Posts by doublelayer

Re: class ransomware as a weapon of mass destruction?

Do you want that tested over your house? Are you really planning your international policy on Russia being unwilling or unable to maintain some nuclear weapons to back up the frequent threats, weapons they already had? I'm sure the Russian arsenal is less modern and well-maintained than the American or British ones, but an old nuclear weapon can still kill a lot of people. The reason that nuclear powers usually have a strong line against any use of nuclear weapons is that even one detonation can be catastrophic. Unless you seriously believe that Russia somehow managed to break every nuclear weapon they've ever had, you need to take their ability to use them into account when planning actions against them, which means that nuking them yourself is a really risky thing to do.

But let's assume it's not Russia. It's the People's Republic of Alphia which doesn't have any nuclear weapons. They can't get any meaningful revenge if you decide to attack them. Are you satisfied dropping a nuclear weapon on them when criminals operate from them and they don't do something about it? That will result in thousands to millions of innocent Alphians who didn't do that dying. It will probably cause people in Alphia's neighbors to die as well. It will certainly cause complete chaos in the region. It will likely cause a lot of Alphians to hate your country, so expect some Alphian terrorist movements trying to make you pay. Is that something you're comfortable doing, both from a moral and a pragmatic point of view?

It depends what you have to do to get cut off. If it's really difficult, effectively making yourself a pariah to everybody, then it won't matter. The only country that's achieved that is North Korea, and basically nothing comes from their tiny address space. All their attacks come from other countries' addresses, most of that launched from Chinese proxies (as the first link in a chain to more proxies), and some also committed by people operating from a different country already. If it's really easy to get a country blocked from the internet, what makes you so sure that the one you're in won't get blocked for some reason? Russia may have burned a lot of its bridges with European countries and close allies, but they've got plenty of links with other countries, especially including India and China. How would we ban Russia from the internet if India and China were voting on their side and could easily proxy as much traffic as they needed to. Would we try to ban those two as well for not complying with our ban? The decisions required to implement that and trying to decide who should have the power to make them is a very difficult task.

Re: How about a bounty?

They do that. For example, from this paper alone:

US offers $10m for info on DarkSide ransomware gang chiefs

US puts a $10m bounty on Hive while Russia shuts down access

US offers $15m for help catching Conti ransomware gang

If you have lots of cash to spend on that, you can keep doing it. I'm not sure the rewards promised in any of those have actually been paid, and I don't know how many useful leads they got from having those programs, but it is a tool and the US, at least, has been using it on occasion.

It won't destroy cybercrime, but it would weaken it. Anyone could have set up an insider trading scheme based on causing sabotage any time in the past. However, it's much more difficult to implement correctly. You may not know, for example, how much damage your sabotage will do or when it will become known. If your attack occurs in July but they don't announce financial results until September, you don't know how bad it will look then and there's a chance your trading either fails or, more likely, produces a really tiny profit for a carefully-planned attack. If we could destroy ransomware entirely and only be left with things like that, that would be an improvement. I won't pretend that banning payment of ransoms would completely kill ransomware, as I'm sure there would still be some people willing to circumvent the ban rather than incur the consequences, but it would be helpful.

Re: class ransomware as a weapon of mass destruction?

Sure, that will work great.

US: Excuse me Mr. Putin, but we detected some criminals operating from your country infecting hospitals with ransomware. We have a small missile pointed at Moscow and another one targeted at Volgograd, where we're pretty sure these guys are. We're about to kill two million of your citizens. What do you say?

Putin: One moment please.

...

Putin: I have thirty missiles ready to fire at thirty of your cities. I will kill fifteen million of your citizens. What do you say?

US: I have a hundred missiles. Thirty million citizens.

Putin: Five hundred missiles. Too many citizens to count.

US: Most of the missiles. Your country will not exist.

Putin: All our missiles. Your country and those of your allies won't exist.

