Sign in to follow this  
NeedleinA

To pay the ransom OR not pay the ransom? That is the question

Recommended Posts

So, what do you think... should Colonial have paid the $5 million in ransom to the hackers of the east coast pipeline?

Should hospitals who get ransomware do the same?
Somali pirates?
Hostage takers?

What would be better in the long run?
Feed the beast now, only to condition it to repeat the same behavior again?

 

Edited by NeedleinA

Share this post


Link to post
Share on other sites

Frankly, the decision to pay ransom (or not) depends on large part on what your alternatives are.

If Moroni hadn’t known where the Lamanites were keeping the captive Nephites (or was satisfied that their prison was impregnable), he may have been much more willing to do a deal.

Edited by Just_A_Guy

Share this post


Link to post
Share on other sites

As a rule of thumb, I default to not pay the ransom. 
 

here is my logic. (Whether it is good logic or not is undetermined and untested)

- death and pain is bad, but more death and more pain is worst.

- Paying ransoms incentivized more hostage holding.

Share this post


Link to post
Share on other sites

There was a movie in the 90’s called “Ransom” where Mel Gibson turns the tables on kidnappers who kidnapped his son. 

SPOILERS AHEAD

Instead of paying ransom to the kidnappers he puts a price on the head of the lead kidnapper on national television. Very cool idea, for a movie. 

 

Share this post


Link to post
Share on other sites
1 hour ago, Fether said:

- Paying ransoms incentivized more hostage holding.

This is essentially the same as frivolous lawsuits.  Too many people are willing to settle to avoid court costs.  That then incentivizes people to sue even more.  This got put on steriods by patent trolls.

It is also the reason why we shouldn't have government funded welfare.  And it is the logic behind why the US has a policy of not paying off terrorists (at least that's the official story).

Share this post


Link to post
Share on other sites
19 minutes ago, NeedleinA said:

This didn't take long:
Untitled-1.jpg.26fb2cb891625cb0249bc91bd55f18e5.jpg

Thank you all for your comments by the way.

Well, I was never comfortable with the idea of a nationalized healthcare system with every citizen’s critical health data being kept in a nationally-managed database—but I have to admit that even I wasn’t keeping this particular contingency in my “what-could-possibly-go-wrong?” file . . .

Share this post


Link to post
Share on other sites

I was shocked at how terrible the Colonial Pipeline Information Technology holes were.  They have money obviously.  Fix your security holes. 

A good Information Technology staff would have ignored the ransomware demands and had their systems back up and running within hours.  A better staff would have not been so open and vulnerable to attacks.  Do not put your vital operating systems open to the Internet as it leaves you open to hacking attacks.

Edited by Still_Small_Voice

Share this post


Link to post
Share on other sites

There is so much more to these stories than what is covered in the press.  I have mentioned before that I have a brother that was on the executive board of an energy company.  For background he holds a masters degree in software auditing.  I sought his opinion in this matter.  He said that when he was working that on an average day when he came to work there were about 12,000 attempts to hack into the company's internal network.   He assured me that the number was not an exaggeration.   He is also well versed in what is called "risk management" on pipelines.   Many of you (like @Still_Small_Voice) think that energy companies operate pipelines and other infrastructure) with large amounts of available cash.  This is hardly the case because infrastructure is regulated by government oversight - which closely monitors operations, standards and what is spent as well as returns on investments.  In short government (through regulations) have as much or perhaps more control over the operation of infrastructure (such as pipelines and roads) as private companies - even if the infrastructure is owned by private concerns.  But in this I would point out that very few pipelines reside inclusively on private lands.  And for information; this is also true of transmissions lines for electrical power. 

But the problem gets even worse - hacking and attempting to hack into a private network is not criminal, except and only if the hacking is followed up with provable damage.  It is criminal for a company to "retaliate" against hackers on their own.  The only recourse against hackers is through the courts - which my brother informed me is almost impossible, especially if the hacker is on foreign soil and again, more difficult it the foreign country is somewhat unfriendly.

But there are other problems - our government is not adverse itself to using cyber attracts against unfriendly countries and this is not a internet only problem.  For 10 years I worked on government military programs (over 30 years ago) and I have some knowledge of ways to hack (dismantle) infrastructure.  Experts have been saying for decades that our infrastructures are vulnerable and something needs to be done - starting with government regulations.  I agree.  I have not said much myself because I have not wanted to give terrorists any ideas.  However, I would say this - I know the means by which and individual (working as a lone wolf) could cause of death of up to 20 million Americans with a budget of less than $20,000 (or less).  I have personally spoken to FBI agents of my concerns and they have validated that it would currently be impossible to stop such an attack.   

I am not happy with the appearance of response - not just by the operators of the pipeline but more so by our government officials.    If those that intend us harm do not fear our response - there is nothing to prevent them and protect us for deadly harm - a lesson we should of learned from 9/11.

 

The Traveler

Share this post


Link to post
Share on other sites

It seems it was only their ability to bill others and track financial accounts that was compromised.  The actual pipeline transportation of fluids was not. 

They were able to restore most by backups after wiping the affected computers.

HOWEVER, if it had actually been a compromise of the pipeline where a foreign entity gained control...I'd have considered it an act of war.  I think in such a scenario it should be treated as such.

Challenge the nations the hackers are part of if the nation doesn't give up the hackers and if they don't...then treat an act of war with the ensuing treatment.  Control of your energy resources by another entity to that degree is not where you pay off the enemy actors, but you destroy them so that they cannot do this to you again.

This may seem a little extreme though.  I'm one who feels we should go after the phone scammers who take money from US citizens as a terrorist threat as well that we should also go after (though with SEAL teams and such instead) currently, so maybe not the best take.

