I feel like giving criminals a platform like this is wrong.
I'm all for reformed criminals giving interviews in the context of what they did being wrong, but this is an interview about how they're getting better at their crimes.
Regardless of how easy it might be given security practices, these are crimes, and they are crimes for a reason: they cause damage. Their impact is felt beyond the ransom money paid, it's felt by employees who may be put in terrible positions as their work is held ransom and who might pay up personally to avoid problems at work, it's felt by customers of these companies who end up with higher prices, it's felt by countries as their output is hit. The fact that this "industry" is getting more "professional" does not change the fact that it's harmful. They don't deserve the publicity and attention that this sort of platforming provides them.
I think this is a good thing. It might show potential victims that their opponents are not a bunch of smelly teenagers hopping online after midnight.
These are multi-million (billion?) businesses. There's strategic leadership, target acquisition pipelines, R&D, talent recruitment and coordination with other businesses in the space.
There's every indication that with a little bit of protection money, you can even run your business with no interference from the law, as long as you don't mess around in your own backyard.
You can see from the blog post that this "company" has done a product-market-fit analysis. They've taken a look at their competitors' work, considered the pros/cons, and decided that they can do better. Since they are a b2b company (hehe) you can be reasonably sure this is not some PR aimed at consumers. I think it reads as a recruitment pitch to their lead generators (read: hackers who infect other networks for them).
You can see the pitch, it almost reads as a vacancy post:
- We make a lot of money
- We're new to the scene but already have had success
- We only work with the best hackers
- We pay you lots of money to infect a network, if you've got what it takes
When groups do this in furtherance of illegal activities, it's called "organized crime". And such groups need to be pursued aggressively because they are corrosive and poisonous to society at large. If they are not actively and aggressively fought, their negative effects seep into broader society and can become entrenched for generations.
One option would be to try to doxx them, either as part of a criminal investigation or via private investigators. I bet these groups would be much less effective if their identities were publicly known. There's a reason they're not public.
What about when your “organized crime” group has a moral compass and isn’t breaking local laws?:
DS: Obviously, there are many talented professionals on your team. Why is it that this talent is aimed at destructive activities? Have you tried legal penetration testing?
BM: We do not deny that business is destructive, but if we look deeper—as a result of these problems new technologies are developed and created. If everything was good everywhere there would be no room for new development.
There is one life and we take everything from it, our business does not harm individuals and is aimed only at companies, and the company always has the ability to pay funds and restore all its data.
We have not been involved in legal pentesting and we believe that this could not bring the proper material reward.
For me the line between organized crime and robin hood is very blurry.
But they're not killing people. They're extorting foreign business which is not explicitly illegal, and in fact encouraged, in certain countries. They even go above and beyond that with self-imposed restrictions against healthcare and infrastructure to try and minimize harm. I'm not saying I like what they're doing, but it seems hard to outright stop when their own country doesn't care. Same with Chinese businesses engaging in fraud with foreign investment firms. It's effectively accepted practice encouraged by their country. The market is the only real punisher. So if these types of activities are effectively allowed because people can play by the rules and engage in them, then as a society or as a company you have to respond rationally. "Well it's illegal where I live" is not really an answer. Thus my question is, "should companies pay security professionals more to combat the economics of these organizations?". People seem to think companies should pay out bug bounties on a scale much closer to what e.g. ZERODIUM would pay for 0 days to fix the economics. I guess I'm just asking if there's an economic "solution" to these ransomware groups in absence of a legal one?
It seems we both agree it's not ethical by our relative standards. But you're not actually responding to my question. I mean hey even killing is justified against foreign actors in the name of war. Doesn't matter. I'm asking whether there's an economic solution because I'd rather not devolve into some form of war.
> That some countries legalize theft of property in other countries does not change the ethics of this at all.
It literally does. Because those people are participating in a society where their actions are not strictly unethical. Their society does not necessarily view them as sociopaths.
