56 comments

[ 165 ms ] story [ 2309 ms ] thread
Let's see if fujifilm has better network security and backups than others. Cutting the network seems like a good way to gain time to figure out what is affected and how.
I hope they have good backups. They manufacture magnetic tape!
It's not just about the backups. If these people encrypted your data that means they had a good chance to copy a lot of it and threaten to release it if you don't pay.
Brought to you by cryptocurrency.
and underpriced bug bounties.
That's like a gang attacking you on the street, and someone remarking you should've hired (more) bodyguards.

No infrastructure is perfectly secure. This is why it's illegal to attack infrastructure and blackmail the owners.

However "illegal" doesn't mean anything to cryptocurrency, because it's beyond anyone's control. Before crypto, there was no direct way to pay the blackmailers, unless they were nearby, and willing to send someone to get cash in a briefcase. Which involves a lot of risk, obviously.

With crypto anyone in the world can attack you, and get paid risk-free.

And that someone happens to have a lot of bodyguards for sale / is a body guard
But its more like the incentives to crowdsource security improvements can be improved with bug bounties more closely reflecting the value of the system or bounty
I can play your game. But I'll make it fair.

I'll pay you to find bugs in my system. I'll pay you a lot. But if it gets hacked:

1. You return all money.

2. You're personally responsible for all negative financial and legal outcomes.

3. And I don't mean I get to take your Nintendo Wii and your half-eaten donut. I mean you need to prove you have a whole lot of money, like how much I stand to lose. And if I lose them due to a hack you failed to prevent, I take all your money.

4. Also you can't have contracts with other people, unless you have a separate pile of money for them when they get hacked.

You game? Sign here, here and here.

orrrrr just use the existing bug bounty systems with higher payouts and less arbitrary nature of whether a payout will occur or not, as they already have sorted out liability exemptions and the limit of what the hacker will do.
Bug bounty programs help when you want to gradually improve the quality of your system, but no single bug can be used to blackmail or halt your entire business.

You see, your proposal's math doesn't work. Acme has a system worth 100 million. This means a blackmailer can ask for 100 million if they find one bug (let's keep things simple).

Obviously Acme can't offer 100 million in a bug bounty program for every bug found. So let's say they offer 100k, they're very generous. This means after 1000 bugs found, they've transferred their entire worth to bug bounty hunters.

So while Acme had to create a system worth 100 million, they own 0 of it now. They gave everything to bounty hunters. Is this fair? No. What happened is that instead of one blackmailer, there were 1000 blackmailers saying "we're the good guys, we help you find bugs in your system, OR ELSE".

When a health industry keeps raising the prices on you, because they keep saying "we're the good guys, we help you not die of cancer, give us your house, OR ELSE" we love them right?

But that's not the end of the story.

Did the good guys who took all your money found all the bugs? Well a blackmailer still stands to gain 1000x more than anyone on the bug bounty program, if they can find a bug before the bug bounty hunters have leeched the host dry of their last drop of blood. So a malicious hacker is motivated to be faster, and financed to be better, with more people, better equipment, and so on.

So the bug bounty program is absolutely inadequate solution to the problem. Paying more to match what a blackmailer would ask, turns the bug bounty hunters into blackmailers. Except they also can't guarantee shit. And they can't cover losses for shit if they miss something either. They just take your money and leave you almost as vulnerable as you were.

So, no. Companies won't have bigger bug bounty programs.

Instead they'll do something that might help. Like move off the internet, making things more inconvenient for everyone, and insure heavily anything they put online.

Great points

My primary rebuttal is that enough hackers don't want 1000x more than anyone else in the bug bounty program, they don't want the liability associated with reintegrating that money back into society

Somewhere in between bug bounties pricing and payouts now, and the incentive to cripple/steal everything for ransom, is the more accurate medium

The problem with your rebuttal is that there is ZERO liability in asking Bitcoin to be moved into an anonymous wallet. And when you include the whole world into your scenario, you need to realize there are a whole lot of countries that can't give a flying fuck about America, or Japan, or basically any other country than theirs, especially when for example the target country is dropping bombs on their heads, or crippling their economy with sanctions.

You think we're all good guys and we'll get along, see? But actually, Bitcoin has enabled a new type of international warfare. And thinking positive thoughts will do nothing to prevent that.

I can make the same observations as you, the difference is that this doesn't bother me.

The concept will never go away. The concept of computing a hash client side under an agreed upon set of conformity for eventually addition to a globally stored list of hashes. Although you haven't argued for making it go away, people that talk like you typically are arguing for the idea that the state can successfully make it go away. This concept works whether institutional exchanges say each hash is part of a unit worth $60,000 a pop or those institutions don't exist and the market says the units are worth $2 a pop.

The concept of deciding something that's rare is valuable will never go away. It's just revision #987192 of the "tulip craze" phenomenon.

But this will keep getting worse and worse until cryptocurrencies are outlawed. And this will not stop their use completely, but their value hinges on their trade value, which in large part depends on their legality. So the value will collapse to nothing. So now blockchains have no incentive to exist either. Poof.

