GNU social JP
GNU social JP is a Japanese GNU social server.

Conversation
    BrianKrebs (briankrebs@infosec.exchange)'s status on Friday, 15-Dec-2023 10:30:38 JST

    I've grudgingly come around to the notion that there is only one way out of the ransomware problem: Make paying a ransom illegal. This is not very different from laws that make it illegal for US companies to pay bribes to foreign officials.

    I really don't see any other way out of this mess. Yes, some victims will unfortunately ignore any laws that say they can't pay, but enforcement probably will not be hard.

    What will be difficult are the situations where people's lives are at stake in ransomware situations. This sounds callous, but we can't afford to take the short view here anymore, and our other alternatives aren't great either.

    I'm quite certain this is an unpopular view, but we have already seen the cost of doing nothing. At least in the interests of congruity for our financial sanctions vs Russia, we should probably make this change sooner rather than later.

    In conversation Friday, 15-Dec-2023 10:30:38 JST from infosec.exchange permalink
      Daniel T 🌻 (randomdamage@infosec.exchange)'s status on Friday, 15-Dec-2023 11:18:24 JST
      in reply to

      @briankrebs the second case is why EHR is one of the few good uses for blockchain

      When you absolutely must be able to verify the validity of a document

      Also a great reason for off-line backups to become standard again

      In conversation Friday, 15-Dec-2023 11:18:24 JST permalink
      feld likes this.
      BrianKrebs (briankrebs@infosec.exchange)'s status on Friday, 15-Dec-2023 11:18:25 JST
      in reply to

      I really admire what Bruce Schneier has said about the pay-or-not-pay debacle that ransomware puts companies and individuals in. Because it aptly summarizes the counterpoint to outlawing the payment of ransomware: I'm paraphrasing from memory here, but it was something to the effect of, "it's your data, or your daughter." In other words, the imperative to pay is directly related to your skin in the game.

      In conversation Friday, 15-Dec-2023 11:18:25 JST permalink
      BrianKrebs (briankrebs@infosec.exchange)'s status on Friday, 15-Dec-2023 11:18:25 JST
      in reply to

      In re the "how ransomware could possibly get worse" response, I have two scenarios (which we have already seen in the playbook/arsenal of ALL of the regimes already mentioned): Deleting data (forget ransoming it: you already pwn the servers); corrupting it (holy crap what blood type is this patient????).

      In conversation Friday, 15-Dec-2023 11:18:25 JST permalink
      feld (feld@bikeshed.party)'s status on Friday, 15-Dec-2023 11:20:05 JST
      in reply to
      • Daniel T 🌻
      @RandomDamage @briankrebs over time you'll finally concede and recognize the other use cases, we just need to suffer from more attacks that can destabilize supply chains and the global economy first
      In conversation Friday, 15-Dec-2023 11:20:05 JST permalink
      feld (feld@bikeshed.party)'s status on Friday, 15-Dec-2023 11:30:10 JST
      in reply to
      • Daniel T 🌻
      @RandomDamage imho this is the same as when we were like "but we really only need HTTPS for banking and online shopping"
      In conversation Friday, 15-Dec-2023 11:30:10 JST permalink
      Daniel T 🌻 (randomdamage@infosec.exchange)'s status on Friday, 15-Dec-2023 11:30:11 JST
      in reply to
      • feld

      @feld @briankrebs I have seriously looked.

      Document integrity is really it.

      A few places are using it for that already, but it doesn't get much hype because for most people it's too boring

      In conversation Friday, 15-Dec-2023 11:30:11 JST permalink
      feld (feld@bikeshed.party)'s status on Friday, 15-Dec-2023 13:53:10 JST
      in reply to
      • Daniel T 🌻
      @RandomDamage I'm not buying that because although the hardware was slower the original ciphers were weak. The problem was the cost of certificates for most small webmasters -- several hundred dollars per year was the real burden.
      In conversation Friday, 15-Dec-2023 13:53:10 JST permalink
      Daniel T 🌻 (randomdamage@infosec.exchange)'s status on Friday, 15-Dec-2023 13:53:11 JST
      in reply to
      • feld

      @feld when we started with https it was a significant load that not every site could bear.

      But all we get from blockchain is a mechanism for validating document integrity

      Maybe that will percolate down to news sites and blogs eventually, but that's all we get

      In conversation Friday, 15-Dec-2023 13:53:11 JST permalink
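The mechanism this part of the thread keeps circling, "a way to validate document integrity" whose anchor survives an attacker who already owns the servers, is shown below as an added example; it is not code from anyone in the thread. It is a plain hash-chained, append-only record log (no blockchain or consensus involved), with the patient records, field names and hostnames constructed for the demo. It walks through both scenarios raised above: a silently corrupted field, and an attacker who rewrites the whole chain, which only the copy of the head hash kept off-line (the "off-line backups" point) can expose.

```python
import copy
import hashlib
import json

# Added example (not code from anyone in the thread): a hash-chained,
# append-only record log. Record fields and values are constructed.
GENESIS = "0" * 64  # prev pointer of the first entry


def _canonical(record):
    # Canonical JSON so two serializations of the same record hash alike.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash, record):
    # Each entry commits to the previous entry's hash and to its own payload.
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(b"\n")
    h.update(_canonical(record))
    return h.hexdigest()


def append(chain, record):
    """Append record to chain and return the new head hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"prev": prev, "record": record, "hash": entry_hash(prev, record)}
    chain.append(entry)
    return entry["hash"]


def verify(chain, trusted_head):
    """Recompute every link. Returns (True, None) if the chain is intact and
    ends at trusted_head, else (False, index of the first failing entry).
    An index equal to len(chain) means every link is self-consistent but the
    chain is not the one whose head we stored out-of-band."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["prev"] != prev or entry_hash(prev, e["record"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    if prev != trusted_head:
        return False, len(chain)
    return True, None


def demo():
    chain = []
    append(chain, {"patient": "P-1001", "field": "blood_type", "value": "O-"})
    append(chain, {"patient": "P-1001", "field": "allergy", "value": "penicillin"})
    head = append(chain, {"patient": "P-1002", "field": "blood_type", "value": "AB+"})
    # `head` is what goes to off-line media; everything else lives on servers
    # the attacker may already control.

    # Attack 1: flip a blood type in place. The stored hash no longer matches
    # the record, so verification fails at entry 0.
    corrupted = copy.deepcopy(chain)
    corrupted[0]["record"]["value"] = "A+"
    r_corrupt = verify(corrupted, head)

    # Attack 2: an attacker who owns the store re-hashes the whole chain after
    # the edit so it is internally consistent again. Only the off-line head
    # exposes it (index 3 == len(chain): every link checks, the head does not).
    rewritten = []
    for e in corrupted:
        append(rewritten, e["record"])
    r_rewritten = verify(rewritten, head)

    # The same rewritten chain checked against its own head passes, which is
    # why the anchor has to live somewhere the attacker cannot reach.
    r_no_anchor = verify(rewritten, rewritten[-1]["hash"])
    return r_corrupt, r_rewritten, r_no_anchor


if __name__ == "__main__":
    print(demo())
```

The chain alone only proves that entries were not altered after they were hashed; what turns it into evidence is the head hash (or a signature over it) held where the compromised environment cannot rewrite it.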
      Andreas K (yacc143@mastodon.social)'s status on Friday, 15-Dec-2023 20:07:47 JST
      in reply to

      @briankrebs 🤷
      But surely it won't be illegal to pay for IT security consultants to repair the systems. You know, "specially highly recommended" remote working specialists who prefer to be paid in crypto.

      But yes, that's the obvious solution.

      Till somebody makes it a case about "freedom of speech". Just a curious observation from a foreigner: the most curious things in the USA (medical therapy, fraud, …) all end up as 1st Amendment cases.

      In conversation Friday, 15-Dec-2023 20:07:47 JST permalink
      clacke likes this.
      feld (feld@bikeshed.party)'s status on Saturday, 16-Dec-2023 00:21:55 JST
      in reply to
      • Daniel T 🌻
      • Mathaetaes
      • vriesk (Jan Srz)
      @vriesk @mathaetaes @RandomDamage oh yes, I remember, but IPs weren't that hard to come by back then either. It just made configuration and deployment more annoying.
      In conversation Saturday, 16-Dec-2023 00:21:55 JST permalink
      vriesk (Jan Srz) (vriesk@hachyderm.io)'s status on Saturday, 16-Dec-2023 00:21:56 JST
      in reply to
      • feld
      • Daniel T 🌻
      • Mathaetaes

      @mathaetaes @feld @RandomDamage also, multi-hosting (multiple web services hosted on the same IP/port) didn't work with SSL at all; each SSL-enabled service required its own dedicated public IP.

      (multiple certs on the same IP require SNI which was only fully included in OpenSSL 0.9.8j in 2009)

      In conversation Saturday, 16-Dec-2023 00:21:56 JST permalink
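Why name-based virtual hosting needs SNI: the server has to pick a certificate before it can decrypt anything, so the only hint it gets is the cleartext server_name extension in the ClientHello. The following added example (not code from anyone in the thread) builds a minimal TLS 1.2 ClientHello, parses the server_name extension back out of it as a front-end or server would, and shows the one fallback available for a pre-SNI client that sends no extensions block at all. The hostnames, certificate file names and the all-zero client random are constructed for the demo.

```python
import struct

# Added example (not code from anyone in the thread). The ClientHello bytes
# are constructed here; hostnames and certificate names are made up.
SNI_EXT = 0            # extension type server_name (RFC 6066)
SUPPORTED_GROUPS = 10  # a second extension, so the parser has to iterate


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record. With server_name=None the
    hello carries no extensions block at all, like a pre-SNI client."""
    body = b"\x03\x03" + bytes(32)       # client_version + 32-byte random (zeros, constructed)
    body += b"\x00"                      # session_id: empty
    body += b"\x00\x02\xc0\x2f"          # one cipher suite
    body += b"\x01\x00"                  # compression_methods: null only
    if server_name is not None:
        groups = b"\x00\x02\x00\x1d"     # supported_groups: x25519
        exts = struct.pack("!HH", SUPPORTED_GROUPS, len(groups)) + groups
        name = server_name.encode("idna")
        name_list = b"\x00" + struct.pack("!H", len(name)) + name  # NameType host_name = 0
        sni = struct.pack("!H", len(name_list)) + name_list
        exts += struct.pack("!HH", SNI_EXT, len(sni)) + sni
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(data):
    """Return the host_name from a ClientHello's server_name extension, or
    None when the client sent none. Raises on malformed input."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", data[3:5])
    rec = data[5:5 + rec_len]
    if len(rec) != rec_len or len(rec) < 4 or rec[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(rec[1:4], "big")
    hello = rec[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # skip version + random
    pos += 1 + hello[pos]                          # session_id
    (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2 + cs_len                              # cipher_suites
    pos += 1 + hello[pos]                          # compression_methods
    if pos >= len(hello):
        return None                                # legacy hello: no extensions at all
    (ext_len,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        edata = hello[pos:pos + elen]
        pos += elen
        if etype != SNI_EXT:
            continue
        (list_len,) = struct.unpack("!H", edata[:2])
        p = 2
        while p + 3 <= 2 + list_len:
            ntype = edata[p]
            (nlen,) = struct.unpack("!H", edata[p + 1:p + 3])
            p += 3
            name = edata[p:p + nlen]
            p += nlen
            if ntype == 0:
                return name.decode("ascii")
    return None


def pick_certificate(client_hello, certs_by_name, default_cert):
    """What a name-based virtual host does with the hello: serve the cert for
    the requested name, or the default one, which is the only possible choice
    for a client that sent no SNI (and the reason one IP per cert was needed)."""
    return certs_by_name.get(extract_sni(client_hello), default_cert)


if __name__ == "__main__":
    certs = {"shop.example.org": "shop.pem", "blog.example.org": "blog.pem"}
    print(pick_certificate(build_client_hello("blog.example.org"), certs, "default.pem"))
    print(pick_certificate(build_client_hello(None), certs, "default.pem"))
```

The same parse is what TLS-terminating proxies and SNI-based routers do on the first record of a connection; note that the name is cleartext on the wire (Encrypted ClientHello is the later fix for that), which is fine for picking a certificate but is not a secret.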
      Mathaetaes (mathaetaes@infosec.exchange)'s status on Saturday, 16-Dec-2023 00:21:57 JST
      in reply to
      • feld
      • Daniel T 🌻

      @feld @RandomDamage weak ciphers do not necessarily mean computationally cheap ciphers… but that’s less relevant.

      Way back when I used to work at an ISP, we’d have people with colo servers running on single-core Pentium chips. Most connections were high-latency, low-bandwidth 56K dialup. If a normal page took 3-10 seconds to load due to slow bandwidth, the same page over SSL might take 15-20 due to the number of extra round trips required to negotiate the session over a 100-300ms connection. Add a 333 MHz clock on the server (and a 100-200 MHz clock on the client) and you did get a noticeable performance hit.

      It was enough that people who needed ssl would buy dedicated SSL-offload hardware just to handle the compute, and hope the rtt was low enough that they didn’t lose customers.

      So yeah, certificate costs were also stupid high, but the compute and bandwidth impact of SSL back in the day was not trivial, and hindered adoption on its own.

      In conversation Saturday, 16-Dec-2023 00:21:57 JST permalink


      feld (feld@bikeshed.party)'s status on Saturday, 16-Dec-2023 04:02:37 JST
      in reply to
      • Daniel T 🌻
      • Mathaetaes
      • vriesk (Jan Srz)
      @vriesk @RandomDamage @mathaetaes I worked at an ISP in the US as one of the state network engineers, and the internet outside the USA doesn't exist 🤫

      What was going on outside ARIN that made it so hard to get addresses? It's not like there was a shortage in the 90s
      In conversation Saturday, 16-Dec-2023 04:02:37 JST permalink
      vriesk (Jan Srz) (vriesk@hachyderm.io)'s status on Saturday, 16-Dec-2023 04:02:39 JST
      in reply to
      • feld
      • Daniel T 🌻
      • Mathaetaes

      @feld @RandomDamage @mathaetaes "IPs weren't that hard to come by" is a strange way to say "I haven't worked for a non-US hosting provider".

      In conversation Saturday, 16-Dec-2023 04:02:39 JST permalink
      feld (feld@bikeshed.party)'s status on Saturday, 16-Dec-2023 04:45:34 JST
      in reply to
      • Daniel T 🌻
      • Mathaetaes
      • vriesk (Jan Srz)
      @vriesk @RandomDamage @mathaetaes that's crazy, I have a /27 at home that ATT gives me for $30 😆

      We never had issues getting IPs. Even our transit providers would delegate tons of addresses to us. I used to have a /23 at home from Sprint, and when we dropped them as a transit provider they never took back their addresses, so I kept using them for years. Mostly I just enabled them all on my router so they'd respond to pings and appear in use, but... that sounds like massive stupid bureaucracy over there.
      In conversation Saturday, 16-Dec-2023 04:45:34 JST permalink
      vriesk (Jan Srz) (vriesk@hachyderm.io)'s status on Saturday, 16-Dec-2023 04:45:35 JST
      in reply to
      • feld
      • Daniel T 🌻
      • Mathaetaes

      @feld @RandomDamage @mathaetaes early 2000s in my case. Worked at a hosting provider with around 7k individual websites hosted (around half being e-commerce sites), and I remember spending a week polishing a "petition" to RIPE to grant us some IPs, and the screams of joy when we received a /24 share (from the /21 or /22 requested, don't recall now), up from the /27 range we were squeezing into previously.

      In conversation Saturday, 16-Dec-2023 04:45:35 JST permalink
      Cecilia Mjausson Huster (mjausson@mastodon.design)'s status on Wednesday, 20-Dec-2023 15:46:18 JST
      in reply to
      • A feral Natalie

      @some_natalie @briankrebs We need to follow the EU's example on corporate fines. They base them on the company's revenue. A first-time offender can net a fine of 7% of their annual revenue. Subsequent offenses get more costly.

      When the fine is seriously eating into corporate profits, compliance comes quickly.

      In conversation Wednesday, 20-Dec-2023 15:46:18 JST permalink
      clacke likes this.
      A feral Natalie (some_natalie@infosec.exchange)'s status on Wednesday, 20-Dec-2023 15:46:23 JST
      in reply to

      @briankrebs even Skeletor agrees - fining companies for incidents (ransomware or otherwise) tends to be a cost of doing business :thinking_very_hard:

      In conversation Wednesday, 20-Dec-2023 15:46:23 JST permalink

      Attachment: https://media.infosec.exchange/infosec.exchange/media_attachments/files/111/610/538/777/145/614/original/c8fc879c09919e07.png
      BrianKrebs (briankrebs@infosec.exchange)'s status on Wednesday, 20-Dec-2023 15:46:24 JST
      in reply to

      I mean, why shouldn't we count on more organizations just observing best practices? It's so simple, I just don't understand why everyone can't do this? /s

      This is not sustainable. We probably need to scrap everything and start over. But in the meantime, yeah, let's make it illegal to pay a ransom. I think we've long past reached that point.

      In conversation Wednesday, 20-Dec-2023 15:46:24 JST permalink

      Attachment: https://media.infosec.exchange/infosec.exchange/media_attachments/files/111/610/425/061/383/991/original/53dbd28c084194d2.png

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.