Well I should concede it depends on whether your worldview accommodates different ethical frameworks or not. If you are absolutely ethical then all people must adhere to the same ethical standard and you can rightly justify punishment of outsiders.
Even if your worldview doesn't accommodate different ethical frameworks (i.e. I stand behind my own ethical principles, and believe that anyone who disagrees with me is unethical), surely you have to admit that some people will disagree with that stance, will hold their own views that are incompatible with yours, and will call themselves ethical until the cows come home, right?
We're not arguing about whether that's ethical, we're simply pointing out that people like that exist.
You and the parent commenter are no longer arguing about what is and isn't ethical (as you've stated, you both seem to agree), but instead on what to do about the practical reality that society in Russia does see this as ethical, and doesn't give a flying fuck what you or I think.
Now the question becomes, what should we do about that.
This is the same kind of "moral compass" that scammers use to scam senior citizens out of their life savings. The targets are rich Americans (every American being rich compared to where they live), so does it really matter if they lose several thousand dollars?
They outright admit that they see the targets primarily as money bags, and that they are making the economy better in exactly the same way that breaking windows makes the economy better, and your opinion is that it's ethically blurry?
My ethical framework allows for disagreements on the nature of what is and isn't ethical. It doesn't matter if you and I agree some behavior is unethical. Some other group of people clearly consider their behavior to be in the realm of ethical given their worldview, location, upbringing, etc. So no amount of us whining about how unethical it is really changes anything, does it? I personally consider massive hoarding of wealth unethical... so... from a total harm standpoint... yeah it's kinda grey.
> as long as you don't mess around in your own backyard.
Based on the recent pipeline incident, it seems that these crime groups realize there are other places you'd better not mess around.
Screw with Bank A or Company B ... fine. Screw with infrastructure of a country with a large scale military, control over large chunks of global finance, and so much more ... probably not a good idea.
I don't have metal bars across my windows, should they start targeting my house to force me to add them?
I'm being somewhat facetious, but I want to live in a society where not being hyper focused on all forms of security at all times, and just being _safe_ is an ok way to live your life.
"It's easy so we'll do it" is not a defence of this practice. The only reason the security is needed at all is because of people like this. I'm not saying security isn't important, but being bad at security is not a defence of people who take advantage of that poor security.
The reason security is needed is that we have institutional methods for transferring ransom and paying for the rackets.
The reason that it’s ok to have a shitty $80 lock on your front door or an unprotected window near ground level is that the value for a would-be burglar to break in for a crime of opportunity is low. If you’re a well known jeweler or gun collector, you typically take other measures because you may be a target.
Cryptocurrency made computer crimes profitable crimes of opportunity.
> The reason security is needed is that we have institutional methods for transferring ransom and paying for the rackets.
The reason we have child pornography is that people don't need to have their photographs developed by a chemist in a photo lab anymore. The photo lab chemists would've turned them in to the cops.
The type of society you want to live in is utterly irrelevant. Those ransomware gangs exist and there is no way to eliminate them. That is our new reality. Any business leader who is bad at security is incompetent. I wish it didn't have to be that way but whining about it won't accomplish anything.
Employees are being paid by the hour, so they wouldn’t care at all. Customers - true, this might cause delays for them, if the company decided not to pay the ransom. It’s still just a delayed cost, though.
> Employees are being paid by the hour, so they wouldn’t care at all
Sorry, but that's just not correct. It's always someone's job to clean up this mess, and that falls on individuals. If they have to clean up a stressful mess, they definitely do care. A lot.
I've had to clear up messes in the past, and it severely negatively impacts my mental health. Never, ever think that it's a victimless crime. They might not feel the force of the actual crime itself, but there are most definitely employees out there where the second-order effects on their wellbeing are starkly negative.
Again, for customers, you never know what those second-order effects of the delayed cost would be. I'm not going to whip up slippery slope arguments, but again, you're assuming that customer interactions with companies are all one-sided "I can do this later" kinds of interactions.
