Comment by jameshart
14 hours ago
This analogy seems to be portraying 'ransomware hackers' as an unstoppable force of nature akin to gravity.
I'm not sure that's a fair analogy.
14 hours ago
This analogy seems to be portraying 'ransomware hackers' as an unstoppable force of nature akin to gravity.
I'm not sure that's a fair analogy.
I think it’s a very fair analogy. The _only_ way to stop them is to make your stuff secure. That’s literally the only way.
We do not generally hold victims of crimes accountable for failing to defend themselves adequately.
If someone threatens you with a knife and gets you to hand over your wallet, your bank doesn’t get to say ‘you should have hired better security’ when the mugger uses your credit card.
The problem here is the mugger, and that’s who the state goes after. Even if the victim walked into a bad area. Even if the victim could have defended themselves.
Same with ransomware attackers. They are the problem. We might encourage potential victims to behave in ways that make it less likely for them to be targeted. But if they are targeted, we should still focus our societal disdain on the criminal not the victim.
While I’m sympathetic to this argument (it would be great if the internet were a safe place), in practice this thinking leads to governments trying to impose legislation that hurts legitimate uses but does little to protect from the long tail of harm. There’s little that can be done about North Korean state sanctioned cybercrime without a great firewall.
If the perpetrators of this hack were caught and in a developed country, they would certainly be prosecuted for their crimes and not get off light (especially if any data is actually leaked).
1 reply →
The other side of that spectrum portrays the service providers as pure, negligence-free victims. The truth is probably somewhere in the middle.
Your analogy portrays gravity as a thing that buildings cannot be built to withstand. There are plenty of structurally sound buildings and while there are plenty of secure apps the problem is there’s no incentive to build the latter.
On the contrary.
My analogy would be: of course buildings have to be built to withstand gravity. That’s a natural part of the world that cannot be eliminated.
Buildings are built to stand up to natural forces. But not to, for example, the threat of a malicious actor crashing a plane into them. That isn’t typically considered a reasonable thing to architect civilian infrastructure for.
When you built IT infrastructure likewise you should build it to handle the natural forces it will be exposed to. But are you as accountable for securing it against the acts of malicious parties as a structural engineer is for securing a building against gravity, or as accountable for securing against those acts as the structural engineer is for securing that building against terrorists?