Posts by doublelayer

10571 publicly visible posts • joined 22 Feb 2018

After injecting cancer hospital with ransomware, crims threaten to swat patients

doublelayer Silver badge

It's a bunch of people from everywhere. One common setup involves Russia, because it and surrounding countries have had a lot of people who have technical skills but few job prospects, and Russia has turned a blind eye to criminals who don't attack Russians and occasionally help them disguise government actions. That's why some of the largest operations are based there. However, even those have a lot of outsourcing. For example, they might write the encryption software themselves and run the negotiations, but they let someone else break into the networks to install it. That person gets a cut and could easily be outside Russia. Similarly, even those who work for the group need not be in Russia, and very commonly are located elsewhere. Ukraine had a lot of participants, and while the Ukrainian authorities were much more helpful in arresting them when identified, it didn't stop it being a country with plenty of participants. A group can form in any country, can have employees or partners in any other set of countries, and can be created by multiple types of people, from those interested in a quick heist to governments trying to disguise military actions as a criminal enterprise.

doublelayer Silver badge

Re: Brutality

The quality of the prison doesn't change the expectation of ending up there. People do things all the time where the severity of the bad outcome is high but the risk of incurring it is, or they perceive that risk to be, low. Ransomware operators already have received very long sentences, but that's a small subset of people, and some of the others are living with quite a bit of wealth and happily evading law enforcement. Criminals have chosen to believe that they'll be like the latter and avoid the situation of the former. So far, they're mostly right to think they'll avoid the arm of the law, although they're often wrong about how well they'll be paid for the work. Increasing the severity of what will happen if law enforcement gets them won't have much of an effect unless law enforcement starts getting to more of them, and I think that the effect would be similar without increasing the penalties at all if they could only be applied more broadly.

doublelayer Silver badge

Re: Would it not be possible to give a patient list to the police...

It should be, and for all I know they may have some method of determining that which for some reason isn't used for many calls. However, criminals who have even a bit of a clue could find ways to relay calls from their location to somewhere local, or even pay someone to make the calls on their behalf. There was a group of adolescents interviewed on a security podcast who operated swatting-as-a-service operations, so they could try outsourcing the work to those guys. It probably won't end well for the less intelligent of those ones, but it offers them another proxy.

For those who are interested in hearing it, the specific episode is Episode 83: 'DING-DONG DITCH' ON STEROIDS (link goes to Apple podcasts).

doublelayer Silver badge

Re: Would it not be possible to give a patient list to the police...

Fine with me. And those are? The problem with crime of this nature is that we usually don't know all the names and addresses, and when we find out one of them, it's usually more useful to hide it because there's a chance we may find more, while publishing the one we have will just alert them that we're getting close. Some criminals have been arrested successfully when law enforcement has succeeded in unmasking them, but unfortunately not often enough to stop others doing it.

Ransomware payment ban: Wrong idea at the wrong time

doublelayer Silver badge

Re: class ransomware as a weapon of mass destruction?

Do you want that tested over your house? Are you really planning your international policy on Russia being unwilling or unable to maintain some nuclear weapons to back up the frequent threats, weapons they already had? I'm sure the Russian arsenal is less modern and well-maintained than the American or British ones, but an old nuclear weapon can still kill a lot of people. The reason that nuclear powers usually have a strong line against any use of nuclear weapons is that even one detonation can be catastrophic. Unless you seriously believe that Russia somehow managed to break every nuclear weapon they've ever had, you need to take their ability to use them into account when planning actions against them, which means that nuking them yourself is a really risky thing to do.

But let's assume it's not Russia. It's the People's Republic of Alphia which doesn't have any nuclear weapons. They can't get any meaningful revenge if you decide to attack them. Are you satisfied dropping a nuclear weapon on them when criminals operate from them and they don't do something about it? That will result in thousands to millions of innocent Alphians who didn't do that dying. It will probably cause people in Alphia's neighbors to die as well. It will certainly cause complete chaos in the region. It will likely cause a lot of Alphians to hate your country, so expect some Alphian terrorist movements trying to make you pay. Is that something you're comfortable doing, both from a moral and a pragmatic point of view?

doublelayer Silver badge

It depends what you have to do to get cut off. If it's really difficult, effectively making yourself a pariah to everybody, then it won't matter. The only country that's achieved that is North Korea, and basically nothing comes from their tiny address space. All their attacks come from other countries' addresses, most of that launched from Chinese proxies (as the first link in a chain to more proxies), and some also committed by people operating from a different country already. If it's really easy to get a country blocked from the internet, what makes you so sure that the one you're in won't get blocked for some reason? Russia may have burned a lot of its bridges with European countries and close allies, but they've got plenty of links with other countries, especially including India and China. How would we ban Russia from the internet if India and China were voting on their side and could easily proxy as much traffic as they needed to? Would we try to ban those two as well for not complying with our ban? The decisions required to implement that and trying to decide who should have the power to make them is a very difficult task.

doublelayer Silver badge

Re: How about a bounty?

