  #1  
Old 08-08-2019, 04:01 PM
MaverocK is offline
Guest
 
Join Date: Dec 2013
Posts: 191

Why did Florida city agree to pay hackers $600k to get computer systems back?


The link to the article: https://www.mazechmedia.com/2019/06/...-systems-back/

Quote:
The city hopes the hackers will provide a decryption key — meaning there's no guarantee that that will happen.
What I don't understand is why NSA did not help? They could crack it. Florida city is part of the US, right? Am I wrong?
  #2  
Old 08-08-2019, 04:11 PM
Cleophus is offline
Guest
 
Join Date: Jul 2000
Location: Philadelphia, PA
Posts: 1,386
Quote:
Originally Posted by MaverocK View Post
The link to the article: https://www.mazechmedia.com/2019/06/...-systems-back/



What I don't understand is why NSA did not help? They could crack it. Florida city is part of the US, right? Am I wrong?
Why do you think this? The NSA is often thought of as having virtually magical computing abilities, but properly implemented encryption with a strong encryption key is practically unassailable.
  #3  
Old 08-08-2019, 04:15 PM
Inner Stickler is offline
Guest
 
Join Date: Jul 2005
Location: Minnesota
Posts: 15,151
Even when businesses and cities pay for consulting and security help, the consultants often simply pay the ransom and get the key and charge the business the cost of the ransom plus a markup.
  #4  
Old 08-08-2019, 04:18 PM
bob++ is offline
Guest
 
Join Date: Jan 2013
Location: Worcestershire UK
Posts: 6,773
There might also be a case of 'you made your bed...'. No doubt all public authorities get advice from central government about beefing up their security, but they are often reluctant to spend the money.
  #5  
Old 08-08-2019, 04:19 PM
Rysto is online now
Guest
 
Join Date: Jun 2002
Posts: 7,185
And if the NSA did have the capability to decrypt strong encryption, they wouldn't give the game away by helping out some random city over a piddling $600K. (Not that I believe that they actually have that capability)
  #6  
Old 08-08-2019, 04:20 PM
KneadToKnow is offline
Voodoo Adult (Slight Return)
Charter Member
 
Join Date: Jul 2000
Location: Charlotte, NC, USA
Posts: 26,578
I know it's a very old book, but Cliff Stoll's The Cuckoo's Egg provides some insight into the NSA. First a quote from someone he met there: "NSA listens rather than talks." More succinct is the joke that "NSA" stands for "Never Say Anything."

Fixing hacked municipal computer systems would involve, if nothing else, admitting that they can fix hacked municipal computer systems.

Last edited by KneadToKnow; 08-08-2019 at 04:20 PM.
  #7  
Old 08-08-2019, 04:24 PM
scr4 is offline
Guest
 
Join Date: Aug 1999
Location: Alabama
Posts: 16,081
Also, paying the hackers is a pretty reliable way to recover data. The hackers have a strong incentive to be honest - otherwise nobody would ever pay the ransom.
  #8  
Old 08-08-2019, 04:36 PM
MaverocK is offline
Guest
 
Join Date: Dec 2013
Posts: 191
Quote:
Originally Posted by Cleophus View Post
Why do you think this? The NSA is often thought of as having virtually magical computing abilities, but properly implemented encryption with a strong encryption key is practically unassailable.
If you look at the history of cryptography, every algorithm gets broken eventually. NSA has so many resources and is backed by the US government.
  #9  
Old 08-08-2019, 04:45 PM
Telemark is online now
Charter Member
 
Join Date: Apr 2000
Location: Just outside of Titletown
Posts: 22,989
Quote:
Originally Posted by MaverocK View Post
If you look at the history of cryptography, every algorithm gets broken eventually. NSA has so many resources and is backed by the US government.
And yet, they still can't break effective encryption. And if they could, they wouldn't do it in this case.
  #10  
Old 08-08-2019, 04:50 PM
MaverocK is offline
Guest
 
Join Date: Dec 2013
Posts: 191
Quote:
Originally Posted by Telemark View Post
And yet, they still can't break effective encryption. And if they could, they wouldn't do it in this case.
How do we know that NSA is not able to break a currently used effective encryption? The fact that they have not publicized it does not mean they have not broken it. Am I wrong?
  #11  
Old 08-08-2019, 05:18 PM
Exapno Mapcase is offline
Charter Member
 
Join Date: Mar 2002
Location: NY but not NYC
Posts: 31,639
Quote:
Originally Posted by MaverocK View Post
How do we know that NSA is not able to break a currently used effective encryption? The fact that they have not publicized it does not mean they have not broken it. Am I wrong?
Has the "there's no evidence so it must be true" argument ever worked?
  #12  
Old 08-08-2019, 05:19 PM
Defensive Indifference is offline
Guest
 
Join Date: Jul 2007
Location: St. Louis, MO
Posts: 7,248
First, all encryption is breakable given enough time and computing power. We can estimate the processing effort required to break a certain type of encryption and the amount of CPU cycles, and we can come up with an estimate like "it would take 1000 CPUs eleventy gazillion years to break this". Breaking modern encryption algorithms, if they are effectively implemented, is said to be "computationally infeasible". That is, it would require so much time or so many CPU cycles, that it's effectively impossible, even for massively resourced organizations.

Second, the NSA is in the business of spying, not providing support to local cities or other organizations.

Third, lots of cities, faced with the need to get services back up ASAP, elect to pay the ransom. Many cybersecurity insurance policies will reimburse you for the cost of the ransom, so if you have the insurance, paying the ransom is often the least painful option. This has the unfortunate side effect of encouraging the hackers, but if you're a city administrator and you need to keep the buses running, and provide 911 service, and everything else, paying the ransom is mighty attractive.

Last edited by Defensive Indifference; 08-08-2019 at 05:20 PM.
  #13  
Old 08-08-2019, 05:37 PM
k9bfriender is online now
Guest
 
Join Date: Jul 2013
Posts: 11,504
Quote:
Originally Posted by MaverocK View Post
How do we know that NSA is not able to break a currently used effective encryption? The fact that they have not publicized it does not mean they have not broken it. Am I wrong?
There is no brute force way to break the encryption. Not unless they have some pretty powerful computers they haven't disclosed, or that they have found a way to factor numbers in polynomial time. Both are possible, but possible in the sense that me winning the lottery fifteen times in a row is possible, without buying a ticket.

That there may be some clever way to exploit a vulnerability in the encryption is a much better possibility. And if the NSA has discovered such a vulnerability, they are absolutely not going to disclose that they have done so, and close their window into surveilling what criminals thought was safe.

So, most likely answer is that they did not help out because they are not able to. It is not possible to do. The second most likely answer is that they could do it, but doing so would disclose too much of their capabilities, prompting criminals and terrorists to develop a newer more secure cryptography system.
  #14  
Old 08-08-2019, 06:19 PM
scr4 is offline
Guest
 
Join Date: Aug 1999
Location: Alabama
Posts: 16,081
Quote:
Originally Posted by MaverocK View Post
If you look at the history of cryptography, every algorithm gets broken eventually.
What makes you think that??
  #15  
Old 08-08-2019, 07:19 PM
Melbourne is offline
Guest
 
Join Date: Nov 2009
Posts: 5,322
Quote:
Originally Posted by scr4 View Post
What makes you think that??
Um, it's history.

Tangent: are the Floridians feeling embarrassed by the subsequent revelation that billions of dollars are flowing to the Norks?

Last edited by Melbourne; 08-08-2019 at 07:20 PM.
  #16  
Old 08-08-2019, 07:41 PM
Atamasama is offline
Member
 
Join Date: Sep 2009
Posts: 4,351
Quote:
Originally Posted by Melbourne View Post
Tangent: are the Floridians feeling embarrassed
It's Florida.
  #17  
Old 08-08-2019, 07:43 PM
scr4 is offline
Guest
 
Join Date: Aug 1999
Location: Alabama
Posts: 16,081
Quote:
Originally Posted by Melbourne View Post
Um, it's history.
"Every algorithm gets broken eventually"? No, history doesn't say that. Unless maybe you use a very generous definition of "eventually". Then it only proves that encryption can be broken after decades of advances in computer hardware and software.
  #18  
Old 08-08-2019, 07:54 PM
Chronos is offline
Charter Member
Moderator
 
Join Date: Jan 2000
Location: The Land of Cleves
Posts: 85,116
[Moderating]
Since the OP is evidently not interested in factual answers, let's just move this to IMHO.
  #19  
Old 08-08-2019, 08:27 PM
manson1972 is offline
Member
 
Join Date: Jan 2004
Posts: 12,024
Quote:
Originally Posted by k9bfriender View Post
So, most likely answer is that they did not help out because they are not able to. It is not possible to do. The second most likely answer is that they could do it, but doing so would disclose too much of their capabilities, prompting criminals and terrorists to develop a newer more secure cryptography system.
This is the answer.

Florida paid because it would cost a lot more to not pay. Look at recent stories about Baltimore. They didn't pay and it cost them 10 times the amount to fix their systems.

The NSA is not going to help with non-National Security or Critical Infrastructure systems. And in the off-chance that they decided to help because they were bored, or the Director has an aunt in Florida or whatever, you'll never know about it. And the people who DO know about won't say anything about it under penalty of jail time.

The Florida system had vulnerabilities because they don't know anything about cyber security, like most governments, companies, and individuals. Almost any system connected to the Internet nowadays can be exploited and subjected to a ransomware attack.
  #20  
Old 08-08-2019, 08:47 PM
Ravenman is offline
Charter Member
 
Join Date: Jan 2003
Location: Washington, DC
Posts: 26,684
Quote:
Originally Posted by MaverocK View Post
How do we know that NSA is not able to break a currently used effective encryption? The fact that they have not publicized it does not mean they have not broken it. Am I wrong?
The head of the Justice Department is saying this week that commercial companies should weaken their encryption so the FBI and other law enforcement agencies can access encrypted devices and communications. Obviously, the FBI is going to have far more access to US Government capabilities than some random municipality in Florida.

What do these facts say to you about your assumption that the US Government can crack strong encryption?
  #21  
Old 08-08-2019, 08:54 PM
manson1972 is offline
Member
 
Join Date: Jan 2004
Posts: 12,024
Quote:
Originally Posted by Ravenman View Post
The head of the Justice Department is saying this week that commercial companies should weaken their encryption so the FBI and other law enforcement agencies can access encrypted devices and communications. Obviously, the FBI is going to have far more access to US Government capabilities than some random municipality in Florida.

What do these facts say to you about your assumption that the US Government can crack strong encryption?
My guess is the head of the Justice Department has no idea what various departments of the US government can do.
  #22  
Old 08-08-2019, 08:57 PM
MaverocK is offline
Guest
 
Join Date: Dec 2013
Posts: 191
Quote:
Originally Posted by Chronos View Post
[Moderating]
Since the OP is evidently not interested in factual answers, let's just move this to IMHO.
Why are you saying that I am not interested in factual answers?

Quote:
Originally Posted by scr4 View Post
What makes you think that??
"AES-256 is an algorithm. It can be broken. If you look at the history of cryptography, every algorithm gets broken eventually. That's why we make new algorithms. The question is how long it takes to figure out the math to break it."

Source: https://crypto.stackexchange.com/que...ion-is-cracked

Last edited by MaverocK; 08-08-2019 at 08:58 PM.
  #23  
Old 08-08-2019, 08:58 PM
Chronos is offline
Charter Member
Moderator
 
Join Date: Jan 2000
Location: The Land of Cleves
Posts: 85,116
The real problem wasn't a lack of cybersecurity. The real problem was a lack of backups.
  #24  
Old 08-08-2019, 09:20 PM
scr4 is offline
Guest
 
Join Date: Aug 1999
Location: Alabama
Posts: 16,081
Quote:
Originally Posted by MaverocK View Post
"AES-256 is an algorithm. It can be broken. If you look at the history of cryptography, every algorithm gets broken eventually. That's why we make new algorithms. The question is how long it takes to figure out the math to break it."
OK, so when we say "eventually" in this context, we really are talking long term, like decades. This is irrelevant to the question of whether a current, strong encryption can be broken now by anybody.

Last edited by scr4; 08-08-2019 at 09:21 PM.
  #25  
Old 08-08-2019, 09:44 PM
Atamasama is offline
Member
 
Join Date: Sep 2009
Posts: 4,351
Quote:
Originally Posted by MaverocK View Post
Why are you saying that I am not interested in factual answers?
You ask a question and argue against the answers. That's not asking for a factual answer, that's starting a debate, or at least trading opinions. Which is cool but not what GQ is for.
  #26  
Old 08-08-2019, 09:46 PM
manson1972 is offline
Member
 
Join Date: Jan 2004
Posts: 12,024
Quote:
Originally Posted by Chronos View Post
The real problem wasn't a lack of cybersecurity. The real problem was a lack of backups.
Backups ARE part of cybersecurity.
  #27  
Old 08-08-2019, 10:18 PM
Exapno Mapcase is offline
Charter Member
 
Join Date: Mar 2002
Location: NY but not NYC
Posts: 31,639
Quote:
Originally Posted by MaverocK View Post
Why are you saying that I am not interested in factual answers?



"AES-256 is an algorithm. It can be broken. If you look at the history of cryptography, every algorithm gets broken eventually. That's why we make new algorithms. The question is how long it takes to figure out the math to break it."

Source: https://crypto.stackexchange.com/que...ion-is-cracked
That's a random quote from a random guy on the internet. Not a rock solid source.

Especially since the other random guys on the same page keep making the same arguments that are being made here. E.g.:

Quote:
"You asked a cyber security expert if an algorithm could be cracked, to which the answer is always yes, ..." That might be the given answer, but that doesn't mean it's actually true. There's a huge difference between breaking the algorithm and breaking its implementation or circumventing it (in some larger context, e.g. the mode of operation, the protocol, etc.).
  #28  
Old 08-08-2019, 10:30 PM
Defensive Indifference is offline
Guest
 
Join Date: Jul 2007
Location: St. Louis, MO
Posts: 7,248
Maverock, what answer are you looking for? Almost everyone in this thread is saying some version of the following:

* "breaking" the encryption, while perhaps mathematically possible, is infeasible even with massive computing power;
* paying the ransom is the least painful way for the city to get back to doing its job;
* the NSA doesn't get involved in issues like this.

I'm a university professor of cybersecurity. I think manson1972 is in the field as well, and we're saying about the same thing. I mean, I know I'm just a rando on the internet, but I think I've established my knowledge in the field on this board.

To add a little more context, as computers get more powerful, the threshold for computational feasibility gets lower. Some day, AES 256 will no longer be sufficient to withstand brute force cryptanalysis. However, that day is not here yet. Properly implemented AES256 with a long key is still effectively unbreakable and will remain so until we're all doing quantum computing.

Last edited by Defensive Indifference; 08-08-2019 at 10:32 PM.
  #29  
Old 08-08-2019, 10:49 PM
MaverocK is offline
Guest
 
Join Date: Dec 2013
Posts: 191
Quote:
Originally Posted by Defensive Indifference View Post
Maverock, what answer are you looking for? Almost everyone in this thread is saying some version of the following:

* "breaking" the encryption, while perhaps mathematically possible, is infeasible even with massive computing power;
* paying the ransom is the least painful way for the city to get back to doing its job;
* the NSA doesn't get involved in issues like this.

I'm a university professor of cybersecurity. I think manson1972 is in the field as well, and we're saying about the same thing. I mean, I know I'm just a rando on the internet, but I think I've established my knowledge in the field on this board.

To add a little more context, as computers get more powerful, the threshold for computational feasibility gets lower. Some day, AES 256 will no longer be sufficient to withstand brute force cryptanalysis. However, that day is not here yet. Properly implemented AES256 with a long key is still effectively unbreakable and will remain so until we're all doing quantum computing.
OK. Thank you, everybody, for the answers. At first, I just could not make sense of the answers that I was getting. Now, everything is clear. I thought any encryption could be crack-able and NSA was capable of cracking it. I was wrong.

Last edited by MaverocK; 08-08-2019 at 10:50 PM.
  #30  
Old 08-08-2019, 11:33 PM
Shalmanese is offline
Charter Member
 
Join Date: Feb 2001
Location: Shenzhen, China
Posts: 7,294
It's incorrect that every algorithm has been broken. We move away from old algorithms to new ones out of an abundance of caution, not because there's been a convincing attack on them. About the only best in class algorithm that's been convincingly broken is DES, but more due to the inadequate key size than any deep flaw in the encryption. It's not clear if a 256 bit modified version of DES could be broken, we haven't tried because there are better algorithms that replaced DES.

If you consider hashes as well, MD5 is also considered broken while SHA1 is also probably broken. For everything else, there exists a few theoretical attacks that might decrease the order of magnitude by which a brute force attack can happen but nothing where you can produce a piece of software where encrypted text goes in one end and unencrypted text comes out the other in less than the lifespan of the universe.

Besides, there's one encryption system that we are theoretically assured never to be broken which is a properly implemented one time pad system. No amount of algorithmic cleverness or computational power will ever decrypt anything that has been encrypted properly with a one time pad.
  #31  
Old 08-08-2019, 11:54 PM
k9bfriender is online now
Guest
 
Join Date: Jul 2013
Posts: 11,504
Quote:
Originally Posted by manson1972 View Post
Backups ARE part of cybersecurity.
Yeah, restoring from backups is a pain.

Restoring without backups, however...

Quote:
Originally Posted by Shalmanese View Post
It's incorrect that every algorithm has been broken. We move away from old algorithms to new ones out of an abundance of caution, not because there's been a convincing attack on them. About the only best in class algorithm that's been convincingly broken is DES, but more due to the inadequate key size than any deep flaw in the encryption. It's not clear if a 256 bit modified version of DES could be broken, we haven't tried because there are better algorithms that replaced DES.

If you consider hashes as well, MD5 is also considered broken while SHA1 is also probably broken. For everything else, there exists a few theoretical attacks that might decrease the order of magnitude by which a brute force attack can happen but nothing where you can produce a piece of software where encrypted text goes in one end and unencrypted text comes out the other in less than the lifespan of the universe.
Even if it was a simpler, obsolete scheme, and it would only take a few decades, it's still probably cheaper and easier to pay the ransom.

Quote:
Besides, there's one encryption system that we are theoretically assured never to be broken which is a properly implemented one time pad system. No amount of algorithmic cleverness or computational power will ever decrypt anything that has been encrypted properly with a one time pad.
Just make sure your secretary doesn't decide to fix it because it doesn't look random enough.
  #32  
Old 08-09-2019, 12:04 AM
Defensive Indifference is offline
Guest
 
Join Date: Jul 2007
Location: St. Louis, MO
Posts: 7,248
Quote:
Originally Posted by Shalmanese View Post
Besides, there's one encryption system that we are theoretically assured never to be broken which is a properly implemented one time pad system. No amount of algorithmic cleverness or computational power will ever decrypt anything that has been encrypted properly with a one time pad.
Don't discount the power of Rubber Hose Cryptanalysis, though!

Obligatory XKCD: https://xkcd.com/538/
  #33  
Old 08-09-2019, 01:39 AM
DPRK is online now
Guest
 
Join Date: May 2016
Posts: 3,857
Quote:
Originally Posted by Defensive Indifference View Post
Properly implemented AES256 with a long key is still effectively unbreakable
The key length of AES-256 is limited to about 256 bits

As far as particular algorithms being intrinsically "broken" or not, there is a distinction to be made between theoretically decrypting text via brute force, and finding genuine flaws that lower the complexity of finding the key, possibly enough to make an attack practical. E.g. people have been able to shave off a couple of bits in the case of AES, but nothing like a practical attack is yet possible that way. An algorithm may also be unquestionably "broken" in other ways, even without the key being recoverable; for example, if it were possible to recover some information about the plaintext.
  #34  
Old 08-09-2019, 02:03 AM
friedo is online now
Guest
 
Join Date: May 2000
Location: Las Vegas
Posts: 24,430
Quote:
Originally Posted by MaverocK View Post
If you look at the history of cryptography, every algorithm gets broken eventually. NSA has so many resources and is backed by the US government.
When was XOR with a one-time pad broken?
  #35  
Old 08-09-2019, 07:25 AM
k9bfriender is online now
Guest
 
Join Date: Jul 2013
Posts: 11,504
Quote:
Originally Posted by friedo View Post
When was XOR with a one-time pad broken?
While a well implemented OTP is as close to perfectly secure as is possible, for the purposes of this thread and talking about the hostile encrypting of other people's files, it would not be a practical method of attack, as the one time pad would have to be at least as big as the data being ransomed, and that would be a bit harder to distribute with to unsuspecting users.
  #36  
Old 08-09-2019, 08:06 AM
Ravenman is offline
Charter Member
 
Join Date: Jan 2003
Location: Washington, DC
Posts: 26,684
Quote:
Originally Posted by manson1972 View Post
My guess is the head of the Justice Department has no idea what various departments of the US government can do.
My guess is that you aren't familiar with the FBI's deep links to the intelligence community.
  #37  
Old 08-09-2019, 08:17 AM
BrotherCadfael is offline
Guest
 
Join Date: Feb 2003
Location: Vermont
Posts: 10,316
Quote:
Originally Posted by KneadToKnow View Post
I know it's a very old book, but Cliff Stoll's The Cuckoo's Egg provides some insight into the NSA. First a quote from someone he met there: "NSA listens rather than talks." More succinct is the joke that "NSA" stands for "Never Say Anything."
"NSA - The only part of government that actually listens."
  #38  
Old 08-09-2019, 08:18 AM
bump is offline
Guest
 
Join Date: Jun 2000
Location: Dallas, TX
Posts: 18,431
Quote:
Originally Posted by Defensive Indifference View Post
Don't discount the power of Rubber Hose Cryptanalysis, though!

Obligatory XKCD: https://xkcd.com/538/
My mother-in-law was NOT happy when I pointed out to her that all her paranoid cybersecurity measures, up to and including deliberately turning the computer off when not in use were kind of pointless, because anyone who would actually deliberately target her would just go and break the glass beside the front door, let themselves in, turn the computer on, and go to town. Or break one of the 8 foot tall windows in the computer room and get in that way.

I was trying to point out that the real safety lies in obscurity; if they know who you are, and know they want to steal something, there are much easier ways to get it than cracking even basic router firewalls.
  #39  
Old 08-09-2019, 08:31 AM
manson1972 is offline
Member
 
Join Date: Jan 2004
Posts: 12,024
Quote:
Originally Posted by Ravenman View Post
My guess is that you aren't familiar with the FBI's deep links to the intelligence community.
My guess is that you are unfamiliar with the fact that the current head of the Justice Department is a moron.
  #40  
Old 08-09-2019, 08:34 AM
manson1972 is offline
Member
 
Join Date: Jan 2004
Posts: 12,024
Quote:
Originally Posted by bump View Post
My mother-in-law was NOT happy when I pointed out to her that all her paranoid cybersecurity measures, up to and including deliberately turning the computer off when not in use were kind of pointless, because anyone who would actually deliberately target her would just go and break the glass beside the front door, let themselves in, turn the computer on, and go to town. Or break one of the 8 foot tall windows in the computer room and get in that way.

I was trying to point out that the real safety lies in obscurity; if they know who you are, and know they want to steal something, there are much easier ways to get it than cracking even basic router firewalls.
This reminds me of one of the numerous dumb things in "Live Free or Die Hard". The main bad guy sends his henchmen to kill a few computer hackers. Instead of just waiting in their apartment and shooting them, they wire up explosives to their computers, and when they turn them on, they explode. Then, they have the nerve to call this a "cyber attack". God that movie is stupid.
  #41  
Old 08-09-2019, 11:18 AM
RaftPeople is offline
Guest
 
Join Date: Jan 2003
Location: 7-Eleven
Posts: 6,732
Quote:
Originally Posted by k9bfriender View Post
While a well implemented OTP is as close to perfectly secure as is possible, for the purposes of this thread and talking about the hostile encrypting of other people's files, it would not be a practical method of attack, as the one time pad would have to be at least as big as the data being ransomed, and that would be a bit harder to distribute with to unsuspecting users.
But you could come up with a simple and unknown encryption method that would be effectively unbreakable within the time required to be useful.
  #42  
Old 08-09-2019, 03:02 PM
ftg is offline
Member
 
Join Date: Feb 2001
Location: Not the PNW :-(
Posts: 20,309
One of the ransomware systems out there is not actually encrypting the data, it's zeroing it out! Apparently a mistake on their part if they're going after good sized fish who would no doubt look at some files to see what's what. (E.g., some older ransomwares just did an xor with a fixed string. Trivial to find the string if you have any backups at all and semi-trivial if you don't.)

If you're going to be that evil just write random bits.

And if somehow magically the NSA got involved, there's nothing they can do at the bulk scale. Recovering overwritten bits on a HD can sometimes be done with significant effort. An SD can be partially recovered at best.

At the data center level, the payment is cheaper and hopefully more reliable. Except that some ransomware folk aren't providing the key anymore. Money down the drain.
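The known-plaintext recovery that post #42 describes for fixed-string XOR, written out as an added example that is not part of the original thread. The key, file contents and function names are constructed for illustration, and the fixed string is assumed to restart at offset 0 of every file; the last case contrasts it with the one-time pad discussed in posts #30 to #35.

```python
"""Known-plaintext recovery of a fixed XOR string from one backup/encrypted pair.

All data here is constructed. Assumption: the fixed string restarts at
offset 0 of every file it was applied to.
"""
import random
from itertools import cycle


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with key repeated to length; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def shortest_period(stream: bytes) -> int:
    """Smallest p with stream[i] == stream[i + p] for every valid i."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i + p] for i in range(len(stream) - p)):
            return p
    return len(stream)


def recover_key(backup: bytes, encrypted: bytes, max_sample: int = 4096):
    """Return (key, confident) from a backup copy and its encrypted version.

    plaintext XOR ciphertext is the keystream; its shortest period is the
    fixed string. 'confident' is True only when the sample shows at least
    two full repetitions, which fails for a stale backup or a non-repeating pad.
    """
    n = min(len(backup), len(encrypted), max_sample)
    if n == 0:
        raise ValueError("need a non-empty backup/encrypted pair")
    keystream = bytes(p ^ c for p, c in zip(backup[:n], encrypted[:n]))
    key = keystream[:shortest_period(keystream)]
    return key, n >= 2 * len(key)


def demo() -> dict:
    key = b"fixed-string!"  # constructed stand-in for the unknown fixed string
    backup_a = b"Utility billing export 2019-06, constructed sample record\n" * 3
    secret_b = b"Payroll ledger with no surviving backup (constructed)\n"
    enc_a = xor_repeating(backup_a, key)
    enc_b = xor_repeating(secret_b, key)

    # One file with a backup is enough to restore a file that has none.
    found, confident = recover_key(backup_a, enc_a)
    restored_b = xor_repeating(enc_b, found)

    # Stale backup: the live file changed by one byte after the backup was taken,
    # so the derived keystream is no longer periodic and must not be trusted.
    stale = backup_a[:40] + b"#" + backup_a[41:]
    _, stale_confident = recover_key(stale, enc_a)

    # One-time pad: random keystream as long as the data. The same procedure
    # yields only that file's pad, which says nothing about any other file.
    rng = random.Random(2019)
    pad = bytes(rng.getrandbits(8) for _ in range(len(backup_a)))
    _, pad_confident = recover_key(backup_a, xor_repeating(backup_a, pad))

    return {
        "found_key": found,
        "confident": confident,
        "restored_b": restored_b,
        "secret_b": secret_b,
        "stale_confident": stale_confident,
        "pad_confident": pad_confident,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```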
  #43  
Old 08-09-2019, 03:35 PM
Skywatcher is online now
Charter Member
 
Join Date: Mar 1999
Location: Somewhere in the Potomac
Posts: 35,061
Here's a related thread from a couple years ago. Ransomware: What is the alternative to paying the ransom?
  #44  
Old 08-10-2019, 12:13 AM
edwardcoast is offline
Guest
 
Join Date: Jan 2014
Posts: 1,148
Quote:
Originally Posted by MaverocK View Post
The link to the article: https://www.mazechmedia.com/2019/06/...-systems-back/



What I don't understand is why NSA did not help? They could crack it. Florida city is part of the US, right? Am I wrong?
What I don't understand is why some organizations are so lax with computer security they have no backups or disaster recovery plan is in place. The article said they believe it started with someone opening an e-mail with a virus. We easily have ways to filter out a virus. We have snapshot backups to be stored off-site and online.

I just don't get it. Something has been lost along the way, that they think reasonable computer security, backups and testing are no longer needed.
  #45  
Old 08-11-2019, 12:43 PM
scr4 is offline
Guest
 
Join Date: Aug 1999
Location: Alabama
Posts: 16,081
Quote:
Originally Posted by bump View Post
My mother-in-law was NOT happy when I pointed out to her that all her paranoid cybersecurity measures, up to and including deliberately turning the computer off when not in use were kind of pointless, because anyone who would actually deliberately target her would just go and break the glass beside the front door, let themselves in, turn the computer on, and go to town.
I don't think that would work. If she was paranoid about data security, I'm sure she used full disk encryption like Bitlocker, which should be effective against this type of attack.
  #46  
Old 08-11-2019, 01:06 PM
Pantastic is offline
Guest
 
Join Date: Sep 2015
Posts: 4,293
Quote:
Originally Posted by edwardcoast View Post
I just don't get it. Something has been lost along the way, that they think reasonable computer security, backups and testing are no longer needed.
Usually it's a matter of management not wanting to budget for it. Slapping on some AV software is cheap and you can tell people you've done something security wise. Creating a comprehensive system of backups, including offsite backups, disaster recovery, centrally managed AV, and training/enforcing users not to bypass it (by doing things like saving important files to a local drive instead of the network drive that gets backed up) all need money and people. And if management isn't familiar with IT and doesn't have anyone pressing them to do it, they're really not going to want to spend money on these sort of invisible background protections until after a disaster.

A lot of states are waking up and enforcing standards for state and local agencies, but it's nowhere near universal. Until they do, lots of cities and smaller agencies will just have horrible IT practices and will be highly vulnerable to situations like this. I mean, I know of an agency that finally got rid of their last Windows 2000 web servers about a year ago, even though windows 2000 stopped getting security patches around a decade ago.

Quote:
Originally Posted by bump View Post
My mother-in-law was NOT happy when I pointed out to her that all her paranoid cybersecurity measures, up to and including deliberately turning the computer off when not in use were kind of pointless, because anyone who would actually deliberately target her would just go and break the glass beside the front door, let themselves in, turn the computer on, and go to town. Or break one of the 8 foot tall windows in the computer room and get in that way.
If she knew what she was doing and using cyber security measures, then they'd turn the computer on, and not be able to get in because they couldn't get past the encryption software. If she's 'regular paranoid' it would just have a password, if she's 'seriously paranoid' it could require some kind of physical device to get by. Encrypting drives that have data (and routinely cleaning drives that shouldn't) massively reduces the risk of exposure from physical access.
  #47  
Old 08-11-2019, 02:25 PM
k9bfriender is online now
Guest
 
Join Date: Jul 2013
Posts: 11,504
Quote:
Originally Posted by scr4 View Post
I don't think that would work. If she was paranoid about data security, I'm sure she used full disk encryption like Bitlocker, which should be effective against this type of attack.
Except for the password taped to the side of the monitor, or the dongle sitting on the tower.

People are bad at physical security.
  #48  
Old 08-11-2019, 02:57 PM
SamuelA is online now
Guest
 
Join Date: Feb 2017
Posts: 3,713
Quote:
Originally Posted by Defensive Indifference View Post
I'm a university professor of cybersecurity. I think manson1972 is in the field as well, and we're saying about the same thing. I mean, I know I'm just a rando on the internet, but I think I've established my knowledge in the field on this board.

To add a little more context, as computers get more powerful, the threshold for computational feasibility gets lower. Some day, AES 256 will no longer be sufficient to withstand brute force cryptanalysis. However, that day is not here yet. Properly implemented AES256 with a long key is still effectively unbreakable and will remain so until we're all doing quantum computing.
Bolding mine. The two statements you made are inconsistent with each other. If you really have the background you claim, you would know that, short of non-classical computers or a breakthrough in mathematics, AES 256 is impossible to break with any computer that could be built with all the matter in the observable universe.

It's entirely possible that AES or other well-known algorithms contain a mathematical flaw that the NSA is keeping under wraps. Some of the leaked documents hint, actually, that they might have something like that. But this isn't a matter of computing power - if the NSA can break such messages, it's using a trick that allows them to do it with supercomputers that are feasible in the here and now.

And obviously, if they did have such a trick, it's going to be classified and kept secret to the maximum possible extent, so that foreign adversaries are unaware their secret communications are being decrypted. They aren't going to "help out" over a mere $600k.
  #49  
Old 08-12-2019, 10:50 AM
bump is offline
Guest
 
Join Date: Jun 2000
Location: Dallas, TX
Posts: 18,431
Quote:
Originally Posted by Pantastic View Post
If she knew what she was doing and using cyber security measures, then they'd turn the computer on, and not be able to get in because they couldn't get past the encryption software. If she's 'regular paranoid' it would just have a password, if she's 'seriously paranoid' it could require some kind of physical device to get by. Encrypting drives that have data (and routinely cleaning drives that shouldn't) massively reduces the risk of exposure from physical access.
Well of course; that was my point. She didn't have a password or disk encryption software, but for some bizarre reason, she thought that turning the thing off every night somehow materially enhanced her security, despite having file cabinets full of sensitive stuff in the same room with the easily breakable windows. It was ignorant paranoid.

It was a case of seriously flawed risk assessment - in her thinking, the risk was from random internet hackers somehow getting access to her PC, figuring out her bank info, and stealing her blind, not someone deliberately targeting her and getting into the house somehow.

It's like setting off on a hike through Death Valley and worrying more about whether you have enough toilet paper than if you have enough water.

Last edited by bump; 08-12-2019 at 10:51 AM.
  #50  
Old 08-12-2019, 12:11 PM
Defensive Indifference is offline
Guest
 
Join Date: Jul 2007
Location: St. Louis, MO
Posts: 7,248
Quote:
Originally Posted by SamuelA View Post
Bolding mine. The two statements you made are inconsistent with each other. If you really have the background you claim, you would know that, short of non-classical computers or a breakthrough in mathematics, AES 256 is impossible to break with any computer that could be built with all the matter in the observable universe.
Do you mean "non-classical computers" like, for example, quantum computers which I mention in the very post you quoted?

And I want to see a cite for that "all matter in the observable universe" claim.