> Although you haven't argued for making it go away, people that talk like you typically are arguing for the idea that the state can successfully make it go away.

and there it is.

Yeah I read this the first time around.

My point was to explain why a trade tool's value is determined by its ability to trade with it, and demonstrate why legality of the currency itself matters.

If you don't understand this, you don't understand the concept of currency in the first place. Something being rare is not sufficient for it to have trade value.

The concept requires demand, which you already identified. The demand helps retains the exchange rate.

You think the demand will evaporate if the cryptocurrency is illegal or hard to obtain. I think this is not true. Compliant hashes will still be easy to generate, acquire, and transfer and some people that they are transferred to will append the hash to a globally stored ledger. These concepts are not bannable.

Blockchain forensics are already used for tracking transactions and these will get more advanced over time. I think saying "risk-free" is a big stretch. Yes, this is made possible with cryptocurrency, the transactions are irreversible and are not controlled by a central authority (generally). However, many blockchains are also public ledgers, and you have to also figure in fiat gateways if the attackers don't just want to keep the money in cryptocurrency.
So some poor soul gets stuck with the hot potato down the road(Ie their funds frozen for no apparent reason when the forensics flags them). The criminals know this and will cash out immediately as much as possible. How is that a good thing?
Analysis of the transactions could lead law enforcement to the attackers before they try to cash out. Centralized exchanges may also flag the attackers when they attempt to cash out. There is no guarantee they can cash out without getting caught first. It's not just that some poor new owner is left holding the bag. Addresses get blacklisted by law enforcement and the exchanges. I don't think those coins would continue to be transferred to new owners.

Those potential new owners would also probably just go trade on an exchange. If there is some big discount from a local party trying to get rid of the coins, wouldn't that raise some red flag?

The transactions for most cryptocurrency blockchains are viewable by all members of the public. With fiat, only the banks (or the governments) can see transactions. If I was to say there is some good thing, I would say that is a new innovation that hasn't been possible before. Cryptocurrency also does enable new illegal activities that weren't possible before, so there are definitely pros / cons, but I would say there are pros / cons to fiat as well.

> With fiat, only the banks (or the governments) can see transactions. If I was to say there is some good thing, I would say that is a new innovation that hasn't been possible before.

What do you mean it hasn't been possible. It's absolutely possible. We don't do it because no one wants to advertise how much money they have and who they give it to, unless compelled by a specific reason.

> Cryptocurrency also does enable new illegal activities that weren't possible before, so there are definitely pros / cons, but I would say there are pros / cons to fiat as well.

So the pros are things we could do (publish our private transactions), but we don't want to, and the cons are things we could do (blackmail each other), but we don't want to.

Lol, great.

For me it is that I think the general public has no choice in the matter now, the banks and governments do. That is the difference I see.
You have the choice of downloading your account history and copy pasting it here for us to see. Can you think of a reason why you wouldn't do that?

Also does Bitcoin give you a "choice" in exposing your wallet transactions? How is Bitcoin's lack of privacy choice "a choice", and your choice whether to keep your bank account history private or not, "not a choice".

It's say crypto gives you less choice. And even worse, the way crypto chose, to expose transactions, makes actually the regular folks more vulnerable.

(comment deleted)
(comment deleted)
These are bad assumptions about what options and interests and motives that attackers have.

Laundering is very easy with cryptocurrency. Despite the transparency on chain, how can anyone distuingish between someone buying a meme coin earlier and cashing out at 80,000% gains, versus someone with two accounts and bought a meme coin with clean money (account 1) and then pumped that meme coin 80,000% with their dirty money (accounts 2 through n) coming from different addresses. The dirty money accounts are now saddled with the meme coin, and the clean money accounts as well as yours and every other fomo trader's account that sold now has the more liquid cryptocurrency. For all reporting purposes, everyone has clean money and simply was a good trader. No investigator or government is proposing that traders are liable for determining who they traded against when its onchain or in an offchain exchange.

Secondly, not everyone wants fiat currency. The attackers can invest in other cryptos and make any founder or fund popular and highly revered. They can acquire goods and services and access with the crypto itself. They aren't sitting there trying to figure out how they can buy multimillion dollar houses and yachts, as its not a priority, but if they do want a lot of fiat its always available.

I do think blockchain analysis will get more advanced over time and people who think they are anonymous now may have a rude awakening years down the line, but from what I can tell, you know crypto better than I do.

IMO, if folks wants privacy now they should actually use privacy focused crypto, but I also think the public nature of crypto is one of the interesting parts of it. I know there are privacy diehards and I can understand why, but I'm more interested about the technology in general.

yeah private cryptos like the Secret Network, Monero, or Tornado.cash contract on the Ethereum network all have a way for the user to provide audits. so what you find interesting about the technology is still available or even more available. Secret Network offloads necessary state information into Intel SGX chips that all the validators have. Tornado.cash generates state information client side and offloads it all client side and must be saved by the user, for now. Monero is much more complicated.

ultimately the only thing changing is the state's ability to flag electronic transactions, as there are no financial intermediaries for them to deputize. they didn't have that ability in the cash based system, and they temporarily got used to it in the electronic one. This is just a reversion to the mean.

