NotPetya
Andy Greenberg wrote a fascinating account of the Russian NotPetya worm, with an emphasis on its effects on the company Maersk.
BoingBoing post.
Comments
Vesselin Bontchev • August 28, 2018 7:36 AM
It’s a very nice read (well-written and captivating) but it is full of omissions and inaccuracies from a technical point of view.
The thing wasn’t “the fastest spreading worm, ever”. SQL Slammer, anyone? Infected every single vulnerable computer in the whole goddamn world within 10 minutes! This thing didn’t even have code to spread over the Internet. The only reason it spread widely was because of idiotically configured LANs.
The claim that it was designed to destroy and (possibly) hide evidence is complete bollocks. It was just a shitty, badly written ransomware, possibly on a deadline, and contained stupid errors. OK, so the MFT encryption key was overwritten and lost, making decryption (of the MFT!) impossible. Fine, let’s assume that this was intentional. But! What the article doesn’t mention, is that just like the original Petya, this thing also encrypted files, if the user it had infected didn’t have the rights to modify sectors on the disk directly (i.e., wasn’t admin). And in these cases the files are perfectly decryptable! (Provided that you have the key of the authors, of course.) Sure, the file encryptor was buggy too (the AES IV wasn’t re-initialized for every new encrypted file, so the files have to be decrypted in the order in which they were encrypted), but it worked and was decryptable with the proper key, unlike the MFT encryption.
Tell me, if somebody really wanted to make a destructive program that masqueraded as a ransomware, why the hell would they bother making a half-working one? There are so many more efficient ways to destroy information!
Most likely, somebody took a Petya variant (the Goldeneye variant, to be precise) and started making changes to it – changed the author’s public key and made some other changes, screwing up in the process.
Now, I am not competent to comment with authority on blaming the Russian government for it, but consider this. The supply-chain compromise (M.E.Doc) was top-notch. Sure, they were running outdated software with known vulnerabilities and, theoretically, any script kiddie could have pwned them, but still, it was done professionally. It’s certainly believable that this was Russian intel.
Then, consider the network worm mechanism. Again, very well done. The NSA exploits were adapted and implemented much better than in WannaCry. Could it have been Russian intel again? Not so confident about this one, but sure.
Finally, consider the ransomware component. It was total shite, buggy as hell. It was bad as ransomware, and it was bad as a destructive program. No way the Russian intel was responsible for this. They are more competent than this…
In my (unprofessional) opinion, the Russian intel gave the infrastructure (the M.E.Doc compromise) and the tools (the exploit implementations and the LAN crawler) to some incompetent cyber criminals (Russian intel is well-known to cooperate with cyber criminals and use them for its own purposes) and told then “cause grief to Ukraine”. And notPetya was the result.
In fact, if you read carefully what the US government said on this subject, they didn’t outright claim that the Russian government wrote and released this thing. They said that the Russian government bears responsibility for it – which would certainly be correct, if they gave to the cyber criminals the means to make and distribute it.
And the thing hit Russia badly, too. The article mentions en passant that Rosneft was hit – but many, many other Russian companies were hit too – banks (Sberbank, HomeCredit), gas companies (Rosneft, Bashneft), mining companies (Evraz), medical companies (Invitro), etc. Depending on whose anti-virus company’s statistics you look at, Russia was hit the second hardest, after Urkaine. An “official” Russian intel operation would have never allowed itself to cause so much collateral damage to their own country. It would simply have been irresponsible.
Furthermore, what the article doesn’t make clear, is that the worm didn’t rely on exploits alone. Even if the two Ethernal exploits it used (EternalBlue and EternalRomance) didn’t work, it could spread perfectly “legitimately” by stealing login credentials from memory with Mimikatz and using PsExec or WMI to start processes remotely with these credentials on other machines.
I can’t be bothered to list more flaws in the article, but there are many. I’ve repeatedly asked the author if he was interested in technical corrections and he never bothered to reply. Clearly, a “good read” is more important to him than a technically accurate one.
So, take the article with a grain of salt.
Dimiter Shalvardjiev • August 28, 2018 8:41 AM
Good afternoon,
I also tried to provide technical corrections, but given my Slavic name (though not Russian) I did not expect an answer. Unfortunately, as with all wars, it seems the more we get into this one, the more radically different we would stereotypically assume “the others” are.
Anyway, I assume some truth – and not just accusations – could be established only by inspecting Patient Zero, which would be impossible, of course.
Lastly – for organizational or operational reasons the companies that were hit the hardest were extremely poor in their security practices. Remember the saying “don’t be the lowest hanging fruit”? Unfortunately, there are too many companies with that same level of attention to security, and the business justification is clear-cut:
infosec = cost = bad.
Bill Paxton • August 28, 2018 8:59 AM
Well, speaking as a totally objective Anglo with no Slavonic heritage, I fail to see any link to the Russian state. It just sounds like some guys from Great Rus realized they had a really convenient attack vector against some incompetently maintained systems in Little Rus. Having mostly mutually intelligible languages no doubt helped them track down vulns.
Izzy Stone • August 28, 2018 10:01 AM
The tone of this article is ridiculous. The entire world shut down? Read the last paragraph and subtitle. As in ZERO journalistic integrity.
Wired has no shame. Greenberg is a corporate shill, hyping threats to lure
eyeballs and please advertisers.
And now Bruce Schneier is a part of it too for amplifying the message.
Ransomware is going to end the world??? Tell that to people being killed every day by bombs and bullets in the Middle East.
Shameless…
Winter • August 28, 2018 10:20 AM
There is a predictable response of denial whenever Russia is accused of doing anything bad. Be it invading the Crimea, shooting down a comercial airline plane, or hacking US political parties.
In this case, it is no difference. Even though Russian forces have attacked Ukraine for years now by any means they have, this one case should not be even considered as being yet another attack.
The argument that Russian companies were hit to is empty. Incompetence has been observed to exist in Russia before, amply. So incompetence could have been a cause here.
Also, malware that paralyses a fifth of the freight carrying capacity at sea is serious. Attempts to portrait notpatya as just a small nuisance seem to me to be in line with the campaigns of denials of Russian involvement.
Bill Browder • August 28, 2018 10:59 AM
Ok, check, not Russia, check, it’s all Stuxnet and the U.S.’s fault. Sounds like the Trolls are out. Not that I am saying they are Russian, but you know, quack, quack. Denial and what-about-ism and all that, seems like a familiar and well known tune.
You know a good portion of attribution is consistency of features.
Although I agree, most enterprise’s security is atrocious. BTW, Loved you Bill Paxton in the movie “Twister”.
Hmm • August 28, 2018 1:19 PM
“Wired has no shame. Greenberg is a corporate shill, hyping threats to lure eyeballs and please advertisers.”
“Writer writes words, yet critics critical”
It’s almost like… they want to… sell… their publication? Crazy right?
Jack • August 28, 2018 2:02 PM
I agree 100% with Winter and Bill Browder : Computers got hacked, of course it’s evil commie-Putin behind it. No-one else, not even Bruce Schneier or Chuck Norris, can hack computers. Even Hillarys “private” email server was hacked by commie-Putin and not, as reported in the irresponsible media, by commie-China.
Assange is also commie-Putin, wikileaks is the KGB and I’ve about had it with this neocon warmongering russofobia .What, your banksters dont get to rob russia blind anymore ? Buhuhu….
