Comment by perlgeek

5 years ago

> I think what people are missing with all these analogies about burglaries and negligence is the funny difference between cyberspace and meatspace: In cyberspace, your attacker can be anywhere on the planet, located in virtually any jurisdiction, and reliably tracing and attributing attacks is a very difficult task. In meatspace, your attacker must be physically present and is generally obvious and thus vulnerable. This difference has dramatic implications on the ability of the enforcement model to reduce incidence of attacks.

The jurisdiction part is the key here, IMHO.

Sure, the likelihood of reliably tracing a single attack to a crew is very low, but a prolific crew has dozens or even hundreds of attacks going on in parallel, so tracing just one of them should be enough to take them down.

However, most crews live in "bullet proof" jurisdictions, where we cannot reach them.

If this practice of ransomware attacks continues, we really need a better solution for that. This could go as far as cutting off the "bullet proof" countries from the Internet, if it weren't for China and Russia, which, simply from an economic and political perspective, we cannot disconnect.

I guess diplomatic solutions are needed, as well as investing more in IT security, secure OSS etc.

The way you have laid out this problem makes it seem similar to the naval piracy issue in the Age of Exploration. You have small, untraceable actors launching both ad-hoc and privateer-style attacks on large national and corporate entities.

Everything you suggested seems valid, and as you pointed out both the carrot and the stick are needed. The European powers enlarged their navies to absorb the surplus of unemployed sailors and used the enlarged navies to hunt the remaining pirates. British naval dominance (followed by American naval dominance) is what makes naval piracy comparatively rare today. I reckon a similar strategy would work digitally (put the best talent in golden handcuffs and hunt down the rest), but I'm not sure anyone has the resources, political will and the national interest right now.

  • > but I'm not sure anyone has the resources, political will and the national interest right now.

    Well, this will change if/when ransomware attacks are becoming a big enough issue to noticeably impact the economy, health care, or something else that politicians and voters care about.

    I'm not an IT security expert, but I do think we are now observing an increased industrialization of ransomware. Some crews specialize in initial attack vectors, and sell them to others who specialize in the lateral movement, and then those resell fully compromised systems to specialists that do the actual ransomware and payment.

    If this trend continues, countries will be forced to take this far more seriously than they do it now.

    • Well sure, but all the potential choices have serious problems. American corporations have participated in weakening the government to the point where it's not capable, nor trusted, to do it. The EU may not have the cohesion, and they may not be able to get buy-in, since (I suspect) this will have to be a thing the Germans push hard for. The UK leaving the Union only throws another wrench in Europe being a solution to the problem. China and Russia's interests are aligned with preventing such a thing from happening globally.

  • Millions for defense, not one cent for tribute. Funny how that makes sense again.

    It even occurs to me that like Tripoli of old, a lot of these "bulletproof" locations have a significant chunk of their economies based around this piracy. Romania's got some towns notorious for this, and India has places where scammy call centers are a way of life for thousands of people.

I saw once that the likelihood of a crime is a function of the likelihood of getting caught and the severity of the punishment.

It's difficult enough getting government departments within the same country to cooperate. Tunneling attacks along several international jurisdictions compounds the problem, especially if the attacker chooses to tunnel through states that are adversaries to the victim nation.

Another solution: plugging attack vectors, like users' ability to run arbitrary non-sandboxed binaries. Server-side systems and thin clients are almost bullet proof. No virii for Chromebooks.

  • How likely do you think this is to make a significant dent in, say, the next 18 months?

    > Server-side systems and thin clients are almost bullet proof.

    Thin clients, maybe. Server-side systems, not so much.

    I remember multiple pre-auth code exec bugs in VPN concentrators and other Internet-facing security appliances this year alone.

    I really want to believe that better security practices can save us all, but somehow I've lost hope during the last 10 to 12 months...