to get the gas flowing in their pipeline again
criminal hackers all over the world must be jumping for joy
https://www.nytimes.com/2021/05/13/us/politics/biden-colonial-pipeline-ransomware.html?action=click&module=Top%20Stories&pgtype=Homepage
Quote: onenickelmiracle
$5 million is almost a joke. I almost posted a thread on this yesterday because I thought it was such a low number. Now they're saying they accepted such a low offer out of fear they landed on a too valuable target. They could have said 5 billion and the ransom might be feasible. If the ransom wasn't in BTC, how would they otherwise do it?
Very bad precedent!!! My hospital was hacked and the ransom was in Bitcoin. And was maybe $100k worth? The hospital, which is owned by the county, refused to pay. The estimate was it cost $10,000,000 to return to normal. It was a nightmare for the MONTH or two it took to have access to the records/files/programs that were hacked.
I believe that you NEVER reward a criminal enterprise.
Quote: SOOPOO
Very bad precedent!!! My hospital was hacked and the ransom was in Bitcoin. And was maybe $100k worth? The hospital, which is owned by the county, refused to pay. The estimate was it cost $10,000,000 to return to normal. It was a nightmare for the MONTH or two it took to have access to the records/files/programs that were hacked.
I believe that you NEVER reward a criminal enterprise.
that was the IT department's fault.
they obv weren't aware of what programs had what bugs and didn't keep them up to date frequently - although we're talking about hackers so there is the possibility of a "zero-day"
and they don't need to pay the hackers if they have off site backups or backups in general.
Quote: heatmap
and they don't need to pay the hackers if they have off site backups or backups in general.
I don't agree with that. If you restore your backup you are still vulnerable and the hackers can immediately get back in and do it again the same way. Until you fix your systems and software you are in trouble.
Quote: DRich
Until you fix your systems and software you are in trouble.
absolutely you need to change passwords and everything before you reconnect it but the main thing is the physical computer - if you are willing to disconnect it and take the time to do as you said you should be fine
the time is the part that gets everyone - they ain't got time to lose that time workin!
Quote: heatmap
absolutely you need to change passwords and everything before you reconnect it but the main thing is the physical computer - if you are willing to disconnect it and take the time to do as you said you should be fine
the time is the part that gets everyone - they ain't got time to lose that time workin!
Yes, businesses are usually in too much of a hurry so they will not upgrade properly. About a month ago I had to upgrade an Oracle installation and it took six days to accomplish it. I'm talking 24 hours a day for six days before it finished.
Quote: DRich
Yes, businesses are usually in too much of a hurry so they will not upgrade properly. About a month ago I had to upgrade an Oracle installation and it took six days to accomplish it. I'm talking 24 hours a day for six days before it finished.
Funny story about this kind of thing
In school our final project for networking security was red team blue team kind of thing
Our team was "protecting a school's data" - this was a hypothetical and all we had to do was make the plan for defending against the people trying to "steal the data"
Literally the first thing the teacher said was “there has never been two grades of A ever given out for this project whoever loses gets a B for the grade”
Anyways our team was so thorough to the point where we were able to get a hold of the other team's plans.
I was tasked with stealing the plans from one of the kids - funny thing is they never knew we had stolen it.
Unfortunately for me the plans were fake and it was planned all along that they were going to ransom our data
Our team had a person in the military on it that knew security in and out
We had ALMOST every facet of our building locked down
Freaking red team hacks in and ransoms our school server
Teacher gave us all As because of how thorough we were and because of how new ransomware was at the time we never planned for it so he felt bad lol
edit: I'm really sorry about the grammar, I know I'm not normally that great at typing what I say but this was written on mobile in a hurry so
Seems like if you have multi-million assets to protect, that would be a priority.
Bloomberg reports that CNA Financial paid $40 MILLION to hackers demanding a ransom
this is insane.................it looks like the black hats are smarter than the white hats
https://www.bloomberg.com/news/articles/2021-05-20/cna-financial-paid-40-million-in-ransom-after-march-cyberattack
There should be a law forbidding ransom payments.
Quote: lilredrooster
.....................
Bloomberg reports that CNA Financial paid $40 MILLION to hackers demanding a ransom
this is insane.................it looks like the black hats are smarter than the white hats
https://www.bloomberg.com/news/articles/2021-05-20/cna-financial-paid-40-million-in-ransom-after-march-cyberattack
Quote: AxelWolf
There should be a law forbidding ransom payments.
I’ve thought that too! If it was a law with teeth, it would then dissuade further hacks.
Quote: AxelWolf
There should be a law forbidding ransom payments.