Etienne Mathieu • August 28, 2018 2:28 PM
Moving NATO to the Russian border was a stupid plan. Dissolving NATO would save trillions of dollars. If anyone attacks the west there are 4000 nukes on alert. NATO countries won’t be anything except a speed bump.
Bill Paxton • August 28, 2018 2:40 PM
Thanks Bill Browder (not the actual lying mob-tied oligarch I presume)?
I’m actually libertarian economist Michael Bolton, but I keep getting tired of getting confused with that other guy.
Hmm • August 28, 2018 2:51 PM
@Dulles
It’s called Wired magazine. I did look it up, I found and posted the article yesterday.
I found the NotPetya details related well with the previous subject, cyberwarfare.
Threats are actually not being inflated, these are known-possible attacks that could happen.
Whether the author’s conclusions are accurate or not is debatable, but most of this is possible.
All threats are inflated until they happen. Then it’s “why didn’t we see this before?”
Well, people write articles like this both to sell magazines and to debate possibilities.
To get upset about that is to misunderstand either rationale.
@Jack
The fact is Russia is proven and accepted to have been involved. (QAnon fetish nonwithstanding)
You can pretend otherwise but you’d need some serious evidence to counter the existing.
You’ve got foregone conclusions upstairs that your outstretched finger is trying to point at.
If you just want to take us down the gaslit path of epistemological nihilism, no.
Not even Rudy Giuliani is going to be able to deny all the evidence and win.
If you want to actually discuss the details you should probably read some.
Both Russia and China attempt to undermine and influence US govt functions daily.
One does not disprove the other. When the Mueller report lands, I’ll be sure to CC you.
No doubt you’re going to have trouble admitting it exists also.
echo • August 28, 2018 2:59 PM
There’s three layers to this issue atleast.
- Geo-politics.
- Organisation.
- Attribution.
It’s all a bit of a mess.
vas pup • August 28, 2018 3:01 PM
@Etienne Mathieu.
Your post sounds reasonable. The only part needed to be incorporated in NATO was Eastern Germany as part of unified Germany. All other former Soviet satellites (including former republics after USSR collapsed) should accept status of buffer (at least for 50 years – nothing is forever) between NATO and Russia kind of Austria and Finland neutrality.
Bill Browder • August 28, 2018 4:17 PM
Bill Paxton/Michael Bolton, I probably should have used a nom-de-plume like you, something like, Sergei Magnitsky. Only a Russian troll would call me a mob-connected oligarch. Oops, there goes my russophobia again; Apologies Jack, must be all those Interpol red-notices the Russkies keep issuing to get me, they just irritate me so much (the red-notices I mean). BTW, Love your music Michael, hey you might want to consider doing a cover of or duet with, PussyRiot, if they aren’t still jailed. If I may suggest, a really great read, “Red Notice”… oops… that russophobia is showing again… my my.
Anon Y. Mouse • August 28, 2018 4:53 PM
@Bill Paxton
I thought you were the Initech programmer Michael Bolton.
Ramsi • August 28, 2018 5:13 PM
Given the state of the hacked network there is merit in penalising the companies which make it easy for the hackers.
Carl Bernstein • August 28, 2018 5:34 PM
@Hmm
“How a single piece of code crashed the world” – This isn’t journalism, it’s cheap salesmanship.
“Salesmen sell snake oil, yet critics not buying it”
Take ransomware and make it sound like nuclear war. It’s an insult to anyone who lived through Hiroshima.
Hmm • August 28, 2018 5:57 PM
@Bernstein
Well again, it’s Wired magazine’s feature. They sell it. Describe it any way you like.
It’s a mixture of facts packaged by opine/analysis.
You have hit on one or a few hyperbolic thematic lines in it that are overblown, true.
You’re right, the whole world didn’t crash. It’s also not a “single piece of code” really.
That is inaccurate I agree. What else?
I wonder if you’re also then doubting the widely reported details specifically, or not?
AFAIK Wired did not invent those, the author just supplied the narrative, conclusions.
I can see how an unreliable narration would lead you to question the entirety. Absolutely.
So question it. Find sources that conflict, contrast them. I’m certainly not trying to vouch for every bit byte or conclusion in that piece, but it’s the specifics that will make or break it as a work of non-fiction. Break away, you have my blessing.
Hmm • August 28, 2018 5:59 PM
“Take ransomware and make it sound like nuclear war. It’s an insult to anyone who lived through Hiroshima.”
Obviously if anyone reading this lived through Hiroshima, that’s not a comparison I made.
If you could point to what I said that gave you that impression, I’d appreciate it.
bender • August 28, 2018 6:31 PM
The malware’s goal was purely destructive. It irreversibly encrypted computers’ master boot records… Everything … from notes to contacts to family photos, was gone.
Huh? Any halfway competent IT admin can retrieve data from a machine with a corrupted MBR.
Then again, no halfway competent admin runs unpatched Windows machines with no backup.
One would hope that some companies learned an expensive lesson, but I’m not holding my breath.
Jonathan Wilson • August 28, 2018 7:50 PM
The fact that this destructive piece of malware only existed because of a vulnerability the US government knew about but kept secret is the perfect example of why allowing anyone (be it law enforcement, intelligence, government agencies, companies, hacking groups or otherwise) to buy/collect/retain/use/keep secret vulnerabilities in commercially available software is a BAD idea. I dont care if that means some bad guy doesn’t get caught (or that some crime gets committed that would otherwise not have been committed), the risks to the world when (not if) the bad guys discover or obtain the otherwise secret vulnerability and use it for nefarious purposes are too great.
The same applies to the ridiculous notion that some law enforcement and intelligence agencies have whereby companies should be forced to add intentional backdoors in their software.
Hmm • August 28, 2018 8:20 PM
@Wilson
Well if you know the history of “what SMB is” and how it got there, it’s less a nefarious spyplot and more the usual “leaving legacy cruft in windows” problem. There have been dozens and dozens of vulns discovered since the 1990’s, and @asimov above is correct, people probably “should have been” making sure it was disabled even before the attack. But I don’t believe it was “one big vuln” that “the gubmint only” knew about and kept to themselves that caused this; it’s more like there are dozens and hundreds of vulns out there per platform, known/unknown, some discovered and others not public, some half-discovered but not fully scoped, all the time in common platforms just waiting for someone to figure out how to chain them into an attack.
https://www.theregister.co.uk/2014/12/10/x_window_system_bugs/ -27 year old bug, for example.
You can shout and stomp your feet and send out CVN advisories until you’re blue in the face.
Folks knew SMB/netbios/ipx had serious holes for a long time. They used it anyway.
From wiki:
SMB / CIFS / SMB1
Barry Feigenbaum originally designed SMB at IBM with the aim of turning DOS “Interrupt 33” (21h) local file access into a networked file system.[11] Microsoft has made considerable modifications to the most commonly used version. Microsoft merged the SMB protocol with the LAN Manager product which it had started developing for OS/2 with 3Com around 1990, and continued to add features to the protocol in Windows for Workgroups (c. 1992) and in later versions of Windows.
