133 comments

[ 2.5 ms ] story [ 216 ms ] thread
might actually work better than unionizing
Who says you can't do that to fund your union and other political activities? In the history of social struggles, quite a few cooperatives and libraries were funded through the expropriation of wealthy companies and individuals. It wouldn't surprise me if the same applied to some unions.
This is surreal but maybe exactly the impetus for tech companies to stop putting layers of political middle management and work with engineers instead.

At the very least, companies will be incentivized to improve security and reduce the pool of disgruntled engineers.

Maybe I'm disgruntled and didn't know it, but I can imagine reading that scenario in a book in some kind of fictional universe, but I really can not imagine things happening this way on the real life.
It’s akin to how, as an emir, you get a phone that is not set up to spy on you by your enemies:

- Do you hire someone to give you a secure phone? But then, there’s only one link to subvert…

- Do you hire a security company to build a custom phone for you? But then, there are 10 engineers to trust and all the open-source dependencies they have,

- Do you purchase a standard iPhone by going to a warehouse and choosing the box yourself, because they can’t bug the whole pallet?

> they can’t bug the whole pallet?

Who gets to push updates to your phone? Isn't that a fundamental property of most phones (yes even "dumb" phones) to be controllable remotely? Whether through (unisolated) modem firmware, or via the system's service such as Google Play Services?

So i'd say all in all it's not just that pallet that's bug, but the entire production line ;)

The NSA is out of the league, but sometimes there are other enemies to protect from.

Does Bill Gates just have a standard phone? Do Macron and Merkel just have standard phones? I have difficulty imagining they run Apple’s image detection software.

Disgruntled employees are not just the engineers, there's a lot more people waiting in line to take revenge against management ;)
Or it's one more tick on the balance sheet of crypto ills outweighing crypto benefits, and one more step towards heavy-handed laws prosecuting the use of crypto.
This type of news story makes IT directors or C-suite members that are on the fence about 100% employee surveillance much more likely to decide "better safe than sorry".
Probably. But not because it makes sense. After all, it would be easy to do bad things even with 100% surveillance. At some point, you have to trust somebody. That's especially true at big companies where the executives don't do anything except email and spreadsheets. There is no combination of email, spreadsheets, and enterprise surveillance webportal that can prevent a malefactor from doing harm, and in fact I would argue that such measures only increase the problems. Why? False positives should scare everyone, especially the good guys.
>There is no combination of email, spreadsheets, and enterprise surveillance webportal that can prevent a malefactor from doing harm

What do you think is used for audits and oversight if not email and spreadsheets?

Or are you just saying that everything everyone does, doesn't really work?

If some emoloyee thinks these scammers are going to give them their cut, they're going to be massively disappointed.
Criminals don't have the same cultural/legal pressure pushing them to scrape every dollar out of a transaction that corporations do. I think you're more likely to get paid generously or even favorably by a criminal enterprise than a 'straight' one.
Indeed, you think that - and that's greatly to their benefit. If they can screw you over without risk that the next person to come along has a different opinion then they will - and if they do screw you over what are you going to do... take them to court? Unless you can hire a private army to reclaim your funds there is no recourse for betrayal - you're dealing with blind faith.
Lol, criminals aren’t greedy now? There are countless stories of criminals turning on each other over the division of loot.
No, not some robin-hood narrative, just that in terms of self interest you'd want to pay accomplices, and perhaps a sense of gratitude or fair play. There aren't any share holders to appease or anything like that.

That isn't to say everyone who chips in is going to get a cut and its all lollipops and sugar snaps in the extortioners guild! But if you're thinking Oceans 11 or something you've missed the mark.

> and perhaps a sense of gratitude or fair play. There aren't any share holders to appease or anything like that.

That’s not a thing. Even non-criminals very frequently feel that someone didn’t fulfill an agreement and refuse to pay.

Companies most certainly aren’t refusing to pay people to please shareholders. Shareholders hate companies that don’t pay their bills.