They do that. For example, from this paper alone:

US offers $10m for info on DarkSide ransomware gang chiefs

US puts a $10m bounty on Hive while Russia shuts down access

US offers $15m for help catching Conti ransomware gang

If you have lots of cash to spend on that, you can keep doing it. I'm not sure the rewards promised in any of those have actually been paid, and I don't know how many useful leads they got from having those programs, but it is a tool and the US, at least, has been using it on occasion.

doublelayer Silver badge

It won't destroy cybercrime, but it would weaken it. Anyone could have set up an insider trading scheme based on causing sabotage any time in the past. However, it's much more difficult to implement correctly. You may not know, for example, how much damage your sabotage will do or when it will become known. If your attack occurs in July but they don't announce financial results until September, you don't know how bad it will look then and there's a chance your trading either fails or, more likely, produces a really tiny profit for a carefully-planned attack. If we could destroy ransomware entirely and only be left with things like that, that would be an improvement. I won't pretend that banning payment of ransoms would completely kill ransomware, as I'm sure there would still be some people willing to circumvent the ban rather than incur the consequences, but it would be helpful.

doublelayer Silver badge

Re: class ransomware as a weapon of mass destruction?

Sure, that will work great.

US: Excuse me Mr. Putin, but we detected some criminals operating from your country infecting hospitals with ransomware. We have a small missile pointed at Moscow and another one targeted at Volgograd, where we're pretty sure these guys are. We're about to kill two million of your citizens. What do you say?

Putin: One moment please.

...

Putin: I have thirty missiles ready to fire at thirty of your cities. I will kill fifteen million of your citizens. What do you say?

US: I have a hundred missiles. Thirty million citizens.

Putin: Five hundred missiles. Too many citizens to count.

US: Most of the missiles. Your country will not exist.

Putin: All our missiles. Your country and those of your allies won't exist.

The concept of mutually assured destruction is not new. You would do well to learn it.

doublelayer Silver badge

Re: "Such a ban would need to be universal"

If you want the logic to say that big business can do whatever it wants because it has ultimate power over everything, then let's just accept that. It's wrong and self-defeating, but we don't even have to argue about that to resolve this question. If the biggest businesses are beyond our ability to control them, then we still have the power to influence what everyone else can do, and that power is still big. So, whether we are powerless or not to regulate the actions of the largest companies (we are not), we can still make an impact by regulating what smaller ones and government-controlled entities, as mentioned in the article, can do.

doublelayer Silver badge

Re: Wrong

"How can you frame it as a crime to pay to get your own data back under threat of damages to your company?"

Paying money to known criminals? It is already illegal if you replace "criminals" with "terrorists", because you know the money will be put to use committing terrorism which is assumed to be worse than whatever problem you're having. It's pretty easy to make that logical leap, and the law would be compatible with other criminal legislation that already exists. There is no legal obstacle, as far as I know, that would prevent you from passing and enforcing such a law. Therefore, it comes down to whether we, as the voters in democracies, wish to make that a criminal offense or not.

doublelayer Silver badge

Re: Wrong

The fact that someone made a mistake does not mean that we should adjust our laws to let them do whatever they think necessary to recover from their mistake. I have left too late for things before, but that didn't give me permission to treat the public streets as a racetrack to get where I needed to be on time. Making mistakes leads to consequences. Consequences are why you try to avoid mistakes when you can and to have contingencies for when you can't.

Open source's new mission: To boldly go where no software has gone before

doublelayer Silver badge

Re: What but not why...

"It also (as another poster raised and promptly got downvoted for) can be wildly abused as a mechanism for denying the reward for work done."

They got downvotes because it's not abuse. It's specifically written into the license the person doing the work chose. If I write some code and say you can use it for free, and you can make money from using it, then maybe I should have tried to charge you in the first place. There's a reasonable chance you wouldn't have used my code in that case, but if I choose to give you the right to use it for free, then I should expect that you get to use it for free. There are a lot of options for making software which cannot be used in commercial situations without payment. If you don't choose any of those methods, and you specifically choose one that does allow it, it is not abuse when people do what you said they could.