SMB was originally designed to run on top of the NetBIOS/NetBEUI API (typically implemented with NBF, NetBIOS over IPX/SPX, or NBT). Since Windows 2000, SMB runs, by default, with a thin layer, similar to the Session Message packet of NBT’s Session Service, on top of TCP, using TCP port 445 rather than TCP port 139—a feature known as “direct host SMB”.[5]
Windows Server 2003, and older NAS devices use SMB1/CIFS natively. SMB1/CIFS is an extremely chatty protocol, in that it makes inefficient use of networking resources, particularly when transported over expensive WAN links. While Microsoft estimates that SMB1/CIFS comprises less than 10% of network traffic in the average Enterprise network, that is still a significant amount of traffic. One approach to mitigating the inefficiencies in the protocol is to use WAN Acceleration products such as those provided by Riverbed, Silver Peak, or Cisco Systems. A better approach is simply to eliminate SMB1/CIFS by upgrading the server infrastructure that uses it. This includes both NAS devices as well as Windows Server 2003. The most effective method in use currently to identify SMB1/CIFS traffic is to use a network analyzer tool such as Wireshark, etc., to identify SMB1/CIFS “talkers” and then decommission or upgrade them over time. Microsoft also provides an auditing tool in Microsoft Server 2016, which can be used to track down SMB1/CIFS talkers.[12]
In 1996 when Sun Microsystems announced WebNFS,[13] Microsoft launched an initiative to rename SMB to Common Internet File System (CIFS),[11] and added more features, including support for symbolic links, hard links, larger file sizes, and an initial attempt at supporting direct connections over TCP port 445 without requiring NetBIOS as a transport (a largely experimental effort that required further refinement). Microsoft submitted some partial specifications as Internet-Drafts to the IETF,[14] though these submissions have expired.
Hmm • August 28, 2018 8:25 PM
“A better approach is simply to eliminate SMB1/CIFS by upgrading the server infrastructure that uses it.”
We at least until recently still had/have US Naval vessels running XP.
https://slate.com/technology/2018/06/why-the-military-cant-quit-windows-xp.html
You can only imagine the small and medium and large businesses in similar boats, so to speak.
XP? That’s a relatively new system, compared to the Defense Department:
https://www.thoughtco.com/nuclear-weapons-computers-using-floppy-disks-4060269
What about XP networked over secure 56kb lines?
gordo • August 28, 2018 10:07 PM
Excerpt from the last couple of paragraphs in the Sandworm book excerpt:
“Somehow the vulnerability of this Ukrainian accounting software affects the US national security supply of vaccines and global shipping?” asks Joshua Corman, a cybersecurity fellow at the Atlantic Council, as if still puzzling out the shape of the wormhole that made that cause-and-effect possible. “The physics of cyberspace are wholly different from every other war domain.”
In those physics, NotPetya reminds us, distance is no defense.
Nor is time.
Vesselin Bontchev • August 29, 2018 6:25 AM
@Dimiter Shalvardjiev, my name is also Slavic (I’m Bulgarian) but it didn’t occur to me that this has prevented the journalist from seeking additional information. That would be highly unprofessional. I am, after all, an authority in the field of malware of world renown and he himself asked any victims who wanted to share their stories to contact him (and, obviously, many of them would be Ukrainian or Russian and would have Slavic names, too).
I am going to ignore all the politicized ignoramuses who have commented on both sides of the issue here but, yes, I have noticed that the West tends to blame Russia even when it is innocent (consider the idiotic campaign against Kaspersky, for instance), and Russia tends to deny things even when it is obvious that they are to blame. As they say, truth is the first casualty in a conflict. Anyway, I’ll try to stick to the facts when responding below.
@Winter, you are clearly not familiar enough with Russian malware. The criminals there usually take special precautions to ensure that they don’t hit Russian targets. This is because the law enforcement there tends to let the cyber criminals do whatever they want (and even occasionally uses their services), as long as they don’t hit anyone in Russia. “Не работай на ру” (“don’t work on Ru”) is a common saying among the hackers there. Trust me, if they cared to exclude Russian targets, they would have done so.
Instead, what we have, is sheer incompetence. Clearly, the idea was to hit Ukraine (and maybe everybody who was doing business there) and they didn’t even bother to think about the possibility of the thing spreading outside the country. That fits the profile of stupid cyber criminals – not of serious intelligence professionals.
I am not saying that the malware wasn’t serious. I am saying that the ransomware component of it was badly written, buggy as hell, and created by an incompetent, not by a professional. It was bad as ransomware and it was bad as a destructive program. There are much better ways to cause damage; some of them even invented by a countryman of mine.
@Hmm, I’m a pro in this field, OK? (Google me.) Of course I’ve read these articles. They are wrong. Especially the second one, you might want to look up me (@VessOnSecurity) arguing on Twitter with its author (Matt Suiche) on this subject at the time.
You can decrypt the files. It’s only the MFT encryption that loses (overwrites) the encryption key. Many other ransomwares have used a single point of contact. This thing is just a buggy, incompetently written piece of crap.
If someone wanted to destroy information while masquerading as ransomware, all they had to do is make proper ransomware (thus masquerading well, not like this shit) and simply not providing a decryption key when the ransom is paid. This would have a much better effect than notPetya – it would hide the destructive goal better, it would be more competent, and it would cause double damage (not only information would be lost, but victims would lose the ransom, too). They could even provide a decryption key for free to any Russian victims, thus negating the home country collateral damage. And all this assuming they wanted “visible” destruction. If they wanted to be sneaky, too, there are even more efficient ways – slowly corrupting random data over time, so that by the time you notice that something is amiss, you backups are corrupted too. If you think that the Russian intelligence services are too stupid and ignorant to figure that out, you’re not giving them enough credit.
@bender, the thing did not encrypt the MBR (although part of it resided there). That would have been, indeed, trivial to recover. It encrypted the MFT (the Master File Table; a critical part of the NTFS file system, somewhat similar to the FAT in functionality). Recovering that is impossible. Some (few and small) data files might have been recoverable from their headers, but even that is extremely unlikely. A digital forensics professional probably could get some data back from the encrypted disk but it would have been way too much trouble and the results would have been very mediocre. Much easier to restore from backups.
@Jonathan Wilson, you didn’t read my comment, did you. And the incomplete and inaccurate Wired article has succeeded misleading you. Yes, notPetya used exploits developed by the NSA. But it didn’t rely on them alone. It would have spread very well even without them. You might want to blame the NSA (discovered the exploits), or Russian intel (stole the exploits from the NSA and released them publicly), or Microsoft (whose software was vulnerable in the first place), or the French author of Mimikatz (which this thing used to steal credentials from memory) – but I prefer to be practical and blame the people who released notPetya. I just disagree that they were Russian intel.
Phaete • August 29, 2018 7:57 AM
Propaganda
Propaganda is information that is not objective and is used primarily to influence an audience and further an agenda, often by presenting facts selectively to encourage a particular synthesis or perception, or using loaded language to produce an emotional rather than a rational response to the information that is presented.
Propaganda is often associated with material prepared by governments, but activist groups, companies and the media can also produce propaganda.
The Wiki definition fits snuggly. (as pertaining to the original article, not the discussion here)
Clive Robinson • August 29, 2018 8:10 AM
@ Bender,
Then again, no halfway competent admin runs unpatched Windows machines with no backup.
Every time I hear this I wince. As I have pointed out a few times hear “backups alone are insufficient” that is there are all sorts of nasties that can be hidden away in backups in a transparent way that at some point you will find to your cost is as much use as an encrypted hard drive from Ransom ware.
So you have to test your backups and to do it properly is a long process involving entirely seperate hardware.