We shouldn't hand-wave away bad things because they only impact some faceless "company". Companies are made up of individuals, most of whom don't want to be there, but most definitely care when they're forced to do more work by some bad actor.
Of course it’s always somebody’s job, but that’s it: it’s their job, they are paid by the hour. There is no “more work”, it’s just that the planned work will be delayed.
I've seen this happen more than once, where IT spells out the risks and recommends tighter security practices, more security hardware/software, more backups and redundancy, a bigger security team so they're not just running around fighting fires all the time and have some resources to improve security, etc, but these requests are denied because there's not enough budget for them or they're too inconvenient (as security is almost always a tradeoff against convenience).
Then there's a security incident and suddenly money materializes out of nowhere and they'll pay whatever it takes to get back online, making the security and IT teams work nights and weekends until the incident is resolved.
At the same time, security look like incompetent idiots for letting the incident happen in the first place, with everyone conveniently forgetting that multiple requests to tighten security were denied, and many other people in the company don't even know about what happened, but consider the security team to have screwed up.
So security often wind up looking like idiots, though it's not their fault. Or maybe there really was a screwup by someone who's no longer with the company. Dealing with gigantic legacy systems and endless complexity that no one fully understands is common.
When the security incident blows over, those security budgets shrink again and the importance of security dwindles as other parts of the business take precedence, until the cycle repeats again and again.
Or security really is taken seriously at some companies, and then the security teams are often seen as the "no men", and widely despised because they stand in the way of getting work done.
These reasons and more are why I don't like to work in a security role. Let someone else take the blame.
The lost productivity and general _stress_ due to well-intentioned but ultimately counterproductive software being introduced by IT after a ransomware attack was the last straw for at least two highly qualified engineers I know personally. They left their employer after that. Being blocked from doing your job is highly stressful for people who are motivated by the utility of their work to society, a description which I believe fit these engineers. This is an example of direct human cost - the transformation of a desirable, fulfilling job to one less so.
Now, sure, the IT dept in question could have handled this a little better. Maybe. But the presence of these advanced threats forced IT's hand here.
Because the employer isn’t fixing the problem they’re deploying bandaids that are known not to work. I wouldn't want to work like that either and companies need to learn how to effectively secure software. What if companies paid like BM probably pays? I bet most people would do the work in a less grey fashion. But companies don’t value security so this is the result.
I'm not sure we're going to get much further here if you're arguing on the dichotomy of checked out employees punching a clock vs exploitation by the employer.
Suffice to say, this crap has impact on real people, in the real world. To imply it's just some neutral action doesn't reflect the reality we live in.
Not only this, but ransomware companies are even more nakedly in pursuit of profit than most non-ransomware companies. It's hard to imagine any ethical framework regarding capitalism etc. which would enable a favourable view of ransomware companies.
I think making companies and the industry more aware that their bug bounties are undervalued is important. It raises the bug bounties and creates more opportunities.
This is an approach of like "okay let's just ignore your rationale for not doing that and give the hackers a platform until you change"
There's a difference between educating and warning people about attacks, and having the attackers do that themselves. I'm not saying we shouldn't talk about these things, we absolutely should! It just shouldn't be by interviewing and glamorising those committing the crimes.
I share your concern that people will see this as cool or glamorous. But isn't it also helpful for people to try to understand the perspective of the attackers, for example because they might
* become better able to defend themselves
* become better motivated to defend themselves
* better understand how to deter these attackers
* become more motivated to seek action from government or vendors to deter these attackers
* have a more informed debate about the ransomware industry or organized crime as a whole
...?
Edit: for example, things that I had heard that were confirmed for me by this interview include that the Russian government is consciously tolerant of this activity (maybe someone could find ways to change that!?), that organized crime fears being caught or attacked by NSA, that ransomware attackers are very sensitive to their reputation and public image, that you can probably count on them to keep their side of their illicit bargains, and that they are especially motivated by money rather than ideology. All of those seem like pretty interesting ideas that might be hard to confirm quite as well in other ways.