That said, the pipeline, from what I understand, was never itself, compromised.  Instead, it were the computers that kept track of who purchased what and kept track of finances which is a different matter entirely.

Share this post


Link to post
Share on other sites
On 5/14/2021 at 6:02 AM, Fether said:

- death and pain is bad, but more death and more pain is worst.

- Paying ransoms incentivized more hostage holding.

Very related story:

https://www.history.com/news/native-american-slavery-mormon-utah

Share this post


Link to post
Share on other sites
15 minutes ago, NeuroTypical said:

Related and unabashedly slanted. That article is not an honest, evenhanded attempt to describe and assess what happened. People who write articles like that deserve to be assiduously ignored.

Share this post


Link to post
Share on other sites

Huh.  I found it a rather charitable attempt to explain the good intentions behind regrettable bits of history, with obvious similarities to paying ransom to thieves to get your pipeline back.

Share this post


Link to post
Share on other sites
On 5/24/2021 at 9:21 AM, kathyleen said:

Just for me it's a great opportunity for working with big money. The Software Development Life Cycle encompasses software requirements, technical analysis, and design and programming. The Software Development Life Cycle helps to link technical team members, non-technical team members and outside project stakeholders to convert your unique concept to a practical software product or service. Software Development Life Cycle (SDLC) starts with the definition of goals and requirement, designing and testing of concept and coding, and finally maintenance and support of software. An app development company may use different methods to develop an app and thus each step in the SDLC has a direct link with the next one. For instance, in the first phase of SDLC, the software is developed using the user stories or architectural designs. More information you can find there https://mlsdev.com/blog/how-to-build-a-social-network-website-from-scratchThe second phase includes the functional requirements of the software in terms of both functions and users. The third stage will include the formal verification of the functional requirements. This includes verification of data models, code and program logic. Users are then considered to be the final review target for software development services and software testing. After the testing phase, the software is ready to be released under the end-user license.

What is you concept of self modifying software and artificial intelligence by design? 

 

The Traveler

Share this post


Link to post
Share on other sites
On 5/14/2021 at 11:25 AM, Just_A_Guy said:

Well, I was never comfortable with the idea of a nationalized healthcare system with every citizen’s critical health data being kept in a nationally-managed database—but I have to admit that even I wasn’t keeping this particular contingency in my “what-could-possibly-go-wrong?” file . . .

Since the introduction of computer and computing into modern life there have always been fears that every benefit could be turned into liability even before the internet existed.  Dare I be so alarmists as to say that any system can be hacked - despite the rhetoric of the current administration (and this includes systems not connected to the internet).  

I will suggest that the first step towards solving the hacking problem is to make attempting to hack a serious legal offense and as much an act of war as bombing or destroying any other form of infrastructure.   I no longer consider myself an expert that I was 20 years ago - except that things will only get worse until we become more serious about hacking.  Currently the benefits (including honor and prestige) of hacking far (very much far) outweigh the deterrents. 

 

The Traveler

Share this post


Link to post
Share on other sites

Elder Porter visited my mission in San Antonio and spoke at a conference. He provided the following scenario due to recent kidnappings and ransoms. He said, "President Hinckley asked the following question, 'What would you do if I am kidnapped and a ransom was given'"? He answered his own question with, "Nothing. You do nothing." He then said, "This goes the same for you."

It was under the impression that if any of the leaders of the Church were to be kidnapped and a ransom paid, then it would only encourage/entice more kidnappings and ransoms. I thought the story was interesting.

Share this post


Link to post
Share on other sites
On 6/4/2021 at 11:03 PM, Anddenex said:

Elder Porter visited my mission in San Antonio and spoke at a conference. He provided the following scenario due to recent kidnappings and ransoms. He said, "President Hinckley asked the following question, 'What would you do if I am kidnapped and a ransom was given'"? He answered his own question with, "Nothing. You do nothing." He then said, "This goes the same for you."

It was under the impression that if any of the leaders of the Church were to be kidnapped and a ransom paid, then it would only encourage/entice more kidnappings and ransoms. I thought the story was interesting.

While living in Seattle I met a most interesting guy that was involved in international business and use to live in South America.  He relocated to the USA when over 100 rounds hit his home when his next door neighbor was kidnapped and held for ransom.  What was interesting is that he said you will never see a Coca Cola executive kidnaped (this was about 40 years ago).  He told me that the reason is because Coca Cola hired mercenaries that went into the backwater places of South America and met with the organizations involved with kidnappings.  During the meetings the mercenaries said that no ransom would ever be paid - BUT!  Then an scrap book of pictures of the families of the organization was shown.  They said that mercenaries vowed that they would kill everyone in the book until the kidnappers surrendered to them. 

I have heard rumors that the KGB also utilizes such tactics - I have never heard of a Russian diplomate being kidnapped (or attacked as was one of our Ambassadors under H. Clinton) - nor have I ever heard of Coca-Cola having any problems.  Sometimes I am convinced that the only way to stop certain things from happening - is when the risk of retaliation us greater than any possible rewards.  However, I wonder how Church Leaders have (at least in recent history) avoided what seems to be building up in these Last-days.

 

The Traveler

Share this post


Link to post
Share on other sites

By the way:

https://www.npr.org/2021/06/08/1004223000/how-a-new-team-of-feds-hacked-the-hackers-and-got-colonial-pipelines-bitcoin-bac

Quote

The Department of Justice on Monday touted the recovery of $2.3 million — about half — of the ransom that was collected by hackers in the Colonial Pipeline attack last month. Experts say it was a surprising outcome to an increasingly frequent and severe crime.

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this