The odd thing is that few people talk about what can be done, how, and how you detect it or mitigate it.
echo • August 29, 2018 2:42 PM
@Clive
The odd thing is that few people talk about what can be done, how, and how you detect it or mitigate it.
I have noticed this with bureaucratic systems too. I’m not sure if it’s a form of Stockholm syndrome or failure to communicate. Perhaps it’s a lack of education and experience? Systems tend to degrade to lowest common denominators. When mitigating a disaster or cleaning up from a disaster things always seem to require external input. At some point it’s usually a management failure of some form.
If I hear one more person say “we have a policy” or “we don’t have the resources” I will scream. This happens even with known critical issues. Organisations are typically riddled with this attitude even at a corporate governance level. (What corporate governance?) You really notice this with discrimination issues because this often brings out the worst habits.
Back to your initial point I have probably heard two maybe three people in the past decade even raise this. It’s rarely a topic of discussion in itself. There must be a psycho-scocial reason for it. I suspect comfort zones and mental shortcuts play a role.
Perhaps disaster or challenging on the surface small mistakes doesn’t happen often enough? Because of this people may reject the potential reality if it disagrees with the model in their head?
Sancho_P • August 29, 2018 4:58 PM
@Vesselin Bontchev
I agree with all your arguments but one: ” [that] … fits the profile of stupid cyber criminals …”
I think the guys were neither stupid nor (ordinary) cyber criminals [1].
For “stupid” it was too good, for professionals it was too bad, and the motive was not personal enrichment. The whole thing was a mess, so I’d call it terrorism.
Terrorist = fanatic + crazy.
The one and only target was the Ukraine, the rest was (likely not intended) collateral damage. (East) Ukraine has a lot of fanatic and crazy-bright guys, mostly Russians, and they are motivated as hell (that’s something I can understand).
So I’m convinced “the Russians” did it – and they did it only to destroy America!
We need more sanctions, e.g. never again allow Trump to talk to evil Putin.
Be aware, Reds are everywhere!
[1]
Generally, the motive for a criminal is personal enrichment / benefit.
Having a global, more abstract motive (religion, politics, “liberation”, inner voices, racial hate, resources, …), though involving criminal methods, nowadays would be called terrorism – or Nazzional Security, depending on the side you are.
Hmm • August 29, 2018 5:20 PM
@Bontchev
“I’m a pro in this field, OK? (Google me.) Of course I’ve read these articles. They are wrong. Especially the second one, you might want to look up me (@VessOnSecurity) arguing on Twitter with its author (Matt Suiche) on this subject at the time.
You can decrypt the files. It’s only the MFT encryption that loses (overwrites) the encryption key. Many other ransomwares have used a single point of contact. This thing is just a buggy, incompetently written piece of crap.”
I agree it’s buggy.
I actually do know who you are, lol, but that alone is not a magic feather. What you’re saying directly contradicts what others (plural) are saying about the user string being incorrectly (random data) fed into the hash such that the result is garbage and could never be decrypted as advertised.
But that’s not even the worst part, they used a hard-coded email with a german ISP that was almost immediately noticed and sunk, so there was no way to get in touch with the author to decrypt the files because of that – previous iterations of the code did not have that problem, they generated the contacts recursively like most ransomware knows to do for a while now. Oh yeah, and they used a single hardcoded bitcoin purse.
So that IS incompetent, I don’t know if we’re agreeing or disagreeing, but it’s SO incompetent that on total it appears to be masquerading as ransomware incompetently. Quite a waste of zero-day vulns and side-jumping techniques if they were only after money.
“The only communication with these threat actors was going to be through that one email account that got terminated pretty quickly by the ISP,” he says. “The second mistake was the fact that there’s a single Bitcoin wallet. That’s the way of tracking who’s making the payments and who isn’t. So if somebody posted a payment to that wallet, anybody else could say, ‘Hey, I’m the one who posted that payment, give me my key.’ There are multiple flaws with the payment method, which clearly indicates that those guys may not have been interested in generating revenue.”
-Mounir Hahad, senior director and head of Cyphort Labs. (also does this for a living)
https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/
“In previous versions of “similar” ransomware like Petya/Mischa/GoldenEye, this installation ID contains crucial information for the key recovery. After sending this information to the attacker they can extract the decryption key using their private key.
This installation ID in our test case is built using the CryptGenRandom function, which is basically generating random data.
If we compare this randomly generated data and the final installation ID shown in the first screen, they are the same. In a normal setup, this string should contain encrypted information that will be used to restore the decryption key. For ExPetr, the ID shown in the ransom screen is just plain random data.
That means that the attacker cannot extract any decryption information from such a randomly generated string displayed on the victim, and as a result, the victims will not be able to decrypt any of the encrypted disks using the installation ID.
What does it mean? Well, first of all, this is the worst-case news for the victims – even if they pay the ransom they will not get their data back. Secondly, this reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive.”
-Anton Ivanov, Orkhan Mamedov (Also do this for a living)
So Mr. Bontchev I’m not arguing against your reputation, skill or profession.
I’m saying you’re contradicting a lot of also-professional people and perhaps not overriding what they’re saying with new compelling information that makes me the casual reader believe what you’re saying is in fact considering all aspects of why NotPetya is not now considered to have competently attempted to be ransomware, and is more likely a destructive targeted masquerade.
Hmm • August 29, 2018 5:22 PM
“Quite a waste of zero-day vulns and side-jumping techniques if they were only after money.”
-I had meant to add, because they got very nearly NO MONEY out of it!
gordo • August 29, 2018 9:21 PM
Off-topic . . . The M.E.Doc/NotPetya episode certainly did nothing to help Kaspersky Lab: “This is one reason why software updates can be so dangerous. . . .“
Winter • August 30, 2018 3:48 AM
@Vesselin Bontchev
“Instead, what we have, is sheer incompetence. Clearly, the idea was to hit Ukraine (and maybe everybody who was doing business there) and they didn’t even bother to think about the possibility of the thing spreading outside the country. That fits the profile of stupid cyber criminals – not of serious intelligence professionals.”
Clearly, the idea was to hit an Ukrainian air-force plane, not a Malaysian airliner. That they hit the MH17 and killed 300 odd civilians was sheer incompetence.
Still, those involved were part of the Russian military forces and the orders came from Russian officers.
Stupidity and incompetence are widespread. The CIA behaves in incompetent and outright stupid ways, so do Russian officials, and Chinese.
saunterer • August 30, 2018 11:41 AM
Attribution is a mugs game here, it’s not a rabbit hole worth chasing without hard data. Particularly since it’s tied so closely to nation-state identity these days. (Unless you like being played by propaganda agencies).
The more interesting aspects here relate to other things:
- lousy security, everywhere, all the time.
- lousy policy on good IT hygiene
- tactical capabilities of an adequately equipped “cyberwarfare” offensive unit. (criminals, intel, military, basement dwelling 14 year olds, whatever).
An interesting question might be what a cyberwarfare defense unit would look like. What could they do, defensively? What policies and politics would be required to effectively detect & contain this class of threat.
What would have been required for a defense unit to detect Maersk’s impending infection and isolate the attack vectors?
Hmm • August 30, 2018 12:48 PM
@saunterer
“What could they do, defensively?”
Maersk replaced 10,000 pc’s within a week. Probably not feasible for most shops.
Expect disruptions. How many companies are going to have redundant infrastructure on different platforms that they can switch to seamlessly? How many states/municipalities will?