Why? Some ransomware gangs put great value in their reputation, as this isn't a one-time game for them. This is only becoming more so these days as the level of professionalism increases.

You might as well ask why the group would bother providing the decryption key once the ransom is paid. It's a little trickier here - do you want to be in a position to call them out publicly afterwards if you were complicit in sabotaging your employer? - but the criminals arguably have more to lose.

Because a ransomware gang screwing a victim is public. Screwing a criminal that would implicate themselves by complaining is not.
The idea that the criminals need to maintain a reputation doesn't make sense to me.

Every negotiation is about the best alternative each party has to an agreement.

If someone has a plausible alternative to a ransom, like restoring from backups, they will take it, regardless of the reputation of the adversary.

If someone doesn't have a plausible alternative to a ransom, then they might as well pay it even if the chance is infinitesimal.

Since in either case, the behavior of the victim is unrelated to the level of trust they have in the criminal gang, there is no incentive to be "professional" and trustworthy.

This might not apply if the gang actually is tied to a nation state and/or has political motives.

But if they are purely profit maximizing entities, then they should not be expected to concern themselves with a reputation for keeping their word.

Somehow people forget that the victims don't choose who they are victimized by.

We had a disgruntled employee here at our small business purposefully release ransomware on our network. I don't think he was working with the ransomware people, he was just being disgruntled and trying to hurt us. Thankfully we're small enough and have a good enough data security plan that it just ended up wasting one day of my time to contain, analyze, walk the guy out the door, and restore from backups.
And this is why corporate breakups are often as rude and traumatizing as the swipe card rejecting entry, you contact security and they tell you that you’ve been fired. I don’t know how we can be a better society, but I know we’re not there yet ;)
flipping the subject - my ex-colleague, a kind and talkative man, was deeply upset when a dot-com fired and locked out his co-worker over lunchtime, with no advance notice at all. Was it a "security problem" or was it slaver culture from the Third World in charge of personnel ? I mean, this is the Bay Area / Silicon Valley here, I am actually not kidding about slaver culture. The "money" wants complete control, and sees brusque, abrubt and no-alternative contract management as a big plus. Maybe this leads to a security problem mentioned as the topic? Talkative, kind people do wonder ...
You likely spent (pre-pandemic) more time with your coworkers than your spouse on an average day. Most everyone at your company has close bonds to a number of their coworkers and most people define the positive qualities of their workplace around their coworkers rather than the employer or the work. Losing a coworker is quite similar to a friend's parents moving them to a different school district - it's not uncommon to suffer a brief crisis as your brain copes with the change in expectations around what work will be like.

It is an extremely bad idea to bring coworkers into the scene at the time of firing and it's an even worse idea[1] to bring unnecessary people into the decision about firing - especially if they effectively have no voice in the decision.

You probably won't notice most of your coworkers leaving - but there are a few you'd likely feel deeply and people do occasionally need to move on. Go grab a coffee with them after the fact (or during their two weeks notice if that applies) and get your empathy in - but before someone is formally let go it will just hurt moral to spread that news too widely.

This is true, and the way things tend to work, but still short-sighted IMO. I don't think it's a good idea to design every process around the worst thing that could possibly happen. It further alienates the 99% of people who wouldn't do something like that, as well as everyone who witnesses it, to save the usually pretty mild pain from the 1% who actually do something bad.
In many places you can't be fired on a whim. There is an incompressible period of weeks. You can get credentials revoked obviously but it fosters a different dynamic.
You just let him walk and didn't call the cops?
I recently fired an employee who was working 3 full time 40/hr week engineering jobs concurrently, each paying $130k+, full benefits, etc (obviously breach of contract).

Especially in a small company, sometimes it’s best to cut your losses quickly and toss the rotten apple over the cliff rather than go out of your way to stomp on it and deal with rotten apple stuck on the bottom of your shoe.

wow! How did he manage it? 10X engineer with good social/communication skills?
Quite the opposite. Did the bare minimum to not be fired. Never took initiative. And stayed silent in all meetings unless forced to speak.