The concept of mutually assured destruction is not new. You would do well to learn it.

Re: "Such a ban would need to be universal"

If you want the logic to say that big business can do whatever it wants because it has ultimate power over everything, then let's just accept that. It's wrong and self-defeating, but we don't even have to argue about that to resolve this question. If the biggest businesses are beyond our ability to control them, then we still have the power to influence what everyone else can do, and that power is still big. So, whether we are powerless or not to regulate the actions of the largest companies (we are not), we can still make an impact by regulating what smaller ones and government-controlled entities as mentioned in the article, can do.

Re: Wrong

"How can you frame it as a crime to pay to get your own data back under threat of damages to your company?"

Paying money to known criminals? It is already illegal if you replace "criminals" with "terrorists", because you know the money will be put to use committing terrorism which is assumed to be worse than whatever problem you're having. It's pretty easy to make that logical leap, and the law would be compatible with other criminal legislation that already exists. There is no legal obstacle, as far as I know, that would prevent you from passing and enforcing such a law. Therefore, it comes down to whether we, as the voters in democracies, wish to make that a criminal offense or not.

Re: Wrong

The fact that someone made a mistake does not mean that we should adjust our laws to let them do whatever they think necessary to recover from their mistake. I have left too late for things before, but that didn't give me permission to treat the public streets as a racetrack to get where I needed to be on time. Making mistakes leads to consequences. Consequences are why you try to avoid mistakes when you can and to have contingencies for when you can't.

Re: What but not why...

"It also (as another poster raised and promptly got downvoted for) can be wildly abused as a mechanism for denying the reward for work done."

They got downvotes because it's not abuse. It's specifically written into the license the person doing the work chose. If I write some code and say you can use it for free, and you can make money from using it, then maybe I should have tried to charge you in the first place. There's a reasonable chance you wouldn't have used my code in that case, but if I choose to give you the right to use it for free, then I should expect that you get to use it for free. There are a lot of options for making software which cannot be used in commercial situations without payment. If you don't choose any of those methods, and you specifically choose one that does allow it, it is not abuse when people do what you said they could.

Re: Someone wasn't doing their job.

"This time [...] with some security" is not something you can just buy. You have to work on doing that better than last time, and that takes time and effort. Insurance covering the costs depends on whether you had insurance that covers that, which not everyone does, and doesn't necessarily shorten the time to recovery; if the insurance lets you hire the most expensive consultants and as many of them as you want, then you can cut down on implementation time to some extent, but it usually doesn't let you do that. Even if it did, there comes a point where adding more people won't speed up the process anymore.

Re: Backups

Not necessarily, but it is possible. They may be trying to rebuild something better rather than restoring exactly what they had before, or they might have to rebuild something different because they don't have some of what used to exist. From the statements in the article, I don't think we can know for sure whether either of those apply. Similarly, they may have restored a lot of the content from backups but want to recreate all the systems that handled that content from scratch, which would certainly add to the recovery time. It's often not as simple as did they have unaffected backups yes or no.

That's what I was saying. Folder represents the abstract concept at the user level because folders appear to contain files and more folders. Directory represents the abstract concept at the developer level because directories contain the name and location of other things. Both are abstractions to some degree because the directory is actually a linked list of strings which are serializations of objects which contain strings and integers which refer to filesystem-relative locations which are translated into disk-specific information* which can be used to locate linked lists of strings which can be concatenated to produce the big string the user put there before, but nobody wants to deal with the concept on that level unless they have to.

* Or sometimes there are more levels in the middle, such as virtual disks, RAID arrays, filesystem redundancy, etc. Either abstraction is much nicer.

Re: Cart Before The Horse?

"But for Bobby and Susy Office Worker, what exactly does AI bring to the table? I can get useless search results even faster? What's in it for me and the millions of other average users?"