Defense is d/c and shutting down machines as fast as possible until the threat is understood.
It requires realtime knowledge that you’re under serious attack. Most shops don’t have that.
Imagine what a coordinated attack that instead intended to do massive damage could look like, as opposed to NPetya which did massive damage anyway despite being relatively uncoordinated in distribution and control. Instead of even having the chance to frantically unplug machines as/before they were infected, most machines in a platform are silently infected/mapped and a coordinated C&C waits to activate destructive payloads simultaneously to achieve the massive % outages as the goal. Now imagine that attempted on several major platforms at once, tens or dozens of zero days, coordinated overlapping sustained campaigns.
It does sound far fetched, but if you would have asked Maersk about the state of their security in the days before NotPetya one imagines they likely would have responded fairly confidently. They must have had some decent contingency planning ready to go to be in a position to replace 10k machines in a week. Still, that’s a tough week, and this was for a relatively uncoordinated single worm attack. It could go a lot worse.
saunterer • August 30, 2018 1:00 PM
@Hmm
part of the narrative from the Wired article is that they’d had substantial deferred security tech debt prior to the attack.
my contemplation is less of what an individual company can do, and more what a nation-state’s defense units could do.
I wonder if a Great Firewall of Defense could be stood up (deep packet inspection, pattern matching, etc, etc, etc) and companies who want to be defended against by the cyberdefence unit route their comms through there. Maybe the cyberdefence unit could offer on-machine agents to monitor behaviors and feed into a C&C defense center. What could be done here?
(this is speculative, I expect most companies would never route comms and place an on-server/laptop daemon)
Clive Robinson • August 30, 2018 2:11 PM
@ Hmm, Saunterer,
They must have had some decent contingency planning ready to go to be in a position to replace 10k machines in a week.
The thought occurs as to just how many of those 10K machines were connected to the Internet and Why?
Nearly every company I’ve visited have most if not all their desktops and servers located internally where you could if you knew just a little more than “Joey the script kid” access them from a public network or access point.
When I ask people “Do you leave all the windows and doors open?” it takes a moment for them to realise I’m talking “tangible world” physical objects not “intangible world” information objects. But when they answer “no, of course not” and I ask “Then why do you do it with your ICT?” they start to get the message.
Whilst computers might be free with their favours to anyone who knocks, there is no reason why your business should be the ICT equivalent of a brothel…
And no employees in the main do not require Internet connectivity, external Email, or external Instant messaging, etc. the sooner business leaders grasp this fact the easier the job of the ICT staff will become.
Oh and based on other information going back to the hey day of short hand, office staff are likely to be somewhat more productive.
Hmm • August 30, 2018 2:17 PM
“What could be done here?”
It’s a good question but they already have monitoring going on at the backbone level.
They can shut down routes and sinkhole domains, whole ISPs, there’s a lot that “can” be done.
It’s dependent on the attack and what the least-effort effective mitigation is right?
But that takes time. You have to see that coming, you don’t want to be caught flat at zero hour.
So you have to actively seek out these code bases, actor groups, signatures, methods, motivations.
They do a pretty good job of it I think, there’s a lot of resources “watching” for things.
Do they see everything ahead of time? Absolutely not.
https://en.wikipedia.org/wiki/V-weapons – Vergeltungswaffen, reprisal weapons.
If we are attacked, “someone” is thus attacking. There would no doubt be reprisals.
Deterrence. The nuclear option. That’s probably a big chunk of what “can be done” beforehand. “You kill our networks, we’ll kill yours.” Either way the mantra : expect disruptions.
Clive Robinson • August 30, 2018 3:03 PM
@ Vesselin Bontchev, winter,
… they didn’t even bother to think about the possibility of the thing spreading outside the country. That fits the profile of stupid cyber criminals – not of serious intelligence professionals.
From what I remember stuxnet had all sorts of “serious intelligence professionals” working on it.
But it poped up in unexpected places…
In fact it was this that alerted me to the fact that stuxnet’s real target could be another country than Iran. The appearance in asia gave rise to who it could be and the “Hermit Kingdom” of North Korea so sprang to mind. Further checking improved my confidence as to why it should be both Iran and NK, and it was Pakistans Abdul Qadeer Khan and his little Swiss organisation.
I gave my reasons and got told I was wrong, then the US came out and admitted it…
As for NotPetya the most obvious perps are disefected Russian’s, but in the “Great Game” of “Smoke and Mirrors” what is “most obvious” may well be what another party wants you to think.
Attribution is hard and realy can not be done by the way many go about it. I would fully expect the likes of the NSA and GCHQ et al to only get it right less than half the time when it comes to the likes of those who can think at or near their level (which is a lot more people than you might at first guess).
It’s something you need “Human Intelligence” on, by either “methods or sources”. As we know from loose lips in the US both the Dutch and Israelis have used technical methods to gather HumInt, which are now “ashes on the floor”. The UK are known to run sources via boots on the ground which again loose US lips have “burnt”. The loose lips of I. Lewis “Scooter” Libby sometime lawyer and sidekick to Dick Cheney apparently burnt one of their own. Not exactly a good record…
Oh then we get to hear all those other little US security slips that the Chinese are alleged to have benifited from greatly… But currently it’s “Russiafobia” driven by Democrat interests…
But guess what the US IC lost some tools, which also included some designed to do “False Flag” type false attribution… So the US appears to get a “low grade” on being “serious intelligence professionals”…
But once you consider “False Flag” software and similar methods, it could have been anybody running such an Op to look like who ever they wanted it to look like…
All jolly good fun, as you chase the white rabbit down it’s burrow, at the end of which is a maze of twisty little passages each nearly the same but different, which way to go, do you leap left, right, or just run ahead, or to and fro?”
Hmm • August 30, 2018 3:39 PM
@Clive
“But currently it’s “Russiafobia” driven by Democrat interests…”
Uh, nope. That’s driven by DOJ/FBI interests. The law.
If it were actually a ‘witch hunt’ you wouldn’t find so many witches turning state’s evidence.
You were right about attribution being difficult. Your political bent however is disprovable.
Hmm • August 30, 2018 3:45 PM
You don’t have to trust CNN, but they’re just reporting what the FBI said.
Mueller, Republican. Comey, Republican.
Sessions, Republican appointed by Trump.
Rosenstein, Republican appointed by Trump.
Brennan, Republican.
Clapper, Republican.
Mccain, Republican.
Getting to the bottom of the collusion question : A Republican focus also.
Don’t fall for disinformation Clive.
Clive Robinson • August 30, 2018 4:21 PM
@ hmm,
Don’t fall for disinformation Clive.
I generaly don’t. But in this case I’m going on which MSM organisations started the Russiafobia and have drumed it up before most joined in on the band waggon so as not to appear odd man out.
So are you saying the democratic leaning side of the US MSM were spreading disinformation?
Just don’t trip over your own rhetoric, as expected –when I indicated it some time ago– President Trump has still got his feet under the table in the Oval office. And he’s only got to stay there a little over 2 months to make my prediction true… As I said the other day it looks increasingly likely he will be carving the Turkey come thanks giving. The question I guess is which turkey will he pardon and who’s craw it will stick in the most…
Hmm • August 30, 2018 4:32 PM
“But in this case I’m going on which MSM organisations started the Russiafobia”
You’re going back that far? I guess the 1940’s are still relevant, sure…
You just implied there was no actual basis for investigating Russian interference, that the MSM is inventing and drumming it up.
