
"not all victims would get the same treatment"
And there goes any goodwill you might have garnered. Penetration testers my ass. You're nothing but a bunch of greedy scumbags. I would hope you rot in Hell, but God is infinitely better than me.
Brain Cipher, the group responsible for hacking into Indonesia's Temporary National Data Center (PDNS) and disrupting the country's services, has seemingly apologized for its actions and released an encryption key to the government. That key was in the form of a 54 kb ESXi file. Its efficacy has not yet been confirmed. " …
Is a bank an innocent victim if they leave their vault open and unguarded for the public to stroll through?
Or would that be criminal negligence?
I don't understand why governments, hospitals and so on are all the victims when this stuff happens when it was preventable.
In this case it's obvious that layers upon layers of negligence were involved - the bank vault was left open.
You know what would make my life better? Not sharing all my private information I gave you with everyone that has an internet connection.
I'm tired of my stuff being left on a public AWS folder without a password, and the hospital getting away scot-free "because they were a victim".
Also, the story notes that a lot of government agencies considered backups to be not worth the money or hassle. Those folks should be rendered jobless and broke.
"Is a bank an innocent victim if they leave their vault open and unguarded for the public to stroll through?"
Not entirely as in such an extreme example the bank should take some responsibility for lacking basic security. But that responsibility for security comes about because there are enough scum in our modern society that we have to expect them to try and do bad things to the rest of us. Sure, point your finger at the victim and say "you should have had better security" but point a bigger finger at the perpetrators and say "you're scum, stop it". If you found yourself walking through the bank's open vault, that still doesn't give you the right to take the unprotected money that isn't yours. In the same vein, anyone finding a poorly protected government database still doesn't have the right to attack it.
And of course, what constitutes "basic security"? If your front door was smashed in and your place burgled, would you take it on the chin if the police said "your fault for not having a strong enough front door"? We all need to have security measures, but that need is because of the scum in society who want to benefit by doing bad stuff to others.
As I understand it, there were no backups for most of the ransomed data. In my mind this is less like a bank vault without a secure door and more like a bank vault without a roof. Bad actors may take advantage of the situation to break in but sooner or later it is going to rain regardless.
That's a failure of society, not the bank.
E.g. leave the keys in a car, with the engine running, in the UAE and it'll still be there when you return, albeit with less fuel in the tank.
So no, it's not the bank's fault at all, it's the people walking into it.
Humans: the reason we have locks on doors!
A bank may not be the best example.
I pay a bank to secure my money from internal and external theft.
A Datacenter is used to provide data and processing services.
Security services are for securing the data, but wait - I did not read anything about them having any security services. I wonder who could be at fault there.
This is Indonesia. Like many government institutions in Indonesia, Kominfo has been rocked by repeated corruption scandals.
You may call it "looking for a scapegoat", but many people in Indonesia suspect that the bank vault was a shed out the back, because the contract for building the bank vault went to a friend of somebody's nephew.
Now it's a question of morals and we need to bring the philosophers.
If I found myself in an open bank vault, would I steal stuff? Here's the answer most people would say....
YES, if I knew I would never get caught.
NO, if there's even a slim chance I would get caught.
My own moral compass would come screaming to the surface the second I put my hand on that bag of money and ask myself 50 "what if" questions in a split second. To be honest I would likely just walk away, the risk is too great.
Now let's get realistic, suppose you found a wallet with £100 in it and a name and address. Take it or send it back? Now let's up the ante. The wallet was found under a hedge and it's been there 2 years, changed your answer?
People have varying degrees of tolerance on their morals but generally most people do the right thing, but sometimes it's "who's gonna miss it?" that kicks in. I used to download MP3s and games for free 25 years ago but when I started making my own content and wanted to sell it that's when I understood why taking other people's creative work for free is a bad thing. My moral compass shifted big time.
If I found myself in an open bank vault, would I steal stuff?