Microsoft pulls the plug on WordPad, the world's least favorite text editor

doublelayer Silver badge

Re: Word Processing in the Cloud

It appears people disagree with my supposition. I'm curious if others have another reason they'd like to propose for why a school would intentionally remove both editors from a system? It can't be Microsoft doing it; Notepad is always there and WordPad has been thus far as well. To actually remove them would take someone deliberately trying to do so. As much as we might try to blame Microsoft for it, can you actually name a version of Windows that has had them stripped out to push Office365, or for any other reason?

doublelayer Silver badge

Re: the application will be removed on upgrade

Because there is a risk in telling people that they ship this binary on everyone's installation but it's not supported. If, for example, a security vulnerability was found in it, would they really be able to claim that they don't support it, so that's not their fault? They would be blamed for that, so if they're no longer going to maintain it, they remove it. You can always put it back. It appears to be one executable, one DLL, and a resources file for each installed language, so it should be pretty easy to keep even after it's removed from preinstallation.

doublelayer Silver badge

Re: Word Processing in the Cloud

I'm sure that, if this is true, it was done intentionally by the place of education. If so, they likely did it to prevent students from writing something locally, saving it to a disk which isn't meant for storage of student work, and either losing important work or claiming that they did to get out of turning something in. The same reason why I've been asked to prevent people from being able to save documents except to a network drive, because evidently just telling people is not working.

AI-generated bug reports are seriously annoying for developers

doublelayer Silver badge

Re: Charge bug bounty hunters an entry fee

It won't affect academia or Project Zero types because those people have a lot more ability to report things without penalty and they are also listened to if they have to report something publicly. If a company wants to get rid of the HackerOne types, they have a clear option: don't have a HackerOne presence. If they've decided that the noise from people looking for an opportunistic quick reward is worth the potential benefit of more people looking for and reporting real issues, then this is a more important problem for them. Public bug bounties have always been prone to bad submissions, a problem that AI will probably exacerbate, but each company can individually choose whether to participate.

doublelayer Silver badge

I'd argue against this, but I think you misread the situation so much that it's virtually impossible to debate the point with you. Somehow reporting a problem is the same as advertising, even though I don't pay anybody to use libcurl and the article mentions nothing encouraging use of it. I think you might need to read the article again.

doublelayer Silver badge

Re: Charge bug bounty hunters an entry fee

It will probably get rid of all hunters, both those who submit crap and those who don't. Hunters may be concerned about submitting a real bug and getting charged for it, especially if companies are being vindictive as they sometimes are. While I don't do commercial bug hunting, I've had the experience of reporting a vulnerability to a company and getting a nasty message back because they didn't like having a problem brought to light, so I'd be careful not to do that if it involved getting a nasty message and paying them for the privilege. I think that's what you'll get, but we can always try. I wish there was a better way, but I don't have one.

Google to start third-party cookie cull for 30 million Chrome users

doublelayer Silver badge

Re: What's the betting

It probably won't be as simple as rm Chrome/Profile/advertiser_files/*, but I expect it won't be intentionally obfuscated as you appear to suggest. They just don't need to do that. If someone was motivated to do that, they could do all sorts of things, for example just creating a basic profile containing their settings and, every time Chrome closes, delete the old one and substitute in the premade one. Google hasn't prevented that or even made it at all more difficult. They don't collect data by making it impossible to avoid, but by making it difficult to avoid and counting on people not bothering to do anything too complicated. The things they have gone after have been the ones that are easy for lots of users to do, for example installing an ad blocker, which can be managed by a nontechnical user who is willing to push a few buttons, and even that isn't particularly common among the general public. The reason it doesn't happen is that those of us who are willing to take more invasive measures are less likely to be running Chrome anyway, using either Firefox or a Chromium-derived alternative with some of this stuff stripped out, though not as much as would be ideal.

doublelayer Silver badge

Re: What's the betting

I'm sure you can purge the advertising cache files every time Chrome creates them, but that will just cause Chrome to recreate them every time. With a 10 MB limit, it's likely those will be hideously compressed on disk to fit as much as they can in there, so expect to be downloading 10 MB per advertiser when it restarts. The good news: it will probably be different advertisers each time.

This is a good enough reason not to use Chrome if you can't disable this, and I already had a good enough reason not to use it.