I’m just pointing out that’s really not true as you stated it, although Russophobia (A Kremlin pushed term these days) no doubt has existed prominently at points in American history. There were also lulls in that, however, like before Russia invaded Crimea or shot down that passenger plane, killed ex-spies with WMD’s in the UK or used kompromat tactics to influence the sitting American president into blackmail positions from which he has yet to escape.
But you’re right, Trump’s feet are under the desk when they aren’t up on the bed, tweeting away some bizarre unfounded smokescreen conspiracy theory that even the FBI feels duty bound to publicly refute on the evidentiary merits.
I guess you can believe what you want, but your characterizations are disprovable above.
Hmm • August 30, 2018 4:34 PM
As for the Turkey, it will be carved either way. The goose is already cooked.
Don’t take my word for it, but if you want to refute the “entire” media, you’ll need evidence.
Not a conspiracy theory, not a trotted-out trope that is provably false.
Here, from the mouth of babes:
http://www.foxnews.com/politics/2018/08/21/whos-been-charged-by-mueller-in-russia-probe-so-far.html
Clive Robinson • August 30, 2018 7:18 PM
@ Hmm,
You just implied there was no actual basis for investigating Russian interference
Actually no I’ve not implied anything of the sort. It is you who stated,
If it were actually a ‘witch hunt’ you wouldn’t find so many witches turning state’s evidence.
I said nothing of the sort. There is are several “country miles” between a fobia and a witch hunt, which most here would say you should darn well know.
Thus you are the one making things up yet again trying to make it appear that I am saying things I am not. Something you have been repeatedly warned about and not just by @Moderator.
To make it clear I was not talking about “Trump-Russia” allegations of collusion of which there is no evidence yet presented that I am aware of. As I’ve said all along we will wait for the evidence should anything that is credible actually be produced in the near future.
As for Russia doing more or less the same as the US has done for the past sixty years, it’s rather yawn worthy old news that goes back atleast to 2014/5 and pre-Trump. So to be frank the fact the US thinks it’s got a little of what it’s been handing out to the rest of the world, yipee you finally realise what the rest of the world has been complaining about, now stay awake long enough to amend your nations behaviours.
Behaviours such as what went on with Silicon Valley billionaires, US hedge fund managers, Cambridge Analytica, and Facebook all involved with election interferance and by the sounds of it illegal financial transactions. I know it’s not “Trump is Treason” stuff but surely you must be aware of it by now?
But no not a word out of you about how shocked and appaled you are and how it must be at the behest of the US President…
But anything even quite tangential to your “Trump Fixation” and you launch right in, hurling fake accusations, strawmen and accusing others of bad debating skill when your own fail to convince anybody.
For your information “Russiafobia” is way way wider than “Trump” and has all the hallmarks of a political campaign about to backfire on some of it’s originators, because it’s become an endless puffery of nothing. Muller and his team have had 15months which is many man years, and sofar nothing other than criminal convictions for financial misconduct that long predates the Trump Campaign and was apparently nothing to do with it either…
The stupid thing is that it’s not Putin you have to thank for giving you the Doh-gnarled but the distinctly odd non democratic voting system peculiar to the US you were given several hundred years ago and the various amendments since. It would appear it was designed to keep stray popular outsiders out of the political club, but now has had the exact opposit effect. Congratulations one for the home team not…
As for,
Don’t take my word for it, but if you want to refute the “entire” media, you’ll need evidence. Not a conspiracy theory, not a trotted-out trope that is provably false.
It’s funny you should say that, when the first sentance of your supposed evidence says,
- Special Counsel Robert Mueller’s inquiry into alleged Russian interference in the 2016 election is ongoing – and secret.
So you have no evidence to present because “it’s secret”, and likewise can not demonstrate anything let alone act as a witness against what you claim air fairily with attendent hand waving is “Not a conspiracy theory, not a trotted-out trope that is provably false.”..
But hang on let’s not dismiss it on just it’s opening sentance. It next goes on about four of Trumps campaign circle who have been charged BUT,
… though none of the charges are directly related to any misconduct by the president’s campaign.
It witters on a bit and then goes on about charges brought against Manafort by Muller which were financial and in a different country and long long preceding any work he did for Trump and allegations relating to Russian interference. BUT it then admits,
- Manafort was found guilty of eight financial crimes on Aug. 21 in the first trial victory of the special counsel investigation into the president’s associates. A judge declared a mistrial on 10 other counts
Because the jury decided the Russian interferance charges had no merit as well as some of the financial charges. Sounds like Muller has been trying on significant “prosecutorial over reach” with over 55% of his charges had no merit. So your evidence so far appears to be the opposit of supporting your Trump Fixation.
As for Rick Gates the article notes two things,
- A superseding criminal complaint says Gates was charged with conspiracy against the United States between 2006 and 2017.
- Like Manafort, Gates was initially indicted in October in connection with foreign lobbying work; he pleaded not guilty at the time. His charges were similar to Manafort’s – ranging from conspiracy against the U.S. to conspiracy to launder money.
So Gates like Manafort, has been charged with behaviour that long precedes his involvment with Mr Trump. But this time around Muller is trying less prosecutial over reach…
So old crimes maybe, but not evidence against Mr Trump even if you belive in time travel.
Because what it does show is that those charged and convicted were upto dirty tricks one way or another long prior to Mr Trump. What the Doh-gnarled knew or did not know at the time about their activities there is currently no evidence even suggested let alone refrenced or supplied.
As I noted the other day this sort of financial misconduct behaviour appears to be quite common place in politics. So if most other “high office” politicians were subjected to the same microscopic examination I suspect you would find the same or similar behaviour going on in the background and consequent charges. It’s the nature of the dirty game politics is and the “fixers” involved across the political spectrum.
What I suggest you do is rather than tell others to present evidence, you actually provide actuall evidence that supports your previous claims that Mr Trump has committed Treason. With one proviso it has to have been provably available openly in the public domain that is the US MSM prior to 25th Aug 2018.
But come the 6th of September 2018 I hope you are prepared to acknowledge what I have said so far as being factual and that you accept it.
Hmm • August 30, 2018 7:26 PM
“Oh then we get to hear all those other little US security slips that the Chinese are alleged to have benifited from greatly… But currently it’s “Russiafobia” driven by Democrat interests…” -Clive Robinson
Citation required on either point. It might be tough if you’re excluding “all media” though.
You constantly imply that Russia has “done no provable wrong” and it’s “Democrat interest” “Russophobia” entirely…
Admit it or don’t. I don’t even care lol. The facts are what they are despite mischaracterizations intentional or deniable.
Hmm • August 30, 2018 7:27 PM
Your defense of Trump is no more informed than your previous defense of Manafort or anyone else.
“Because the jury decided the Russian interferance charges had no merit”
-is a baldfaced lie, yours.
Hmm • August 30, 2018 8:32 PM
I’d like to change the subject but I do hope that exchange will not be censored.
I think it speaks for itself on a factual level. I don’t think either will convince the other.
That’s a strange realization given the circumstances.
Clive Robinson • August 31, 2018 3:35 AM
@ Hmm,
Citation required on either point. It might be tough if you’re excluding “all media” though.
It’s your turn first…
You have been repeatedly challenfged for evidence ever since you started your Anti-Trump rhetoric getting on for two yesrs now, and guess what either you do not provide evidence or it’s a compleate nonsense like your link above.
