ProtonMail pays $6k ransom, gets taken out by DDoS anyway

10 years ago (arstechnica.com)

NEVER EVER PAY RANSOM MONEY.

Please. Even if your business will suffer, it will suffer a lot more if you do pay since now it is known you'll cave. Also: you are making the problem larger for others.

  • From their blog: https://protonmaildotcom.wordpress.com/

    At around 2PM, the attackers began directly attacking the infrastructure of our upstream providers and the datacenter itself. The coordinated assault on our ISP exceeded 100Gbps and attacked not only the datacenter, but also routers in Zurich, Frankfurt, and other locations where our ISP has nodes. This coordinated assault on key infrastructure eventually managed to bring down both the datacenter and the ISP, which impacted hundreds of other companies, not just ProtonMail.

    At this point, we were placed under a lot of pressure by third parties to just pay the ransom, which we grudgingly agreed to do at 3:30PM Geneva time to the bitcoin address 1FxHcZzW3z9NRSUnQ9Pcp58ddYaSuN1T2y. This was a collective decision taken by all impacted companies, and while we disagree with it, we nevertheless respected it taking into the consideration the hundreds of thousands of Swiss Francs in damages suffered by other companies caught up in the attack against us. We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless. This was clearly a wrong decision so let us be clear to all future attackers – ProtonMail will NEVER pay another ransom.

    • They put their customers in charge of the company? This gets weirder all the time. The problem is that they asked their customers in the first place. They should have simply communicated the fact that they would be under attack shortly and indicate that they would never ever pay a red cent.

      That would give their customers time to batten the hatches and/or migrate off the system for the time being while sending a clear signal that they would not pay anyway.

      This is a tough situation to be in but putting your customers in control of the company (and in a democratic way no less) is not the solution. What about those customers that decided (rightly imo) against paying?

      Companies such as these should have an up-front item in their terms of service indicating that they would never pay a ransom, that way they would be clear to both their customers and their potential attackers.


  • I think cryptolocker actually decrypted the FS after the ransom was paid. So sometimes it works.

    Actually, it makes no sense to not follow through because that is their business model.

    • Let me make a spam analogy: the reason we are drowning in spam is because it works. If even 0.00001% of the spam recipients enters into a financially beneficial relationship with the spammers then everybody will get spammed. The only way spam will go away is if everybody will finally stop responding to spam.

      So you just simply do not pay extortion fees unless you want to become part of the problem.

      In the case of an encrypted filesystem that means you will have to restore from a back-up (which I assume (naively maybe) that you have). And you chalk the whole thing up to your education fund. Paying up is simply wrong.


    • If at any point a CryptoLocker locked a person's files up, and they didn't give up the key and it got out, no one will ever pay them again. It's in their best interest to actually unlock the files.

  • If you are the victim of a crypto locker, you don't really have a choice. In fact it is true of any hostage situation. Parents of a kidnapped kid only have one solution. It is the authorities role to ensure that the hostage takers end up in a jail or a coffin, otherwise impunity will fuel criminal behavior.

  • >NEVER EVER PAY... you are making the problem larger for others

    That's true but for the individual payee it can make sense. Trying to get the ransomers back can work. They'll keep at it till they figure they can get harmed.

  • It would only make sense if you're doing it as a delaying tactic.

    There is a chance they could be 'honorable' thieves and desist, but it's likely having had someone cave in once, they'd cave in again, and again... So, it only makes sense as a delaying tactic, in the long run it's mostly a losing proposition, unless you're setting them up for a sting or something.

  • What's your opinion on settling bogus litigation?

    • Bury the bastards.

      I've been in that position (twice) and in both cases was able to reverse tables on my opponent. It could be that I'm lucky but I think that these operations only work because there are a lot of people that cave in when they see a letter on a lawyers letterhead regardless of the merit.

    • Hire a hitman, kill main lawyer and go up from there. Will be cheaper than settlement, not to mention full lawsuit.

  • "An appeaser is one who feeds a crocodile, hoping it will eat him last."

    -Winston Churchill

  • If you're a security service, definitely pay no ransom money. Also, tell your clients to back their stuff up with their own methods, too, just in case you come under heavy attack.

    • > Also, tell your clients to back their stuff up with their own methods, too, just in case you come under heavy attack.

      This goes for any 'in the cloud' data that you might have. In the end it's your data and your company that is at stake. Not all data wipe-outs are malicious, sometimes accidents do happen.


    • > Also, tell your clients to back their stuff up with their own methods, too, just in case you come under heavy attack

      you would be shocked at the number of people who get upset when you advise them to make their own backups, and interpret this as an indictment of the reliability of your own backup procedures.

      e.g. "isn't that what we pay you for???"

      nevertheless, do it anyway and let them fume. there are no prerequisites for running a business and you'll find that many absolute morons are at the helm of some nominally successful businesses.


Loved the comment at the bottom:

'So basically ProtonMail said "We're incompetent and fund criminals… give us money."'

It seems like the largest threat to the "ransom seeking industry" is for the public to come to believe that paying the ransom will do no good. Sometimes, such as in cases like this, it becomes publicly known that a ransom is sought before it is paid. An interesting aspect of a Bitcoin ransom is that third parties can verify that a ransom was paid.

Would it be in the legitimate interest of the public as a whole for a third party (possibly governmental) to carry through on the threat as soon as the ransom is paid? This would be to the detriment of the victim, but reduce the likelihood that future ransoms would be paid, and thus eventually might reduce the number of future victims.

Might that be what's happened here?

  • > An interesting aspect of a Bitcoin ransom is that third parties can verify that a ransom was paid.

    Huh, interesting. If third parties have attackers' bitcoin address, they can also pay the ransom themselves.
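The two points above, that anyone holding the address can verify a payment on the public chain, and that anyone holding the address can also make one, are easy to see in code. This is an added example for this thread, not code from ProtonMail or the article; the transaction records are constructed (arbitrary timestamps, made-up input addresses), and only the ransom address itself is taken from ProtonMail's post.

```python
"""Checking an on-chain ransom payment, and what that check does not prove.

Added example for this thread, not code from ProtonMail or from the article.
The transaction records below are constructed for illustration and are not
the real history of the address quoted above; block times are arbitrary
integers rather than real timestamps.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

SATOSHI = 100_000_000  # satoshis per bitcoin

# Address published in ProtonMail's post (the only real identifier here).
RANSOM_ADDR = "1FxHcZzW3z9NRSUnQ9Pcp58ddYaSuN1T2y"


@dataclass
class TxOut:
    address: str
    value_sat: int


@dataclass
class Tx:
    txid: str
    block_time: int          # 0 for an unconfirmed transaction
    confirmations: int
    input_addrs: List[str]   # addresses that signed the inputs (the payers)
    outputs: List[TxOut]


def payments_to(txs: List[Tx], address: str, since: int = 0,
                min_conf: int = 6) -> Tuple[int, List[str], Set[str]]:
    """Sum confirmed outputs paid to `address` at or after `since`.

    Returns (total_satoshi, paying_txids, input_addresses). A third party
    with nothing but the address can compute all three from public chain
    data, which is the thread's point: the payment itself is verifiable.
    """
    total = 0
    txids: List[str] = []
    payers: Set[str] = set()
    for tx in txs:
        if tx.confirmations < min_conf or tx.block_time < since:
            continue
        paid = sum(o.value_sat for o in tx.outputs if o.address == address)
        if paid == 0:
            continue
        total += paid
        txids.append(tx.txid)
        payers.update(tx.input_addrs)
    return total, txids, payers


def attributable_to(txs: List[Tx], address: str, claimed_payer_addrs: List[str],
                    since: int = 0, min_conf: int = 6) -> dict:
    """The limit of the check: the chain shows which addresses funded the
    payment, not who controls them. Without an out-of-band link from the
    victim to its own addresses, a payment from an unknown address could
    have come from anyone who read the address online."""
    _, _, payers = payments_to(txs, address, since, min_conf)
    claimed = set(claimed_payer_addrs)
    return {"known": payers & claimed, "unknown": payers - claimed}


# Constructed sample history (not real transactions).
SAMPLE_TXS = [
    Tx("a1", 900, 50, ["1UnrelatedEarlier"], [TxOut(RANSOM_ADDR, 1_000_000)]),
    Tx("b2", 1100, 20, ["1VictimWalletA", "1VictimWalletB"],
       [TxOut(RANSOM_ADDR, 250_000_000), TxOut("1VictimWalletB", 30_000_000)]),
    Tx("c3", 0, 0, ["1Stranger"], [TxOut(RANSOM_ADDR, 50_000_000)]),  # unconfirmed
    Tx("d4", 1300, 8, ["1SomeoneElse"], [TxOut(RANSOM_ADDR, 10_000_000)]),
]

if __name__ == "__main__":
    total, txids, payers = payments_to(SAMPLE_TXS, RANSOM_ADDR, since=1000)
    print(f"received {total / SATOSHI:.8f} BTC in {txids}; inputs from {sorted(payers)}")
    print(attributable_to(SAMPLE_TXS, RANSOM_ADDR,
                          ["1VictimWalletA", "1VictimWalletB"], since=1000))
```

The `since` and `min_conf` filters matter in practice: a payment that lands before the deadline the attackers set, or one that is still unconfirmed, does not demonstrate that the victim paid on time, and the `unknown` set from `attributable_to` is exactly the gap the reply above points at.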

  • That's an interesting angle, but if traced to the source that source would still be 100% on the hook for any and all fall-out from such an attack and I really wonder if any government entity would be willing to sign off on such a vaccination service.

    • It doesn't necessarily have to be a government, things like this probably attract more vigilante "Anonymous" type of people anyway.

Vigilante solution: You could automatically send a ransom request any time you see a company getting DDOS'd by an attacker. If the attacker is also asking them for a ransom (so the company gets two ransoms), you ensure confusion and that the attacker doesn't get paid. Otherwise, you might get paid while the attack happens.

This way:

(1) companies that pay ransoms are ALWAYS punished and it never causes an attack to stop
(2) no attacker ever gets paid a ransom

I suspect, sadly, this is why Gmail and sites like it will continue to win. Secure email always sounds like a good thing, but it's less important in practice than accessible email. If you have to make a choice between confidentiality, integrity, and availability, for day-to-day email, very few people will choose anything other than availability.

(The email deliverability problem doesn't help matters, of course.)

  • an email server doesn't need to be accessible 100% of the time to guarantee deliverability

    • By "the email deliverability problem" I'm referring to the problem that only well-known IP addresses get to send mail that doesn't get arbitrarily thrown into spam filters. See e.g. http://liminality.xyz/the-hostile-email-landscape/ , which was front-page here a few weeks back.

      If you're just talking about availability, then yes, but this was a sustained DDoS that took their servers down for hours. While the email protocol does insist that the sender should queue and try later, having no new email for hours is not really what people want out of email.

    • Protonmail's e-mail servers were offline for multiple days. With an outage of that length mail will start to bounce. It depends on the local configuration. But, 3 days/72 hours is pretty standard.


There are regular security solutions, then there are those meant to stop High Strength Attackers. I warned that ProtonMail's team and infrastructure wouldn't handle the latter. I was expecting stealth 0-days, though, given there are DDOS mitigations available. That they went down due to DDOS was a bit of a surprise.

"Cost estimates for these solutions are around $100,000 per year since there are few service providers able to fight off an attack of this size and sophistication. These solutions are expensive and take time to implement, but they will be necessary because it is clear that online privacy has powerful opponents."

No shit lol... Not a good sign that they're already in reactive mode. On the other end, that MyKolab hasn't gone down might mean they're already compromised or just not targeted by this attack. I wonder what it is. They're just a GPG carrier in a semi-neutral jurisdiction in my usage, though. ProtonMail would've been, too, but I figured they'd be more likely to have service issues.

  • You mentioned that you warned ProtonMail's team about High Strength Attackers. What else did you warn them about? What other security flaws do they have in your opinion?

    • I warned others about them. I rarely warn projects any more because my associates and I have done that until we were blue in the face with little effort. My MO is to just post good stuff in forums that attract talent so they might see and adopt it. In any case, I posted a write-up on what real security is and what goes into it on Schneier's blog in response to a [false] comment saying secure coding is all you need. Here's the Pastebin of it:

      http://pastebin.com/y3PufJ0V

      Here's a specific example where I try to make a step-by-step guide for high assurance Tor without knowing its internals. Just drew on my prior work:

      https://www.schneier.com/blog/archives/2014/09/identifying_d...

      Hope what High Assurance Security takes is more clear now. Unless you get lucky (eg GPG), you need high assurance to resist TLA's successfully and that might just be delaying inevitable. Still need monitoring & tamper-detection.

I belong to a minority community in Pakistan that is the target of regular state-backed oppression. In addition to violence and flagrant discrimination, the community representatives are also targets for abductions. The community has a rule. It never pays ransom to the kidnappers because this sets a precedent and exposes the representatives all over the country to even more kidnappings. This strategy, while it may seem brutal, is a necessary one and over the years kidnappings for ransom have gone down. Again, computer security is different, but the principle is the same: you don't want to send out the message 'We'll give you money to make you go away' because it just goads even more to resort to such tactics.

That's really not smart. By paying it up you just incentivize them to do it more often. Not only to yourself but to other websites.

  • This is the first case I've seen where a digital blackmailer didn't follow through with their promise. It's bad for business for them to renege as it increases the chance that their next victim won't pay.

    • I have no idea how to verify the statements, but I found some comments on the blockchain.info page for the bitcoin address regarding the DoS. It is supposedly from the blackmailers: https://blockchain.info/address/1FxHcZzW3z9NRSUnQ9Pcp58ddYaS...

      "Somebody with great power, who wants ProtonMail dead, jumped in after our initial attack!" "We have no such power to crash data center and no reason to attack ProtonMail any more!" "WE DO NOT HAVE THAT POWER! NOT EVEN CLOSE!" "We are not attacking ProtonMail! Our attack was small, directed at their IP only and lasted 15 minutes only!"

      I don't believe Protonmail have said they have received any more requests for money, so that would go along with the above. I agree that it was silly to pay the blackmailers, but there is some reason to believe that these are two separate attacks.


    • The original DDoSers actually did honor the ransom and stop their attack. However, another group started hitting them after the ransom was paid. Probably because they just advertised themselves as people who will reward DDoS attacks.


    • The article states that it was most likely two different attackers, due to the different methods used and the blackmailer denying responsibility for the continued (unsophisticated) attack.

      I'm not sure what to think, but I can easily understand why they did pay. It's easy for others to say what would be best for the industry, but when you are the one suffering and your ISP is angry at you, and you can pay a small sum to (possibly) make the problem go away, your opinion will change.

    • From what it seems, there were two DDoSers. The ones they paid to, did stop DDoSing, but the other one is unknown and is still doing it. The first one did contact them and tell them that they had already stopped DDoSing.

    • I think the most likely scenario is actually that the blackmailers are outsourcing the DDOSing so there was a communication delay and/or there is some latency/delay when issuing commands to the botnet.

  • But if it buys you time to upgrade your infrastructure it could be worth it.

    • Paying ransom is never worth the long-term costs. Once you've proven to the criminal that you're someone who will pay, they usually try again in the future because you're an easy mark.

      Not only that, there is a power imbalance that shouldn't be ignored: the criminal has more experience in these kinds of confrontations than you do. Sam Harris has a very good article on this topic[1]; while he is discussing violent interactions on a personal level (e.g. mugging), the principles apply to many situations. The short version is that the criminal is trying to draw you onto their turf and to play by their rules. Almost always you will only make your situation worse when you let the criminal set the rules.

      [1] http://www.samharris.org/blog/item/the-truth-about-violence


The only thing worse than paying a ransom is publicly announcing you've paid a ransom.

  • I guess by publicly announcing that they paid ransom that "didn't work" they have slightly undermined the trust for ransom as a solution in cases like this. So it might be correct from a game theory perspective, if you disregard any decrease in trust for themselves that is.

I'm reminded of a similar article on ransoms and FBI's strange advice to pay up.

https://news.ycombinator.com/item?id=10482242

I think this is a good example of why this is bad advice.

  • Ransomware is a different scenario. With ransomware, if you have no backups and absolutely need your files back, paying the ransom is the only sane option. Of course, this can easily be prevented by taking frequent backups.

    With a DDoS, there are almost no advantages to paying the ransom. Much better to spend the money on DDoS mitigation instead, to help now and in the future.

    Also, the FBI wasn't making an official statement. It was just an off-hand remark from an agent, recommending technically ignorant people who desperately want their files back to pay the ransom.

    • In fact backups are not enough. It has to be offline backups, which raises the bar quite a bit. Backing up to a network drive doesn't even help, and I am not aware of any widely used "write-once-only" network drive capabilities.

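The difference between "backing up to a network drive" and a write-once target is worth seeing concretely. The following is an added example for this thread, not code from any product mentioned above: an in-memory model of two backup targets, one a mirrored share that an infected client simply overwrites, the other content-addressed and append-only, so the client credential can add snapshots but never replace or remove one. The file contents are constructed; a real deployment needs the append-only rule enforced outside the client's reach (object lock, a backup host that pulls from clients, or media that is physically offline).

```python
"""Mirrored share versus write-once backup target under a ransomware run.

Added example for this thread, not code from any product named above. Both
targets are in-memory models of the server side; sample files are made up.
"""
import hashlib
import json
import os
from typing import Dict, List


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class NetworkShareBackup:
    """What 'backing up to a network drive' gives you: a path-keyed mirror.
    Whatever the client has now replaces whatever the share had before."""

    def __init__(self) -> None:
        self._files: Dict[str, bytes] = {}

    def sync(self, files: Dict[str, bytes]) -> None:
        self._files = dict(files)          # mirror: adds, overwrites, deletes

    def restore(self) -> Dict[str, bytes]:
        return dict(self._files)


class WriteOnceStore:
    """Content-addressed and append-only. There is deliberately no delete and
    no overwrite: the only verbs a client credential can exercise are put
    and read, so a compromised client can add garbage but not destroy history."""

    def __init__(self) -> None:
        self._objects: Dict[str, bytes] = {}   # sha256 -> bytes
        self._snapshots: List[str] = []        # manifest hashes, commit order

    def put_object(self, data: bytes) -> str:
        h = sha256(data)
        # Different bytes always land under a different key; re-putting
        # identical bytes is a no-op. Nothing here can replace an object.
        self._objects.setdefault(h, data)
        return h

    def commit_snapshot(self, files: Dict[str, bytes]) -> str:
        manifest = {path: self.put_object(data) for path, data in files.items()}
        manifest_hash = self.put_object(json.dumps(manifest, sort_keys=True).encode())
        self._snapshots.append(manifest_hash)
        return manifest_hash

    def snapshots(self) -> List[str]:
        return list(self._snapshots)

    def restore(self, manifest_hash: str) -> Dict[str, bytes]:
        manifest = json.loads(self._objects[manifest_hash])
        restored = {}
        for path, h in manifest.items():
            data = self._objects[h]
            if sha256(data) != h:              # catches a tampered backing store
                raise ValueError(f"object {h} failed integrity check")
            restored[path] = data
        return restored


def simulate_ransomware_run() -> dict:
    """Day 1: clean backup to both targets. Day 2: the client is infected, its
    files are encrypted in place, and it still holds both backup credentials,
    so it pushes the encrypted state to both. Only the write-once target can
    still hand back the day-1 data."""
    clean = {"ledger.csv": b"2015-11-04,invoice,6000\n",
             "notes.txt": b"never pay the ransom\n"}
    encrypted = {f"{p}.locked": os.urandom(len(b)) for p, b in clean.items()}

    share, store = NetworkShareBackup(), WriteOnceStore()
    share.sync(clean)
    day1 = store.commit_snapshot(clean)

    share.sync(encrypted)                  # overwrites the only good copy
    store.commit_snapshot(encrypted)       # adds a second, useless snapshot

    return {"share_restores_clean": share.restore() == clean,
            "writeonce_restores_clean": store.restore(day1) == clean,
            "snapshots": len(store.snapshots())}


if __name__ == "__main__":
    print(simulate_ransomware_run())
```

The property that matters is the one the class simply lacks a method for: there is no way to delete or overwrite, so the question of whether the client's credential is "trusted" never arises. Versioned or snapshotting storage gets you the same effect only if the snapshots cannot be pruned with the same credential the client uses to write.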

    • Agreed. The difference is that with ransomware the act has already been done. You can think of it as negotiating with kidnappers vs. paying off the mob to not rough up your shop.


No evidence given for it, but my first thought was to wonder if it was a government not liking ProtonMail's encrypted email service, and taking them down.

  • I mean, the day of SOPA blowing up when everyone was protesting what was necessary to take down piracy websites they shut down megaupload and arrested people across the world. My only question that day was: why do we need SOPA again?

God, why? That's utter incompetence. Never pay ransoms. This has highly lowered my opinion of ProtonMail.

Does any one know the technical details of the attack? The article simply refers to it as 'highly advanced denial-of-service attacks'.

The fact that it knocked out their upstream providers also means it was probably just a simple volumetric attack like an NTP or DNS reflection attack. These are relatively easy to defend against.

I work for an ISP that gets hit with 5 or 6 of these a week, but because of the mitigation strategies we have in place our customers don't even notice...
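What "easy to defend against" looks like for a reflection flood: the traffic has a signature (many distinct sources, replies from a handful of well-known UDP service ports, large packets, one destination) that can be picked out of flow records and turned into a drop rule on the reflector source ports. The following is an added example for this thread, not code from ProtonMail, their ISP or the article; the flow records are constructed from documentation address ranges and the thresholds are illustrative starting points, not tuned values.

```python
"""Spotting a UDP reflection/amplification flood in flow records and turning
the finding into an edge filter.

Added example for this thread; not from ProtonMail, their ISP or the article.
The flow records are constructed (documentation address ranges) and the
thresholds are illustrative, not tuned.
"""
from collections import defaultdict
from typing import List

# Source ports that identify the common reflectors. Replies from these
# services are large and arrive unsolicited at the spoofed "requester".
AMPLIFIER_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp",
                   1900: "ssdp", 11211: "memcached"}


def detect_reflection(flows: List[dict], window_s: float, min_sources: int = 50,
                      min_amp_fraction: float = 0.8, min_avg_pkt: int = 300,
                      min_mbps: float = 100.0) -> List[dict]:
    """Group flows by destination and flag the reflection signature: many
    distinct sources, nearly all bytes from amplifier ports, large packets,
    and enough volume to matter. Returns one alert per victim address."""
    per_dst = defaultdict(lambda: {"bytes": 0, "pkts": 0, "amp_bytes": 0,
                                   "srcs": set(), "by_port": defaultdict(int)})
    for f in flows:
        d = per_dst[f["dst"]]
        d["bytes"] += f["bytes"]
        d["pkts"] += f["packets"]
        if f["proto"] == "udp" and f["sport"] in AMPLIFIER_PORTS:
            d["amp_bytes"] += f["bytes"]
            d["srcs"].add(f["src"])
            d["by_port"][f["sport"]] += f["bytes"]

    alerts = []
    for dst, d in per_dst.items():
        if d["pkts"] == 0:
            continue
        amp_fraction = d["amp_bytes"] / d["bytes"]
        avg_pkt = d["bytes"] / d["pkts"]
        mbps = d["bytes"] * 8 / window_s / 1e6
        if (len(d["srcs"]) >= min_sources and amp_fraction >= min_amp_fraction
                and avg_pkt >= min_avg_pkt and mbps >= min_mbps):
            ports = sorted(d["by_port"].items(), key=lambda kv: kv[1], reverse=True)
            alerts.append({"dst": dst, "mbps": round(mbps, 1),
                           "sources": len(d["srcs"]), "avg_pkt": round(avg_pkt),
                           "ports": [(p, AMPLIFIER_PORTS[p], b) for p, b in ports]})
    return alerts


def edge_filter_rules(alert: dict) -> List[str]:
    """Render drop rules for the reflector source ports toward the victim.
    iptables syntax is used as the illustration; the same (dst, udp, sport)
    tuple is what goes into a router ACL or a flowspec announcement."""
    return [f"iptables -A INPUT -d {alert['dst']} -p udp --sport {port} -j DROP"
            for port, _, _ in alert["ports"]]


def build_sample_flows() -> List[dict]:
    """Constructed 10-second sample: 200 NTP and 50 DNS reflectors hitting
    203.0.113.10, plus ordinary DNS and HTTPS traffic the detector must not flag."""
    flows = []
    for i in range(1, 201):                      # NTP monlist-sized replies
        flows.append({"src": f"198.51.100.{i}", "sport": 123, "dst": "203.0.113.10",
                      "dport": 40000 + i, "proto": "udp", "bytes": 1_000_000, "packets": 2000})
    for i in range(1, 51):                       # large DNS ANY responses
        flows.append({"src": f"192.0.2.{i}", "sport": 53, "dst": "203.0.113.10",
                      "dport": 50000 + i, "proto": "udp", "bytes": 1_500_000, "packets": 3000})
    flows.append({"src": "203.0.113.53", "sport": 53, "dst": "203.0.113.10",   # one real answer
                  "dport": 51234, "proto": "udp", "bytes": 512, "packets": 4})
    for i in range(1, 4):                        # legitimate HTTPS to the victim
        flows.append({"src": f"192.0.2.{100 + i}", "sport": 443, "dst": "203.0.113.10",
                      "dport": 52000 + i, "proto": "tcp", "bytes": 60_000, "packets": 80})
    for i in range(1, 6):                        # HTTPS to a neighbour, untouched
        flows.append({"src": f"192.0.2.{110 + i}", "sport": 443, "dst": "203.0.113.20",
                      "dport": 53000 + i, "proto": "tcp", "bytes": 300_000, "packets": 400})
    return flows


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    for alert in detect_reflection(SAMPLE_FLOWS, window_s=10):
        print(alert)
        print("\n".join(edge_filter_rules(alert)))
```

The caveat is the one this thread already contains: a filter at your own edge only helps while the link in front of it still has headroom. The ProtonMail post quoted above describes more than 100 Gbps aimed at the ISP's own routers, and at that point the drop has to happen upstream (or at a scrubbing provider), which is where the "$100,000 per year" figure quoted later in the thread comes from.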

  • They say the attack "exceeded 100Gbps" (https://protonmaildotcom.wordpress.com/). I moved my server to OVH 6 months ago, and since then any DDoS attacks don't affect me at all. OVH say they can handle up to 480Gbps of attacks, and people are reporting that they are getting up to 90Gbps of DDoS attacks mitigated by OVH without any problem. Their DDoS protection is completely free with any of their dedicated servers.

    I don't really understand the logic behind setting up with a Swiss datacenter with zero (or very little) DDoS protection. It is pretty much guaranteed that China will DDoS you if you are in any way involved in helping dissident groups.

It is possible that by paying the ransom, ProtonMail effectively financed its own DDoS attack. That being said, I commend ProtonMail's transparency in this situation, regardless of the seemingly negative reaction.

Cloudflare should have an emergency hotline for situations like this. Charge half the ransom to handle the traffic for the duration of the attack. Offer contract afterwards.

  • We (CloudFlare) do. We have done onboardings in real time with people under attacks. We do full length contracts because that works better for customers, though.

    We don't proxy smtp. There are solutions to deal with that in a hybrid way, though.

  • No, profiting in any way off blackmailers looks really bad...

    Reminds me of when Uber had that surge pricing scandal during the Sydney hostage crisis.

    • I think the OP meant it as a discount. (E.g. if Cloudflare blocking the attack would cost 10k (for 5 sites) for a month, offer a discount at half the ransom (3k) for however many days the attack lasts.)


  • Cloudflare's $200/month business plan includes DDoS mitigation. It's self-serve and there's an "I'm Under Attack!" button in every account. There's no extra cost for the bandwidth.

  • CloudFlare was the first company ProtonMail called (within 5 minutes of the DDoS starting). Unfortunately, they couldn't help ProtonMail. But, thanks to @rdl for responding to a txt on his cell phone at an inopportune time and mobilizing CloudFlare's sales and engineering teams to talk with Proton (during the company's retreat no less)!

    For all the people getting nasty and armchair quarterbacking this on little to no information, or trying to claim credit for things they did not do: understand that once you start working in venture-funded startups pretty much everyone knows each other and many people have worked together before.

  • Cloudflare don't proxy mail though, which is ProtonMail's main business, so that wouldn't have done much for keeping their services up.

    Additionally, I don't see ProtonMail as the kind of company that'll let other third parties terminate their SSL connections/proxy all their traffic.

    • They have BGP origin protection, where they announce your IP space for enterprise plan, probably expensive though.

  • Wasn't Cloudflare founded by an ex-fed or something? Hosting ISIS chat rooms that somehow are not being taken down by US feds is also slightly suspicious.

Quite a few companies do pay ransoms; that is not unusual.

In fact, if 100% of people never paid a ransom, the attacks would not be funded.

Publicly speaking about paying ransoms is very unusual.

It seems like a similar DDOS knocked out FastMail last night for a little while, although they returned to service very quickly (<30 min)

I don't understand why the attackers wouldn't stop? Why would they want to build up a reputation of not being worth paying? If they were always true to the word, then people would mostly always pay.

This article is great, in a way. People pay ransoms with extreme agony, but because they are supposed to be effective. If they don't work, there goes the only reason to pay. This is exactly the article the DDoSers don't ever want to see written about them.

  • I wonder if the second attack was trying to punish them for paying, and a warning to others?

Why couldn't they put it on Cloudflare?

  • Because ProtonMail would have been required to give CloudFlare encryption keys that would have 1) allowed CloudFlare to inject JavaScript to steal decryption passwords and keys 2) Allowed CloudFlare to collect metadata on traffic for individual users

    CloudFlare are a bunch of great guys. And, they wouldn't do any of that unless they were delivered a National Security Letter forcing them to.

    If ProtonMail signed up with CloudFlare, like HushMail did, ProtonMail would have no way to know if these types of code modification attacks or metadata collections were happening.

    And, as people saw with Hushmail, since CloudFlare does not do SMTP proxying (filtering/challenging) a DDoS could have still taken ProtonMail's mail servers offline. While CloudFlare allowed Hushmail to get its website back online, mail to my Hushmail account is currently delayed by several hours due to DDoS of their mail servers.

    From https://hushmailstatus.com/ :

    "We're investigating reports of incoming and outgoing email delivery delays. We'll update this page as more information becomes available."

It is always a temptation to an armed and agile nation
To call upon a neighbour and to say: --
"We invaded you last night--we are quite prepared to fight,
Unless you pay us cash to go away."

And that is called asking for Dane-geld,
And the people who ask it explain
That you've only to pay 'em the Dane-geld
And then you'll get rid of the Dane!

It is always a temptation for a rich and lazy nation,
To puff and look important and to say: --
"Though we know we should defeat you, we have not the time to meet you.
We will therefore pay you cash to go away."

And that is called paying the Dane-geld;
But we've proved it again and again,
That if once you have paid him the Dane-geld
You never get rid of the Dane.

It is wrong to put temptation in the path of any nation,
For fear they should succumb and go astray;
So when you are requested to pay up or be molested,
You will find it better policy to say: --

"We never pay any-one Dane-geld,
No matter how trifling the cost;
For the end of that game is oppression and shame,
And the nation that pays it is lost!"

- Rudyard Kipling

  • Sometimes this is good advice. For some rather vivid counterexamples, read up on Genghis Khan.

    Computer security is of course a whole different thing.

    • The wrath of the Khans was amazing.

      Seemed like your odds of dying were pretty high either way. Give him all your stuff and starve. Or say no and get beheaded..


    • Yes, pros and cons; it's quite possible that by paying one then has enough breathing space to set up better defences.

  • I guess Kipling's knowledge of this had a practical basis, since he was one of the chief apologists for the systematic extortion the British Empire used to enrich itself.

    • (Note - I am from one of the countries invaded and occupied by Britain)

      I must come to Britain's defence here - its behaviour was normal in those times but it did eventually give up most of its "ownership" without actually being defeated in wars. That was pretty amazing.

      By modern standards, British behaviour was despicable, but a lot of the invaded countries got enormous benefits - rule of law, economic infrastructure, transport networks etc. Being invaded (not just plundered) by major cultures has generally had good benefits - in the long term - for the invaded nation as they get a lot of the characteristics of the stronger nation.

      Again, keep in mind that this is not the modern way of looking at things, which is why we have the United Nations and other international organizations.


    • Was he really? The White Man's Burden isn't that ambiguous. Not now, and not even when it was written.

      It was about the Philippine-American war. 2 days after publication in America, it was read in the Senate to argue for the US to end the war.

      One of his more famous stories, The Man Who Would Be King is about two white men who manage to convince an Afghani tribe they're gods. It becomes undone, when one tries to marry one of the women, she attacks him drawing blood, and the tribe's priest declares he is "Neither god nor devil but a man!" (at which point one is brutally killed, and the other manages to flee). It could almost be read as an analogy for colonialism - the white men might have had a technological edge, and used shock and awe to take over, but as the natives catch on to what's happening, the risk of backlash and revolution grows.

      Kipling wasn't firmly against colonialism, but he was a savvy (sometimes cynical) realist. Most colonials were pretty cynical about it.


  • Wouldn't this apply the other way around as well? If you become known as a blackmailer who's true to their word, wouldn't your payment rate go up?

  • (Off-topic)

    That story is absurd, considering that a lot of modern diplomacy is essentially deciding how much Dane-geld you should pay to appease America, Russia, or (insert your regional power here), and how much you could expect in return for promising that you will not pay the Dane-geld to the other side.

    If you don't play, you end up like North Korea, ever so proud for their fierce independence, cut off from everyone else.

    I find this cute tale, from a subject of the British Empire, doubly insulting. If you are powerful and you can extract Dane-geld from others, fine, but stop insinuating that other people pay Dane-geld because they're stupid.

  • Poems by the man who romanticized the colonization of my grandparents' country are always cool, but the logic doesn't hold up. If you're not as well-armed as the British Empire, and you very much do not have the resources to defeat the Dane, it's nice that the end of the game is oppression and shame, but you're going to lose well before you even get to endgame.

    • You do realize why the British called it the "dane geld" and not tribute, right? Because the Dane used to plunder the English and demand gold to go away, and the English learned to their sorrow what happens when you pay the dane geld.

      And I say that as a Dane.


    • The British created your grandparents' country and you should be thankful to them for it. It was nothing but fortunate for India to have sensible men like Charles James Napier working to put an end to barbarism like Sati:

      A story for which Napier is often noted involved Hindu priests complaining to him about the prohibition of Sati by British authorities. This was the custom of burning a widow alive on the funeral pyre of her husband. As first recounted by his brother William, he replied:

      "Be it so. This burning of widows is your custom; prepare the funeral pile. But my nation has also a custom. When men burn women alive we hang them, and confiscate all their property. My carpenters shall therefore erect gibbets on which to hang all concerned when the widow is consumed. Let us all act according to national customs."[1]

      [1] https://en.wikipedia.org/wiki/Charles_James_Napier#Service_i...


    • If you are talking about India, it wasn't a "country" before the British. It was a mixture of disparate kingdoms and sultanates. Not to mention that before the British, most of India was under Muslim colonizers i.e. the Mughals.

      The Indians have always been a conquered people, it is only in the last 70 years that they have had freedom; you should thank the British for it.
