and the fact that some people abuse that doesn't make it bad. Same as gun ownership.
> Is "the idea that people don't lose liberty because others abuse it" too difficult to fathom as a possibility?
Considering the billions(?) of dollars of damage that it has inflicted so far and the sheer number of lives it has ruined in the process... and the fact that probably >99.99% of people in the world would not attribute their "liberty" to anything related to Bitcoin... and that neither the regulation of money nor "liberty" were invented in 2009... yeah, it very much is...
I guess you're coming at this from a fundamentally different perspective; you seem to believe that enough of a problem justifies state intervention. You're arguing that it harms too many people, but I really don't care; it could have harmed ten thousand times the number of people and that wouldn't matter.
Bitcoin absolutely has legitimate uses, as I'm sure you know, but that's not really pertinent to the issue that the government doesn't get to tell free men what they may or may not do because someone else committed a crime. "Freedom creates opportunities for bad guys" is not an argument against freedom.
> the government doesn't get to tell free men what they may or may not do because someone else committed a crime
What world you live in?! In the one I know, the government absolutely does tell and has told people what they may or may not do with all sorts of things, including with financial instruments.
> You're arguing that it harms too many people, but I really don't care; it could have harmed ten thousand times the number of people and that wouldn't matter.
Wow!
Generally people at least pretend to care about other people and get a little concerned when it looks like their ideologies might burn the world to the ground, but I suppose it's quite... admirable(?) that you're absolutely brutally honest that you don't care about others...
Governments are important to protect freedom. I'm in favor of national currencies, but when it comes to the world wide web, and computers in general, I'm more comfortable with having a neutral currency not influenced by some people taking political decisions and deciding whether or not my savings can exist or not, or adding arbitrary technical limitations because of political reasons.
Projects like bitcoin are not a negative thing for regular citizens, the benefits outweighs the cons. You proposed earlier to make it illegal however, which means you're not okay with some persons having the option to control their currency in the digital space. Such opinions are the reason why bitcoin appeared in the first place, and why cryptography will probably be for a long time a beneficial tool to protect people, along with governments.
The fact that the government does that today isn't a justification for doing it.
I didn't say I don't care about others. I do value liberty higher than life, however. I don't think a cryptocurrency will "burn the world to the ground"...
Governments are allowed to stop people from harming each other - enforce pollution controls, chase down criminals, etc. They aren't allowed to tell someone he can't use bitcoin because too many bad guys use it too.
That's basically an anarchist point of view. If you can't outlaw anything no matter the harm it causes, then what's left for the role of government? "At least it's an ethos" and all, but that's not how any modern society operates.
No, it's not; maybe I didn't express it well. The government absolutely has a role in preventing harm and punishing those who cause it - if you pollute the atmosphere, the government can come after you. If you hurt someone, the government can come after you. But if you just own and use bitcoin, the government can't come after you just because some bad guy also uses bitcoin.
My point wasn't really to make an either-or argument, but if you really want me to: consider that if you agree cryptocurrencies are enabling these events, then removing cryptocurrencies would remove these events as bases for any other arguments you might wish to make.
Bitcoin is "pseudoanonymous", right? Am I wrong in assuming that state level actors would have the juice to deanon transactions? Like we suspect NSA and others have hacked tor?
Naive me guesses bad guys launder bitcoin thru banks beyond the reach of interpol and other agencies. That seems like a thin, easily pierced veil by any sufficiently motivated state level player.
I've watched some videos about money laundering for noob audiences like me. Based on some of the strategies explained, another notion occurs to me: use a herd of smurfs to launder the bitcoin into physical assets.
I was 100% serious. Your understanding is already correct. I'm not sure what else you're hoping to read; there's nothing for me to add. What you're saying is exactly the case. You can find lots of stories if you Google, e.g. https://www.sciencemag.org/news/2016/03/why-criminals-cant-h...