Tech support done bad sure makes it hard to do tech support good

doublelayer Silver badge

Re: A penny saved and a pound lost

I've also seen some disasters of doing things on the expensive. Mostly, it's people who don't want to spend the time to build something right, so they figure that the expensive option will mean they can skip that part. Alternatively, people who actually do get things set up properly, but spend so much on the expensive things that they eventually run out of money for other things they also need, usually just at the level of the project budget rather than the entire company, but I'm sure other companies run into a similar problem.

This situation looks unrelated. I see nothing here that says the private feed they were using was required over the cheaper option, so someone who told the company that they should stick with the private option to avoid this mess would be needlessly spending money. What they actually needed to do was to properly implement the new option they switched to, but that's on their processes and the vendor's docs, not the decision to switch feeds.

Windows keyboards to get a Copilot key – but how quickly will users jump?

doublelayer Silver badge

That's what I was saying. Folder represents the abstract concept at the user level because folders appear to contain files and more folders. Directory represents the abstract concept at the developer level because directories contain the name and location of other things. Both are abstractions to some degree because the directory is actually a linked list of strings which are serializations of objects which contain strings and integers which refer to filesystem-relative locations which are translated into disk-specific information* which can be used to locate linked lists of strings which can be concatenated to produce the big string the user put there before, but nobody wants to deal with the concept on that level unless they have to.

* Or sometimes there are more levels in the middle, such as virtual disks, RAID arrays, filesystem redundancy, etc. Either abstraction is much nicer.

doublelayer Silver badge

Re: Cart Before The Horse?

"But for Bobby and Susy Office Worker, what exactly does AI bring to the table? I can get useless search results even faster? What's in it for me and the millions of other average users?"

If you need to write an email but don't want to be bothered thinking or typing, then you can use this to create a message that looks like it answers a question but really doesn't. If the person you are sending it to isn't bothering to read it, then you've saved yourself some time. Otherwise, you'll end up looking like a person either being deliberately unhelpful or someone with reading comprehension problems. That appears to be the use case for office workers that AI companies have thought of. I'm sure some people will try doing that. I didn't say it would be a good thing.

doublelayer Silver badge

"BTW, what's the difference between directories and folders?"

The level of abstraction involved in the name. Both are pretty abstract, but "folder" was intended to represent to the user what the thing does, and "directory" was intended to represent to the user how the thing worked. The concept that they're doing is identical.

SpaceX accused of firing employees critical of free speech fan Elon Musk

doublelayer Silver badge

Re: Don't get this confused with free speech.

Musk has spoken frequently about "free speech", that is to say, not government restrictions on speech, but others' reactions to that speech which he doesn't like. Now, he is reacting to others' speech that he doesn't like. The inconsistency is common. I think he has the right to do what he did, but it is inconsistent with his complaints when others were treated similarly. I interpreted the headline to be referring to his previous statements about speech and its consequences, which he has contradicted numerous times including now.

doublelayer Silver badge

Re: Don't get this confused with free speech.

I didn't disagree with that. In fact, I was using that as part of my statement that there are always consequences, and that the free speech legislation in the US does not prohibit companies from using employees' speech as a reason to fire them. What I asked about was why the original poster thought their opinions should be excluded on a free speech basis, but that the people in this article don't qualify for the same. I think the law doesn't give an exception to either, which is internally consistent, but their post did not have a similar consistency, nor even an argument for why their exception should be specially excluded from consequences.

doublelayer Silver badge

Re: Don't get this confused with free speech.

So let me see if I understand your statement correctly:

If someone says something that you agree with then it's a free speech issue and you should be allowed to say it without fear of losing your job. If it's something different, which you probably disagree with, then it's not a free speech issue and bring on the consequences.

Sorry, if your boss can fire you for one thing you said, they can fire you for other things as well. Consequences always apply. The only exceptions are when labor law restricts them, which could be in everything or not. In the U.S., those laws are not strong, meaning that you can be fired for lots of things you may choose to post. This means that I don't expect these workers will get anything in this case, as they can be fired for the statements their managers did not like. It does not mean the views you prefer would or should get to bypass this reality unless the law is changed. I'm having trouble seeing your distinction between what counts and what doesn't other than you agree with one and don't with another.

What comes after open source? Bruce Perens is working on it

doublelayer Silver badge

Re: Better idea: Go nuclear

That wouldn't happen. If everyone got the source code to every application, the freedom to share being absent would not stop people from sharing it anyway, nor would it prevent other groups from making "competing" versions that are pretty much just copies. If a country tried it, they would simply not get any direct sales. People would still be using Windows, but they'd be using Windows imported from a country next door or using pirated license keys. The same is true of most other software. In practice, we all have the ability to reverse engineer software we have, and we have some rights to do so, but the practical difficulties doing that make it useless to most people. After all, what reverse engineering tasks are you capable of completing but currently blocked from doing by legal obstacles? I imagine that the only significant legal obstacle is with distributing the result, but there are some practical obstacles as well.

doublelayer Silver badge

Re: MIT/BSD anybody?