Definitely not a 10x, just a scam artist.

>Did the bare minimum to not be fired?

Did you only fire him because you found out he worked other jobs or because he didn't do enough work?

Maybe a "mere" beach of contact would have been excusable provided he was doing an amazing job.
It’s less about the breach of contract and more about the breach of trust.

(He was also not doing an amazing job - he required constant supervision without which he wouldn’t produce any meaningful output, presumably because he had 2 other managers he was trying to please at the same time)

He was fired because I can’t trust our production AWS keys to someone who lies about who he works for.

It’s not so much about whether he was a good coder. More that I can’t trust someone with production database access if I discover 6 months in that he has 2 other full time jobs.

sounds like they didn't really need to be paying a full time worker and could have got a casual/part-timer to handle the load instead
You’re right. What we got was a part time worker being paid a full time wage.
(comment deleted)
Yes, I did just let him walk. It didn't cause overly much damage and I was more interested in removing an employee that was not happy working for me and getting back to business than getting bogged down in a civil or criminal case.
While emailing a bunch of employees is probably not going to be too successful, this could actually be a pretty effective strategy if the criminals would follow through on it; basically have an open offer to employees of large companies (or any companies, really) to deploy ransomware internally. Have an installer with a unique ID, a detailed set of instructions for installing the ransomware, communicating anonymously and obtaining the money as anonymously as possible, etc.

Nobody needs to know who anybody else is - just "here's our ransomware, any ransom paid that mentions your unique ID, we'll split with you. Have fun"

Crowdsourced criminality.

Make it a fire and forget hidden installer on any usb-port and the world ends today.
(comment deleted)
So the criminals can get the ransom, then offer the id of the colluders in return for a further ransom!
I don't think so. The success of this would all hinge on an un-easy trust between the organizers and the individuals. Backstabbing your partner would ensure that you would never get anyone else to do this for you again. That would be the end of your operation. You need the world to know that yes people really do this for you, and yes they really do get paid.

A similar dynamic is at play between ransomware attackers and their victims. Why would ransomware attackers restore files from a successful attack after the ransom is paid? Easy. The attackers need the world to know that paying the ransom will work, otherwise no one would pay it.

It is odd watching a bunch of people who effectively deal with rules all day try to predict behavior for a group of people who effectively ignore rules all day.

Why is a ransomware company going to follow the rules of common decorum when dealing with a collaborator if the whole point is to defraud a third party?

How do I know that they made the payout? Is the collaborator going to come forward and identify themselves? The only way you know that person got paid is if they don't get arrested. There are whole branches of organized crime than live and breathe in the space between 'got paid and lived happily ever after' and 'ended up on the front page of the NYT'. Just off the top of my head you have blackmail, extortion, and hiding the body.

We aren't invoking the ethics of "rule-following" to explain why criminals behave certain ways, rather we are speculating on based on incentive alignments and rational self-interest. The answer to your question is quite simple: because they need third parties to work with them. There are lots of ways as to make past history of payouts known without releasing who the individual collaborators were in each case.
No. Not even close. This isn't 7-11 trying to con me into buying their scary hot dogs, these are bad people, in all senses of the word.

They need third parties to think that working with them is their best option. Their best option is to do something legal, but desperate people can be manipulated. Greedy people can be really manipulated. Maintaining the illusion of safety is just marketing.

If the game is extortion, then psychological manipulation is part of the game. I have no assurances that you've given me $1.4 million today and this is the last I will ever hear from you. If I know little about you I can't even turn State's Evidence to save my ass if I get caught but you don't. If I think I know that you or anyone with details of your operation won't come back later and threaten to turn me in unless I pay you money, then I'm a fucking idiot. You could ask for money, or to "deliver a package" for you. In that situation, what you and your associates are counting on me forgetting is that I am mortgaging my future by piling on new crimes with later statute of limitations dates, and establishing a pattern of behavior that makes me look even more complicit.

