Right, it's definitely a contributing factor as to why it's profitable, but the attacks themselves could be done entirely out of malice if they wanted to.
Incentives matter. Bitcoin incentivizes certain types of criminal activity. As Bitcoin grows the negative externalities will become more pronounced. I truly don’t get the ethics of it. It is killing people, literally blood money as a great new technology. Bonus points for incentivizing climate destruction and burning of fossil fuels. I don’t understand the ethics of it.
I am trying to say that Bitcoin has caused a change in the types of crimes that are being committed. It’s easily quantifiable. When I say it is blood money I mean that it is a way to pay for assassinations. Assassination markets are not new but Bitcoin as technology changes scale. Scale matters, regardless of what you believe.
The overwhelming majority of criminal commerce is conducted using traditional currencies such as U.S. Dollars or Euros. I truly don't get the ethics of it. It is killing people, literally blood money...
Cryptocurrency does make it easier, sure. But without it we'd still have Western Union/wire transfers to overseas jurisdictions, or Paypal, or gift cards, or money mules, or any number of less-traceable ways of turning ransomware into cash.
1. Creates a huge financial incentive to try and break PGP encryption.
2. Pushes aside all of the lame corporate compliance "infosec" people whose job it is to get lied to about PCI compliance and bitch about version numbers that they don't understand.
3. Proves useless all of the "ex-special-forces" "red team" "master safecracker" Defcon LARPers.
4. Gives the insurance companies enough room to attribute attacks to nation-state actors, making them "acts of war," and thus uninsurable. If companies can't half-ass this stuff and let their insurer clean up the mess, they're going to stop half-assing this stuff.
5. Puts an end to the "I dunno, I pulled it off Dockerhub" madness.
Also the most likely tonic to platform churn, reinvented wheels, codebase growth. The culture will flip towards lambasting anything that hasn't been put through the wringer as "untrustworthy".
So long as encryption-as-we-know-it holds up, there's no rescue for orgs that repeatedly get hit and can't get their backup strategy together. Sure, you make a regulatory misstep and you have friends in high places, they will look the other way. This indeed is how the world works. If your entire infrastructure is encrypted into a solid block of nothingness it doesn't matter if your dad is a senator, you're done.
Name a single company that has died due to data breaches.
Meanwhile, I'll name a dozen that got breached/leaked data, and got away with it: Experian, Microsoft, Facebook, Google, Marriott, Yahoo, First American Financial Corporation, Deep Root Analytics, Court Ventures (a subsidiary of Experian), Capital One, Anthem.
Go on, search "list of largest data breaches" and then see how many of those companies are still in business.
It sure seems like large companies aren't suffering for their breaches.
Any system that has a case where key collisions can occur less than random is the only incentive you need...large use of bitcoin ensures that case all by itself with the rule that you use a new key for every transaction.
LEOs use this to track down illicit money.
Crypto, in practical terms, is not secure in that the key collision, when it occurs (and it will), unmasks you not directly but indirectly, and the cost to do the work of that lowers as it ages and does not go up computation-wise.
It's somewhat perverse where when the world uses more bitcoin the more key collisions occur.
If you depend on PGP, knowing that there's an incentive to break it, and that people are actively trying to do so is good news. It's in your interest for it to be very well tested. "I can break PGP and spoof Debian packages" is an interesting conference talk. "I can break PGP and save your business $40m in ransomware costs and only charge you $10m" is a business.
Yep, if the companies leak our sensitive data, they don't care, business as usual. Ransomware will force companies to finally take this seriously and I, for one, am thankful even if in the short term it's painful.
I did some searching and didn't find anything about use of the OpenPGP standard in ransomware. It appears that ransomware creators don't care about interoperability, which makes sense for their biz.
I doubt that anyone has ever been motivated to try to break an encryption method just because it was used in some particular ransomware. The methods used are generally not breakable; the mistakes come from stuff like leaving keys lying around in memory or even on the disk.
How so? Seems it's spot on. Since the birth of the internet companies haven't given a damn about leaks and there're no real consequences. Now they care because it hurts them instead of just us.
I work in infosec and agree with the point that a lot of companies are overly lax, ignorant, and negligent about security. But I could probably write like a 10 page essay disputing all of those points. For a summarized version, I wrote some semi-relevant comments about this in another ransomware thread from the other day, so this is a lazy answer but you could Ctrl+F my username in https://news.ycombinator.com/item?id=27096137
Basically, I agree in general that a large percentage of the industry is a massive joke, but at the same time, I think in many cases there's more victim-blaming than is warranted. Ransomware isn't what it used to be. Being hit or ruined by a ransomware attack doesn't necessarily imply negligence or lack of care (even if a high percentage of the victims probably are negligent simply due to the high base rate of such companies).
I see nothing there that invalidates any of those points. At best it weakens points 1, 4 and 5 on the basis that companies will get away with it by paying ransoms[0], and ransomers have an incentive to not be so extractive that they kill the hosts they're parasitising, but that's still an idiot tax for said companies.
0: rather than their previous strategy of ignoring the problem entirely because other people's privacy doesn't show up on their balance sheet
Indeed, I'd need to explicitly address each point to explain exactly why and how I disagree.
They're not exactly wrong in a general sense (which I know sounds a little contradictory given I said "every single point is completely inaccurate, irrelevant, and/or nonsensical"), but I think they're wrong in a fundamental way when talking about the ransomware problem. And point 1 is a total non-sequitur in at least three different ways.
It's a complex topic. Basically, I just think that even though a ton of cynicism (about this, about the infosec industry, about companies' approach to security) is absolutely and overwhelmingly warranted, they're being too cynical.
Huh? If anything, they're too optimistic; as you pointed out, it's likely many companies will continue to ignore this and either make backups without improving their security, pay ransoms after the fact or quietly implode when they can't.
I agree that 1 is a bit useless (although I took it to mean PGP-for-example, not PGP-specifically), but I didn't see anything particularly relevant to it, aside from what I mentioned above.
#infosec "thought leaders" with a cool-sounding military history who purport to be able to do underwater lockpicking but can't put together a for loop. Their shtick exists to sell services to clients and to sell recent graduates on a Special Forces Awesome Security Career that in reality will be QA at best, corporate compliance at worst.
As somebody who's not that familiar with how financial institutions handle fraud/money laundering detection, is it possible for ransomware to have become so prevalent without cryptocurrencies? I know HSBC was in the news a few years ago for turning a blind eye towards a drug cartel, but would this type of attack at scale be tolerated by the major banks/credit unions?
The big corporate targets and the >1m ransoms aren't doable with gift cards.
A large hospital chain in San Diego[1] last week was hit with a $100m[2] ransomware attack that shut down the hospital. Can't pay that with gift cards.
You'd ask for cash. A middleman would pick it up, convert it to gift cards or Tide laundry detergent (so that the traced cash would go cold) and then pass it forward through the criminal network.
The middleman needs to be paid because it's high risk (cops would trace the cash to the middleman... but no further). So cryptocoin are way cheaper. But still, there's plenty of ways to do things using old school techniques.
I assume a money-laundering step (aka: a cryptocoin mixer service) needs to be used to practically extract wealth from a criminal activity.
If you directly use the money from a wallet directly related to a ransomware attack, the police would be on your tail almost immediately.
A cryptocoin mixing service is cheaper than traditional money laundering. So cryptocoins are the ideal solution to criminal activities (at least, better than Tide Laundry pod trading, or gift-card exchanges).
That's true. They'd probably launder through some other commodity: cocaine for instance, or other contraband.
I know that Tide Detergent was highly sought after by criminals, because of how easy it is to sell on the streets. It's got a highly consistent price around the country, so all you need to do is sell at slightly below market rates and bam, your money-laundering scheme is complete.
And unlike cash, Tide Detergent doesn't really have a serial number that's tracked by the Secret Service (or other police organizations). So it's better than cash in many respects. But it's still an item that's in the ~$10 to $20 range at best.
More expensive commodities and/or contraband probably would make better sense at the 100M sizes.
"Imagine a world in which every other month you’re forced to bid for your personal data back from hackers who continuously rob you. And a world where all of this is so commonplace there are automated darknet marketplaces where others can bid on your data, and every detail of your personal life is up for sale to the highest bidder. Every private text, photo, email, and password is just a digital commodity to be traded on the market. Because that’s what the market demands and that’s what capitalism left unchecked will provide."
Maybe I'm in a minority, but I think I'd air-gap my personal data if this world ever came to pass...I'm considering it already to be perfectly honest.
Would the general population just give up if things got that bad? As per TFA, I imagine state level actors will step in if things get much worse, lest people start unhooking en masse due to the risk/reward ratio flipping.
Banning cryptocurrency only fixes one side of the global-internet-being-security-broken problem. If you're a nation-state actor and you can still break into computer systems throughout the world, you can still:
- Manipulate and profit in foreign stock markets by short/long selling based on insider information
- Choose who gets elected by making dirty laundry public
- See military planning by the enemy, live, as it happens
- Trick critical foreign infrastructure into self-destruction
- Discover and cultivate corporate espionage assets based on what you know about their personality from emails/SMS/metadata/etc
- Plant incriminating evidence against political or corporate adversaries, for example by using their home internet connection for something nefarious
The future hell described in the article is not a future hell. It is the present hell. Ransomware is just one small part of it.
^ ^ ^ If there's any Keanu-pill to swallow, it's this. Intelligence agencies don't "make us safe," they drive financial gain for insiders. I'd bet the ratio of effort spent on "market manipulation" versus "find the evil doers" to be 10:1.
Intelligence agencies exist to gather intelligence about the adversaries of state actors, not "find the evil doers". And being the bloated government agencies that they are I very much doubt they're the hyper-competent market manipulators you imagine them to be.
But that only applies to targets who are "in the game." If you are a government entity or listed company or act as their agents, then you know that security is an issue and are paid well enough to make a decent effort. Whether you do or not is a different issue.
Grandma doesn't have security audits, wouldn't know how to do one, and couldn't afford it if she did. She is the victim here. She might call the police but they will file a report and forget it. The only chance of getting caught is some larger agency like the FBI picking it up and going after you. This is highly unlikely.
The only thing stopping Grandma from getting ransomed is making it difficult to pay. If your ransom depends on walking Grandma through the 15 step process of paying you, then it's unlikely to happen or be profitable.
I believe that subversion of the democratic process and economic efficiency hurts everyone, if not initially or obviously. Recent election cycles have been tumultuous.
Grandmas are currently targeted by scammers who ask for iTunes gift card numbers and not Bitcoin, I'm not sure that much will change. I've yet to hear people call for a ban on iTunes gift cards, but maybe we will get there.
I agree with your gift card point. That's definitely how they are operating right now for phone and pc repair scams. It wouldn't be a terrible idea to disallow redeeming gift cards in countries outside of the purchase.
> But that only applies to targets who are "in the game."
The problem is that any entity in a nation that you're aggressive with can be "in the game". You can steal IP from foreign companies, damage foreign infrastructure, and find the personal data of high-value persons in the datasets of otherwise "boring" companies.
Cryptocurrency is bad and must be banned because ransomware. Encryption is bad because pedos, let’s ban Tor and Signal. We need a permanent surveillance state and forfeit most of our rights to privacy because terrorists bad, what do you have to hide?
Why are comments in the form of putting words into someone's mouth which they didn't say, so pervasive? The blog says "reign in and regulate", not "ban".
But, to address your point, because they're good arguments. "We need to regulate $thing" has saved lots of lives. No longer can you sell plain river water to drink, dump sewage directly back into rivers, dump industrial waste into rivers, build houses which collapse, build hotels with no fire consideration, build using asbestos, make buildings with electric wiring without circuit breakers, adulterate food with sawdust and plaster, sell products with lead paint, burn leaded gasoline in places where people breathe, and on and on and on.
That's progress; try things, filter out the things which are badder than they are good.
The author has multiple articles calling for an outright blanket ban on all cryptocurrencies. So in the author's own words, he is calling for a ban on all cryptocurrency.
In this article being discussed the author's own words are: "legislation and intervention in the financial system at only the level nation states can act. The free flow of money from US banks to cryptocurrency exchanges is the root cause and needs to halt"
Which is a call for regulating, not banning. If you want to use something different which the author said somewhere else, to back some other point and say that it outweighs what the author says here, then actually do all those things. What are the author's own words elsewhere, where, and what point are you trying to make by vaguely gesticulating towards them?
The author is extremely prolific and vocal about his support for outright banning cryptocurrency. It's all over his blog, it's all over his Twitter. He is proud to admit it. It could have taken you 30 seconds to verify what I was saying, but instead you chose to double down on your ignorance.
The most expedient actions would be fourfold:
Halt all wire transfers of dollars in and out of cryptocurrency exchanges.
Halt foreign entities trading in dollar cash-equivalent crypto assets.
Add Chinese and other foreign cryptocurrency exchanges hiding in tax-havens to sanctioned entities lists.
Regulate the sale of any existing cryptocurrency assets to US persons by classifying them as securities investment contracts moving forward.
If you can still sell existing cryptocurrency assets, and exchanges still exist, that's not banned, is it?
> "It could have taken you 30 seconds to verify what I was saying, but instead you chose to double down on your ignorance."
I'm asking what relevance your comment has. "He calls for a ban" - so what? Make a point.
There, can you stop being so obtuse now? You are wrong. My point is that the author is calling for a ban and that nobody was putting words in his mouth, as you suggested.
It isn't "obtuse" to ask you to back up your sneering with evidence. It also seems to have no relevance to this thread and "why arguments of this kind are so common"?
Crypto is heavily regulated at least in the US, Western Europe and huge swaths of Asia. Exchanging to/from fiat can only be done through entities subject to KYC, AML laws, and OFAC regulations. Additional regulations are coming - see "travel rule".
Bitcoin is infinitely more traceable than cash. Here's one of the most popular software routinely used by law enforcement to trace crypto payments: https://www.chainalysis.com/. Tumblers / mixers, etc. have only limited cloaking power.
It's pretty obvious. Imagine that someone comes to you and shows you a cube. This cube has lightning inside of it, and you can press a button and it creates lightning. This cube can also program software, so if you feed it user stories, it outputs SaaS businesses. You try to understand how this magic lightning works, but to no avail, it's simply too complicated for you to understand.
Your first emotion is most likely fear. Like how the hell does that thing do it, how does its magic work?
This is how many people see cryptocurrencies. Something "magic" that just somehow is used as money for some people, but it's still just ones-and-zeroes, how does anything make sense?! First reaction is to be careful around it, and try to "protect" yourself from it.
We saw the same thing with the internet initially, until it gradually sucked us all in. We saw the same thing with social media initially, until it gradually sucked most of us in.
It's an appeal to authoritarianism. The author wants "someone" with power to tell everyone what they're allowed, and not allowed to do.
> The free flow of money from US banks to cryptocurrency exchanges is the root cause and needs to halt.
Direct quote. Author is in London, but believes that #TeamAmericaWorldPolice needs to step in because the only viable on/off ramp to cryptocurrencies is the US Bank System.
The article has the veneer of being well thought out; however, if you look at their other writing & twitter there's definitely an "I think I'm smart & didn't invent/make money/gain referential power from crypto so it's a scam" attitude & they now have ego tied up in being right/seeing the state clamp down on it.
Not to speak to the author or the article, as I’m not familiar with their other writing, but this exact argument is why I think this battle for free speech ultimately gets lost.
Given two options A and B:
Option A) Status quo stays as is.
Option B) Legally ban end-to-end encryption.
My experience has been that most tech people advocate for A.
Personally, I have no desire to have every conversation I expect to be private with the government watching over my shoulder, but that’s exactly where we’re headed if the tech community’s response to the problem of perverts/pedos/launderers/druglords boils down to “oh well gotta break a few eggs”.
Techies can balk all day long at the idea of the government legislating away end-to-end encryption but the voting public won’t (and I don’t blame them, given the tech community’s response of ignoring this issue so far).
Now, you might be thinking “but it doesn’t make sense! if you ban encryption, evildoers will still use it, and everyone else will have lost their privacy for nothing”. True.
The tech community needs to find an Option C that resolves criminality before Option B is forced on everyone.
(I have no suggestions for this, and doubt it’s possible, but maybe there’s a novel idea no-one has thought of.)
I'd say crypto is made to remove government control on money, not to evade law and order. That's certainly doable, but you can also evade law and order with normal fiat currency (ex: HSBC laundering billions of dollars for cartels).
The half-life of anarchy is measured in hours. Then the gangs show up. Gangs are basically governments, except even less responsive to your needs and more openly committed to enriching their own leadership.
Perhaps the key is that most people do not perceive huge benefits from these, but they perceive huge danger from the downsides. People usually both underestimate their own downstream benefits because of large inferential distance between the thing (encryption) and themselves, and overestimate the dangers of the downsides.
Then we'd have the ages-old dynamic that something that benefits everyone a bit but harms a minority a lot will be pushed out by people.
I remember reading about malware like this some time back. I tried everything I could to prepare but got vetoed at every turn by management. My idea was to do "pull" backups to a server, instead of "push" backups to shares. Instead my boss's boss bought some commercial backup package that, while ok, when it bombed a t-log chain, they blamed Microsoft's implementation of native SQL Server backups, and of course was nowhere near my dream "pull" server thing. Heck, I don't know if my idea was even valid, I'm not that smart a guy honestly, you gotta know your limits.
I wanted flash removed from my desktop, because being the intellectual slug I am, I google everything, like how to get the correct date and time. My previous job was as a convenience store clerk, and as I'm in the process of getting fired right this very week, I suspect it'll be my next job too. I was told by my boss's boss and his cousin the gaming guy who built servers that "our firewall blocks everything".
Of course, I got a text message one morning from my boss, while I don't remember the exact text, I remember it included the word "armagghedon". I came in to work carrying my uninfected laptop, and heck, my pc looked pretty normal except the icons had changed and sort of "doubled up", each second version contained the same message, you know the drill.
I'm an SQL guy, I know I'm not all CS smart like everyone here but I gotta say it was obvious even to me what was coming. It's like an enemy doing bombing raids in the next city over and people are still out there watering their lawns like nothing is happening. Friggin malware, I guess it pays well tho.
Interestingly enough, I've learned that machine learning is a trend in malware protection nowadays and rather than being signature based, it watches for malware-like behavior. After the attack, we installed something like that, and it removed some of the very small VB programs I had put my heart and soul into.
I managed to wire up sirc to a perl eliza implementation once. My COBOL instructor in community college thought I was a pervert for doing so and in hindsight she was probably right, I think I only ran it once honestly. Nowadays I just run an old eliza in another terminal when I chat on irc and copy and paste between the two terminals. This gets rid of the ethical concerns as there is a human between the interfaces acting as a guard against AI run amok, so I think I'm good.
Yep, you're alright. I like that you talk like a person and not like a copywriter.
The lack of creative (or just non-dogmatic) thinking in this place is something else though. At times it feels like there's no human in the loop, which is disappointing because this is one of the few interesting forums remaining on the whole Internet...
And even here isn't immune to waves of people bulldozing over a nuanced conversation by parroting whatever ideological orthodoxy they've had to internalize to be able to successfully signal "lookit me HR I'm normaaaal".
Fitting to mention Eliza - designed to be a shrink simulator IIRC? - sometimes I wish someone developed an AI to make people reflect on their blind spots in the rudest and most efficiently disruptive way possible. Thanks to the magic of AI, the ethical concerns of doing that to someone would vanish into thin air!
I know what you mean (at least I hope I do), but after getting the boot from reddit (actually just 6 years of karma set to zero to effectively silence me) this place is fantastic by comparison, and I guess I'm new enough to have not been disappointed yet. I suspect that in time you're probably right, and I'll see that lack of mediocre thinking you speak of. The thing I have learned all too late in life is that on the average, people WILL disappoint; it's just that the current population here are such that maybe that disappointment will happen less often.
Any place that inspires me to read more than write will get me hooked every time tho.
Yes Eliza the shrink, it was meant to be hooked to an irc bot lol.
I don't really have any answers. I don't think cryptocurrency really makes the 'ransomware storm' possible. Maybe it makes it easier or easier to get away with the cash.
I do know that I work at a company with very tight controls on what we can and can't do with our computers. But we're free to install Chrome extensions as we please. Which doesn't strike me as a great idea, but maybe that's not really even the problem.
A lot of what I see in big corp environments comes down to finger pointing. I'm on a weeks-old thread this very day where different groups are saying 'this isn't X's fault it's Y's fault' and it is going nowhere. At the end of the day we need to stop assigning blame and work together to fix problems. But that means we have to be able to actually admit 'maybe this system isn't as foolproof as we thought' which, of course, opens the company up to legal liability. It's a tough and complex problem, I think. Because no one wants to 'admit fault' for fear of being sued, but not admitting fault ends up obscuring root cause. And round and round we go.
> The singular reason why these attacks are even possible is due entirely to rise of cryptocurrency. And is entirely enabled by this one technology, it could not exist otherwise.
Huh, cryptocurrency existed in 1989, when the first ransomware was active? Did the author even google the word "ransomware?"
Wire transfers and all types of pre-paid voucher services were used well before cryptocurrencies were even created.
The article directly addresses your point in the paragraph surrounding the sentence you cherry picked.
> Now this is not a new phenomenon by any means. But what is new is that the level of these attacks has gone parabolic in the last few years because of one simple fact. With the addition of bitcoin to the problem it’s insanely profitable, low-risk, and almost the perfect crime. It’s also a very real economic tool that nation states can use to disrupt each other’s infrastructure.
> The singular reason why these attacks are even possible is due entirely to rise of cryptocurrency. Consider the same situation on top of the existing international banking system. Go to your local bank branch and try to wire transfer $200,000 to an anonymous stranger in Russia and see how that works out. Modern ransomware could not exist without Bitcoin, it has poured gasoline on a fire we may not be able to put out.
I agree, the author contradicts themselves immediately. Cryptocurrency is not the "singular" reason, and it is not why these attacks are even "possible."
The hypothetical they picked might not work. The methods that ransomware was using for decades to extort hundreds of thousands of dollars did, and will continue to work.
You are still taking words out of context. Clearly the author agrees that cryptocurrency is not the singular reason behind *all* ransomware, considering he states it is not a new phenomenon. The sentence you took out of context relates to *modern* ransomware:
> The singular reason why these attacks are even possible is due entirely to rise of cryptocurrency.... Modern ransomware could not exist without Bitcoin, it has poured gasoline on a fire we may not be able to put out.
The question is not if ransomware would still exist without cryptocurrency (obviously it would, it existed before then). The question is if it would still be as pervasive as it has become in the last few years without cryptocurrency.
"These attacks" are defined as "automated exploitation of computer networks that aims to extract cash from the owner of that network" and "cryptocurrency" is "the singular reason" why "these attacks" are "even possible."
Later on the author shamelessly tries to shift that definition to "modern ransomware" (the same trick you're attempting here).
Why do they need to resort to that? Because they're wrong.
Governments should make it illegal to pay ransom. Only the government should be allowed to pay (in the name of victims) but under very strict conditions.
That's not exactly going to do what you think it does.
It potentially makes the victims criminals. That's just not what the law should be doing. It is decidedly unjust. It also drives the whole thing further from the public eye as no one will admit they're being held up for ransom because paying is now illegal.
If making something illegal was a perfect solution, ransomware wouldn't be a thing in the first place.
What's the punishment for paying? A fine? Then you might as well add that to the ransom and pay...
Snark aside, there's just no simple, hand-waving solution to this. Even if you held the company owners criminally liable for paying a ransom, pretty much any small company will shut down for not being able to afford top-notch security.
It also opens the door to blackmail:
> We've encrypted your files. Pay us $AMOUNT BTC by tomorrow, or your files are gone. And with a recurring payment of $AMOUNT BTC per month, I promise not to report you to the FBI for paying!
> Governments should make it illegal to pay ransom.
That won't really change anything, other than add 'break a law' to 'lose tons of $$' and 'lose data/time' to the list of bad things a company will deal with to recover from a ransomware attack.
This histrionic piece really reduces this author's credibility in my mind. I say this as someone fairly skeptical of cryptocurrency, or at least of the value of present-day cryptocurrency.
Why is it that an organization can topple to malware and ransomware by some L1 tech clicking on a "bad email"?
People are going to click on shit. That's a 100% guaranteed fact - be it intentional or not. But WHY is our computing and communications paradigm so brittle that any Jack or Jane can click a link and pwn the infrastructure?
Take a quick look at all the vulnerabilities out there. Google has been releasing 1-2 fixes a week for the last month or so. It's a constant battle keeping this stuff patched.
As I've told someone today, we're shooting lightning through sand and somehow it all works.
There are network effects of network effects at work inside computer systems. We can harden a path. Two paths, sure. Three, why not. 4 billion? No way to be sure.
It's also a matter of it being an aggressor's game. The defense has to be perfect every single time. The offense just has to win once. And they get infinite tries. And they suffer no penalty for failure.
You're completely right in your thinking that it's largely ridiculous and avoidable. The answer is generally lack of separation of duties and least privilege. That L1 tech in a smaller organization might be a member of the domain admins group. And to avoid UAC prompts, might sign into his computer as a domain admin account. If something runs as him, it runs as admin. Large file shares where every user has edit permissions are also extremely prevalent. Every user has the ability to destroy the shared drive. I've seen a lot of small organizations where the owner insisted on being an admin, despite having no technical knowledge. He clicks something wrong and the malware's got carte blanche. Old line-of-business applications will often require exact versions of Flash/Java/whatever which are riddled with security holes.
Outside that, there are the 0-days and exploits. But a lot of what I see are setups that grew from small, insecure setups where it didn't matter to big, insecure setups where it did. Combine that with the ROI on security not being immediately tangible, and it's hard to get approval for projects to fix it. Even if you design the most secure systems, unless you've got a seat at the executive table someone will probably overrule you and make exceptions.
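The comment above describes the two failure modes that turn one bad click into a domain-wide wipe: a Domain Admin used as an interactive workstation account, and shares where a broad group has write/delete rights (often through nested group membership nobody remembers). The following is an added example, not from the original thread or any commenter, that audits those two things over a constructed model of a small domain. The group names, share paths and hostnames are made up; in a real environment the same functions would be fed the output of an AD group enumeration and a share ACL dump.

```python
"""Blast-radius audit over a constructed model of an AD domain and its file shares.

All data below is constructed for illustration, not exported from a real environment.
The question being answered: if malware runs in a given user's session, which shares
can it encrypt or delete, and is anyone doing day-to-day work as a Domain Admin?
"""
from dataclasses import dataclass

# Rights that let a process overwrite or remove files (what ransomware needs).
DESTRUCTIVE = frozenset({"write", "delete"})


@dataclass(frozen=True)
class Ace:
    principal: str      # a user or a group name
    rights: frozenset   # subset of {"read", "write", "delete"}


# Group membership; a member may itself be a group (nested membership).
GROUPS = {
    "Domain Admins": frozenset({"alice"}),
    "Helpdesk": frozenset({"bob", "carol"}),
    "Finance": frozenset({"dave", "Helpdesk"}),   # Helpdesk was nested in years ago
    "Domain Users": frozenset({"alice", "bob", "carol", "dave", "erin"}),
}

# Share ACLs (constructed). Public is the classic "everyone can edit" drive.
SHARES = {
    r"\\fs01\Finance": (Ace("Finance", DESTRUCTIVE | {"read"}),),
    r"\\fs01\Public": (Ace("Domain Users", DESTRUCTIVE | {"read"}),),
    r"\\fs01\Payroll": (Ace("Finance", frozenset({"read"})),
                        Ace("Domain Admins", DESTRUCTIVE | {"read"})),
}

# Who is signed in interactively on which workstation (constructed).
INTERACTIVE_LOGONS = {"WS-HELPDESK-01": "alice", "WS-FINANCE-03": "dave"}


def expand_group(name, groups=GROUPS, _seen=None):
    """Return the set of users in a group, following nested groups; cycle-safe."""
    _seen = set() if _seen is None else _seen
    if name in _seen:
        return set()
    _seen.add(name)
    if name not in groups:
        return {name}                      # a plain user, not a group
    users = set()
    for member in groups[name]:
        users |= expand_group(member, groups, _seen)
    return users


def destroyers(share, shares=SHARES, groups=GROUPS):
    """Users who can overwrite or delete the share's contents."""
    users = set()
    for ace in shares[share]:
        if ace.rights & DESTRUCTIVE:
            users |= expand_group(ace.principal, groups)
    return users


def overexposed_shares(threshold=0.5, shares=SHARES, groups=GROUPS):
    """Shares that more than `threshold` of all domain users can destroy."""
    everyone = expand_group("Domain Users", groups)
    return sorted(s for s in shares
                  if len(destroyers(s, shares, groups)) / len(everyone) > threshold)


def blast_radius(user, shares=SHARES, groups=GROUPS):
    """Shares that malware running as `user` could encrypt or wipe."""
    return sorted(s for s in shares if user in destroyers(s, shares, groups))


def admin_interactive_logons(logons=INTERACTIVE_LOGONS, groups=GROUPS,
                             admin_group="Domain Admins"):
    """Workstations where a member of `admin_group` is logged in interactively.

    A phishing click on one of these hosts runs with domain admin rights.
    """
    admins = expand_group(admin_group, groups)
    return sorted((host, user) for host, user in logons.items() if user in admins)


if __name__ == "__main__":
    print("over-exposed shares:", overexposed_shares())
    print("blast radius of bob:", blast_radius("bob"))
    print("admins working interactively:", admin_interactive_logons())
```

The nesting is the part worth noticing: bob is only in Helpdesk, yet he can destroy the Finance share because Helpdesk was once nested into Finance. Run against real data, `overexposed_shares` is the list to take to the approval meeting the comment mentions, since it states the exposure in terms of how many people can take the drive down rather than in abstract "least privilege" language.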
Just a few years ago, one of the most high-profile financially-motivated ransomware attacks, WannaCry, hit the NHS and various other government agencies and companies around the world and demanded the unbelievable sum of $300 per computer [1], an amount so small that most of those organizations could have found it by looking through their pocket lint. They spent 100x-1000x more money solving the residual problems than they did or would have needed to pay dealing with the ransom itself.
Just a few years ago, the worst case impacts were so small that the problem was not even worth caring about. What they did not realize is that the amounts were small because the ransomware groups likely consisted of young people with more technical ability than business sense. They did not realize how deep the money well went and how much they could really ask for, the criminal equivalent of a bunch of college students making a B2B startup and being worried that their $1k price tag might be too expensive since they would personally think that is a lot to spend. This is borne out by the fact that the targets even a few years earlier were mostly personal computers of random people who might actually have a problem paying $300 to get their family photos back. However, these ransomware groups have been rapidly wising up and now realize they were doing the effective equivalent of robbing the bank for their pens. They are starting to ask for reasonable amounts of money that businesses might actually worry about and with that money they are expanding their operations as fast as they can to try to exploit the entire market. They just have not gotten there quite yet since they do not have access to vast gobs of VC cash and need to instead bootstrap themselves up to a multi-billion dollar criminal enterprise.
The unfortunate problem for all of their targets is that none of their things work and they did not think the problem was serious since the impact of failure was so small. They did not realize that was not because more could not be done, but because the people doing it did not know what they were doing and that they were actually at the start of a serious exponential ramp.
If you want more technical reasons, it is because every commercially available solution is completely inadequate for an environment where people with modest amounts of money want to attack your system. Nobody selling commercial IT systems has the first clue how to make systems that are actually robust against credible threat actors. The absolute best of the best can maybe protect a system against attacks funded at the ~$10M level, but when you are talking about companies with literally $100B revenue streams, that is a rounding error of a rounding error. Exactly 0 executives at such a company would think that being defenseless against attackers with $10M is acceptable if told directly and I think most of their shareholders and customers would be horrified if they had to put that in their commercials in big bold letters, but that is the best that they can get.
I’m willing to bet SaaS ransomware will be up next.
Imagine a user is tricked into adding a browser addon (common), and the malicious addon encrypts all the data in a Salesforce, Dropbox, and online mail account.
One of the reasons why it's so important to disable the ability for users to consent on behalf of the organization for applications in suites such as 365 where the default is to allow the user to do so.
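The two comments above together describe the SaaS variant of the problem: an app or addon gets delegated write access to a user's mailbox and files through a consent prompt the user clicks through, and the tenant default lets any user grant that. The following is an added example, not posted by either commenter, that audits existing consent grants and checks the tenant setting. The record shape follows Microsoft Graph's oauth2PermissionGrant objects (clientId, consentType, principalId, scope) and authorizationPolicy.defaultUserRolePermissions, but every ID, app name and grant below is constructed; in practice the grants would be pulled from the Graph endpoint named in the comment.

```python
"""Audit of delegated OAuth consent grants in a Microsoft 365 tenant (constructed data).

Records mirror the shape of Graph oauth2PermissionGrant objects, which a real audit
would fetch from GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants. The
sample grants, app IDs and user IDs here are constructed, not exported from a tenant.
"""
import re

# Delegated scopes that let an app rewrite or delete data on the user's behalf,
# i.e. the ones a SaaS ransomware addon actually needs (Mail.Send is included
# because it lets the app spread the consent lure from the victim's mailbox).
DESTRUCTIVE_SCOPE = re.compile(r"\.(ReadWrite|Manage)(\.All)?$|^(Mail\.Send|Sites\.FullControl\.All)$")

SAMPLE_GRANTS = [
    # A user consented on their own to a "PDF tools" addon with full file and mail write.
    {"clientId": "app-pdf-tools", "consentType": "Principal", "principalId": "u-bob",
     "scope": "User.Read Files.ReadWrite.All Mail.ReadWrite offline_access"},
    # A user consented to a read-only calendar app: noisy but not destructive.
    {"clientId": "app-calendar", "consentType": "Principal", "principalId": "u-carol",
     "scope": "User.Read Calendars.Read"},
    # Admin consent for the whole tenant (consentType AllPrincipals): reviewed separately.
    {"clientId": "app-backup", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Sites.ReadWrite.All Files.ReadWrite.All"},
]

# Shape of authorizationPolicy.defaultUserRolePermissions. The first value is the
# legacy default that lets every user consent; an empty list disables user consent.
PERMISSIVE_POLICY = {
    "permissionGrantPoliciesAssigned": ["ManagePermissionGrantsForSelf.microsoft-user-default-legacy"]
}
HARDENED_POLICY = {"permissionGrantPoliciesAssigned": []}


def destructive_scopes(scope_str):
    """Return the write-capable scopes in a space-separated Graph scope string."""
    return sorted(s for s in scope_str.split() if DESTRUCTIVE_SCOPE.search(s))


def risky_user_consents(grants):
    """Grants a single user made for themselves that hand an app write access.

    Returns (principalId, clientId, [scopes]) tuples; tenant-wide admin consents
    (consentType == "AllPrincipals") are deliberately left to a separate review.
    """
    findings = []
    for g in grants:
        bad = destructive_scopes(g["scope"])
        if g["consentType"] == "Principal" and bad:
            findings.append((g["principalId"], g["clientId"], bad))
    return findings


def user_consent_enabled(default_user_role_permissions):
    """True when ordinary users may consent to applications on their own behalf."""
    return bool(default_user_role_permissions.get("permissionGrantPoliciesAssigned"))


if __name__ == "__main__":
    for principal, client, scopes in risky_user_consents(SAMPLE_GRANTS):
        print(f"user {principal} granted {client}: {' '.join(scopes)}")
    print("user consent enabled (legacy default):", user_consent_enabled(PERMISSIVE_POLICY))
    print("user consent enabled (hardened):", user_consent_enabled(HARDENED_POLICY))
```

Revoking the flagged grant removes the addon's token, but the finding that matters is the policy check: as long as `permissionGrantPoliciesAssigned` is non-empty, the next lure re-creates the grant with one click, which is exactly the default the second comment says should be turned off.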
FYI, the author has a huge conflict of interest whenever he writes about cryptocurrency, seeing as he's the founder of Adjoint, Inc, a company which digitizes cash and settlement processes for multinational corporates.
So it's easy to see why he hates a technology that renders his entire company useless.
You seem to share an anti-crypto outlook and a history of musings on Haskell with the OP. Are you related in some way? You even have another comment [0] defending him. Crying foul.
The same shortsighted argument could've been done at various times against cryptography, against torrents, against remote access, against the internet, and against using computers (inherently hackable). Now it's crypto payments, and tomorrow it's going to be something else because criminals use technology to scale as much as everyone else.
Crypto networks are especially good at cross-border payments, and they are hard to censor by a state actor. Indeed, these were among the design constraints of Bitcoin. If one wishes to argue that such a technology shouldn't exist, good luck with that; it exists, has legitimate use cases, and banning it outright is shortsighted in the same way opposing cryptography is shortsighted.
The article failed to mention Tor. IMPO, Tor and cryptocurrency combined are the reason for the explosion of ransomware. Payment websites running as Tor location-hidden services combined with anonymous payments (XMR) is hard to beat (when done correctly).
Today is the beginning 'wild west' stage of the information technology industry. Software ate the world and now security is starting to matter to the bottom line.
GDPR and privacy are another big factor which I think will push the professionalization of the industry.
I do think the worst case scenario outlined in this article is unlikely. We can build systems that are not that vulnerable to ransomware. You can have backups that are safely stored off network. It is just that old industries have slowly computerized without updating their processes and view of themselves.
"The singular reason why these attacks are even possible is due entirely to rise of cryptocurrency."
So-called cryptocurrency may not be the sine qua non, but it is arguably a substantial factor in what is causing these campaigns of automated attacks. Without an easy way to launder the "ransom" payments, could these attacks be systematically executed on a large scale with the level of success (receiving the payments without getting caught) necessary to justify the risk?
I'm not an unequivocal fan of cryptocurrencies or any particular cryptocurrency by any means, but it appears this author really hates cryptocurrency and this is just an opportunity for them to argue that governments should ban cryptocurrency. Which is completely understandable and obviously in good faith given ransomware is bad and they think cryptocurrencies are bad, but I just wanted to point out their stance and that this is an anti-cryptocurrency blog rather than a security/tech blog.
>The Political Case for a Blanket Cryptocurrency Ban - March 30, 2021
>Bitcoin: The Postmodern Ponzi - February 27, 2021
>The Crypto Chernobyl - February 10, 2021
>Gamestop, Bitcoin and the Commoditization of Populist Rage - February 3, 2021
>Facebook Libra is Architecturally Unsound - November 2, 2019
I think they make many valid criticisms, but they remind me of the inverse of the standard Bitcoin maximalist. It seems there are a lot of people who think Bitcoin or Ethereum or something else should become the universal currency of the world and is the best and most innovative thing ever, and a lot of other people who think they should all be made illegal and are the worst thing ever. Also somewhat reminiscent of pg's fanboy/hater dichotomy: http://www.paulgraham.com/fh.html
It 100% is an ad hominem response. I'm not trying to address his arguments whatsoever and am very low on Graham's hierarchy of disagreement. And again, I do agree with many of his points.
I just personally don't think banning cryptocurrencies (or pretty much anything) is the answer, and the very "ban-happy" attitude colors my impression of all of this and makes it less likely that I'd want to attempt to address their arguments, because I know they've very likely already made up their mind that they think the only solution is a government crackdown.
I guess I’d like to see either a) a genuine engagement with the actual arguments made or b) alternative proposals that make his proposed solution moot.
It seems to me that a strong dislike of the cryptocurrency space is an entirely reasonable & rational position to take at this point in time: the harm done with & by cryptocurrencies is now very obvious - if cryptocurrency boosters can demonstrate positive outcomes that outweigh those harms then they should be easily able to do so.
I definitely wouldn't call myself a cryptocurrency booster. I similarly wouldn't call myself a Tor booster. But if I saw someone advocating that governments should ban Tor ("what's the point except facilitating illegal activity and harassment/ban evasion/spam/malware/DDoSing/hacking"), I'd definitely want to counter that.
If I ever make my own blog or something, I could write a thorough response to all of his own blog posts, including this one, but I think it's too much to ask for in an HN comment. (I also don't have nearly enough expertise to warrant making a blog or writing a blog post just for something like that.)
I already wrote some responses with regards to ransomware in this thread: https://news.ycombinator.com/item?id=27096137, where I argue the root of the problem is the Russian government's policy of not in any way inhibiting cybercriminals as long as the criminals don't target Russian/Russia-allied citizens. I don't think banning cryptocurrency would help decrease ransomware that much. Ransomware was still prevalent before Bitcoin existed; it was just a much more immature space, with much less sophisticated and damaging malware. The top ransomware operators are either going to find alternatives, or, more likely, just circumvent the bans through various means.
Regarding the other externalities associated with cryptocurrencies, I think many of his points are valid. There's absolutely no mention of the positive outcomes, though.
I don't know if those positive outcomes outweigh those harms now or if they will in the future; it depends how you calculate it. I don't know if the positive outcomes of Tor now or ever will outweigh the negative outcomes. I still don't want either banned.
And I think a good case could be made that the positive outcomes may outweigh the negative ones, for Proof of Stake-based smart contract protocols like the upcoming Ethereum 2.0, which will likely be out this year. (And please none of this ridiculous "Proof of Stake is vaporware and continuously promised to be just around the corner, like cold fusion", because it's not true. Tons of progress has been made and is being made every day.)
I don't think cryptocurrencies (like ether) are necessarily that interesting, but decentralized smart contract protocols (like Ethereum) are super technologically and societally interesting.
I think I could write an even longer blog post about the core problem I have with this writing. I would feel this way if I read someone writing like this about almost any topic imaginable in the world. It's extremely one-sided, unnuanced, uncharitable, unrigorous, and comes across as very emotionally charged and biased. (And all this was before I learned he's the founder of a company that's trying to compete with cryptocurrencies in many ways.) The tone and style is the main thing I dislike.
>The author being a founder a company for which cryptocurrencies are competitors makes this doubly true.
I totally missed this. That makes it worse. The company's tagline is "[company name] digitises cash and settlement processes for multinational corporates [sic?]", which is a pretty clear overlap. I don't necessarily see any evidence he's doing anything in bad faith, though - I just think he's extremely biased and narrowly agenda-driven.
My main issue is just how much he seems to viscerally hate cryptocurrencies. It makes it harder to take it seriously. Like how incredibly snarky and spiteful he comes across in his most recent ostensibly-about-programming blog post: https://www.stephendiehl.com/posts/fpt.html
It's all starting to feel so political and a little bit religious. I sense a lot of parallels between staunchly pro- and anti-cryptocurrency people and the US political divide and culture wars. I know it's an annoying trope (https://xkcd.com/774/), but in the case of both politics and cryptocurrency, each side seems insufferable. I feel "accidentally moderate" (http://www.paulgraham.com/mod.html) on both topics.
edit: Side note, just to counter-balance the criticism. I knew his name seemed familiar; he wrote one of the most useful and formative tutorials for me when I started programming about a decade ago: https://sdiehl.github.io/gevent-tutorial/. (Although it's a bit gauche now, I still use gevent for new projects to this day.) It's more due to serendipity than anything else since there's not anything too special about it, but in my case it's actually possible I never would've become a developer if not for his tutorial - I used it to build my first programming project at a time when I was kind of struggling with many concepts and unsure if I wanted to go through with it. It goes to show that there isn't necessarily much correlation between (one's perception of) people's technical and non-technical attributes.
I've followed Stephen Diehl for a while and got the idea that he hated Bitcoin and proof of work because it's a climate change disaster for the amount of electricity it uses. I feel he is sincere in that. I happen to agree with him, so maybe that makes him more credible to me.
It's a valid concern. Bitcoin could plausibly move to proof of stake at some point, though. And if it doesn't, there are still some PoS-based cryptocurrencies out there that won't have that problem, so disliking Bitcoin doesn't necessarily imply one should dislike all cryptocurrencies.
From what I can tell, that's only one of his many criticisms, if you read his blog. I'm sure he's sincere about all of the criticisms, and I agree with many of them in a general sense, but I don't agree with the conclusions or the (IMO) hyperbolization.
Stephen takes an anti-crypto view and he's not trying to hide it. He isn't some "hater" that got burnt on a random ICO, but a thoughtful engineer who backs up his opinions with technical, societal, and economic arguments based in part on his own experience in the blockchain space.
I definitely acknowledge all that. I'm not questioning his motives, and I also agree with many of his arguments. I just don't agree with other arguments, or the conclusions, and I don't really understand the tone and ruthless hostility. I wouldn't even really understand it if the topic were just about anything else in the world.
More blaming money for crime. Cryptocurrency is money. Crime will always exist as long as there are laws. Laws will exist as long as there is society. Money will exist as long as there is trade. Society<=>Trade. Stephen once again shouts at the inanimate money or tech to blame it for society's ills. This is a dangerous attitude that can lead to cryptography restrictions, like banning of E2E or Tor.
It's money that is more difficult to regulate, and easier to conduct illicit transactions with. Rather than debate abstract principles the point of the article is very clearly that fewer practical hurdles to clear -> more people engaging in an activity, given the same incentive.
Also, the article is a bit dystopian and blames capitalism (per usual these days).