When asked during an interview for CNBC's recent "Inside the Mind of Google" special about whether users should be sharing information with Google as if it were a "trusted friend," Schmidt responded, "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
Which is proof positive of how boring Eric's sex life must be.
But seriously though, I've held a grudge against Eric ever since he uttered this completely absurd quote. He never backed away from it, because he didn't misspeak--he believes it.
In the twitter age and today's political landscape, the modes of privacy have been pushed to the rails. So even if you are only a minor celebrity, or whatever embarrassing episode you're caught in is viral, the gory details of every single part of your life could be blaring from a bullhorn on every street corner in milliseconds flat.
It's reverse insurance. With insurance, everyone pitches in so that no one is harmed irreparably. In this case, some people pay dearly for some (arguable) benefit to the collective.
It's interesting to read back over past discussion of this question.
Among the more interesting academics is Herbert Simon, and his 1977 essay "What Computers Mean for Man and Society" makes a strong case for the positive impacts of increased utilisation of computer technology. It also specifically discusses the privacy concerns, in one paragraph.
That, unfortunately for Simon's case, contains an egregious factual error, though one which may not have been known to Simon at the time:
The Nazis operated with horrifying effectiveness and thoroughness without the benefits of any kind of mechanized data processing.
Unfortunately, we're now very well aware that this was not the case. Not only did Nazi German prosecute the Holocaust with the extensive aid of mechanised data processing technologies, but they did so using American technology, provided and supported, with full knowledge, by IBM:
Edwin Black has documented this in his horrific book, IBM and the Holocaust (2012)
"I'm scared that I'll end up like the first 300 people who had all of their info dumped on [anonymity network] Tor, with people going through them, reading everything about their lives and abusing their info for identity thefts."
Also another good reason for people not to seek mental help, on top of being able to own a gun.
And with the recent rush to transition online, I hope this 2018 hack doesn't give the bad guys any ideas.
Another good reason to not go to Catholic confession or store your cash in the Panama paper's islands or go to a scientology session or store your credit information with equifax. Secrets have to exist somewhere.
Socially ostracizing people for leaked mental help information is like laughing at fat people who had their gym treadmill data leaked. That's where you go to solve your problems, data leak or not.
This location exists below the cranium or somewhere securely encrypted and private.
> Socially ostracizing people for leaked mental help information is like laughing at fat people who had their gym treadmill data leaked
And like that example it happens despite whatever ideal moral system we want to espouse (never watched AFHV?). Advising people to not seek mental health care because of social acceptance is a valid concern since the consequences are real and critical. In 1952 Alan Turing admitted to performing homosexual acts and was subsequently charged with gross indecency - he was punished for sharing his secret. What do you think would happen if someone pursued mental health care to resolve a deviance in 2020?
"Hello Bob, I'm quite happy you've come to seek help with your problem... but first constable Alice would like to have a word with you. Oh, and I'm afraid you won't be allowed to leave the country or own a firearm; plus I've already spoken to your employer and he "suggests" you take a permanent leave of absence to resolve these issues. No worries Bob, just doing my job! Hm? Your girlfriend and friends dumped you after finding out? That's a shame, Bob."
If you want to act like there are no downsides to these solutions then I'm afraid you're being particularly naive. By all means fight for the right to have these people not discriminated against but don't mislead people by suggesting that you've already won the war when you clearly have not. Some lack the fortitude and recruiting them through disingenuous advertising is unethical.
Some mental health problems are quite serious. People should own that by taking refuge in the mental health process. There is respect to be had in that path.
Are you saying that homosexuality is a mental health topic that Alan was trying to solve earnestly in private? I don't know what to say about legal acceptance of sexual choices and it's not the same thing as earnestly trying to solve a defined mental health issue, which is a legal act. A possible legal outcome for a lot of the behaviours in therapeutic secrets would be more therapy until healed.