There is no honor among thieves. Stop trying to figure out how to pet a wolf without getting bit.

Most folks will follow this approach - but it's not guaranteed. Some of the attackers will betray their victim and ride on the goodwill garnered by other attackers to make their strategy sustainable.
You missed something fundamental there about the difference between the two scenarios that drastically changes the optimal play.

Victims of ransomware are public and will publicize if they don’t get their files back. An individual willingly trying to compromise their employer’s network is not going to publicize not getting paid because it will get him/her arrested.

> An individual willingly trying to compromise their employer’s network is not going to publicize not getting paid because it will get him/her arrested.

They will anonymously post on the message boards dedicated to ransomeware gangs that this particular gang is not reputable. Like leaving a Yelp review, except even more trustworthy because it's a relatively tight-knit community.

It would only work out for the gang if the ransom was enough money they decide to "retire" and not pay out. In all other situations, they need their reputation.

> They will anonymously post on the message boards dedicated to ransomeware gangs that this particular gang is not reputable.

And why would someone believe an anonymous post? Don’t you see the problem here?

The ransomware group does not need to know the identity of the disgruntled insider.
On the other hand, it might provide new opportunities, I would say that an escrow service for this (hypothetical) payment of the (promised) 40% share might represent a new kind of service in demand.
I feel like you could just set it up with a smart contract. No need for anything special, if payment is received, you automatically get your cut.
Exactly. Future of France over here.
I've never understood the nitty gritty details on how that's supposed to work. Certainly you'd still need both parties to tell the contract that the work was done, right? Otherwise, just one party acting fraudulently could release the funds to the wrong person.
I think this would just rely on the ransomers to have the ransom paid to the correct address, which would be tied to a smart contract that'd take care of divvying up any money coming in and forwarding it to other addresses. If money comes in, the work was done, so distribute it, all automatic.

Aside from bugs in the contract, or opsec concerns, the main risk (for the saboteur) would be the ransom folks directing the victim to pay some other address that wasn't part of the smart contract, so no money ever comes into it. Really, it's only marginally more reliable than just depending on them to pay you when they get paid.

That is interesting, how would the employee trust that the criminal organization would indicate the correct address (that triggers the smart contract) to the hostage company?
That's the part that makes it only marginally better than just counting on them to manually forward the money. The only advantage is you skip the part where they already have the money but have not yet betrayed you, and are looking at a huge figure already in their own account and maybe contemplating not sending any of that to you. They can still just have it sent to the wrong place to begin with. Since it'd be easy to fake fulfilled contracts (make sure you own all addresses the contract disburses to) completed contracts, even if publicly visible, aren't even very good for building a reputation for paying out. You might just be paying yourself at multiple addresses, to make it look like you reliably pay out rewards.
I wonder if you could use something on the target’s network as an oracle. “This smart contract will pay out when presented with a Kerberos ticket signed by a target.example.com Active Directory server granting Domain Admin privileges.” (This particular formulation has some obvious holes, but you get the idea.)
Yes, there in smart contracts there are things called "oracles" which are like 3rd party indicators or sensors that something happened. I don't see how anyone besides the hackers could indicate that.
The fact that the employee can't publicize the windfall means that the gang has no incentive to pay them, either. The employee can't exactly complain to anyone that they got stiffed.

It's a sort of prisoner's dilemma problem - since the game won't be repeated with any single employee, and there's no communication between employees, the gang gets a better outcome in all cases by not paying.

I'd bet on the employee getting scammed too.

The only way people would reliably help with the sabotage is if the group had a reputation for paying out. Kind of the same way ransomware works already- if nobody gets their data back, people will be advised never to pay
Unless some employees get caught, there's no way for the group to acquire this reputation. Certainly they can't be trusted at their word ("we pay out" - sure you do).
So pay out, then anonymously rat out their own inside man to the feds?

Ugh feels so dirty even saying it, I guess that's why sociopaths win so often.