So I would suggest this request is just another of your silly little tactics of little repute. As for,
I’d like to change the subject but I do hope that exchange will not be censored
Why am I not surprised you want to stop fruitlessly attacking me, your supposed argument and evidence has been shown to be at best faux if not direct lies. Which makes me think it would be better for you if @Moderator did delete your irrelevent start of attack comment at https://www.schneier.com/blog/archives/2018/08/notpetya.html#c6780955 onwards.
But hey I’m easy either way, I’ve no skin in the Anti/Pro Trump game that you appear to have invested so much emotion into, and realy I don’t care as by and large it’s mostly hot air currently which is wasting peoples time and it would appear covering up other things US Citizens should take a lot more interest in, which is maybe why the GOP find him “A usefull idiot”. But from memory most US presidents after “Peanuts Carter” have not been good for the rest of the world one way or another as for the IC and Military they are supposadly in charge of, I think their record speaks volumes to anyone who can be bothered to study history… There is a quote somewhere which I can not find at the moment that in effect says “The last good year for Americans was 1969″…
Any way have yourself a pleasent day.
Weather • August 31, 2018 4:22 AM
@clive rob
In the last week extended out to two..
Sort out your real life thingimejig hmm has been good.
Good luck, 8 hours
Hmm • August 31, 2018 12:50 PM
I’m not really interesting in continuing conversations with people lying to make a point.
What you said was a baldfaced lie. There’s no point in my continuing to engage on that topic.
The record speaks for itself, we’re done here.
Hmm • August 31, 2018 1:06 PM
Interested, I’m not interested in continuing conversations with people lying to make a point.
Interesting is the wrong word. I try to self-correct when I catch an error I’ve made.
Were that more of us were inclined.
Clive Robinson • August 31, 2018 6:15 PM
@ hmm,
-is a baldfaced lie, yours.
You are so tied up in your rhetoric you are making statments that make you appear well… is their a polite way to put it?
The facts as given in the article you linked to are,
8+10 (18) charges a mix of financial and Russian collusion.
The jury only found on 8 of the charges that were according to the artical you linked to financial.
Thus by simple deduction the jury did not find on the Russian collusion charges, there for the were of no merit… The number of charges not found is markedly larger than those found, which is indicative of prosecutorial over reach of the type in the past some have called “Throw it against the wall and see what sticks”. Which by the way is a form of “Rights Stripping” that should be illegal in the type of justice system the US has.
So where is the “baldfaced lie” in that?
If there is one it’s either in the article I’ve commented on because you believe it is evidence of Trump-Russia collision, or it is in your head.
I think others who read the article you linked to can “check both the numbers and the number and type of charges the jury found against him…
But with regards your allegation of,
Your defense of Trump is no more informed than your previous defense of Manafort or anyone else.
I don’t defend President Trump, however nor the others in your list. Donald Trump is like everyone else is in the US like you are to entitled to,
1, The presumption of innocence.
2, The right to see the evidence he is to be charged with.
3, That the prosecution carries the burden of proof beyond reasonable doubt.
But also with President Trump the respect due to the office he currently occupies.
You have repeatedly made outlandish claims of Treason and other accusations. Yet not only do you not offer evidence to support your claims, you try to twist ages old misconduct of a financial nature by others into some conspiracy that Mr Trump knew about…
I’m sorry but your view does not fly, apply a little logic to see why. These charges of financial misconduct date back some considerable time befor Mr Trump gave any indication he was going to run for the Presidential office. For Mr Trump to have been aware of them they must either have been “common knowledge” or he would have had to have been told about them.
That is Mr Trump had no power to make the level of investigation that allegedly has been occurring for the last 15months. Thus if it was “common knowledge” then why had the DoJ/FBI you place such faith in not carried out an investigation upto a decade ago?
But if not common knowledge as appears to be the case, who did have the knowledge to tell Mr Trump? And why did they not do so?
Or are you claiming Mr Trump had knowledge that was not in the common domain but chose not to do anything with it, like say go and find other campaign managers?
If you are making such a claim, as the denouncer / accuser you had better have the evidence to back it up or you are denying President Trump the rights that any US citizen would belive they are entitled to…
That by the way is not me giving “defense of Trump” it’s me pointing out what US citizens believe that one and all of them are entitled to which is equitable justice. Not the behaviour of a Tyrant or Dictator’s Police State secret court where the process of making unsupported claims is only there to give a less than civil venier to Stalinistic behaviour used for delusional purges.
Hmm • August 31, 2018 9:13 PM
As I said I’m not going to engage with someone casually lying to make a point, I’m done here.
Trying to censor me validates what I said months ago.
I’ve moved on. Please Clive, there’s really no point to continue. I think the record stands.
Clive Robinson • September 1, 2018 10:36 AM
@ hmm,
Please Clive, there’s really no point to continue. I think the record stands.
Yes, you’ve been repeatedly @Moderated and returned to past behaviours you’ve been asked to refrain from.
I also wonder about you and sock-puppetry, it appears to follow your unpersuasive rhetoric outbursts.
As you say the record stands, except it does not where the @Moderator has kindly saved your blushes by deleting your more egregious commenting.
Which you might get lucky with yet again.
Hmm • September 1, 2018 1:53 PM
Ongoing personal attacks are completely inappropriate and the factual record stands.
Your calls to censor those who you disagree with are in my opinion very childish.
Get well soon.
I don’t think there’s anything to discuss on this topic between us and I don’t see the point in trying to, especially given how you’re being now. You’re free to believe what you want internally but when you present something as a fact people around you are right and reasonable to check that fact. In fact you lied and doubled down, deliberately.
No, the manafort jury 12:0 convictions on 8 counts and deadlocked 11:1 on 10 counts remaining IN NO WAY “rejected Russian interference” – nor was he charged with that in this case, this trial was about tax and bank frauds. So off the bat that’s nutty.
ONE JUROR had doubts about Rick Gates’ testimony which lead them to have doubts about 5 conspiracy charges and 2 additional related fraud charges. They convicted 12:0 on failure to report foreign bank accoutns, bank fraud x2 and tax fraud x5. The prosecution could re-try him on those 10 if they choose and it could very likely result in total conviction, given 11:1 being a strong indication and post-trial juror interviews confirming the overwhelming evidence.
Again, one single juror held out against the overwhelming evidence, reported a Trump supporter on the jury who admitted she did not “want” to convict, but was compelled to, on all 18 charges. The single holdout was apparently unreachable by logic. Sounds familiar to me.
Paul Manafort certainly has not been exonerated by a jury on “Russian interference,” which he’d have yet to be charged with anyhow – that’s a baldfaced lie with zero merit.
There is nothing to discuss between us on this, I research things before I claim them.
I don’t lie casually to make a point or win an argument, that’s pretty pointless.
Insulting or badgering, censoring someone won’t make what you said any more truthful.
We’re through here, the record stands and we’ve evaluated your statement as non-factual.
Need more to read about this? Here.
https://www.vox.com/2018/8/21/17692626/manafort-guilty-charges-verdict
Have a great day, but do try to admit mistakes instead of making them worse.
Your issue has nothing to do with me.
Hmm • September 1, 2018 2:00 PM
Arguing the factual record with someone who doesn’t want to acknowledge it faithfully is pointless.
So I again now will change the subject back to NotPetya and the WIRED article.
There’s a lot more room to discuss credible doubts in that, for all parties.