It's true that Linus didn't have the ability to just switch everything to GPL 3, but he could have done something to make the terms apply to some important part and apply the restrictions to most users. Based on his comments at the time, it seems he didn't have a major objection to the tactics that the FSF wanted to prevent with the GPL 3, so he didn't try to do that.

doublelayer Silver badge

Re: Eclipse Versus Borland Delphi

"Companies don’t need Open Source if they want to cooperate."

True, but it helps. They could form a consortium and build something closed. That consortium could even sell licenses and that might help make some money. But it makes it really hard for new companies or individuals to join and start working on it as well, and it reduces the number of users, which can be important if you want contributors. They appreciate that it's free as well, but part of the reason that it can be is that there are so many people interested in maintaining it.

doublelayer Silver badge

Re: Let's say he creates this post-open "contract"

It's not about willingness to pay so much as knowing whether or not I have to. I don't object to proprietary software; if I want it, I will and have paid for it. The companies that employ me do so all the time. The charities I used in my example do so less frequently because, as I said, they don't have a lot of money so asking them to spend five figures on some enterprise software is a hard sell, but they still do it if it's important enough. However, I know that when I suggest the option. I don't say "Let's use Office365" and get surprised that Microsoft wants money for it. Using something sold as open source and then finding out that the license is not compliant is a much larger surprise, especially if I've previously contributed code or donated money to that project.

One of the reasons I might adopt open source software instead of proprietary is the freedom it offers me, and I don't just mean the freedom to read the source and modify it in my environment. Chances are that I won't be doing a lot of that for the infrastructure software anyway. One other freedom that I value highly is the knowledge that, no matter what the authors did, I can keep using this. If the authors gave up and stopped developing it, I still have the software and the right to run it here. If the authors started demanding a higher price than I can pay for some feature, I still have the old software and can work around this change while using what I already had. In either case, I can take the code, make my own version, and work with others to keep the software alive despite it. In an environment where certain uses require permission or payment, I no longer have that guarantee. If the authors have the choice to tell me that my use is now forbidden, then I have lost something that traditional open source provided.

A tale of 2 casino ransomware attacks: One paid out, one did not

doublelayer Silver badge

Re: Forensic accounting is a thing as is KYC.

"10M without someone getting their fingers dirty, from a legal perspective, would be really hard to shift quickly."

Let's be clear that the people who would be doing this have already started out by breaking into someone's system and installing ransomware on it. I don't think they're too worried about staying legal. They're only worried about the pragmatism of whether they get the money without being identified. Therefore, several of your objections do not apply. For example, tracking the person who bought the gold before it got to you: they don't matter. Paying ransoms is still legal, so that person can go out in public and say "I'm buying gold for these evil guys" and they are fine. So are the criminals. Nobody cares if that link is tracked down.

Similarly with the arguments about the slowness of cash processing. This is the same problem that criminals receiving cryptocurrency have. They don't really want cryptocurrency, as there are only a few things you can buy with it directly. They need to turn it into something else, and there are problems doing so quickly in a way that evades local authorities. It has no advantage over any other commodity that isn't immediately convertible into high-value purchases. While doing it in gold or physical cash has that annoying feature for the criminals, cryptocurrency has it as well.

doublelayer Silver badge

Re: All because of crypto

"I never claimed (and if you disagree: show me where I did) that this is a silver bullet that will magically solve all cybercrime."

I agree, you did not. The person to whom I first replied did, or rather that it would magically solve all ransomware. I've seen the argument before, and similar to the discussion elsewhere in these threads about whether you could start a global trade war to stop ransomware, it could theoretically help but not as thoroughly nor as cheaply as people would like to believe.