"we paid that guy and he got caught"

"we paid this other guy and he got caught"

"come join us!"

I strongly disagree based on my experience consulting and the countless articles you can find about this very situation happening prior to the rise of cryptocurrency and ransomware gangs. Disgruntled employees doing shift+delete on a critical directory after missing backups or rotating encryption passwords to gibberish on their last day is very common. (or of course both and more)

For me it's not hard to believe at all that someone who is already at a low point and motivated with malicious intent would read up on such an offer and think to themselves "I can screw my boss __and__ get a cool million in etc? Just for 'accidentally' uploading some ssh keys with a misplaced wildcard?"

Even before the covid pandemic, stress in IT was high and disgruntled employees doing damage on the way out was making headlines. Search 'Disgruntled employee destroys data' on google and check the date of some of the news articles. Here's one that made US national news in 2014 about how data theft was a trend.[0]

Whether or not there's a real payout is of no consequence it seems. I'm only able to immediately find articles about such incidents in the US and the UK, but I am fairly sure it's not limited to such locations, or that outsourced IT isn't just as vulnerable.

I've written it before on HN for other reasons, but people like to talk about new laws/standards/etc, but IT doesn't have problems that need legal solutions, as an industry, IT needs to improve discipline across the board and stop letting situations where one person can be so destructive happen. Too many places still run their IT like it's the 80's/90's where one or maybe two with absolutely control over everything. This leads to burnout first of all, which is horrible, but it also creates these bad situations of unregulated control in the first place.

[0] https://www.wsj.com/articles/fbi-warns-of-rise-in-disgruntle...

> I've written it before on HN for other reasons, but people like to talk about new laws/standards/etc, but IT doesn't have problems that need legal solutions, as an industry, IT needs to improve discipline across the board and stop letting situations where one person can be so destructive happen. Too many places still run their IT like it's the 80's/90's where one or maybe two with absolutely control over everything.

I mean, it's like having the neurosurgeon at the hospital retire/quit for a software company to lose it's IT.

The issue is, many software companies don't know/think they are a software company.

I've worked with enough disgruntled employees to know that many of them would anything to hurt their company, even if there was no compensation for them. The secret is to hit them at a low point in their day.
> The secret is to hit them at a low point in their day.

You don't even have to time it perfectly. In six months, when they're most upset and seeking revenge they'll remember the email

Even better as sabotage - Make a public offer to your competitor, then watch their org implode in a cloud of suspicion
Basically affiliate cracking! That's an idea!
A problem (for the criminal org) might be that if an employee is willing to follow the customization steps for the ransomware and deploy it in order to receive a share of the ransom, it might not be much more difficult or illegal for the employee to just do everything by themselves and receive all of the ransom, cutting out the criminal org completely.
Sounds like something HR would try
I think it's more realistic that baddies pay employees to see some of the juicy data in the company db. Lower(but not 0) risk of detection.
honey pots would make counteracting them very effective
Well, this has potential to become the equivalent to a security pandemic.
I almost hate to say it but more sophisticated versions of this will come about. Like everyone knows you can order various nefarious things on the dark web, it might become common knowledge that if you are a disgruntled employee you can go find these scammers and collude. A smart contract linked to the ransomware you install could pay you out a guaranteed cut.

Clearly it’s a dumb thing to do because you are in the same country as the victim, would be on a list of interesting people to talk to and you’ll probably leave a trace of some sort. Unlike the scammer who is anywhere and anyone.

It is a dumb thing to do because the FBI (and other in-country equivalents) will be posting their own messages looking for such people. For that matter I expect the big fortune-1000 type companies will troll these as well looking for people to fire for cause.
I do know some companies pay to occasionally phish their own employees. I think (hope) it’s mainly used for training. But I wouldn’t be surprised if there are teams dedicated to this sort of effort. Would it be illegal?
My company does for training. In this case though they would be targeting someone who is taking action to be bad, as opposed to someone who might make a mistake.

Ask a lawyer what is legal.

