Part of me is so hoping that they extracted those keys from the crooks using rubber-hose cryptanalysis. There are many types of Internet scams, some more evil than others, but this is one of the nastiest I ever heard of.
BBC article: http://www.bbc.com/news/technology-28661463
Fox-IT CEO: https://twitter.com/cryptoron/status/496945787700805632
Why should a commercial entity have a donate button? Why would I donate to a business?
You might be surprised to learn that the business world already has tons of donation buttons and trust networks. For accounting reasons they're often called contracts.
I don't think many people actually use them, especially if the traffic is mainly curious readers sent there by mainstream press.
That is awesome. I'm sure a large percentage of people with irreplaceable files hung onto them, hope these guys get the exposure they deserve for the site.
#1 on HN is a good start.
She kept her files hanging around, just in case someone broke the encryption later on. A smart move from someone foolish enough to open a ".pdf.exe" file from an email reeking of fraud.
The goodness of the decryptCryptolocker crew will probably make me laugh whenever I hear some other not-half-as-good organization claim "we're the good guys".
However, if on the other hand we allow the users freedom, and thus assume that mistakes (such as being infected with malware like this) will happen, then it makes sense that a means of recovery should be available, which is not something that "perfect" security allows. To use an analogy, people who have lost their keys or had them stolen should still be able to gain access to their house. In the physical world, perfect security is nearly impossible, but with digital data, it's not. Locking an item in a safe means it can still be retrieved if the key is lost by, in the worst possible circumstance, cutting open the safe, no matter how physically strong it is. Encrypting data with a long-enough key and sufficiently strong algorithm means it's truly practically destroyed without the key. I think this point - that encryption can be really, really, really unrecoverably strong - needs to be made more widely known as we continue to use more of it.
It would be particularly ironic if this recovery was made possible through exploiting the malware servers with something like Heartbleed...
Well, it's usually a good thing when the bad guys make a mistake, isn't it? "Oh, I wanted to blow up this building, but I set my timer to the wrong time zone." Oops, now the police have an extra hour to evacuate the building and dismantle your bomb.
What matters is: Good for whom? Obviously, insecure tools are not good for the person who relies on them for mission-critical tasks. But what is good for that particular person and that particular task might not be good for other people and other tasks.
Since "good" is relative, "perfect security" is also relative. Perfect security for whom? And what do we mean by "security", anyway? Let's say we think of security as the ability of a system to resist interference from anybody other than its legitimate user(s). But then the question becomes, who are the legitimate users?
If Apple is the sole legitimate user of a device, it makes sense for that device to resist your attempts to interfere with its Apple-approved functions. That's perfect security for Apple, perfect security for Steve Jobs's posthumous ego.
If you are the sole legitimate user, on the other hand, the device should resist Apple's attempts to tell you what you can or can't do with it. That's perfect security for you, but it comes at the expense of perfect security from the point of view of Apple designers.
As for CryptoLocker, the whole purpose of that program is grossly immoral, so does it even have a legitimate user?
Unfortunately, it is becoming increasingly clear that perfect security for one party does not always align with perfect security for some other party.
The interesting case is: if I am the sole legitimate user of the device, should my device resist my attempts to run cat_pictures_infected_with_cryptolocker.jpg.exe?
On the flip side, if your device resists your attempts to run cat_pictures_infected_with_cryptolocker.jpg.exe, it is clear that somebody else has some degree of control over the behavior of your device, and this somebody does not consider you to be the sole legitimate controller of your device.
Who is this somebody, and what right does he/she/they have to retain partial control of your property? That sounds like a more interesting question to me. Because unless you're like RMS and only use free software on open-source hardware, you're never the sole legitimate controller of any device these days.
Things get more complicated when a stranger decides to tell you what you can or can't do, without your consent, against your expectations, and sometimes even in spite of your loud complaints.
If I have thousands of files, that will take forever; any way to batch decrypt?
Decryptolocker.exe --key "<key>" <Lockedfile>
Every time I paste the key in, the command prompt executes each line. Any ideas how to preserve the line breaks?
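One way to batch the command shown above without pasting a multi-line key interactively, as an added example that is not from the thread or from the tool's authors: store the key in a file, read it back in one piece, and loop over the locked files. It assumes Decryptolocker.exe accepts the key text as a single quoted argument (the only interface the thread shows is --key "<key>" <Lockedfile>) and that a non-zero exit code means a file was not decrypted; the paths and the .encrypted filter are placeholders.

```powershell
# Added example: batch-run Decryptolocker.exe over a folder of locked files.
# Assumptions (not confirmed by the thread): the tool takes the whole key as one
# argument, and returns a non-zero exit code when decryption fails.
$KeyFile   = 'C:\recovery\cryptolocker-key.txt'   # placeholder: saved key, line breaks intact
$LockedDir = 'C:\recovery\locked'                 # placeholder: folder with encrypted files
$Filter    = '*.encrypted'                        # placeholder: adjust to your file naming
$LogFile   = 'C:\recovery\decrypt-results.csv'

# -Raw keeps the key as a single string, so line breaks are preserved
# instead of being executed as separate commands by the prompt.
$Key = Get-Content -Path $KeyFile -Raw

$results = Get-ChildItem -Path $LockedDir -Filter $Filter -Recurse -File |
    ForEach-Object {
        # Call the tool exactly as in the thread: --key "<key>" <Lockedfile>
        & 'Decryptolocker.exe' --key "$Key" $_.FullName | Out-Null
        [pscustomobject]@{
            File     = $_.FullName
            ExitCode = $LASTEXITCODE
            Status   = if ($LASTEXITCODE -eq 0) { 'decrypted' } else { 'failed' }
        }
    }

# Keep a record so failed files can be retried rather than re-running everything.
$results | Export-Csv -Path $LogFile -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

Run it from a shell where Decryptolocker.exe is on the PATH, and work on copies of the locked files so a failed attempt leaves the originals untouched.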
Maybe public/private key pairs aren't as secure as we've been led to believe.