I also agree that disabling cryptocurrency, if we could do so unilaterally, would cause some serious problems to ransomware operators. So would several alternative methods, such as making payment of ransoms illegal or having a larger dedicated police force for identifying operators and tracking them until they come to a country in which they could be arrested. We could try all of these things and more. Each would probably have some effect. None would have the ultimate effect we both want, and I fear that cryptocurrency might be among the weaker of them given the scale involved. There are a lot of criminal organizations that have spent time and effort figuring out how to move large quantities of money before cryptocurrency existed, and ransomware has become large enough that they could start to do the same. I think that there is an appetite to shut down ransomware that is strong enough that people are abandoning the step of considering the costs and likely results of possible measures. This has led, in these comments alone, to suggestions to send assassins to kill the ransomware operators and to commit acts of war against the countries in which they are located. Banning cryptocurrency is much less outlandish than either of these, but that doesn't make the description realistic.

doublelayer Silver badge

Re: All because of crypto

Did I say that you need to keep cryptocurrency because it's so useful? I did not. What I was arguing against was this: "Get rid of cryptocurrency and the problem goes away." Sorry, that would be great, but the problem won't go away with a flip of a switch. If you pretend it will, it will only result in disappointment when you spend a long time convincing people to do the difficult work required to shut down or make effectively worthless all cryptocurrencies and ransomware operators are still around. A counterpoint is that, if we could retroactively disable cryptocurrency a decade ago, I think we might have prevented ransomware because they started with small attacks and small ransoms where finding a transfer method was not worth it, but you rarely hear about a ransomware attack on a personal laptop anymore. Nowadays, it's large groups going after large companies or governments for millions in ransom, and that scale is where finding alternatives is worth the effort and much easier to try.

I don't much care whether cryptocurrency exists. I have none, I don't want any, and the benefits it was supposed to bring it hasn't and won't. Let's still be honest about the realities involved in both the ransomware industry and the cryptocurrency industry before we claim easy answers.

doublelayer Silver badge

Re: All because of crypto

Challenge: find a way to get £10M from someone who has it and is willing to pay it, into your hands without the police identifying you and you win £10M. Do you really think that, with an incentive like that, people will really just give up if the first one they used isn't working anymore? Can you really not conceive of a method that might work?

What if I give you an extra asset, one the largest ransomware organizations tend to have: if you have some people in Russia, the Russian police won't try to arrest you anyway. That means you can do things in Russia that wouldn't normally work in a different country, if any physical interaction is needed. I'm guessing you have some ideas that don't involve cryptocurrency. And they already have the software, so trying some new ones would be close to free. If it fails and their transaction is reversed, they can always try another method with the next company, or even call back the first company and try again.

NAT, ATM, decentralized search – and other outrageous opinions from the 1990s

doublelayer Silver badge

Re: Year End Reminiscing

I'm not sure they're trying for high quality sound. I agree that it's not good enough for a lot of uses, but they are probably willing to forego the customers who need studio-quality sound. Those people, and I have at times been one of them, are really particular about their needs and may not be great at understanding when the network really is the limiting factor preventing it from happening. Meanwhile, there are a lot of people who, if they weren't using a videoconference, would be using a conference call over traditional phone lines. The sound on those is generally even worse, but people put up with it. These are the majority of users who will be easy to please with the basic audio and who will be using whatever cheap laptop microphone they have, which doesn't help improve the quality. If I choose to use more of my bandwidth on the audio, I can produce significant improvements without making a real dent in my available bandwidth, but most of the people I'm talking to wouldn't care that I had.

CEO arranged his own cybersecurity, with predictable results

doublelayer Silver badge

Re: Unannounced security tests

This kind of response is exactly why tests at my company do not go to everyone at once. Someone refraining from clicking a link because someone else specifically told them not to is not good enough. If an attacker sends them, and only them, a message, then they still need to catch it and at least ask someone who knows what they're doing. Warnings on something you know to be a test are harmful.

"This implies that the best way to do phishing is by posing as a phishing test service."

There is a reason why I said that, to be reasonably sure, you would not just check that it looks like a phishing test service, but the one that previous tests have used. And why I said that to be completely certain, you would get explicit confirmation from the team that handles reports or sends out the messages. No, it does not imply that impersonating a test service is the best way to do phishing. Unless it can successfully impersonate your test provider, it won't pass my stated requirements, and if you know enough to check those requirements, you're not going to be filling it out anyway.

doublelayer Silver badge

Re: Unannounced security tests

If the link they're clicking on is to a phishing test provider, the one your company contracts with, you can probably take a pretty good guess that it's a phishing test. If you're not sure, you can ask whoever sends them out, and if they tell you that it is one, then you know for certain. There are ways to know that other than being the sender. If you're trying to test vigilance, it can be useful to know who will click on something when there isn't someone shouting for them not to; a real attack will not necessarily go to the users who know what they're doing. Clicking on a link even when I'm looking over your shoulder and telling you it's a bad idea is a bad sign, but someone who avoids doing that is not necessarily good enough to avoid the real risks.