Could the techie guys become the new owners of capitalism? What can corporate and politicians do to remain the branches of social power?
We already are.
Every single company is paying some overpaid techie somewhere to keep something online up in some way, at the very least. The decisions software engineers make in their career choices and goals have extreme and direct impacts on the economy
We aren't yet. Overpaid doesn't mean owner or power. Look at pro sports... Corporate and politicians are still in power, because corruption in those niches rarely ends in accountability; yet cases like Snowden and disgruntled techies can end up as social outlaws.
This table https://krebsonsecurity.com/wp-content/uploads/2021/08/fbi20... from https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pd... is most interesting.

$ 1.8 BLN in "Business Email Compromise (BEC) or CEO Scams, in which crooks mainly based in Africa and Southeast Asia will spoof communications from executives at the target firm in a bid to initiate unauthorized international wire transfers."

$0 for terrorism.

Meanwhile wage theft in the US is estimated between 40 and 60 Billion $.

Do you have a source on $40-60B for wage theft, that includes a definition of wage theft? Searching does not yield much.
>that includes a definition of wage theft

AFAIK it boils down to "amount that employees should have been paid but haven't". That might sound comparable to regular theft, but it's not, because it fails to account for the intent component. If you forgot to scan a bag of potatoes in your shopping cart and you walked out of the store with it, it's not theft because you didn't intend to do it. I'm not saying that all wage theft can be excused this way, but I'm not a fan of the combination of naming/definition.

Employers that fail to compensate their employees in the agreed upon manner are incredibly scummy and you should run very fast in the other direction. That said if the person who runs payroll was suddenly sick for three days in a row getting your payment two days late is acceptable.

It's a question of the magnitude of lateness - if ever your employer says they'll "make sure you get double next pay period" it's a good sign to leave - and they're still obligated to pay you for the previous pay period regardless of how undiplomatically you exit.

You also need to realize that a lot of Americans work paycheck to paycheck so an employer failing their obligation can cause financial hardship and possibly force debt (with the accompanying interest) on their employee.

>Employers that fail to compensate their employees in the agreed upon manner are incredibly scummy and you should run very fast in the other direction

That... depends? If you're salaried and your employer missed a paycheck I'd agree it's scummy, because it's hard they screwed that up. However, if you're being compensated variably (eg. hourly or on commission), and you got paid incorrectly because of some random failure (eg. timesheet got lost/buried, sales numbers got delayed due to ERP issues) I think it's excusable if it was fixed in a timely manner.

I agree with that yes - if your employer resolves the situation quickly without causing you stress that's fair. However - it's their obligation, above all else, to make sure you're getting paid. If this sort of error occurs repeatedly due to someone unqualified to handle the books then your employer should rectify the situation.

I think it's fair - while that money is tied up in limbo - to essentially cease working. That provides a very clear incentive and attaches a level of importance to the incident that should prompt your employer to correct in the future.

Everyone makes mistakes - we're all human - however recovering denied wages is a very difficult legal fight that often results in failure due to debt shenanigans and the like. As an employee you need to be incredibly defensive about any interruption to your pay stream.

Here's an example: a retail store has several KPI they must hit set by corporate. One is some kind of metrics on work performed, another is not allowing above some level of overtime hours. Officially, working off the clock is a fireable offense, but no controls are in place to catch this, meanwhile the work done metrics are closely monitored. Expected KPI numbers are ratcheted up and managers are placed in intense competition with each other. Managers have been promoted internally and do not have better career options, some significant number of employees badly need their job and routinely agree to work late. This is a self-reinforcing cycle--eventually the only way to meet your targets is to "cheat".

This is an incredibly common practice. Employees may come to believe some version of, "this sucks, but that's just how it is". Meanwhile employers and management have complete deniability and can point to company policy saying this is explicitly not allowed.

Even various FAANGs do something quite similar: overtime is allowed, unmetered and unpaid.

At the same time employees are [secretly] stack ranked and everybody knows that the expectation is to work 50 hours a week to survive in the company.