Clive Robinson • September 1, 2018 6:28 PM
@ hmm,
Arguing the factual record with someone who doesn’t want to acknowledge it faithfully is pointless.
Yes it is when you present an article as “factual evidence” and you get comments back solely on what you “claimed” as “factual evidence” that you do not like, then throw a hissy fit.
I quoted directly from your alleged “factual evidence”, if you now want to say it was not “factual evidence” that you provided to debate then by all means do so, it matters not a jot, because as I pointed out I was replying on what you claimed was “factual evidence” and I was pointing out it was not as you claimed (go read it again if you think otherwise).
Again I will repeat the points I’ve made before, which you so frequently ignore.
Firstly I do not give a stuff one way or another if President Trump did or did not know what was going on, or was even involved, you obviously do to the point of mania. You also do incomprehensible things like claim Trump is guilty of “Treason” when that realy won’t fly under US legislation at present. Then you get upset when told that. Both the mania and behaviour have caused you to be censured by @Moderator more than once, and have your offending comments deleated.
Yet despite acknowledging your behaviour was wrong you are back at your old habits. What does this say about you and your intentions now and in the future?
But as you’ve already compounded the issue it begs the question “Do you understand Einstein’s alledged definition of insanity?
Personally I don’t care about your very partisan political views, except when you repeatedly try and involve me in any which way you can, usually by false statment, and you have had more than fair warning I have no choice but to rebut, as I find myself having to do yet again.
However what I do care about, which you apparently fail to understand on all occasions, is real evidence of the sort a court will accept as such and put before a jury.
So to put it another way, I care not about the idiot box quotes the US MSM is full off –which you confuse with evidence– along with it’s Russiafobia.
But like “fake news” I do care about the effect it has on others (Russiafobia for instance handily masks the fact that US-China trade relations “Have gone to hell in a handcart” which is starting to hurt most people outside of China but they don’t yet realise it as it has not yet worked down the supply chain enough to be blatantly obvious to many).
That is I actually believe in the basic principles of justice one of which is the right not to have any future case prejudiced by press speculation, innuendo, and all other shady methods that others claim goes into Fake News. Which you appear to be quite happy to over actively promulgate. To the point in fact, as you have with your opening attack on me above, interpret an unrelated comment as being against your chosen highly partisan political windmill tilting. Thus use it to rudely jump in with both clod feet as you did at 3:39PM on August 30, 2018. I most certainly did not mention “witch hunts” or anything what so ever to do with the sitting president, his campaign team, or any action against them, it was all you and you alone. They were in no way relevant to what I was talking about as anybody can see (but you). But you had to jump in clod feet first and hijack the thread.
Worse though you made a compleatly unjustified claim of “Your political bent”, which is very clearly a personal attack yet again.
My view on politics I suspect is fairly well known here, I regard them all as “Monkeys in suits” acting as though at “a chimps tea party” and more dishonest than average, and I’ve said so here on several occasions. I likewise regard them as uninformed and unacceptably crass especially when they, like the camel of alleged legend, stick their nose in the tent. I only mention “party politics” when I have to and within a context to do with security.
As for,
Your calls to censor those who you disagree with are in my opinion very childish.
Another falsehood from you, I’ve not called for you to be censored in fact if you look back up this page I’ve actually done the opposit. What I have also done, as in the past, is warn you of the likely outcome of you pushing your pet peeve, which has on more than one occasion in the past resulted in your comments being deleated.
So whilst you might blithely carry on with your false accusations arising from your pet peeve I’m aware the @Moderator may well behave as they have in the past. I realy hope not because if your comments remain here, there will be a permanent record of your behaviour, which will be to every one elses benifit as a refrence in future.
Now I was quite happy to not have to go and point out yet again why things are not as you think, but you don’t actually want to stop do you?
Whilst you might claim to in each such post, you make other detrimental comments that even you should know are inflamatory and need rebuting. Especially when you say as you have done,
In fact you lied and doubled down, deliberately.
So your claim I guess is at best false and a way to excuse your behaviour to avoid other potential sanctions from @Moderator or our host @Bruce.
Well as I’ve said I realy hope they don’t delete what you have written here, I doubt any reasonable person would doubt your true intent on reading the above.
But on a more basic level, if you actually understood the debate process, You would have known what I wrote, about the supposed “factual evidence” you supplied to support your continued attack on me, was quite correctly about that document and it’s contents alone.
Debates have rules, one of which is about the supporting evidence supplied by an opponent. I stuck within those rules and treated it as your only independent supporting argument (which it was). You picked it, so your bad when it gets ripped for what it says (I even supplied quotes from it as part of the process).
Now having realised your mistake in supplying such bad independent supporting argument as your “factual evidence” for your attack you are back tracking and trying again, this time with statments of your own.
But you stil don’t get it do you?
You appear to not understand that when a jury does not find a person guilty on a charge then the jury does not find the charge of merit.
It matters not a jot if all but one jury member do think the defendent is guilty when the burden of proof the prosecution has to meet is for the jury vote to be unanimous on guilty beyond reasonable doubt. The prosecutors would have known the risks before presenting to that jury.
That as they say “are the rules of the game” just like the rules that will alow the prosecution to try to convince another jury unanimously that the charges have merit. But that will in no way change the fact that this jury did not unanimously find for the prosecution.
Like it or not it’s also the US presidential election rules that put Mr Trump in the Presidential Palace as President, and likewise there are rules by which people debate.
The fact you do not like these sets of rules or find them inconvenient is not relevant to the outcome, get over it, or more usefully use your real name not a “Nom de Plume” and start campaigning for change.
Railing against me when I say the rules are the rules and I realy don’t care as I’m not a US Citizen and have no intention of ever visiting the USA again –for very sound reasons– only makes you look at best impotent at worst, well I’ll leave it for others to judge, which is why I hope @Moderator does leave your comments up.
But your allegation I lied is unforgivable as I said I was using the supposed independent “factual evidence” you supplied and that alone as the rules prescribe. Go back and read your “factual evidence” again, you will find everything I said was justified on what was in it. You might not like it but it was your choice and your choice alone. Go argue with the author, you never know they might actually respond.
But you claim not to wish to continue the debate, so stand by it… do your reading and analysis in private.
After all as you so aptly put it,
Have a great day, but do try to admit mistakes instead of making them worse.
Your issue has nothing to do with me.
It never did, right from the get go, as anyone can see from the above.
Moderator • September 2, 2018 3:29 AM
@Hmm, please disengage.
Hmm • September 14, 2018 10:18 PM
Update : Manafort has plead guilty and is cooperating with Mueller’s investigation.
There is no question at this point of his guilt, and no possibility of a pardon.
He certainly wasn’t acquitted of anything. There is no doubt left.
Subscribe to comments on this entry
Leave a comment
Sidebar photo of Bruce Schneier by Joe MacInnis.
smgerasimov • August 28, 2018 7:29 AM
Hi, Bruce.
I’m Russian, but I’ll try to be as objective as possible.
Also, I’m a backup administrator, a Microsoft certified professional, etc.
Every organization that has a serious IT attitude should have turned off this protocol at least 1-2 years ago from the time of the attack.
In my opinion, IT professionals and managers responsible for this should be permanently suspended from work in IT.
“We have evidence, but they are secret” – this is nonsense not evidence.
As IT professionals we must be calm and fact-oriented. We are not enemies and do one job – make world more secure and reliable.