I'm arguing that your secrets, especially if they're socially taboo, are best kept to yourself unless you are fully aware of the consequences. I'm against disguising mental health care as something inherently beneficial to the patient. If people are fully aware of what will happen to them then I have no problem, but there is simply not enough transparency in this process and some are lulled into a false sense of security by the advertising.
My point with Turing was that here was a man who lived a decent life up until he exposed himself to society, thinking that this society would help him solve an unrelated problem. In truth, society is only motivated by self-interest (of the collective) and sometimes having you live a decent life is simply not in its best interest.
You can't ever be fully aware of the consequences, and you can't keep every secret to yourself. Sure, take some to the death bed if you want, I think we should heartily defend the right to "make the mistake" of telling a secret to someone private and stand up for the horrible crime of seeking help in an isolating society. Nice name by the way, we don't all have the memory of a goddess to properly order our secrets in.
____
Okay I've skimmed your HN history for juicy secrets to make a point. You're a teenager who doesn't trust people (with some parts of yourself) and writes your secret emotions down on paper to send to fake people. You think a public psychological label is a life-and-death matter. You seem to think 'How to win friends & influence people' is an acceptable instruction book for manipulating people. So you are somewhat exposed already.
The point of therapy is to not need it anymore. If you have hang ups about it, or other topics, you should go there until you don't need to anymore. There is nothing inherently good or bad about having a socially approved and useful set of ideas to contain chaos.
The psychological disorders are like tools. They don't describe what you are, they are a useful label for closing up Pandora's box again and give people some relief from an unknown illness. Having a psychologist label you or anybody else as narcissistic, sociopathic or psychopathic is no more dangerous than being called a jay-walker. If you know what it means and what you are, then it's manageable.
There are some secrets that will get your life messed up. For every Turing, you have a Tom Cruise or the people who went to Epstein's island or whoever else has taboo secrets and still succeeds. There are not good or virtuous secrets and you are wise to be aware of their impact. The majority of secrets are uninteresting and commonplace.
You are referencing my comments without the proper context:
> who doesn't trust people
I do not trust people because I write in a journal? How is this incriminating? I don't find it any more peculiar than speaking to oneself or opening with "dear diary" -- as if those who address their text to something inanimate are any better. I fail to see any merit in this revelation aside from attacking my character. I could try and dig up something equally irrelevant from your history but I find that act to be in poor taste.
> You seem to think 'How to win friends & influence people' is an acceptable instruction book for manipulating people
Once again the context is conveniently missing: the individual I was replying to described himself as someone who dislikes talking to average people (had a sense of superiority). I figured rather than offer him something vague and patronizing like, "be nice and try to be humble", I would endorse a resource that would offer solutions pertinent to the subject matter. I was not sharing my own personal opinions; one does not have to ascribe morality to a function in order to see merit in its execution towards an objective.
> You think a public psychological label is a life-and-death matter
Not entirely, no. But is this a minority opinion? Why would they blackmail the patients if they didn't believe that some would be willing to pay? I have recently lost someone precious to me as a result of similar circumstances and my mishandling of the situation by encouraging therapy and medication played a key role in her suicide. I apologize if my original comment appeared unnecessarily reflexive -- I'm still reeling from the guilt and I could be projecting some of that bias in my response to these types of things.
I think if something necessitates intervention then by all means seek professional care. But if you're unsure and living a decent life make sure you exhaust all other options before considering yourself diagnosed with whatever label is put in vogue by pseudo-scientists. If you think some secrets are uninteresting consider if they'll remain that way when the culture inevitably shifts and society decides to reject certain categories of people. The normal of yesterday too often becomes the enemy of a better tomorrow.
> Also another good reason for people not to seek mental help, on top of being able to own a gun.
Your feeling is well-founded, as much as you are being downvoted. This is actually a huge topic in the ongoing evolution of digitizing client records in psychotherapy.
