Ransomware Is Getting Ugly

Modern ransomware has two dimensions: pay to get your data back, and pay not to have your data dumped on the Internet. The DC police are the victims of this ransomware, and the criminals have just posted personnel records — “including the results of psychological assessments and polygraph tests; driver’s license images; fingerprints; social security numbers; dates of birth; and residential, financial, and marriage histories” — for two dozen police officers.

The negotiations don’t seem to be doing well. The criminals want $4M. The DC police offered them $100,000.

The Colonial Pipeline is another current high-profile ransomware victim. (Brian Krebs has some good information on DarkSide, the criminal group behind that attack.) So is Vastaamo, a Finnish mental health clinic. Criminals contacted the individual patients and demanded payment, and then dumped their personal psychological information online.

An industry group called the Institute for Security and Technology (no, I haven’t heard of it before, either) just released a comprehensive report on combating ransomware. It has a “comprehensive plan of action,” which isn’t much different from anything most of us can propose. Solving this is not easy. Ransomware is big business, made possible by insecure networks that allow criminals to gain access to networks in the first place, and cryptocurrencies that allow for payments that governments cannot interdict. Ransomware has become the most profitable cybercrime business model, and until we solve those two problems, that’s not going to change.

Posted on May 14, 2021 at 6:30 AM. 47 Comments

Comments

Szymon Sokół May 14, 2021 6:45 AM

One more problem that could be fixed by global ban on cryptocurrency trading.

Ron Helwig May 14, 2021 7:30 AM

“The DC police are the victims of this ransomware, and the criminals have just posted personnel records — “including the results of psychological assessments and polygraph tests; driver’s license images; fingerprints; social security numbers; dates of birth; and residential, financial, and marriage histories”

OK, now do Congress please.

Who? May 14, 2021 7:52 AM

Modern ransomware: if you pay you get your data back, if you do not pay you get your data back too.

Seriously, corporations should be concerned about:

  1. The huge amount of information they are stocking, most of it on Internet-reachable servers.
  2. How sensitive this information is.
  3. How insecure these platforms are; they are making the same mistakes they did in the nineties, using the same toy operating systems.
  4. Backing up data.

Corporations suffer from digital Diogenes syndrome combined with an excessive greed for personal information. Surveillance capitalism at its worst.

jeff May 14, 2021 8:06 AM

We should absolutely shut down Tether, which illegally prints USD. We could regulate crypto-currency exchanges more tightly too. Yet..

Although financial regulations sound strong, they remain permissive if you’ve enough money for good lawyers, largely because real business must actually work within them, but also because financial criminals write the rules. We regularly learn of financial giants like Goldman Sacks intentionally aiding money launderers.

At this point resource tokenization appears inevitable, so if excess regulation. As a borderline case Cloudflare shall deploy a “prove you’re human” multi-use token:
https://blog.cloudflare.com/privacy-pass-the-math/
https://blog.cloudflare.com/introducing-cryptographic-attestation-of-personhood/

These fancy new proof-of-stake coins like ETHv2, Cosmos, Polkadot, Cardano, Insane Clown Posse (ICP), NEAR, etc. all sell smart contract runtime or some other “blockchain as a service” notion. In other words, they are basically public transparent databases with some token paying for traffic, and with some limitations like transparency compared to Amazon EC2.

You’ll do more harm than good if you regulate this too tightly. And Amazon, Google, etc. could entrench themselves through regulatory capture.

What can be done?

We need a legal framework for taxing investors who hold environmentally destructive investments anywhere globally, so initially proof-of-work crypto-currencies like BTC and ETH, but then later oil companies, car companies, and meat producers.

It’s actually holding BTC or ETH that creates the externalities, because only transferability gives future value, and proof-of-work secures transfers only by wasting energy, so tax the holders of proof-of-work crypto-currencies.

We’ll have tax cheats of course, but this would nuke all crypto currency market values, inducing a shock that scares away investors, and thus kill mining operations.

We also gain a powerful new legal tool to help save the planet from the oil and meat industries, which all countries can apply locally without worries about WTO evilness.

At the same time, we should adopt blind signatures based payment systems like GNU Taler. Blind signatures are relatively understood 40 year old technology that destroys the false privacy claims made by many blockchain proponents.

SocraticGadfly May 14, 2021 8:08 AM

@Who?

“Seriously, corporations should be concerned about:

The huge amount of information they are stocking, most of it on Internet-reachable servers.
How sensitive this information is.”

“Should be”? Really?

Companies far beyond Hucksterman (FB) mine data for any info they think is of capitalist value.

Vibes May 14, 2021 8:57 AM

It seems that the infosec community has to focus on the decryption keys of the ransomware.
There is a lot of ransomware which is getting better with advanced techniques, and the community should look into this.

JB May 14, 2021 9:19 AM

Those who pay ransom are not much better than those doing the extortion. They enable future ransomware attacks.

I am sure it’ll never happen, but it could help if the cost of paying ransom were much greater than the actual ransom that no one would ever consider paying it. Such as:

  • Fined based on some large multiplier of the ransom amount
  • Fined equal to total revenue for past x years
  • Executive forfeiture of all compensation for past x years
  • Decades in prison
  • Revocation of corporate charter
  • All of the above

Then, perhaps… maybe… hopefully… they would finally be motivated to secure their systems.

ATN May 14, 2021 9:32 AM

I have seen a documentary on TV (sorry, do not remember channel, to reward the makers), where they explain how to cash-in/wash black money from drugs:
Get your pile of cash, go to the name/address they gave in Belgium to buy a big pile of gold (unlimited quantities, even if illegal to buy big amount of gold with cash), fly to middle east where they buy your gold and transfer the money in your bank account in Europe.
Because it is an international money transfer, that doesn’t trigger any watchdogs. Your money is now cleaned.

If there were no crypto-currencies, you would probably have to pay in gold.
Police not interested to arrest the gold for cash seller, police not interested to catch the gold transfer, police cannot identify where the gold comes from…
It is just quicker to do the transfer with bitcoins…

V May 14, 2021 9:41 AM

@V: If corporations are people – true in the US – then lawbreaking corporations should be subject to Genuine People Penalties. Maybe not the death penalty, except in some of the more advanced forms of treason, but being subject to house arrest and not allowed to use computers would wake some ‘people’ up.

JonKnowsNothing May 14, 2021 10:41 AM

@All

As has been pointed out many times in the blog, Companies get “hoist on their own petard” by not investing in “better management” of important “data-assets”(1); they make theft of these assets more likely.

One of the many problems with modern economic theory is that such assets are not truly accounted for their “true” value in any financial setup (bookkeeping, financial reporting).

Companies that have their valuation entangled with data-assets (a la FB) may (or may not) have better recovery systems in place but are likely to have more recovery options than companies that do not have such data considered as an asset in of itself.

Normal reporting shows Cash-In-Out and valuation is marked by Cash Flow. Physical Assets are only a means to providing Cash Flows and Data-Assets have no intrinsic value.

The same problems occur during physical disasters: fire, flood, hurricanes, tornadoes etc. When total destruction of the data-asset happens the chances of a business recovery is dim.

  • People will contact you with what you owe THEM
  • People won’t contact you with what they owe YOU

This causes a cash flow crisis: All Out Go and No Income.

IT hammers backups and recovery procedures, the larger the company the more likely they have something in place, but this is not enough to actually recover a catastrophic failure.

Partially because the data-asset is held in an intangible form, the recovery of “dead air data” has a different profile from paper based reports. Long history is lost too. Some internet companies catering to general public have done hatchet jobs on personal histories with date truncation or wholesale deletion.

Until there is some method of financial valuation attached to the data-asset, companies will continue with their not very effective procedures.

===

1) Data-Asset = the electronic representation of data required to conduct normal business activities. Data-Assets represent Physical Assets.
  Customer Name, Customer Address = Physical Data Asset
  Data-Asset is the electronic encoding of that information.

ht tps://en.wikipedia.org/wiki/Hoist_with_his_own_petard

  • “Hoist with his own petard” is a phrase from a speech in William Shakespeare’s play Hamlet that has become proverbial. The phrase’s meaning is literally that a bomb-maker is lifted (“hoist”) off the ground by his own bomb (a “petard” is a small explosive device), and indicates an ironic reversal, or poetic justice.

metaschima May 14, 2021 10:58 AM

Here’s something to think about. What will it take for politicians and regulators to react appropriately to the secondary global pandemic of ransomware. What kind of attack will do it? I feel the colonial pipeline attack came close to getting things done. I’m thinking either a major attack on infrastructure like power, water, communications, etc. Or how about cyberterrorism ? What if they meltdown a nuclear power plant, or what if they breach a nuclear missile silo and launch a nuke unless someone pays and then launch it anyway? I’m just wondering the scale of the attack that is necessary to get things moving, how much blood must be spilled to pay for change (in the minds of politicians). It’s pretty clear that hospitals are a huge target and certainly patients have received poorer care and maybe even died due to cyberattacks.

1&1~=Umm May 14, 2021 11:35 AM

@JB:

“Then, perhaps… maybe… hopefully… they would finally be motivated to secure their systems.”

Sorry what you propose is already known to not work.

Those who have had moral, ethical, or legal issues with paying ransoms “contract it out” to others.

The others claim they should be able to recover data or crack the encryption. What some do is “sub contract” the “work” to some organisation in a nation that does not have legislation against paying ransom. They pay the ransom, the key is obtained, the data recovered and the owner of the data is never told what really happened. Because “plausible deniability” is maintained in at least two places.

It’s a useful deceit that even LEO’s turn a blind eye to because they know that they have zero opportunity of solving the crime let alone helping the person who has lost data.

LEO’s just don’t have the budget, as “investigation value bars” and no international co-operation make their job impossible. Which is before the almost hopeless ability to accurately attribute where the criminals operate let alone who they may be.

Heck even the most highly paid Intel Agencies in the world get attribution wrong sometimes embarrassingly so.

Bcs May 14, 2021 11:46 AM

“As long as nobody ends up dead, we won’t ask how the perpetrator ended up somewhere they can be arrested. We won’t even ask if the person getting paid the bounty was a member of the perp’s own crew.”

SpaceLifeForm May 14, 2021 2:41 PM

@ Anders, Clive, ALL

Allegedly, Darkside has shut down.

Maybe, maybe not.

As I mentioned, following the money laundering via the Bitcoin ledger was likely to make the attackers visible. Also note that the 75 Bitcoin was on Saturday, not Monday. Interesting that Bloomberg did have it correct after all. But then what really happened on Monday? Was that when colpipe reimbursed a middleman?

To wit:

https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims

Elliptic has identified the Bitcoin wallet used by the DarkSide ransomware group to receive ransom payments from its victims, based on our intelligence collection and analysis of blockchain transactions. This wallet received the 75 BTC payment made by Colonial Pipeline on May 8, following the crippling cyberattack on its operations – leading to widespread fuel shortages in the US.

The wallet has been active since 4th March 2021 and has received 57 payments from 21 different wallets. Some of these payments directly match ransoms known to have been paid to DarkSide by other victims, such as 78.29 BTC (worth $4.4 million) sent by chemical distribution company Brenntag on May 11.

In total, the DarkSide wallet has received Bitcoin transactions since March with a total value of $17.5 million. Ransoms associated with previous attacks were paid to other wallets.

But by tracing previous outflows from the wallet, we can gain insights into how DarkSide and its affiliates were laundering their previous proceeds. What we find is that 18% of the Bitcoin was sent to a small group of exchanges. This information will provide law enforcement with critical leads to identify the perpetrators of these attacks.

Anders May 14, 2021 3:23 PM

@SpaceLifeForm @Clive @ALL

hxxps://www.cnbc.com/2021/05/12/former-nsa-hacker-argues-russian-government-connected-to-colonial-pipeline-attack.html

At least this hacker seems to be on right track.

tfb May 14, 2021 4:39 PM

@metaschima

An obvious thing would be an attack on a suitably large number of bits of critical financial infrastructure. That might be just one large bank or it might be several (which is very possible because they likely all use the same ‘security’ tools which require both privileged access and automatic updates of their tool…). Faced with what didn’t, quite, happen in 2008 even Boris Johnson might pause from his rutting long enough to pay attention.

Clive Robinson May 14, 2021 5:07 PM

@ Anders, SpaceLifeForm, ALL,

At least this hacker seems to be on right track.

Hmm I’m not so certain David Kennedy is on the right track. Here are some comments he made a little while ago,

https://gcn.com/articles/2021/03/01/secure-os-supply-chain-attacks.aspx

I’m of the belief that a Trusted Computer System Evaluation Criteria (TCSEC, Rainbow books) Class A1 operating system is not really going to be workable in a commercial environment.

The reports of the extreme difficulties of deploying and using A1 OS’s are as you would expect for systems that have a requirement for armed guards, and have very limited capability CLI UI’s, requiring all sorts of terminal communications security including some that are still technically classified in the US.

Whilst using the highest rated secure OS sounds good, there are from memory none being made anymore as the demand for such systems put the prices up beyond which even US Government agencies with very large almost infinite budgets would baulk at acquiring one. So other less costly and more flexible solutions were investigated then deployed instead.

I’m not knocking A1 systems for their security, but you have to accept they have a very niche place in the security hierarchy and have quite limited capabilities by design. If we were to come up with an equivalent product these days in all probability we would not go down the A1 route or anywhere close to it.

Anders May 14, 2021 5:13 PM

@metaschima

You are comparing non-comparable. Data is always personal,
extremely personal and only person itself grasp its value.
For a person family pictures may mean more that all the govt
secrets altogether. So all those “nuclear” etc arguments are
irrelevant here.

Important however is that WE allow this to happen.
First – no ransomware can operate in dark, it has to
call “home”, always, no exception. So why we have those
important system connected 24/7 to the internet?

Second reason – WHY we use systems, that allow remote code
execution in our systems over the network via PsExec?
This is one favorite lateral movement method along the
powershell. DOS didn’t allow that. Win9x family didn’t
allow that. This is direct feature, that allows hackers
to take over the internal network via lateral movement,
fast. First they drop phishing email, then get foothold
in one client’s computer, get credential via Mimikatz,
then move on, using PsExec and powershell.

Again, why someone can start code in MY computer just
over the network so that i don’t even know that? PsExec
is just that kind of thing. This is design flaw, a feature
that i don’t need. This allows remotely taking over the
computer in LAN, plant there ransomware, encrypt our data.
I should control my computer. Only from keyboard and from
mouse.

You think Russians are guilty? You are barking at the wrong
tree, this is Microsoft fault that companies are ransomware
victims.
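
The PsExec-based lateral movement described in the comment above leaves two records on every target host, which a defender can correlate. The following is an added example, not part of the original thread: it pairs service-install events (7045) for PsExec's default service name PSEXESVC with the preceding write of PSEXESVC.exe to ADMIN$ (5145), then flags any source address that reaches several hosts in a short window. Host names, addresses, accounts and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(time, host, event_id, **fields):
    """Build one parsed event record (field names follow Windows event data)."""
    return {"time": datetime.fromisoformat(time), "host": host, "id": event_id, **fields}


ADMIN = r"\\*\ADMIN$"
# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    _ev("2021-05-14T02:10:05", "WS-014", 5145, IpAddress="10.0.5.23",
        SubjectUserName="svc-backup", ShareName=ADMIN, RelativeTargetName="PSEXESVC.exe"),
    _ev("2021-05-14T02:10:06", "WS-014", 7045, ServiceName="PSEXESVC",
        ImagePath=r"%SystemRoot%\PSEXESVC.exe"),
    _ev("2021-05-14T02:11:40", "WS-027", 5145, IpAddress="10.0.5.23",
        SubjectUserName="svc-backup", ShareName=ADMIN, RelativeTargetName="PSEXESVC.exe"),
    _ev("2021-05-14T02:11:41", "WS-027", 7045, ServiceName="PSEXESVC",
        ImagePath=r"%SystemRoot%\PSEXESVC.exe"),
    _ev("2021-05-14T02:13:02", "SRV-FILE01", 5145, IpAddress="10.0.5.23",
        SubjectUserName="svc-backup", ShareName=ADMIN, RelativeTargetName="PSEXESVC.exe"),
    _ev("2021-05-14T02:13:03", "SRV-FILE01", 7045, ServiceName="PSEXESVC",
        ImagePath=r"%SystemRoot%\PSEXESVC.exe"),
    # Single-host use from another workstation: recorded, but no fan-out alert.
    _ev("2021-05-14T09:30:00", "WS-101", 5145, IpAddress="10.0.9.9",
        SubjectUserName="helpdesk-adm", ShareName=ADMIN, RelativeTargetName="PSEXESVC.exe"),
    _ev("2021-05-14T09:30:01", "WS-101", 7045, ServiceName="PSEXESVC",
        ImagePath=r"%SystemRoot%\PSEXESVC.exe"),
    # Unrelated service install and unrelated ADMIN$ access: must not match.
    _ev("2021-05-14T09:45:00", "WS-101", 7045, ServiceName="ExampleAgent",
        ImagePath=r"C:\Program Files\Example\agent.exe"),
    _ev("2021-05-14T09:50:00", "WS-014", 5145, IpAddress="10.0.9.9",
        SubjectUserName="helpdesk-adm", ShareName=ADMIN, RelativeTargetName=r"Temp\report.txt"),
    # Service install with no share-access record (5145 auditing not enabled there).
    _ev("2021-05-14T11:00:00", "WS-200", 7045, ServiceName="PSEXESVC",
        ImagePath=r"%SystemRoot%\PSEXESVC.exe"),
]


def is_psexec_service(ev):
    """7045 whose name or binary matches PsExec's defaults.

    A name match is only a baseline: a service installed under another name
    will not be caught here and needs behavioural rules instead.
    """
    if ev["id"] != 7045:
        return False
    return (ev.get("ServiceName", "").upper() == "PSEXESVC"
            or ev.get("ImagePath", "").lower().endswith("psexesvc.exe"))


def is_psexec_drop(ev):
    """5145 showing PSEXESVC.exe being accessed over the ADMIN$ share."""
    return (ev["id"] == 5145
            and ev.get("ShareName", "").upper().endswith("ADMIN$")
            and ev.get("RelativeTargetName", "").lower() == "psexesvc.exe")


def correlate(events, pair_window=timedelta(seconds=30)):
    """Attach a source address and account to each PsExec service install."""
    last_drop = {}  # host -> most recent matching 5145 record
    executions = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_psexec_drop(ev):
            last_drop[ev["host"]] = ev
        elif is_psexec_service(ev):
            drop = last_drop.get(ev["host"])
            paired = drop is not None and ev["time"] - drop["time"] <= pair_window
            executions.append({
                "time": ev["time"], "host": ev["host"],
                "source": drop["IpAddress"] if paired else None,
                "user": drop["SubjectUserName"] if paired else None,
            })
    return executions


def fan_out(executions, window=timedelta(minutes=10), min_hosts=3):
    """Return {source: hosts} where one source reached min_hosts within window."""
    by_source = defaultdict(list)
    for ex in executions:
        if ex["source"] is not None:
            by_source[ex["source"]].append(ex)
    alerts = {}
    for source, items in by_source.items():
        items.sort(key=lambda x: x["time"])
        start = 0
        for end in range(len(items)):
            while items[end]["time"] - items[start]["time"] > window:
                start += 1
            hosts = {x["host"] for x in items[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts[source] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    for ex in found:
        print(ex["time"], ex["host"], ex["source"], ex["user"])
    print(fan_out(found))
```

Installs that cannot be paired with a source (the WS-200 record here) are still worth reviewing, since they show where share-access auditing is missing.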

ABC May 14, 2021 5:56 PM

So is Vastaamo, a Finnish mental health clinic. Criminals contacted the individual patients and demanded payment, and then dumped their personal psychological information online.

Those weren’t criminals. Not under that system of laws at any rate. It was most likely the cops who had their suspects dosed with mental health medications and interrogated by professional counselors and therapists. They wanted their findings published for maximum damage to the reputations of the mental health suspects // patients.

My ancestors left the vice district of Finland long ago, and those horrors and atrocities against human rights continue to haunt us even five and six generations later.

Anders May 14, 2021 6:33 PM

@ALL

hxxps://www.wired.com/story/vastaamo-psychotherapy-patients-hack-data-breach/

Jonathan Wilson May 14, 2021 7:02 PM

It doesn’t help that you have agencies all the way from local cops right through to the most powerful US intelligence agencies who all want to keep known flaws in software secret so they can use those flaws to exploit things in the name of catching “bad guys”.

ABC May 15, 2021 12:51 AM

@ Jonathan Wilson • May 14, 2021 7:02 PM

It doesn’t help that you have agencies all the way from local cops right through to the most powerful US intelligence agencies who all want to keep known flaws in software secret so they can use those flaws to exploit things in the name of catching “bad guys”.

Thieves. Thieves in law or thieves within the law, воры в законе. Crooks who somehow got jobs at government agencies, police departments, or in the court system.

They have slandered the names of the just and the righteous with permanent and false criminal records.

Security Sam May 15, 2021 9:18 AM

As long as folks are money hungry
Ransomware will keep getting ugly
Seeking easy loot across the country
To buy caviar and champagne bubbly.

1&1~=Umm May 15, 2021 4:45 PM

@Security Sam:

Change last line to,

‘Pizza hot and cold beer bubbly’

Sounds better and is probably more accurate, unless you want to change the beverage to “jolt cola” or “Red Bull” 😉

Anders May 15, 2021 6:36 PM

@JonKnowsNothing

If Russland attack that pipeline again, the result will be
cold pizza and warm beer 🙂

So last line will be:

Seeking easy loot across the country
Resulting cold pizza and piss-warm brewski

Security Sam May 16, 2021 8:01 AM

@1&1~=Umm
I believe you are confusing cyberspace “gentlemen of fortune” with “petty thieves.”

ResearcherZero May 16, 2021 4:18 PM

@ATM

Here you could sit up behind the police station and watch the cops come out the back, dig up the meth, walk up the hill and sell it to dealers. Sometimes they just walked out the front with a duffel bag in the middle of the day and handed it over. The officers were testing 1 out of 5 positive for meth, but in the stations where it was 5 out of 5, that’s where they were holding the cash.

Money laundering still works as it did in the 1980’s, through businesses that are ‘fronts’ for washing cash, and in some cases, the same businesses. The lower level stooges get out of jail and go straight back and open the same business again and start washing cash. The high level stooges, well they are paying the prosecutors a lot of money, so they don’t go to jail.

For ransomware, which is online, crypto-currencies are convenient. It’s apolitical of course, Putin would never give the green light to people to attack hospitals in a pandemic, or not in a pandemic, containing people he wants to target, outside of the 12 member states? Just as he’d never pump drugs into countries to undermine their populations, and corrupt the structures of their societies? No one has ever conducted asymmetrical warfare using drugs, especially not with large tins of ephedrine pills?

Some dripping sarcasm there, in line with the poison dripping from the fangs of the Wizard Spider…

“The initial access came from phishing emails containing links to google drive that when clicked, downloaded a Bazar Loader backdoor executable.
The time from initial Bazar execution to domain recon was 5 minutes, and deployment of Cobalt Strike beacons was within 10 minutes.”

hxxps://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/

“Despite being in the throes of a pandemic that’s already over-burdening global public health infrastructure, ransomware crews have been escalating their operations against hospitals for months now.”

hxxps://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/

“Ryuk includes many of the “greatest hits” when it comes to what should be considered non-standard user endpoint behaviors as it utilizes the standard fare of “commands no standard end user should ever run”.”

hxxps://www.scythe.io/library/threatthursday-ryuk

“the Conti gang claims to have had access to the HSE network for two weeks. During this time, they claim to have stolen 700 GB of unencrypted files from the HSE, including patient info and employee info, contracts, financial statements, payroll, and more.”

hxxps://www.bleepingcomputer.com/news/security/ireland-s-health-services-hit-with-20-million-ransomware-demand/

Those guys are entirely more competent than the fools that tried to hack the hospital here in 2017, when a couple of GRU agents were trying to kill my wife and I, again. I’ve noticed too that the police still haven’t arrested them. Oh that’s right, the DPP has all that extra pocket money, in spite of the ludicrous amount of salary that we already pay senior prosecutors, and that one judge, and that other magistrate (whose qualifications are completely fraudulent I might add).

It sort of smells to me like the rotting carcass of a society that has turned a blind eye to its own stench for far too long, which leaves its gaping open wounds uncovered, and therefore vulnerable to attack.

Attacking hospitals is very low, gutter stuff, made all the easier by those savings Health Ministers made on the IT system, so they could brag “Under Budget, Completed Eventually”.

Hospitals are full of very important patient files and information, great to see them cutting corners on the IT systems, very smart stuff, it just fills me with confidence that those budget savings will not have any devastating long term costs.

But that’s nothing, the savings on the Justice System IT budgets, they were really big, and those systems, well s*t, that’s how you would describe them.
More s*t than Colonial, 4th Graders could hack your local Justice registry, and all the fruit hanging off of it…

“Make no mistake, unilateral control over the collection and processing of personal data is one of the strongest emergent forms of power in the information age.”

hxxps://consult.sauvik.me/posts/surveillance-capitalism-grassroots/

…but we get heaps of human intelligence through the money laundering networks, so if you are wondering why they still haven’t passed all the anti money laundering legislation still, after more than three decades, that would probably be one reason.

ResearcherZero May 16, 2021 4:25 PM

And if you give evidence against money laundering, they drive up and shoot all your mates from signals in the chest. Blam, blam, blam. But sometimes they miss LOL.

dret May 17, 2021 6:33 PM

“Ransomware is big business, made possible by insecure networks that allow criminals to gain access to networks in the first place, and cryptocurrencies that allow for payments that governments cannot interdict. Ransomware has become the most profitable cybercrime business model, and until we solve those two problems, that’s not going to change.”

It is sad that the best people can come up with to address this problem is to just OK a business and governmental authoritarian wish list.

Companies store too much data, don’t do updates and backups and have crummy security. And the solution is for innocent parties to lose freedom and flexibility? I’m sorry: it’s a scam.

The security industry is largely corrupt: The black hat hackers and the white hats are the same people, maybe offset a few years. If they don’t sell out to crooks they sell our privacy out to police and corporations.

The blockchain industry is a bunch of folks who actually can write correct code and secure their operations. In this age of people claiming to care about the vulnerable while doing nothing that actually helps them, distributed finance lets everyone have access to financial tools despite their place in the hierarchy. It gives poor people suffering under a weak currency a way to preserve their savings. It lets third world people earn and invest on an equal basis with the privileged first world.

If people actually believed their pretensions, they would be blockchain supporters.

Irish May 18, 2021 6:37 AM

We’re a small country so it doesn’t get much attention, but the entirety of the Irish hospital system is currently crippled by a ransomware infection. It’s devastating. The criminals have no concerns about who or what is damaged – next step will be electricity and water networks.

This is effectively terrorism, and in instances where criminals are protected by states it is close to war. I’m not sure what the answer is, but simply expecting everyone everywhere in the world to harden their networks is not realistic (at least in the short term). Neither I suspect is regulating cryptocurrencies, although we should try and at least make it more difficult to hide proceeds of crime.

I suspect myself that the situation is getting so serious that we will have to do something drastic like walling off parts of the Internet. Not perfect, but when the Vikings were pillaging up and down the coast of Ireland a thousand years ago the answer was not to expect every village to be able to combat them, and instead retreat away from the coast and into castles.

Rob Lewis May 18, 2021 9:49 AM

As Bruce concludes, ransomware is a perfect storm set up by exploding attack surface on insecure networks and enabled by anonymous cryptocurrency. Many orgs, especially healthcare and SMBs are years behind the security maturity continuum, and it would be impossible to drag laggards to a secure posture in any kind of timely fashion. Security is hard and expensive. If it wasn’t then it would be performed better already.

Backups are by definition reactive and restorative. They are not prevention except for preventing data loss and ransom payments. Data corruption and operational disruptions are still likely.

And is crypto-coin going away any time soon?

So what to do? Possible solutions must enable business continuity and to do that, they must alleviate the need for data restores from backup.

How about stepping out of the box and reframing the problem to find ANY way to stymie attackers so that they are unable to fully execute on their objectives and take advantage of Bitcoin? After all, there are several steps in the cyber kill chain and the ransomware kill chain if current efforts are not stopping malware delivery, system exploitation, attack delivery and C&C set up then why not look at the final stage when final execution initiates?

Self-defending data detects and mitigates as soon as attacks on it begin (in milliseconds) and restores data to pre-attack state, automatically. Attempts to leak data are detected almost immediately as well. By intertwining AI/ML, security and blockchain elements with data storage this becomes possible.

The impact of this should hopefully be intuitive.

By defending at the data layer, (where you know attackers ultimately want to go), attackers may breach the network, but they still can’t win. If attack efforts are nullified and data is not lost, there is no means of extortion possible. No recovery from backups necessary. No ransom to demand, nor to pay. No business disruption, so no victimization.

As long as attackers can’t win, then defenders don’t lose.

JonKnowsNothing May 18, 2021 11:12 PM

@All

MSM report that China has banned all use of Cryptocurrencies. It’s a pretty wide spread ban, and might make them less of a target.

Banks are forbidden to allow their customers access to cryptocurrency trading or storage, and told not to provide insurance to cryptocurrency businesses or investments.

Web platforms were told not to host crypto-coin companies, or even allow ads for any crypto-related business activities.

The edict also tells citizens that cryptocurrency has no inherent value and can be manipulated, making it a poor investment.

The new rules follow a 2019 People’s Bank of China decision to block access to all cryptocurrency exchanges and initial coin offering services. China has also discouraged cryptocurrency mining operations.

They may still allow their own digital currency because they control and can track it.

Blocking cryptocurrency mining is a good decision since the process consumes a large amount of energy and they have other uses/needs for it.

ht tps://www.theregister.com/2021/05/19/china_cryptocurrency_crackdown/
(url fractured to prevent autorun)

Clive Robinson May 19, 2021 2:18 AM

@ JonKnowsNothing, ALL,

Blocking cryptocurrency mining is a good decision since the process consumes a large amount of energy and they have other uses/needs for it.

It’s not just the “energy for mining” right now we have a bit of an Integrated Circuit (IC) issue in that a number of fabrication plants are unavailable for several reasons.

The Chinese Government has the choice of people making high end chips for coin mining rigs, or equipment of national interest such as exports and more interesting less publicly visible equipment.

I’m not sure if the Chinese have an equivalent of a “war production act” but I guess we are going to probably find out in the not too distant future.

freedomplease May 19, 2021 10:32 AM

“Ransomware is big business, made possible by insecure networks that allow criminals to gain access to networks in the first place, and cryptocurrencies that allow for payments that governments cannot interdict…. those two problems …”

No, that’s just one problem – insecure networks. Allowing the US government to interdict payments to anybody it doesn’t like would be much worse than the ransomware problem we’d like to solve.

The most common reason for the US govt to try to interdict payments has been to try to prevent journalists from exposing its war crimes.

Phil May 19, 2021 7:12 PM

Most of the comments here are hopelessly naive. Especially the ones that think that government or “regulation” can fix the problem.

Crypto-anarchism is inevitable. It has already begun with cryptocurrencies, which enabled ransomware. Anyone that thinks they can “shut down” cryptocurrencies doesn’t understand the technology. Making something illegal does not shut it down. See: the “war on drugs,” or “gun control.”

The hard reality that progressives have to face up to is that government cannot solve these problems. They are not tractable. This is a matter of mathematics, and human nature. “Mathematics,” because even if you could break SHA-256, tomorrow someone else would invent a new algorithm that you cannot break, and crypto-over-darknet would continue. “Human nature,” because none of this would be happening at all if it were not exactly what many people want, as a consequence of the fundamental principle of human nature, which is the drive for dominance.

In order to continue to function, societies must find a way to exist in a milieu of crypto-anarchism. This means no more centralized government, no more top-down control. No more taxation, either. It’s simply not possible. You are going to have to find a way to run your societies without coercion, because crypto-anarchism makes your coercion impossible.

The people this really scares the shit out of is Progressives (AKA “liberals”) because confiscatory tax schemes, redistribution, “social justice” and all the other hogwash are simply impossible without a centralized, bureaucratic dictatorship like the one currently run out of D.C. Too bad. History is not on your side.

JonKnowsNothing May 19, 2021 9:19 PM

@Phil

re: Anyone that thinks they [Governments] can “shut down” cryptocurrencies doesn’t understand the technology. Making something illegal does not shut it down. See: the “war on drugs,” or “gun control.”

There are some governments where possessing contraband has extreme penalties. Even in such countries contraband does exist. These countries are not in the Western Sphere of Influence, to which most of your comments apply.

Countries like China have much greater control over their population and business. They have extreme penalties for “making noise and causing confusion”. If the leaders of such governments do not find an aspect of any business or exchange useful, they will make sure it doesn’t get too far past a bullet.

The rest of your comments, I will leave to you….

===

ht tps://en.wikipedia.org/wiki/Keymaker

Ghost: But you’d have to take out a whole city block to kill the power to a building like that.

Keymaker: Not one, 27.

ROT13(NOP) May 19, 2021 10:26 PM

@Phil

Crypto-anarchism is inevitable

When are you liberals going to learn to quit growing weed on my account?

epi_ircr May 21, 2021 9:33 AM

Some data doesn’t need to remain networked, or even digitized for that matter.

MrV May 21, 2021 11:42 AM

Isn’t the answer “don’t collect it in the first place”. Some of this nonsense is only collected to satisfy voyeuristic HR departments. Why?

JonKnowsNothing May 21, 2021 2:16 PM

@MrV

re: Isn’t the answer “don’t collect it in the first place”. Some of this nonsense is only collected to satisfy voyeuristic HR departments.

Yes and No.

Yes: They do not need the vast majority of the information.

No: There are OTHERS who want the information and these are in at least 2 broad categories:

 1  Law Enforcement including various local, county, state, regional, governmental groups who may or may not be 3Ls. People like the Labor Departments calculating the number of “Lazy A**es” are in their state(1), as well as Social Security (USA) pension systems etc.

 2  Marketing and Data Brokers. Companies sell all the information they can acquire to Data Brokers so that an Algorithm can determine what, where, when you are going to buy XYZ items and how much you are going to pay for it. That is: At what price point you will not reject the item : aka Sales, Discounts, Special Offers, Rebates, Last Year’s Model, Production Overrun Sales, Going Out of Business Sales (fake ones) etc.

Group 1 may be OK or partially OK.
Group 2 Not so OK.

===

1, Conflicting reports about how Lazy Americans don’t want to work for Low Wages. Wages that are so low that $300 USD a week will prevent someone from taking a job that has a Zero Hours Contract, No Benefits, No Healthcare, No Pension, No Vacations, No Sick Leave.

To know what all those Lazy Americans are up to, or not up to, you have to collect lots and lots of data. To collect that data, you have to be On the Radar. Any method(s) to get you On the Radar will be acceptable.

ht tps://www.theguardian.com/us-news/2021/may/06/montana-greg-gianforte-benefits-covid-

Although Montana’s unemployment rate fell to 3.8% in April, which is about at pre-pandemic levels, the state’s labor commissioner, Laurie Esau, says its labor force is approximately 10,000 workers smaller than it was pre-lockdown, a drop that Gianforte [Greg Gianforte Governor of Montana] assumes is to do with lazy people who, given their new found pandemic benefits, don’t want to work any more. And according to Montana department of labor estimates, nearly 25,000 people are currently filing unemployment claims, a good chunk of whom the governor is eager to push into the state’s 14,000 or so job openings.

But this means there aren’t enough job openings for the number of people unemployed; even if the governor’s plan succeeds in filling those vacant positions as intended, there will still be over 10,000 people without jobs to apply for, forced to subsist on less…

ht tps://www.theguardian.com/business/2021/may/07/truth-behind-unemployment-benefits-myth

Job openings rose to a two-year high in February, according to the US Labor Department’s job openings and labor turnover survey published last month. And in March, employers added nearly 1 million new jobs, with many economists expecting similar or better gains in the April jobs report on Friday.

If job openings accelerate faster than people apply for work, there will be pain for business owners. The pandemic has added some quirks to this economic reality.

ht tps://www.emptywheel.net/2021/05/16/no-one-wants-to-work-for-you-anymore-the-end-of-oligopsony/

by Rayne

There are few ways faster to piss me off than to say, “Slackers don’t want to work” in response to the lack of candidates for low-wage jobs.

This is what it looks like when a monopsonic or oligopsonic labor market is broken. It looks like workers can pick and choose the opportunity which best suits their needs rather than grabbing the first opportunity offered them because they are in precarity.

ht tps://www.theguardian.com/us-news/2021/may/21/us-unemployment-benefits-pandemic-cut-republican-states

At least 22 Republican-led states have announced plans to cut extended benefits, affecting more than 3.6m people.

Millions of unemployed workers face hardship after a wave of Republican governors announced they will seek to cancel federal extended unemployment benefits of $300 a week in response to claims from the restaurant, food service and hospitality industries that they are experiencing difficulties in hiring workers.

At least 22 Republican-led states have announced plans to cancel the extended benefits, including Montana, South Carolina, Alabama, Iowa, Idaho, Missouri, Wyoming, North Dakota, South Dakota, Oklahoma, Indiana, New Hampshire, Mississippi, Arkansas, Tennessee, Ohio, Utah, Alaska, Georgia, West Virginia, Texas and Arizona.

(url fractured to prevent autorun)

Clive Robinson May 21, 2021 3:07 PM

@ Mr V, JonKnowsNothing,

As @JonKnowsNothing has pointed out there are some highly undesirable people collecting data on the citizens any which way they can. As with German National Socialism they are being ably supported by the likes of IBM, or are doing it on behalf of the likes of Costain etc.

Put simply there are two ways you can get someone to work for you,

1, Pay them the rate and offer the conditions they will accept.

2, Use coercion/compulsion.

German National Socialism was not keen on the former as it meant a direct cost to the hierarchy in their monumental plans and they did not have the reserves to pay people (this can be seen by other indicators such as adulterating the gold reserves with lead and similar).

So they went the other way of which one of the more visible aspects historically were labour camps.

One technique used to break workers was to identify them and their dependents and those who might support them through austerity, then basically sack them. Word would be put around they were “not to be employed” so they remained jobless. Anyone suspected of supporting them was subject to intimidation or other sanctions including being sent to concentration camps.

Thus the person was forced into a labour camp where their previous employer would pick them up for fractions of what they formerly earned. As the employee was the equivalent of a felon they and their family were subject to very stiff sanctions, thus their employer could do what they liked with them. This obviously served as a very significant intimidation tactic.

It only really affected the waged classes either semiskilled or more often skilled. It did not really affect the bourgeois (middle) classes who were in effect self employed shop keepers and employers of others.

If you care to look around the US work system prior to the pandemic you will see the US system especially in Republican states were heading down the same road as German National Socialism in the 1930s.

As @JonKnowsNothing has observed it’s the “dregs jobs” that nobody in their right mind would do for the wages on offer, unless forced into them some how.

The fact that the pandemic has actually created a labour shortage in the very bottom end of the socio economic ladder is hardly surprising as they had no health cover etc. As the figures show when adjusted against age, the low end socio economic workers have been disproportionately hit by COVID thus unsurprisingly they are no longer available to fill the “dregs jobs” whilst others finding they can get better jobs are “moving up”.

This is an absolute horror for neo-con types whose real objectives are to have a “serf / indentured” labour force that is only allowed to “rent seek” so that they can be controlled more easily.

But to do this they have to have data they can manipulate. Look up William Barr and his nasty little habits from pre-2016, he would take figures and manipulate them in various ways to “tell a tale” and “not a truthful tale” at that.

The same sort of manipulation is currently going on in other “for profit” areas. I would fully expect to see new “crimes” to come into existence to force more people into state and lesser jails, where the labour they will be forced to carry out will be expanded. Thus whilst they will not be called “work houses” or “labour camps” that will be the real purpose to supply labour to employers at fractional costs, but the upkeep of the labour camp system will come from the middle class tax payers, because the wealthy and most major employers of such labour will be “tax exempt” for one reason or another…

Ollie Jones June 1, 2021 9:44 AM

Here’s a serious question: Should citizens insist on some sort of transparent infosec auditing of their local governments, hospitals, and service agencies?

Municipalities have been whacked pretty hard by ransomware (Baltimore and now DCPD). And it seems some of them were a little lax on their updates, passwords, and other infosec measures. Is there a reasonable way to mitigate this?

Many munis have various boards populated by citizens: zoning boards of appeal, school committees, and so forth. Some boards are elected, others appointed. Some are paid, others volunteer.

Does it make sense for cities / towns / counties to convene citizen infosec boards with the power to ask questions like “when do you update your software?” and “what infosec training do you require for muni employees?” Sometimes asking the question is enough to prompt remediation.

The alternative is forcing munis to hire (expensive) infosec audit firms. Obviously big-budget operations should do that. But the cost-saving argument is strong in local governments.

A public board could recommend that kind of expensive intervention if necessary. Such a recommendation would take the heat off the mayor / council / selectmen, as it would come from independent voices.

Dr. Schneier, who could draw up a set of guidelines for munis who want to do this and the people chosen to serve? Kennedy School? Carnegie Mellon’s team? The US federal government?