Asking for ransom and getting the payment are, yes, 100%, absolutely, no ifs, no buts, no exceptions: risk-free. Zero risk.

So it will happen with increasing frequency, thanks to cryptocurrency.

What you're talking about, actually laundering the coin so it's usable, is a problem. But it's a problem that comes AFTER. And you probably realize criminals don't just sit idle, until they can plan out their crime 50 years ahead to perfect detail.

Also you can do all the forensics you want, if that coin ends up scattered around the world in tiny bits, what are you going to do, jail everyone?

What if I hate person X, and send him some of my publicly dirty Bitcoin, $1 million worth? I can put him in jail then.

What if person Y wants to put person X in jail? So person Y buys my painting for $1M cash. And I send $1M dirty Bitcoin to the target and put him in jail. I just laundered $1M in a completely untraceable way. "Fuck your blockchain forensics" is what criminals have to say about all this.

You have no idea how infinite the ways to use and launder that money is, ONCE you have it. And to have it, again... is RISK-FREE.

(comment deleted)
It’s more like you move to a high crime area and don’t lock your front door and then blame the break in on your wife’s diamond necklace.
Brought to you by a culture of insecurity in computer programming and network engineering.

I understand the temptation to blame cybercoins, because the actual explanation is a stunning inditement of our entire profession.

But, no, the insecurity is optional, and comes from an entire culture of "good enough", which is manifestly not good enough.

Cybercoins provide a general-purpose medium to profit from exploiting this insecurity. But the insecurity was already there, with plenty of economic and political reasons to exploit it; the pre-Bitcoin status quo was chock full of data breaches and state actors siphoning off anything they wanted to, and we just put up with it because we're lazy and arrogant.

> But, no, the insecurity is optional, and comes from an entire culture of "good enough", which is manifestly not good enough.

You sound so sure of this. You should start a company that guarantees security, and get everyone's trillions of dollars flowing your way. Good luck with that, seriously.

Or maybe you'll realize how complexity breeds imperfection and realize the countless ways in which theory and practice are the same in theory, but in practice aren't.

It's very easy to imagine a secure system, though. I give you that. Also everyone at the company is completely impervious to social engineering, even the cleaning lady. I'm imagining it.

We’re ruining the environment to enable ransomware attacks.
20th century consensus: centralized stupidity is a threat, we must decentralize

21st century consensus: decentralized stupidity is worse, turns out

really? crypto is to blame? not the weak security and culture of passing the buck?

do you know what is the currency involved in most number of crimes in the world? i’ll let you guess.

Correct, crypto is to blame for the current ransomware epidemic. Weak security and a culture of passing the bunk may have created the environment, but crypto made the entire enterprise profitable and is completely to blame for what is happening now. Whether you like it or not this is a simple truth.

Do you know what 'currency' is involved in ALL ransomware crimes? I'll let you guess.

wow. just wow. so crypto is to blame?

let me ask you this? after to get your bitcoins or whatever you are getting with this ransomware, what exactly do you do with them? what do you do with all those bitcoins?

also, your argument is that a centralized currency / a central authority vouching for the currency makes things better and deters crime? lol.

If cryptocurrency disappeared tomorrow ransomware operators would have no difficulty switching to bank transfers or bags of cash flown to Russia.
But their victims would have a hard time paying in that manner. For the longest time the exchange was the hard part of any ransom operation. Cryptocurrency makes it easy. If it changes to bank transfers then that is easier to trace and adds significant risk, it also raises the bar in terms of who can pull it off. Bags of cash? That never works.
What's wrong with bags of cash? A company paying a 5 million ransom can spend 100k on the logistics (private jet etc) of getting that money delivered. This isn't a real obstacle.

Ransoms aren't paid by the companies themselves anyway, it's always professional ransomware negotiators who handle the exchanging for them.

Wire transfers would work fine too, the ransomware operators simply won't provide the keys until they've secured the money from their drop account.

Imagine if they targeted TSMC or ASML ???.
I know some people who work for a TSMC subsidiary- they take security extremely seriously, all data is physically located in Taiwan and everyone remotes in, super locked down systems, etc.

I can’t imagine their actual production floor being connected to anything at all, ever. You’d need a stuxnet style airgap jump.

It seems that possibly now is a chance to data breach thanks to their fab expansion plan to overseas.
Those companies have state level adversaries to contend with.
Chinese hackers already hacked the NSA and stole their zero day exploits - it was 2014 but still.
Don't worry, I'm sure the NSA has acquired lots of fresh new exploits since then!
Yep..MS just had to send out a 'security update' to provide them with a few new vectors.
MS Windows is 100% to blame. How can a worm spread that easily in 2021 to pcs across the network? 0day trash windows exploits
Why is infrastructure on the internet?
Impacted infrastructure like ... their email server?
I guess this is the wrong article to ask, I'm thinking more of the recent meat company hacks.
Having worked at a Japanese startup and seen the advice that came down from our customer companies and the country, I got the impression that there is an ernest attempt to modify peoples behaviour to secure against ransomware sw getting in to a network. But I didn't have much confidence on the over all security in depth of things.