[AusNOG] Ransomware...

Robert Hudson hudrob at gmail.com
Sat Sep 24 10:21:18 EST 2016


On 24 Sep 2016 8:59 AM, "Skeeve Stevens" <
skeeve+ausnog at eintellegonetworks.com> wrote:
>
> Robert,
>
> Digging what hole? What an arrogant perspective Rob.
>
> I don't do desktop support. I don't care in the slightest about that side
> of IT... it isn't what I do.

And therein lies the problem.
>
> But I do get called when things like this happen.

So people call you to deal with a problem you apparently don't give a shit
about. At least now we understand where your bad advice comes from.

What are the ethics behind accepting money to advise/consult on an area
that you've publicly noted you don't care about?
>
> In the dozen events over the last 2 years or so where the user had no
> choice (there was no backup), and they paid - they always got a working key.

Lucky them. Luck is the first thing I'd want to base my business success on
too.
>
> My point here isn't shaming the users - which you obviously have a
> disdain for - it is getting the business running again. Sometimes they
> can't afford to pay, in which case they have to live with the situation.

More arrogant, uneducated assumptions. Although I don't do desktop support
(as an official part of my job - no matter who's paying), I absolutely can,
will and do help at all levels of the business.

Can't afford to pay what exactly? The cost of an offline backup (a USB
storage device can be had for < $100), or the ransom?

> Also, I've seen a couple of insurance companies for people who have
> hacking insurance, they've paid the demand, because it was cheaper than
> re-constructing the data. I'm not sure of their success rate.

I'd change insurers. At the very least because they're clearly not doing
enough due diligence on customers and their setups before accepting a
premium payment. I know the businesses I've been involved with who have had
similar policies had strict requirements around self-protection as part of
the policy.

> No one is trying to validate their criminal business Rob. And in some
> cases, even if the result was not a working key, just trying is worth the
> effort.

Paying a criminal a ransom when they have carried out an illegal act is
legitimising the business model. That is whether you're trying to do that
or not.

There is no side case in this particular reality that changes that fact.

> But clearly you give little care to the business and would rather shame
> and punish them for their lack of skill or wisdom than getting them back on
> line.

Who have I shamed or punished?

Clicking a link on an email from the Australian Federal Police, saying
you've been caught speeding - that is a moment of silliness, almost always
from a person who is otherwise a long way from silly, but who, due to
various influences, had a moment of weakness. It's even an OK thing to have
happened - we're all human, we are all fallible. To try to sugar-coat that
such an act was silly though is to fail to help the user to understand that
they can be a part of the solution - and actually, the most important part
of it.

> Dogmatic people like you with no empathy and rigid rules are what have
> given IT people a bad name. You service PEOPLE, not bloody computers. They
> are your customers. Without them you would have nothing to manage. Just
> because they don't have our level of experience - both staff, directors,
> CEO, whatever - does not mean we just tell them to eat shit when they make
> a mistake. We do the best we can to help them get back on their feet.

Nobody has told anyone to eat shit.

I just believe that in the long term, paying criminals doesn't help anyone
but the criminals.

And I am well aware of the fact that it is my job to service and support
the users and the business I am either employed by or contracted to - and
not the criminals who profit from people paying ransoms to which they are
NOT entitled.

Do I have a dogmatic belief that criminals should not profit from their
illegal activities, particularly at the expense of their victims?
Absolutely.

> I don't have an employer... likely never will. But you do. And you've now
> told the internet and its archives just how much you don't care for your
> customers and that you wouldn't consider every option to help them.

I'd take what the Internet and its archives say about me and the
consideration I give others over what they say about you. Every day of the
week.

> What an asshole.

Coming from you, I can only take that as a compliment. Thank you.

Coming from you, I take that as a compliment.