doublelayer Silver badge

"our process for checking suspicious links that look plausible involves clicking them"

And almost certainly telling the attacker that this address exists and has someone who clicks on links, so send some more over there. Sure, it's a lot better than if they actually got what they wanted, and I'm assuming you clicked them on a machine that didn't have any credentials to try to steal, but does the risk of sending information to the attacker about the link clicked cause any concern?

doublelayer Silver badge

Re: Unannounced security tests

If you know for certain that it is a test, then you also know that there isn't a risk to security if someone clicks on it. Not telling them means that the test is better, because it tells you what things would look like if they were the only or first person to get this message. They can't always count on you having received any phishing attempt before it is sent to them, so they need their own vigilance as well as listening to you. This is why phishing tests at my company are intermittent, so if one person gets a suspicious email and asks me whether I got one as well, I will usually say no completely honestly because I did not get this one. This requires them to either test the email on their own or enlist someone like me to help them do so, which is what we want them to be doing with suspicious mails anyway.

If you don't know that it is a test, tell everyone.

doublelayer Silver badge

Re: Customers are the security liability

It wouldn't have happened automatically, but it would have been easy to open. I'm not sure about others' workflows, but I read the message before opening the attachments, mostly because there's a chance that the message will tell me that I don't need to bother with that file so opening it is a waste of time, but also to detect risks with the file. If others weren't doing that, suggesting that they might want to read the message first is not a bad plan.

Irony alert: Lawsuit alleging Chrome’s Incognito Mode isn’t will settle on unknown terms

doublelayer Silver badge

Re: a new computer and trashing it

Why is it the default? Google wants data and will use the smallest of excuses to begin collecting it. The difficulty turning off location tracking makes this obvious; it's probably illegal, and that hasn't stopped them, so it's not surprising that they use any data the users enter. It also is necessary to use some of the features that Google provides and people tend to want if you ask them about it. For instance, you can't use Google's find a lost device or wipe it if it turns out to be stolen without having logged in. That doesn't bother me, but it is probably something users have come to expect. In general, though, they tend to expect that if the phone asks you to do something when you start it up, you have to do that thing, so they create an account and log in. Google doesn't see any reason to change this.

doublelayer Silver badge

Re: I'm shocked!

I'm curious why people disagree with that? It's not too different from what Firefox says:

Private window: Firefox clears your search and browsing history when you close all private windows. This doesn’t make you anonymous.

Learn more

Of course, Google does a lot more nefarious stuff than Mozilla does, but their warning doesn't hide that incognito is a very basic thing that is limited to the local device. I don't mind that someone sued Google over collecting a bunch of data and tried to link it to their Chrome privacy record, which is pretty terrible, but the message they show does indicate that they haven't opted out of collecting data on their end and nor has anyone else.

Is it time for 6G already? Traffic analysis says yep

doublelayer Silver badge

Re: Who's really driving the bandwidth demand?

Not only is there significant increase in demand from more people watching more video on their phones, but there are also more people using the networks for other devices as speeds increase. When my network went down, I still had to work and didn't want to go into the office, so I used my phone to tether my work computer. It worked pretty well. With a lot of people doing things like that, some of them will wonder about whether they need wired internet when they're already paying for this, so some people may shift even more traffic to those networks as they cancel expensive ISP contracts. I wouldn't want to do that, but with my usage, it would probably at least somewhat work. Bandwidth demand has been increasing for a long time over both wired and wireless connections. I'm not surprised to see projections that it will continue to do so.

doublelayer Silver badge

Re: Pretty sure you can't change the laws of Physics...

The laws of physics don't change. That's why your radio receives one channel, just Morse code. After all, the first radio experiments worked that way, and the physics isn't any different today. The advantages are in our more efficient use of the laws of physics. Instead of using all frequencies, we limit to a smaller band. Instead of using analog data, we use digital data which can be more tightly packed. Some of the changes are redesigns like that, whereas others are simply improvements in manufacturing technology allowing transmitters to use less bandwidth while not getting prohibitively expensive. The laws of physics say such things as how much power your signal will have based on the distance and items between the receiver and transmitter, that is unless you use other physics hacks like finding a way to reflect it, but those laws say nothing about how low the power level can get before your receiver can no longer use it, let alone how many bits per second you can manage to shove in there. That's down to your tools, and those do change.