Considering the huge environmental damage created by e.g. oil companies (and many others), one could say the same about them?
The only difference is what these people do is illegal while what the companies do is not: the damage, though, is arguably on the same scale, if not lower for ransomware attacks depending on which infrastructure is attacked.
I personally take moral issue with oil companies, but society as a whole has not decided that they are deserving of punishment, so I save my actions for campaigning, lobbying, and supporting groups that are pushing for change.
On the other hand, society has decided, via law making, that ransomware attacks are deserving of punishment.
With so many differing opinions it's hard to please everyone. I'm in favour of having a range of voices that I might not agree with represented in media, but criminals advertising their crimes and talking about how they're getting better at doing it feels like it's fairly clearly past a line.
Following that logic nurses delivering babies are also on the same level considering they're supporting the growth of the human race (which causes all the environmental damage)...
That's of course a possible interpretation if you want to stretch everything to the extreme. OP thinks it's dangerous to publish a blog post with such an interview because it gives a platform to people who cause damage.
I'm just pointing out that oil companies have caused way more damage than this guy and they have had a massive platform for decades, why shouldn't we stop giving them a platform as well?
As much as I loathe our response towards global warming, this comment shows why equivalence should not be taken lightly and how absurd the result can be.
How about holding people for ransom? That is equivalent for sure. How about killing people? Well, the oil industry eventually ends up killing some people.
Let’s put a stop to oil industry before we deal with the kidnappers and killers!!
> Let’s put a stop to oil industry before we deal with the kidnappers and killers!!
Nobody said there has to be a priority. Why can't we stop both?
Moreover, OP's comment was not talking about stopping them, but about giving these people a platform.
Despite the damage done by oil companies they are still allowed to spend billions of dollars in marketing, lobbying, etc., resulting in a much bigger, legalized, platform, while still causing way more damage than ransomware "companies".
It's the sad double standard that most companies have: Look, I pollute half the planet and I don't give a shit about investing in new technology, I just want my ARR of 100 million, and I'm willing to lie with cheap marketing ...
But ransomware, it's clearly a priority, we can't risk being attacked if we didn't do anything illegal, that's morally wrong, and I'm a very moral person.
How stupid people are on our planet, billionaire people are really very stupid people ... Put a scientific researcher and an entrepreneur to debate on any subject and that's when you realize that most "entrepreneurs" have the coefficient of a 5-year-old child.
Why do we never see Elon Musk debate with researchers if he has as much intelligence as he says (the techno king)? It must be so as not to make a fool of himself on television (or YouTube).
Whataboutism. Let’s respond by bringing up a completely unrelated topic to justify the actions of criminal organizations.
These are organized crime activities akin to cartel kidnappings, Somali pirates, mob extortion, and kidnapping tourists for ransom. 21st century pirates/mobsters.
How long until ransomware becomes extortion or protection schemes? Pay us a yearly fee and we’ll not hack you and if someone does hack you we’ll hack them back.
Nobody is justifying anything, I'm just saying that if it's wrong to give these people a platform, why is it ok to give it to oil companies? The latter have caused way more damage than a random ransomware group.
Can you point out where I justified the actions of these criminal organizations (as parent said)? It's funny that the comment labeling mine as whataboutism is factually incorrect about what I said.
It's easy to reply by labeling anything you don't agree with as whataboutism, because you don't have to go into the merit of the discussion. You don't have to articulate a reply, you don't need to reason about it.
I made a pretty simple analogy, and the only one who actually replied with something sensible was OP, which I appreciate.
Everyone else just tried to find logical fallacies (like now we need to stop nurses from giving birth) or just discredit the argument but without providing any meaningful reason.
Most of the damage oil companies are making is legal. At the moment fracking is legal but IMHO it’s very damaging. Undersea oil drilling is legal but there are many accidents. Shipping oil is legal but there are a lot of accidents that cause massive environmental problems.
Ransomware is never legal and organized crime is not legal in the West. They should not have a voice at all and should be treated like the criminal organizations they are.