That's a 25% more work than 40 hours. Not a rounding error.

At FAANGs (and in most other tech companies) employees are salaried so overtime is never required to be metered - this is different from hourly work which does require accounting of those hours. There is nothing legally stopping you from being asked to put in 60 hours for the same rate at Google - if you're on the receiving end of it you need to decide for yourself if it's worth it.
No, the very definition of wage theft implies intention.

"""Wage theft is the denial of wages or employee benefits rightfully owed to an employee. It can be conducted by employers in various ways, among them failing to pay overtime; violating minimum-wage laws; the misclassification of employees as independent contractors, illegal deductions in pay; forcing employees to work "off the clock", not paying annual leave or holiday entitlements, or simply not paying an employee at all. """

from https://en.wikipedia.org/wiki/Wage_theft

It's not a delay in payment or a misplaced bag of potatoes.

(comment deleted)
>Do you have a source on $40-60B for wage theft, that includes a definition of wage theft? Searching does not yield much.

Not quite what you're looking for, but here's a recent article [0] on a $1.6M fine for $1.4M in violations at a single restaurant in San Francisco.

[0]https://www.google.com/amp/s/www.ktvu.com/news/san-francisco...

https://en.wikipedia.org/wiki/Wage_theft#cite_note-Groote-13 and https://www.epi.org/publication/epidemic-wage-theft-costing-...

...having said that, wage theft is not only difficult to quantify but even to define precisely.

Ask anyone working minimum wage jobs to help describe wage theft and they'll give plenty of definitions. I worked at a movie theater as a manager. On slow weekdays I was scheduled from open to close. But the manager above me added a two hour "lunch break" each day to my time card. Maybe a half hour of that was actual free time. They withheld company policy from me regarding what I was entitled as a full time employee (vacation days, etc). People can get creative when stealing from minimum wage employees.
An employee steals £20 from the company and the police will come and arrest that person, and they have a good chance to bring a prosecution if they have committed a similar crime before.

An employer with-holds/steals/defrauds an employee for £500 or more, and not only will the police not care, they won't even note it as a crime. Best bet is a civil court, but that takes time and can cost money.

So most people just move on and the employer does it again and again.

It's almost like it's a feature and not a bug. Like somehow management was able to use all these ill-gotten gains to exert influence on the courts/legislatures to create a more corporate-friendly/employee-hostile environment...
I was one of the first employees at a startup. Originally a contractor. When the owner converted us all to employees, he did the math in such a way that it was clear he didn’t count weekends so we got a pay-cut.

We made a big stink out of it, but he didn’t budge until there was an outage on Saturday and we didn’t fix it until Monday. There was only three of us, colluding not to fix it, but he’d have gotten away with it if the team were bigger. It’s hard to “make a stand” when more people are involved.

>$0 for terrorism.

What's this supposed to mean? That terrorists don't receive financing and/or conduct illegal activities to finance their activities?

Kind of reminds me of Business Software Alliance's disgruntled employee program : https://en.wikipedia.org/wiki/BSA_(The_Software_Alliance)#Cr...

The only difference being that the BSA's program is legal because it benefits huge multinationals.

It is legal because using a disgruntled employee is not unethical in itself. Society does need disgruntled employees as a threat to keep the management from doing even more shitty stuff.
Or maybe we could actually fix society so that management is organized by the workers themselves, in order to fill an actual need of the community? Instead of having work organized by a managerial class which is completely disconnected from their expertise (and actually has no expertise of their own apart from making people's lives miserable), and many companies competing on a market which was usually not based on established needs/desires from the people but rather seeks to manufacture consent/desire.

We're trapped in the worst possible timeline where we have an abundance of resources and work that's so much abused by privileged elites that many people suffer from bad access to food & housing (despite an over-abundance, at least in the global north), others from lack of meaning to their work/life (see also bullshit jobs), while others suffer from the pollution created by IoT and entire families of throwaway products that populate all supermarkets and e-commerce sites.