Many years ago, a friend was interviewed for a head cashier post at a big city parking garage operator. This was in the days of all cash for parking, so the monies handled daily were considerable. She was asked if that much money tempted her, and she answered honestly that to be able to escape to a place without extradition and live luxuriously for the rest of her life would take more money than they handled in a day, and the audit trails would catch any gradual siphoning, so, no. She was offered the job.
In most cases you want to "send a message" to future victims about the consequences of not paying up, however in the case of fucking over an entire government who it turns out have no backups it's probably a more sensible business decision to earn some good will with international law enforcement...
Similar logic to those groups who have an official public policy of handing over decryption keys for free if they accidentally hit a hospital. A purely business decision to reduce the risk of law enforcement related actions on potential future profits.
Sorry, but I smell a rat here: the only reason these guys backed off was that somebody up their food chain told them to drop it.
If I understood things right, this was a potentially nation crippling attack.
And a nation that is at risk of going under completely, faced with an enemy that only wants money, can't afford to just say no: they will have to negotiate a price for their survival.
So clearly someone in that nation knew this was a government sponsored attack and they had a quiet chat with someone from that sponsoring government about the risks of starting a war.
And that sponsoring government called off their punks, who cannot say no to their puppet masters.
Please, don't just buy into the superficial story!
Perhaps I should have chosen another word like hostilities, but effectively we live in a world of constant smaller undeclared wars and this would have started another, if perhaps only a civil war within Indonesia. And there are far too many non-Chinese who might then want to claim parts of the large Pacific that the PRC would rather conquer diplomatically.
I'll throw it out there
1. They probably copied the data already and will sell it once they get a chance/can move to a country where they know they won't be extradited if caught
2. They saw a chance to try and build a reputation as good guys from uninformed citizens and will probably make a decent little dime of donations from people who buy their story
Indonesia is hardly a super power when it comes to war fighting abilities.
Not to mention even the US can't seem to do much when they get caught with ransomware troubles from bad actors linked to other governments.
And most of the nations linked to such bad actors are Russia (which has nukes although a crap conventional warfare capability), China (which also has nukes and unknown conventional fighting abilities) and North Korea (which also has nukes and does not seem to give a damn about what others think), who hardly fear Indonesia in the first place.
The Indonesian elite is very Chinese. They expect to be treated like family. And like family they'd retaliate more viscerally if they're not.
Of course, there is little chance of Indonesia invading the PRC in retaliation, but deep and long retaliation for endangering their nation there would be, in all importune manners possible, with anyone who wants to play ally (the enemy of my enemy...)
The PRC is aiming for dominance in the Pacific: turning a nation that claims sovereignty over a vast and strategically important swath of said Pacific, from a cousin into an enemy, because some of your backroom scum overdid it, simply doesn't cut it ....yet.
Because it's also a demo of PRC power, just in case Indonesia and neighbors might need reminding that there is value in allying yourself with the PRC.
Some cousins are bullies, too.
... somebody up their food chain told them to drop it - absolutely. The hackers are independent pirates, but they are offered shelter, protection, and resources in exchange for not hacking their sponsors. But the hackers still have a large degree of independence.
... the risks of starting a war - I doubt it. Indonesia could not fight China-Russia-NK. However, China-Russia-NK needs third world allies, or at least not to have third world enemies. And Indonesia is a huge player in the third world - it is the world's fourth-most-populous country and the most populous Muslim-majority country.
It could be that Indonesia made an educated guess and asked China to call off the dogs - and China did so or relayed the message to Russia/NK.
I really, really, really don't want to annoy a nation state. There really isn't anywhere to hide from a determined country. They might take for ever about it but you will be found eventually.
It's the same with a crime organization. Anything with a long memory, a long reach and less than perfect scruples.
Betting a case of Pilsner for a diet coke that someone somewhere has just discovered which parts of the Indonesian government still function efficiently if not 100% lawfully, shown what a karambit to the throat feels like, and given the opportunity to fix things while presenting it as a magnanimous act of good will.