If you need to write an email but don't want to be bothered thinking or typing, then you can use this to create a message that looks like it answers a question but really doesn't. If the person you are sending it to isn't bothering to read it, then you've saved yourself some time. Otherwise, you'll end up looking like a person either being deliberately unhelpful or someone with reading comprehension problems. That appears to be the use case for office workers that AI companies have thought of. I'm sure some people will try doing that. I didn't say it would be a good thing.

"BTW, what's the difference between directories and folders?"

The level of abstraction involved in the name. Both are pretty abstract, but "folder" was intended to represent to the user what the thing does, and "directory" was intended to represent to the user how the thing worked. The concept that they're doing is identical.

Re: Word Processing in the Cloud

It appears people disagree with my supposition. I'm curious if others have another reason they'd like to propose for why a school would intentionally remove both editors from a system? It can't be Microsoft doing it; Notepad is always there and Word Pad has been thus far as well. To actually remove them would take someone deliberately trying to do so. As much as we might try to blame Microsoft for it, can you actually name a version of Windows that has had them stripped out to push Office365, or for any other reason?

Re: the application will be removed on upgrade

Because there is a risk in telling people that they ship this binary on everyone's installation but it's not supported. If, for example, a security vulnerability was found in it, would they really be able to claim that they don't support it, so that's not their fault? They would be blamed for that, so if they're no longer going to maintain it, they remove it. You can always put it back. It appears to be one executable, one DLL, and a resources file for each installed language, so it should be pretty easy to keep even after it's removed from preinstallation.

Re: Word Processing in the Cloud

I'm sure that, if this is true, it was done intentionally by the place of education. If so, they likely did it to prevent students from writing something locally, saving it to a disk which isn't meant for storage of student work, and either losing important work or claiming that they did to get out of turning something in. The same reason why I've been asked to prevent people from being able to save documents except to a network drive, because evidently just telling people is not working.

Re: Brutality

The quality of the prison doesn't change the expectation of ending up there. People do things all the time where the severity of the bad outcome is high but the risk of incurring it is, or they perceive that risk to be, low. Ransomware operators already have received very long sentences, but that's a small subset of people, and some of the others are living with quite a bit of wealth and happily evading law enforcement. Criminals have chosen to believe that they'll be like the latter and avoid the situation of the former. So far, they're mostly right to think they'll avoid the arm of the law, although they're often wrong about how well they'll be paid for the work. Increasing the severity of what will happen if law enforcement gets them won't have much of an effect unless law enforcement starts getting to more of them, and I think that the effect would be similar without increasing the penalties at all if they could only be applied more broadly.

Re: Would it not be possible to give a patient list to the police...

It should be, and for all I know they may have some method of determining that which for some reason isn't used for many calls. However, criminals who have even a bit of a clue could find ways to relay calls from their location to somewhere local, or even pay someone to make the calls on their behalf. There was a group of adolescents interviewed on a security podcast who operated swatting as a service operations, so they could try outsourcing the work to those guys. It probably won't end well for the less intelligent of those ones, but it offers them another proxy.

For those who are interested in hearing it, the specific episode is Episode 83: 'DING-DONG DITCH' ON STEROIDS (link goes to Apple podcasts).

Re: Would it not be possible to give a patient list to the police...

Fine with me. And those are? The problem with crime of this nature is that we usually don't know all the names and addresses, and when we find out one of them, it's usually more useful to hide it because there's a chance we may find more, while publishing the one we have will just alert them that we're getting close. Some criminals have been arrested successfully when law enforcement has succeeded in unmasking them, but unfortunately not often enough to stop others doing it.

I'd argue against this, but I think you misread the situation so much that it's virtually impossible to debate the point with you. Somehow reporting a problem is the same as advertising, even though I don't pay anybody to use libcurl and the article mentions nothing encouraging use of it. I think you might need to read the article again.