I disagree. Why shouldn't each person get to decide on their own? If someone hijacked all of your financial assets except for the $20 cash in your pocket, wouldn't you pay the $20 to get it all back immediately? I would pay the $20 to not have to wait potentially 2 years to get it back or to never get it back. I wouldn't know how to live my life without my financial assets so I would gladly pay $20 to get it back and over with.
Quote: DRich
I disagree. Why shouldn't each person get to decide on their own? If someone hijacked all of your financial assets except for the $20 cash in your pocket, wouldn't you pay the $20 to get it all back immediately? I would pay the $20 to not have to wait potentially 2 years to get it back or to never get it back. I wouldn't know how to live my life without my financial assets so I would gladly pay $20 to get it back and over with.
I am of mixed feelings. Of course given the scenario you present it clearly makes sense to take the action you suggest. What if the next day they do the same but ask for $30? And the next day they ask for $100....? Etc..... I think it is in ‘society’s’ best interests to not allow you to pay. If NO ONE was EVER allowed to pay, the activity would decrease substantially.
There are so many things ‘society’ (the government) prevents me from doing.... I can’t freely give a friend $20k. I can’t park near my favorite restaurant without a handicapped sticker. I can’t drive 35mph on Delaware Avenue in Tonawanda despite any reasonable person feeling 45mph is safe on that road.
I’m ok if the gubmint decided to ban paying those ransoms.
Quote: SOOPOO
I am of mixed feelings. Of course given the scenario you present it clearly makes sense to take the action you suggest. What if the next day they do the same but ask for $30? And the next day they ask for $100....? Etc..... I think it is in ‘society’s’ best interests to not allow you to pay. If NO ONE was EVER allowed to pay, the activity would decrease substantially.
You are using the terms “can’t” and “not allowed to” rather than “discouraged from” or “choose not to.”
How would you prevent someone from being “EVER” “allowed” to pay with a law?
And then when it is inevitably broken, presumably you would want to punish the original victim with a significant criminal penalty to effectively discourage the behavior? The penalty would have to be quite severe to be effective given the incentive to break it in some situations, and a severe penalty seems unjust.
Quote: mcallister3200
You are using the terms “can’t” and “not allowed to” rather than “discouraged from” or “choose not to.”
How would you prevent someone from being “EVER” “allowed” to pay with a law?
And then when it is inevitably broken, presumably you would want to punish the original victim with a significant criminal penalty to effectively discourage the behavior? The penalty would have to be quite severe to be effective given the incentive to break it in some situations, and a severe penalty seems unjust.
Correct. Make it illegal punishable by jail time. If someone you know swindles you, you are already prevented by law from blowing their brains out.
If society decides that to severely discourage these hacks requires a firm law preventing paying the criminal, I’m ok with that.
Anyways, I just think in this specific situation there is no reasonable punishment that would both fit the action and be severe enough to be effective. Anything severe enough to be effective in a situation where someone might not feel like they have a better option would be extreme overkill in comparison to the action.
Quote: mcallister3200
Discouraged, not prevented. The existence of a law discourages me from breaking that law it does not prevent me from doing so. It’s an option that’s there. Semantics I know.
Anyways, I just think in this specific situation there is no reasonable punishment that would both fit the action and be severe enough to be effective. Anything severe enough to be effective in a situation where someone might not feel like they have a better option would be extreme overkill in comparison to the action.
Then I guess we should have no laws and no punishments because no law is 100% effective at stopping criminal behavior, and no punishment enough of a dissuasion?
I truly believe, if, say, armed robbery resulted in a minimum 20 year prison sentence, no out early for ‘good behavior’, no pre trial plea bargain, then there would be substantially less armed robberies.
If it was KNOWN that if you paid the ransom you’d be in JAIL for 7 years, then there would be far fewer ransoms paid.
Quote: SOOPOO
I am of mixed feelings. Of course given the scenario you present it clearly makes sense to take the action you suggest. What if the next day they do the same but ask for $30? And the next day they ask for $100....? Etc.....
Simple, protect your assets better or expect it to happen again.
In my example if they got all my money from Wells Fargo, ETrade, and Fidelity, I would probably withdraw from each of those institutions and find safer places to keep my assets.
Quote: mcallister3200
You are using the terms “can’t” and “not allowed to” rather than “discouraged from” or “choose not to.”
How would you prevent someone from being “EVER” “allowed” to pay with a law?
And then when it is inevitably broken, presumably you would want to punish the original victim with a significant criminal penalty to effectively discourage the behavior? The penalty would have to be quite severe to be effective given the incentive to break it in some situations, and a severe penalty seems unjust.