My wife (a marriage and family therapist) was taught in school that about 20 years ago insurance started requiring a diagnosis to reimburse for treatment, and ongoing treatment plans to be uploaded to their portal to continue reimbursing more than the standard 3-6 sessions most insurers felt was adequate.
This cause a HUGE backlash among psychotherapist, because depression would be considered a pre-existing condition, and also if it is on your records, life insurance was nearly impossible to secure, future non-workplace health insurance was hard to get, etc.
So everyone started using various "adjustment disorders", or acute grief (I think that's the term they use for loss of a loved one) as an ethical way around marring an otherwise healthy persons permanent record. There are times when it is more ethical to put a real diagnosis, usually so that you can have them referred to a more specialized clinician.
There are significant real world negative consequences to seeking mental health. That’s a real problem that needs to be addressed.
Unfortunately, there isn’t a good general solution for this stuff. For example, at some point mental illness results in loss of custody for the safety of their children. Getting that right isn’t some easy thing, and mental heath is a common enough problem that people will occasionally get this seriously wrong in both directions.
I would prefer to make it more personal, like "Im worried my (or my family's) healthcare information would be used against me, that's why we need strong privacy" or "We can all agree that you wouldnt want your child's counselor's notes on the Internet"
A) A large number of people have had their wellbeing put at risk due to placing sensitive information about themselves in a location that was compromised.
B) mostlove pointed out that this would give reason not to continue doing this in future.
We have two statements here.
These two statements when examined closely might have a connection between one another don't you think?
Could it be the case that there might be a possible rational connection between them both? That perhaps the consequences of the first might lead to the second? That a rational adult with an IQ in single digits or greater might be able to understand basic cause and effect, and that looking at a certain statement (lets pick a random one and say statement A) might lead to certain conclusions such as (lets pick at random again and pick B).
Could it be that a basic understanding of human behaviour (Thing causes damage to human > human avoid thing) could have led to this conclusion being drawn?
Or would such a concept require further elaboration and perhaps diagrams to help those unable to grasp it?
I think they meant it in the way that if you want to own a gun now or in the future, you shouldn't seek mental health help. And now, as hacks can reveal the data to your employer/school/in laws, there can be discrimination from that angle as well. That was their point I think.
I trained as a therapist a decade ago, and even then it was written into my organisational code of ethics that patient notes be stored encrypted with identifying codes rather than names, and the list of name / numbers stored and encrypted separately. While our code of practice didn't specify scheme or location, it's pretty awful that this company didn't seem to have anything in place. But I guess that's to be expected from what sounds like a corporate firm rather than a set of practitioners. At this scale, clients are just numbers on a balance sheet.
That makes sense, but Finland is a welfare state where government pays for a large part of health care costs, and this data breach was at a start-up that has a couple hundred therapists that mostly contract for the public health care system.
And government regulations require tracking of sessions, costs and compensations, identifiable by person ID.
One extra piece of anguish people have here is that not only may their mental records be revealed, but simply that their address and person ID is used by identify thiefs who take loans or mail-order things in their name.
The government has now responded by starting to find out if the person IDs of the victims could be changed quickly to avoid this risk, but I think that is an answer to wrong question. The right question is why it is permitted to apply for loans with a specific person ID without providing reliable authentication (either electronic signing or physical photo ID).
Source: Created some of the first medical records digital exchanges (NYCLIX, BHIX, etc) in the mid 2000s. Worked very hard to figure out how to protect patient privacy. This breach and subsequent blackmailing was one of our nightmare scenarios. FWIW, nothing (nothing) has improved since.
I'm kinda curious about what some of the recent advances in differential privacy in ML could imply in the field here. Taking a look at FB's Opacus, they basically use added noise to ensure that the data "in transit" is not really the data "at rest" and I've toyed with the idea of storing working data and data at rest differently for sensitive information, with the latter being encrypted by a user's OTP so an operator breach cannot effectively do much.