As for WiFi, you can have that. Lots of countries have some ISP who came up with this idea and has a public access method. Find which ones do that in your country, they probably exist, and sign up for an account. Congratulations, you have WiFi access from the house of anyone who has the same ISP and didn't change the settings on the supplied equipment. It doesn't work for people like me who buy my own equipment and configure it myself, but my neighbors have these, so you'll have coverage. That is, you'll have coverage when you're near someone else's house, but I spend no effort making sure my WiFi coverage extends outside those walls very far. If you're in the street near a house, you'll probably have something, but if you're in a more open space, you won't. The same applies if you're moving between these access points. Most importantly, there are a lot of places without houses where you won't have any APs to connect to at all, and if you want the internet there, you'll need something that has better coverage than home WiFi.

doublelayer Silver badge

Re: 5G speed not just affected by signal

I would guess that it's for tracking and billing because your provider will be responsible for charging you for billed usage and paying their partner network. Alternatively, it could be related to protection of your data so they can use networks you otherwise wouldn't trust, but I don't know whether their tunneling includes encryption or not. Both of these are guesses, though. I don't know if they are correct.

War of the workstations: How the lowest bidders shaped today's tech landscape

doublelayer Silver badge

Re: Survival characteristics

"dictating correspondence to experienced secretaries and having it produced by a dedicated typing pool is almost always going to be quite a lot faster than writing it in something like Outlook or Word, for example."

This might be just because I'm young enough that typing pools were gone by the time I started working and dictation is done with a speech recognition program, but this doesn't seem true to me. If I dictate into a basic audio device, I can't edit anything without either verbal backspacing "Let's review this ... discuss this ... just use discuss this" or figuring out what I want to say and then reading out in one go. Either way is slower than just using the backspace key to erase the words until the document only contains the words I want. Part of it is probably that I can type quite quickly and the previous managers could not, but even so I'd imagine that they could figure it out without having to wait for their dictation to be sent to someone to type it up, a paper copy produced, them to review that, and it to be given to someone else to drive it further along. Which brings up the other speed advantages of computers which could, once a document was produced, transmit it to places faster than previous methods. I'm thinking of sending a ten-page document to ten people over one fax machine, for instance, versus sending an email to ten addresses and going back to some other work while the early network transmitted it.

doublelayer Silver badge

Re: Correctness and Simplicity

If your comment was meant to explain what I missed, I still don't get it. Yes, one of the reasons people may have used the option the writer doesn't like could be that that one came first. Or that that one is cheaper. Or that that one was faster. Or that that one is better. Or something else entirely. Either way, it still boils down to the author complaining that people don't use the thing they wanted.

Here's an example. I don't much like JavaScript because writing it is painful and it lacks a lot of stuff that a proper programming language would have, it's inefficient and calling into anything else is a mess of incompatible standards into which companies like Google want to cram everything. Unfortunately, it is the only feasible option for client-side web scripting, so we're stuck with it. The above two sentences are a better argument than that essay was because I at least told you what the system I don't like is and why, albeit in very little detail. The famous essay doesn't do either. Neither of the approaches refers to a real system with real complaints, but to theoretical systems with complaints that have been deliberately exaggerated. My two sentences are also a bad essay, because if I'm actually going to complain about web scripting, then I need to acknowledge the also-rans, which would involve me explaining why JavaScript is certainly a lot better than client-side Java was, and it beats Flash, and Silverlight is a word that nobody wanted to see in this sentence. In short, to admit why JavaScript is where it is today. I think it is possible to create a better scripting language than JS, but that doing so is not justified because it is too popular for an alternative to be adopted, but I could specify what characteristics a replacement should have. An essay like that would make a point that others could debate. If I instead chose to make a fake language that could be JS or maybe not, then explained that everyone who was involved in it was sloppy and undisciplined, but that the good people couldn't succeed because the sloppy people got to market first, then I'm doing my own argument a disservice by ignoring reality in two different ways.

Cyber sleuths reveal how they infiltrate the biggest ransomware gangs

doublelayer Silver badge

Re: Fascinating insights

Yes, absolutely. As a powerful ransomware operator, I have drawn the following conclusions from reading this which I will be conveying to all my staff:

1. They try to trick you.

2. They have some people who speak languages well so they can pretend to be from a place. Those people are actually from that place.

3. They try to know what they're talking about so they don't look incompetent.

As a result, I will be instructing those who look for new people to only accept incompetent people who sound like they're not from the place they say they are. We'll be victorious. All your data will be ours.

Unfortunately, the article had to leave so much out to avoid what you're worried about that it basically said nothing at all other than that the company named does this kind of thing.