Re: Charge bug bounty hunters an entry fee

It will probably get rid of all hunters, both those who submit crap and those who don't. Hunters may be concerned about submitting a real bug and getting charged for it, especially if companies are being vindictive as they sometimes do. While I don't do commercial bug hunting, I've had the experience of reporting a vulnerability to a company and getting a nasty message back because they didn't like having a problem brought to light, so I'd be careful not to do that if it involved getting a nasty message and paying them for the privilege. I think that's what you'll get, but we can always try. I wish there was a better way, but I don't have one.

Re: What's the betting

I'm sure you can purge the advertising cache files every time Chrome creates them, but that will just cause Chrome to recreate them every time. With a 10 MB limit, it's likely those will be hideously compressed on disk to fit as much as they can in there, so expect to be downloading 10 MB per advertiser when it restarts. The good news: it will probably be different advertisers each time.

This is a good enough reason not to use Chrome if you can't disable this, and I already had a good enough reason not to use it.

Re: Don't get this confused with free speech.

I didn't disagree with that. In fact, I was using that as part of my statement that there are always consequences, and that the free speech legislation in the US does not prohibit companies from using employees' speech as a reason to fire them. What I asked about was why the original poster thought their opinions should be excluded on a free speech basis, but that the people in this article don't qualify for the same. I think the law doesn't give an exception to either, which is internally consistent, but their post did not have a similar consistency, nor even an argument for why their exception should be specially excluded from consequences.

Re: Don't get this confused with free speech.

So let me see if I understand your statement correctly:

If someone says something that you agree with then it's a free speech issue and you should be allowed to say it without fear of losing your job. If it's something different, which you probably disagree with, then it's not a free speech issue and bring on the consequences.

Sorry, if your boss can fire you for one thing you said, they can fire you for other things as well. Consequences always apply. The only exceptions are when labor law restricts them, which could be in everything or not. In the U.S., those laws are not strong, meaning that you can be fired for lots of things you may choose to post. This means that I don't expect these workers will get anything in this case, as they can be fired for the statements their managers did not like. It does not mean the views you prefer would or should get to bypass this reality unless the law is changed. I'm having trouble seeing your distinction between what counts and what doesn't other than you agree with one and don't with another.

Re: MIT/BSD anybody?

It's true that Linus didn't have the ability to just switch everything to GPL 3, but he could have done something to make the terms apply to some important part and apply the restrictions to most users. Based on his comments at the time, it seems he didn't have a major objection to the tactics that the FSF wanted to prevent with the GPL 3, so he didn't try to do that.

Re: All because of crypto

"I never claimed (and if you disagree: show me were I did) that this is a silver bullet that will magically solve all cybercrime."

I agree, you did not. The person to whom I first replied did, or rather that it would magically solve all ransomware. I've seen the argument before, and similar to the discussion elsewhere in these threads about whether you could start a global trade war to stop ransomware, it could theoretically help but not as thoroughly nor as cheaply as people would like to believe.

I also agree that disabling cryptocurrency, if we could do so unilaterally, would cause some serious problems to ransomware operators. So would several alternative methods, such as making payment of ransoms illegal or having a larger dedicated police force for identifying operators and tracking them until they come to a country in which they could be arrested. We could try all of these things and more. Each would probably have some effect. None would have the ultimate effect we both want, and I fear that cryptocurrency might be among the weaker of them given the scale involved. There are a lot of criminal organizations that have spent time and effort figuring out how to move large quantities of money before cryptocurrency existed, and ransomware has become large enough that they could start to do the same. I think that there is an appetite to shut down ransomware that is strong enough that people are abandoning the step of considering the costs and likely results of possible measures. This has led, in these comments alone, to suggestions to send assassins to kill the ransomware operators and to commit acts of war against the countries in which they are located. Banning cryptocurrency is much less outlandish than either of these, but that doesn't make the description realistic.