>
>
> ...Skeeve
>
> Skeeve Stevens - Founder & The Architect - eintellego Networks Pty Ltd
> Email: skeeve at eintellegonetworks.com ; Web: eintellegonetworks.com
>
> Cell +61 (0)414 753 383 ; Skype: skeeve
> ; LinkedIn: /in/skeeve ; Expert360: Profile ; Keybase:
> https://keybase.io/skeeve
>
>
> On Sat, Sep 24, 2016 at 7:17 AM, Robert Hudson <hudrob at gmail.com> wrote:
>>
>> Yes, you're right Skeeve. Other people being silly (or uneducated)
>> enough to open documents or click links that deliver malware that no common
>> anti-virus package can pick up (you're aware of course that these things
>> mutate to stay one step ahead of such tools), that is a reflection of my
>> skill.
>>
>> The fact that I have set up recovery systems to be able to retrieve
>> files, and have been able to convince senior managers that the investment
>> in appropriate tools (education to slow the incident rate, recovery tools
>> for when it invariably does happen) for this purpose, that is no reflection
>> on my capabilities at all.
>>
>> If, on the other hand, you think:
>>
>> * it is in the best interests of a client to pay money to a criminal
>> enterprise with no reasonable expectation that they will deliver the
>> decryption key as promised;
>> * that paying won't simply mark the victim as one willing to pay again;
>>
>> When you:
>>
>> * have apparently failed to inform them of a well known threat;
>> * failed to advise them to take simple and inexpensive steps to ensure
>> that business-critical documents are adequately protected;
>>
>> Then what does this say about your skills or even whose interests you
>> have at heart?
>>
>> Keep digging. That hole is getting bigger.
>>
>>
>> On 23 Sep 2016 11:08 PM, "Skeeve Stevens" <
>> skeeve+ausnog at eintellegonetworks.com> wrote:
>>>
>>> Robert,
>>>
>>> Obviously if you can restore the file you would.
>>>
>>> But... You've been hit at work (where you are responsible), family
>>> business (where you may or may not) and at home (where you are likely
>>> responsible).
>>>
>>> This is not a fantastic testament to your skills is it.
>>>
>>> You always think you have a choice - until you don't. Of course, trust
>>> the advice of people who aren't stake holders, clearly they have your best
>>> interests at heart - because clearly you don't.
>>>
>>>
>>> ...Skeeve
>>>
>>> Skeeve Stevens - Founder & The Architect - eintellego Networks Pty Ltd
>>> Email: skeeve at eintellegonetworks.com ; Web: eintellegonetworks.com
>>>
>>> Cell +61 (0)414 753 383 ; Skype: skeeve
>>> ; LinkedIn: /in/skeeve ; Expert360: Profile ; Keybase:
>>> https://keybase.io/skeeve
>>>
>>>
>>> On Fri, Sep 23, 2016 at 2:11 PM, Robert Hudson <hudrob at gmail.com> wrote:
>>>>
>>>> On 23 Sep 2016 8:25 AM, "Skeeve Stevens" <
>>>> skeeve+ausnog at eintellegonetworks.com> wrote:
>>>> >
>>>> > This is from the perspective of someone who hasn't been held to
>>>> > ransom
>>>>
>>>> Wrong. I have been hit at work where I am responsible for the IT
>>>> systems (to the point where I can lose my job, and thus ability to support
>>>> my family). We recovered files without paying the ransom.
>>>>
>>>> > had their business at risk
>>>>
>>>> Wrong. A family business has also been hit. We got hit at home too,
>>>> with documents encrypted that are worth way more to me than any company or
>>>> business document. Again, we recovered files without legitimising the
>>>> business model of ransomware authors/attackers.
>>>>
>>>> > and had no other choice.
>>>>
>>>> Wrong. Three strikes and you're out? You're really not very good at
>>>> this baseless assumption thing, are you...
>>>>
>>>> > The few here who say they wouldn't pay are the same... wait till it
>>>> > is your only choice.
>>>>
>>>> There is always another choice. Being prepared is a major part of
>>>> that choice.
>>>>
>>>> If you are storing business-critical documents without adequate
>>>> protection from a well documented style of attack that has existed in the
>>>> wild for years now, I would argue that you're not very good at this
>>>> business thing, and your failing to plan is really planning to fail.
>>>>
>>>> A criminal has decided to attack your business, and upon breaching
>>>> your initial defenses, found you to be vulnerable. Someone with the ethics
>>>> to take that path is now holding your data to ransom, promising to release
>>>> it if you pay them some money via a path that makes it virtually impossible
>>>> to trace them. And never to bother you, someone who already proved that
>>>> will give up money if threatened, again.
>>>>
>>>> Now, I don't pretend to understand the thought processes of such
>>>> people. But as a target, I choose to trust people who have acted in that
>>>> particular fashion as far as I can throw them.
>>>>
>>>> All the advice I get from people who I trust in matters such as this
>>>> is that I am doing the right thing.
>>>>
>>>>
>>>> Regards,
>>>>
>>>>
>>>> Robert
>>>
>>>
>