The problem with this approach is the question "how much noise?" Too little and an adversarial attacker can do some kind of a regression based attack. Too much and the "anonymized" data fails to be a useful "substitute" for previous analysis/business logic previously operating on the raw data. There's also the whole field of homomorphic encryption to get into as well. It looks like there have been some interesting breakthroughs there from the crypto nut side, specifically with zk-snarks. I can't say I understand the underlying tech well enough to comment, though. Fascinating subject.
Thanks. Learning zero knowledge is on my to do list.
I'm skeptical of differential privacy for patient medical records. I assume big data style deanon wins once you can correlate with other data.
Differential privacy is probably fine for "data dumps", like when study data is extracted from many patients. Since those dumps are not used for ongoing care, they can be more aggressively scrubbed.
Total aside:
Even encrypting data at rest is insufficient. Because even preserving chronological order (no timestamps) is sufficient for deanon. But last week I had a new notion for hiding time and order. I am a total crypto noob, so I'm still trying to figure out if this is a new idea.
As a defender of patient and voter privacy, and so therefore a very vocal critic of electronic voting, I will be deeply chagrinned if I figure out how to make it work.
I think (i Might be wrong) you are talking about SSE (Semantic Searchable Encryption) which by an d large can let you search (in an encrypted manner) and order by timestamp.
Is there a catchy expression for the fact that in the future all data that we believe private will probably be public? Give it a few more security breaches..
I would nominate "data apocalypse" based on the literal meaning of apocalypse (disclosure), but it seems others have already coined the phrase for various other events.
Even in absence of any security breaches, all currently used encryption is practically assured to be broken with the advances of technology. That LastPass app is so convenient, it stores your passwords in the cloud "securely encrypted". But all your secrets are going to spill in ~50 years.
Call to action for neural artists: We need deep fakes to generate vast amounts of plausible noise and thereby conceal our sensitive private signal. I feel like the only way our species will regain a sense of privacy is when we're concealed in a forest of artificial signal.
Wasn't that a plot point in Rainbow's End where in the future the internet is filled with fake personal information to the point of googling someone is pointless.
2018 Nov: Company breached, seems most likely database of 40,000 mental health records including PII (duh), contact information and treatment history and notes was stolen at this time.
2019 Mar: Another breach. This causes Vastaamo to increase security and close the holes the hackers used.
2019 Apr/May: Independent security company (not named) performs audit since the company was to be sold. Some improvements were suggested, no major security flaws were found.
2020 Aug/Sep: Vastaamo receives threat from hacker if they will not pay 40BTC the hacker will release the database. Until they do the hacker will release 100 records per day.
2020 Sep/Oct: Infosec company Nixu researches Vastaamo systems, reporting that the breach that stole the database was probably made in November 2018, possibly single records in subsequent breaches.
2020 Oct: Individuals whose information was not in the already-leaked records have been contacted and extorted individually.
After that, in no particular order:
* 300 records have been leaked. The hacker seems to have stopped, though.
* Single records not included in the 400 have surfaced on
TOR web
* A site on TOR was up for a while with several similarly-named files, one a 10GB tar that is rumored to be database. Partial downloads have been reported. Edit: Also program snippets etc included, with possible 'digital fingerprint' according to Mikko Hyppönen, a well-known Finnish security expert.
* An IP address related to the hack has been traced to Inkoo, Finland.
CEO claims the 2020 Nixu report was the first time he heard of the breaches and that's why the new CEO or board were not informed -- which seems awfully sus, considering several breaches were made and a reactionary battering down the hatches as well as an external audit were made.
Further, people who work or used to work at Vastaamo have come out claiming toxic work environment, threats of lawsuits if they speak out against the company, bad working conditions and a large number of ethical violations (like using as advertisement names and reputation of people who don't work for them). It also appears they've been sending social security numbers in plaintext over email. Claims have also been made that the database and system were outdated and only had default passwords and no real attempt at securing the data or even servers have been made, but of course nothing is public yet. Possibly never will be.