He's far from the most radical thinker i can think of in this regard, but i think David Graeber's (RIP) CCC talk on Managerial feudalism and the revolt of the caring classes is spot on in many regards.

Seems like a pretty bad proposition. Take all the legal risk for only 40% of the profit.
If it were real, it'd be a pretty sweet deal for the criminally minded employee. Cybercrime already uses "division of labor" where profits are shared. For the criminal, paying out 40% would make sense if that meant 2x as many victims with less work.

I suspect what actually happens is that the employee takes all the heat for an empty promise of big money, and the criminals walk away with the entire profit.

There's always the Office Space approach. I would add crypto mixing before it drops in a bank account though. ;)
Hmm how long before we start to see companies extracting money from ransomware gangs by deploying honeypots and selling access to them?

Imagine getting blacklisted by ransomware gangs for being an untrustworthy company.

Would have been a hilarious entry in the "Who is Hiring" thread for September.
I would assume anything looking like that is actually posted by the FBI.
Or it's the new phishing test from the security team.
Still could be. Turn around and contact the relevant employers... "pay me $10k and I'll unmask your employee who installed fake malware with intent to extort you." Just... make sure the malware is perfectly harmless.
Designate someone to act as the "disgruntled employee." Agree to deploy the ransomware but bring it in and analyze its hash and block its signature from execution.
Congratulations, you've blocked one virus.
I think of it more of a "game day" exercise. Let it happen and see how well IT and the security team handle it.
Well I'm assuming that however the "disgruntled employee" is found is also available to the mole. So a company could presumably use this mechanism to both block this ransomware and find their criminally disgruntled employees at the same time.
I think this assumes the ransomware team contracts with two people from the same company. In this case if they still want in they could use two different software or methods to encrypt the data.
This reminds me of that movie where the criminal boss gets arrested and as he’s being taken to prison a large crowd of reports gather as he’s a big deal crime boss. He turns to the cameras and says he’ll give anyone who gets him out of prison a hundred million dollars.

Imagine if these groups actually advertised right out in the open. I’m sure they could catch a few people before their free AdWords account got suspended.

I would have thought or hoped that companies were doing this themselves in order to test their defenses. If a disgruntled employee is capable of doing this, then clearly your defenses are inadequate.
A disgruntled employee somewhere is always going to have the capability to cause serious harm. You can isolate the harm into a single set of hands (initially the owners in all likelihood) but as your company grows you need to delegate. Most companies will initially open up their guts to every employee and then slowly restrict access - but someone somewhere always needs to retain access.
> This attacker’s approach may seem fairly amateur, but it would be a mistake to dismiss the threat from West African cybercriminals dabbling in ransomware.

Or, you know, anybody anywhere

This kind of shit is why we're bound to end up living under intense surveillance and with little privacy most of our lives, if we keep computerizing and networking everything. It's inevitable, if that's the direction we keep going.
Not why! Why do we need to open all utilities, finances and banks, to they internet? It's crazy. All of a sudden, in ten years, everything is accessible to any one with desire and intent. And worse, it's harder and harder to be that person, that doesn't want to use online access.
> Why do we need to open all utilities, finances and banks, to they internet?

Because cloud. If it's not cloud it needs to be cloud because cloud. Cloud.

Because it makes everything easier seems to be the main reason. A (mostly) crime free society where you don't even need a wallet because the buildings all know who you are isn't exactly unpleasant as fast as dystopias go. And if you already think the government could oppress you if it wanted to anyway then wanting to add gilding to the cage isn't unreasonable.
It's great for me. I'm very glad I: don't have to make regular trips to the bank to deposit my paycheck, make trips even farther to renew my car's registration, get instant notifications about credit card transactions instead of waiting for a mailed statement, etc. Saves me a lot of driving.
Isn't recovering from a ransomware just... restoring from backup?

Legitimate question here.

You forgot the part about having a working backup. And the disgruntled employee must not be able to delete it, too.