Re: All because of crypto

Did I say that you need to keep cryptocurrency because it's so useful? I did not. What I was arguing against was this: "Get rid of cryptocurrency and the problem goes away." Sorry, that would be great, but the problem won't go away with a flip of a switch. If you pretend it will, it will only result in disappointment when you spend a long time convincing people to do the difficult work required to shut down or make effectively worthless all cryptocurrencies and ransomware operators are still around. A counterpoint is that, if we could retroactively disable cryptocurrency a decade ago, I think we might have prevented ransomware because they started with small attacks and small ransoms where finding a transfer method was not worth it, but you rarely hear about a ransomware attack on a personal laptop anymore. Nowadays, it's large groups going after large companies or governments for millions in ransom, and that scale is where finding alternatives is worth the effort and much easier to try.

I don't much care whether cryptocurrency exists. I have none, I don't want any, and the benefits it was supposed to bring it hasn't and won't. Let's still be honest about the realities involved in both the ransomware industry and the cryptocurrency industry before we claim easy answers.

Re: Unannounced security tests

If the link they're clicking on is to a phishing test provider, the one your company contracts with, you can probably take a pretty good guess that it's a phishing test. If you're not sure, you can ask whoever sends them out, and if they tell you that it is one, then you know for certain. There are ways to know that other than being the sender. If you're trying to test vigilance, it can be useful to know who will click on something when there isn't someone shouting for them not to; a real attack will not necessarily go to the users who know what they're doing. Clicking on a link even when I'm looking over your shoulder and telling you it's a bad idea is a bad sign, but someone who avoids doing that is not necessarily good enough to avoid the real risks.

Re: I'm shocked!

I'm curious why people disagree with that? It's not too different from what Firefox says:

Private window: Firefox clears your search and browsing history when you close all private windows. This doesn’t make you anonymous.

Learn more

Of course, Google does a lot more nefarious stuff than Mozilla does, but their warning doesn't hide that incognito is a very basic thing that is limited to the local device. I don't mind that someone sued Google over collecting a bunch of data and tried to link it to their Chrome privacy record, which is pretty terrible, but the message they show does indicate that they haven't opted out of collecting data on their end and nor has anyone else.

Re: Pretty sure you can't change the laws of Physics...

The laws of physics don't change. That's why your radio receives one channel, just Morse code. After all, the first radio experiments worked that way, and the physics isn't any different today. The advantages are in our more efficient use of the laws of physics. Instead of using all frequencies, we limit to a smaller band. Instead of using analog data, we use digital data which can be more tightly packed. Some of the changes are redesigns like that, whereas others are simply improvements in manufacturing technology allowing transmitters to use less bandwidth while not getting prohibitively expensive. The laws of physics say such things as how much power your signal will have based on the distance and items between the receiver and transmitter, that is unless you use other physics hacks like finding a way to reflect it, but those laws say nothing about how low the power level can get before your receiver can no longer use it, let alone how many bits per second you can manage to shove in there. That's down to your tools, and those do change.

As for WiFi, you can have that. Lots of countries have some ISP who came up with this idea and has a public access method. Find which ones do that in your country, they probably exist, and sign up for an account. Congratulations, you have WiFi access from the house of anyone who has the same ISP and didn't change the settings on the supplied equipment. It doesn't work for people like me who buy my own equipment and configure it myself, but my neighbors have these, so you'll have coverage. That is you'll have coverage when you're near someone else's house, but I spend no effort making sure my WiFi coverage extends outside those walls very far. If you're in the street near a house, you'll probably have something, but if you're in a more open space, you won't. The same applies if you're moving between these access points. Most importantly, there are a lot of places without houses where you won't have any APs to connect to at all, and if you want the internet there, you'll need something that has better coverage than home WiFi.

Re: 5G speed not just affected by signal

I would guess that it's for tracking and billing because your provider will be responsible for charging you for billed usage and paying their partner network. Alternatively, it could be related to protection of your data so they can use networks you otherwise wouldn't trust, but I don't know whether their tunneling includes encryption or not. Both of these are guesses, though. I don't know if they are correct.