All in all, looks like the previous owner is a bona fide scumbag with all the bells and whistles that entail. And, of course as is fashionable, when asked about these things his responses have been "I have no knowledge of that" and "I do not recall." And, of course, affected people have found out about this from the news and not Vastaamo themselves.
My heart goes out to the people affected, it takes courage and effort to start working out mental health problems and this has probably been a devastating blow to many.
Another crime partially made possible by Bitcoin. This doesn't necessarily make Bitcoin or other cryptocurrencies "bad", but we should keep a score of the advantages and disadvantages of a technology.
This isn’t just limited to Bitcoin. It applies to encryption and privacy in general. Should people be allowed to permissionlessly create accounts on networks, and have private communications in which they can organize large activities or effect large value transfers, or should we as a society go after every such network to shut it down?
Off-topic, but there's one funny thing about psychiatric clinics. Waiting rooms are completely silent. Everywhere else, patients (especially elderly) won't shut up about their pains and treatments.
There have been previous discussions on HN about why it should be illegal to pay a ransom to hackers. Here is a very good reason why it should not be illegal.
Here I was thinking this is a very good example why paying ransoms should indeed be outlawed. It's a classic case of the individual's short-term interests conflicting with the long-term interests of both society at large and the individual being blackmailed. My main reservation is, I'm not sure how effective a ban on ransom payments would be, in reality.
Well if it had been made illegal and people stopped paying long ago maybe these hackers wouldn't have bothered since they wouldn't expect a payout. It's only going to get worse as people continue to pay.
Identifying the incompetend IT security department responsible for this is likely pretty easy.
It is much harder to make the message heard that those in charge of taking care of sensible data are those putting people at risk. How the stuff gets stolen isnt very relevant if it has been stolen.
Healthcare data should simply not be allowed to be stored in a way where it can get lost. Period. If the people in charge can not guarantee that, then digital storage needs to be stopped immediately.
Agree. Hackers in this case ought to be treated as a force of nature and those responsible for security treated as though they had failed to put adequate "weather protection" in place.
Sueing companies doesn't work quite the same way in Finland as it does in the US, but I am fairly certain that this chain of clinics (which was a 10-year-old start-up with about 250 employees, sold to private equity investor a couple of years ago) is out of business within months.
I expect the pieces ("assets") will be picked up by some of the larger private health care providers where the same therapists will continue to contract for the public health care system (it's not the fault of therapists, after all).
Again, there's a reason ransomware doesn't ask for cash. It simply doesn't work for ransomware style attacks; you need an immediate, irreversible payment method that doesn't put the ransomer at significant risk.
You don't need a cryptocurrency to do that. Things like Western Union payments, gift cards, and (if you're really fancy) running bank payments through multiple jurisdictions have all been used in ransomware attacks. Ransomware has been around a lot longer than Bitcoin.
My comment was somewhat flippant and I genuinely don't want to distract from this terrible situation for all the victims, but seriously, this type of criminal activity has been enabled by cryptocurrency, and the journalist who uses 'cash' and 'bitcoin' interchangeably the way that the BBC has done in this article should be ashamed of themselves.
Cash may well be 'irreversible' in the same way as bitcoin, but how exactly would these criminals physically receive cash from all of the victims? How else would they be able to demand and receive these vast payments anonymously?
edit: I'd prefer to get counter-arguments for genuine questions instead of downvotes.
The initial post and data dump was on a Finnish TOR-based imageboard but it was written in English. It is still being discussed if the hacker actually is from Finland but uses English to not reveal that.
Most Finnish people are fluent in English so it wasn't an issue. The leak was in Finnish mainstream media before the Finnish extortion mails were even sent. When the mails were sent, all hell went loose.
At least some of the threats were reportedly in poor Finnish. Some thinks that is indicative that the extortionists aren't native. You could just as easily make the argument that they're trying to obscure that they are.
