It's never worth it. For $6k you can get actual protection for some time before you upgrade your infrastructure.
For a site the size of ProtonMail, $6K is the cost for protection for a single month. Most of the companies that offer this kind of protection require you to sign a one to three year contract.
There are two kinds of protection: basic HTTP/HTTPS and DNS only (done with DNS and CDN-like servers co-located at peering points), and traffic filtering that is done through BGP and a GRE tunnel. While you can get basic HTTP/HTTPS and DNS from CloudFlare for $200/month on a business account, what ProtonMail needed was BGP/GRE, which at its lowest price is a multiple and an order of magnitude more expensive.
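The practical limit of the first kind of protection is worth making concrete: a reverse proxy only covers the ports it fronts (HTTP/HTTPS), and only if the origin refuses everything that did not come through the proxy; services that must be reached directly, such as a mail provider's SMTP/IMAP ports, stay exposed, which is why a network-layer (BGP/GRE) product is needed for a site like ProtonMail. The script below is an added illustration and is not code from the thread, from ProtonMail or from any vendor. The proxy IP ranges in it are constructed placeholders from documentation address space, not a real provider's published list, and the port sets are assumptions about which services sit behind the proxy.

```python
"""Origin lockdown for proxy-based (HTTP/HTTPS + DNS) DDoS protection.

Added illustration, not code from the thread or from any vendor. The IP
ranges below are CONSTRUCTED placeholders (RFC 5737 / RFC 3849
documentation space), not a real provider's published list; substitute the
ranges your provider actually publishes.
"""
import ipaddress

# Constructed placeholder "scrubbing proxy" ranges (documentation prefixes).
PROXY_RANGES = [
    "192.0.2.0/24",
    "198.51.100.0/24",
    "2001:db8:1::/48",
]

# Assumed split of services. Only HTTP(S) can sit behind a reverse proxy;
# mail protocols must be reachable directly, which is why a proxy-only
# product leaves them unprotected and why network-layer (BGP/GRE) scrubbing
# is needed for a mail provider.
PROXIED_PORTS = {80, 443}
DIRECT_PORTS = {25, 465, 587, 993}


def parse_ranges(cidrs):
    """Turn CIDR strings into network objects, rejecting malformed entries."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_from_proxy(src_ip, nets):
    """True if src_ip falls inside one of the allow-listed proxy ranges."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in n for n in nets if n.version == addr.version)


def classify(src_ip, dst_port, nets):
    """Decide what the origin firewall does with a packet.

    Returns 'accept', 'drop' or 'exposed'. 'exposed' marks traffic the
    allow-list cannot help with: a direct-to-origin port that must stay
    open to the whole Internet, so volumetric floods against it reach the
    origin regardless of the proxy.
    """
    if dst_port in PROXIED_PORTS:
        return "accept" if is_from_proxy(src_ip, nets) else "drop"
    if dst_port in DIRECT_PORTS:
        return "exposed"
    return "drop"


def render_nftables(nets):
    """Render an nftables ruleset that enforces the policy above."""
    v4 = [str(n) for n in nets if n.version == 4]
    v6 = [str(n) for n in nets if n.version == 6]
    ports = ", ".join(str(p) for p in sorted(PROXIED_PORTS))
    direct = ", ".join(str(p) for p in sorted(DIRECT_PORTS))
    lines = [
        "table inet origin_lockdown {",
        "  set proxy_v4 { type ipv4_addr; flags interval; elements = { %s } }" % ", ".join(v4),
        "  set proxy_v6 { type ipv6_addr; flags interval; elements = { %s } }" % ", ".join(v6),
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
        "    # Web ports: only the scrubbing proxy may talk to the origin.",
        "    ip saddr @proxy_v4 tcp dport { %s } accept" % ports,
        "    ip6 saddr @proxy_v6 tcp dport { %s } accept" % ports,
        "    # Mail ports must stay world-reachable: not covered by the proxy.",
        "    tcp dport { %s } accept" % direct,
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    nets = parse_ranges(PROXY_RANGES)
    for ip, port in [("192.0.2.10", 443), ("203.0.113.7", 443), ("203.0.113.7", 25)]:
        print(ip, port, classify(ip, port, nets))
    print(render_nftables(nets))
```

Running it shows a web request from a proxy range accepted, a web request straight from an arbitrary address dropped (the attacker who has found the origin IP gets nothing on 443), and an SMTP connection from that same arbitrary address marked exposed: the allow-list has no say over it, so a flood on port 25 still has to be absorbed upstream, at the BGP/GRE layer the comment above is talking about.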
Isn't Cloudflare around $2,000 a month with no data caps for the high-end package, with $50 a month for the low end? I know reasons why some people avoid them, but I figure there's a similar service in Switzerland that just costs a bit more. That might be what they're referring to for $100,000. I'm curious.
Paying ransom is never worth the long-term costs. Once you've proven to the criminal that you're someone who will pay, they usually try again in the future because you're an easy mark.
Not only that, there is a power imbalance that shouldn't be ignored: the criminal has more experience in these kinds of confrontations than you do. Sam Harris has a very good article on this topic[1]; while he is discussing violent interactions on a personal level (e.g. mugging), the principles apply to many situations. The short version is that the criminal is trying to draw you onto their turf and to play by their rules. Almost always you will only make your situation worse when you let the criminal set the rules.
[1] http://www.samharris.org/blog/item/the-truth-about-violence
> Paying ransom is never worth the long-term costs.
I am amazed at how many people are making this claim confidently in this thread. It's clearly wrong. Very, very often it's definitely worth the cost, because very often you will never see the same criminal again. Consider:
"Don't pay ransoms, because (1) you'll get extorted again once the criminal knows you're an easy mark and (2) if everyone always refuses to pay, criminals will have no incentives to try and extort."
versus
"Don't pay muggers, because (1) you'll get mugged again once the mugger knows you're an easy mark and (2) if everyone always refuses to pay muggers, muggers will have no incentive to mug."
Yes there are cases, like if you're the government, where you are very long-lived and your reputation is reliable such that having a stated, followed policy of not being extorted works. But for individuals, it's just not feasible most of the time. You probably won't see that mugger/extorter ever again, and it's very unlikely that most victims will refuse.
Muggers are typically not going to come across the same victim twice and word does not spread that you are 'an easy mark'. So the advice to people being mugged is to simply give your stuff rather than to try to put up a fight.
But extortion is different than mugging. See, in extortion you have a perceived weakness other than that you fear for your life and that weakness has subscription possibilities, unlike mugging people. For instance one simple defence against muggers would be to have nothing on your person. Hard to mug you in that case. But since the ransom victim can't really change the nature of his business (short of removing themselves from being online) they will always be open to a replay.
Individuals are not the parties being extorted here, it's companies with some degree of success and visibility. I pretty much guarantee you that every larger entity online has either been prodded by extortionists or will be prodded in the near future. This is a very large business and everybody that pays makes it a bigger issue because of the perceived easy money drawing in ever more prospective extortionists.
Muggers != extortionists. Blackmailers are extortionists and they always come back until they get stopped through some other means (for instance the authorities) or until you tell them to do their worst.
In the case of one Dutch bank this led to intermittent outages over the course of several weeks, but eventually they got things under control and there hasn't been a problem since. If on the other hand they had paid, I'm pretty sure that they'd be paying a nice monthly protection fee. "It'd be a terrible thing if something happened to that nice website of yours." It's just the same tactic as the mob employs against shops.
No, it's not worth it.