In the early 90s, there was a wild and crazy goalkeeper on the Columbian National team. About a year before the World Cup, he was imprisoned for helping to pay a ransom. He was one of the most popular figures in the country and spent months in jail without ever being charged. My Columbian friends said putting him in jail killed the kidnapping for-profit epidemic.
Quote: SOOPOO
.
Then I guess we should have no laws and no punishments because no law is 100% effective at stopping criminal behavior, and no punishment enough of a dissuasion?
.
No. I think we mostly just disagree on the severity of the action of paying the ransom then. I believe the punishments should fit the crime. And that punishment should be based solely on the crime, not the criminal's record or lack thereof.
If the law and punishment were potentially 7 years rather than automatic, with the reality of how our justice system and corporatism society operates I still doubt it would have the desired outcome.
A lack of faith in the justice system from me would be the reason. If it works the same way it generally does now, those with a good enough lawyer get a lower charge/dismissal. Lots of pro athletes with more than a handful of charges/arrests and no convictions. Those not able to get legitimate legal representation (not an overworked public defender paid by the state that’s prosecuting while on a career path toward prosecuting attorney...) can sit in jail and feel like they don’t have an option but to take any plea bargain offered, despite the two having been equally guilty. Those able to pay a ransom are going to fall into the first category that often enough don’t have the laws applied to them in the same manner as someone poor.
Quote: SOOPOO
.
Correct. Make it illegal punishable by jail time...
Wow, talk about blaming the victim!
So under the Soopoo administration, that pipeline is still closed?
That'll teach...someone...something.
Quote: billryan
In the early 90s, there was a wild and crazy goalkeeper on the Columbian National team. About a year before the World Cup, he was imprisoned for helping to pay a ransom. He was one of the most popular figures in the country and spent months in jail without ever being charged. My Columbian friends said putting him in jail killed the kidnapping for-profit epidemic.
Well, that is an example of a severe enough penalty to cause change but did not fit the action given he wasn’t charged. One or the other was going to be disproportionate to the action imo. I think in the US they would have had only 3 business days to bring a charge or release. It’s Colombia btw.
Quote: Calder
Wow, talk about blaming the victim!
So under the Soopoo administration, that pipeline is still closed?
That'll teach...someone...something.
Perhaps! My hospital refused to pay the small sum being asked for, and likely paid 100 x what was asked for in fixes and lost revenue.
I mean this seriously. Would you have us pay 1 trillion dollars to get the safe return of a kidnapped President? Assume he is killed if ransom not paid, and paying ransom guarantees safe return.
I do not pay the ransom.
Quote: SOOPOO
Perhaps! My hospital refused to pay the small sum being asked for, and likely paid 100 x what was asked for in fixes and lost revenue.
I mean this seriously. Would you have us pay 1 trillion dollars to get the safe return of a kidnapped President? Assume he is killed if ransom not paid, and paying ransom guarantees safe return.
I do not pay the ransom.
Strawman.
Would you pay $1?
Now we are just haggling.
Quote: unJon
Strawman.
Would you pay $1?
Now we are just haggling.
I, as a generally selfish individual, would most likely pay any reasonable ‘ransom’ if I determined the EV of doing so was positive for ME. My point is that for ‘society’ it is +EV to prohibit such payments. No strawman.
Quote: SOOPOO
I, as a generally selfish individual, would most likely pay any reasonable ‘ransom’ if I determined the EV of doing so was positive for ME. My point is that for ‘society’ it is +EV to prohibit such payments. No strawman.
And by extension, the society that prohibits the ransom payment should collectively bear the cost and repay the 100x burden on the hospital or other entity that was the victim?
Quote: SOOPOO
. . . . If it was KNOWN that if you paid the ransom you’d be in JAIL for 7 years, then there would be far fewer ransoms paid.
IIRC, the eastern US would still have no gasoline if the ransom had not been paid. Someone please correct me if I'm mistaken. I recall mention that it might take weeks to restore and test the locked-up system if the ransom had not been paid.
Quote: unJon
And by extension, the society that prohibits the ransom payment should collectively bear the cost and repay the 100x burden on the hospital or other entity that was the victim?
The hospital was a county hospital. Thus the taxpayers did collectively bear the cost.
Quote: SOOPOO
The hospital was a county hospital. Thus the taxpayers did collectively bear the cost.
That’s not quite the same thing. If it were a corporation, the shareholders would bear the cost. If it were an individual, the individual would bear the cost.
You know what I meant, I think?