Slashdot Mirror


Paying Hacker Extortion

An anonymous reader writes "A friend works as CIO at a medium sized publicly traded company. The company was contacted by a hacking group and told to pay $100,000 to prevent their company from being hacked/attacked. They actually paid the extortion (told authorities after). The authorities said the company could be charged with supporting Terrorists. Seeing that most publicly known hacks are costing companies this size nearly a million dollars, is this supporting terrorists or supporting stockholders?"

52 of 412 comments

  1. everyone loses by alphatel · · Score: 2

    Is this supporting terrorists or supporting stockholders?

    1) Neither, it could be a 12 year old with hotmail sending threatening emails.
    2) Both, it is another corporate goon protecting his stock options.
    3) None, they were paid out in Botcoins.

    --
    When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
    1. Re:everyone loses by bipbop · · Score: 5, Informative

      Criminal, yes. The crimes in question have absolutely nothing to do with terrorism, though.

    2. Re:everyone loses by AliasMarlowe · · Score: 4, Interesting

      For $100k they could have got an internal security person for a year, or possibly a decent external consultant. Either way, hacking in would be made a bit harder in the future (but not impossible). As it is, they've set themselves up as a future victim for the next round of extortion.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    3. Re:everyone loses by cgenman · · Score: 5, Funny

      Or, more likely, they paid the 100,000 with the hopes that the hacker would be caught, then paid IBM 1 million dollars to secure their network.

      IBM then pays an external contractor 200,000 to do it. They pay the hacker $100,000 to do it. Hacker walks away with 200k and a springboard to legitimate work.

    4. Re:everyone loses by AliasMarlowe · · Score: 3, Funny

      Depressingly, your reading of the affair is possibly correct.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    5. Re:everyone loses by Riceballsan · · Score: 2

      It is the very definition of terrorism. Per the Webster dictionary "the systematic use of terror especially as a means of coercion". Now admittedly this definition can also refer to everything from 9/11, to the school bully saying "give me your lunch money or I punch your face in".

    6. Re:everyone loses by digitig · · Score: 2

      And the response to a threat of hacking is to be terrified? Or is it merely to be concerned?

      --
      Quidnam Latine loqui modo coepi?
    7. Re:everyone loses by Anonymous Coward · · Score: 2, Insightful

      The United States invading Iraq and Afghanistan would also be considered terrorism in some circles.

    8. Re:everyone loses by houghi · · Score: 4, Insightful

      No, it doesn't. Even IF the money would go to Al Qaida itself, the act would have nothing to do with terrorism. It is blackmail.

      Do not confuse one crime with another. Copyright infringement is not theft. Blackmail is not terrorism.

      --
      Don't fight for your country, if your country does not fight for you.
    9. Re:everyone loses by Jane Q. Public · · Score: 3, Informative

      Agreed. People need to stop throwing this word around willy-nilly, and get it through their heads that terrorism is a specific kind of crime: do what we demand (politically) or we'll start blowing people and things up.

      If demands aren't made (generally in advance), then it's not terrorism, even if they blow something up. If they don't blow things up (or at least really conspire to do so), then it's not terrorism... it's just attempted extortion. Terrorism is generally something that threatens many people, not just a hostage... though I suppose you could call taking a political leader hostage to be a form of terrorism.

      But the point is: broadly speaking, terrorism is a conspiracy to make political gains by means of threatening people en masse. It is pretty hard, though possible, for a single individual to qualify as an actual terrorist.

      People seem to forget that in the 60s and early 70s, the US had a great many liberal political terrorists within its borders, who committed more bombings in the early 70s, in Washington DC alone, than all the "right-wing" terrorists since, combined.

    10. Re:everyone loses by pclminion · · Score: 5, Insightful

      Quit diluting the meaning of the word "terror." Terror is fearing you might be blown into bloody pieces while standing in line at a sandwich shop. Terror is fearing your elementary school kid will die a fiery death in an exploding school bus. Terror is wondering whether the building you work in is going to be on the receiving end of a trans-continental jet liner moving 500 MPH. These things are terrifying.

      We already have words for the sort of thing the article is talking about: extortion, blackmail, etc.

    11. Re:everyone loses by sconeu · · Score: 4, Funny

      I guess he needs to go sit over there on the Group W bench

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    12. Re:everyone loses by twidarkling · · Score: 3, Insightful

      I'm sorry, but that's a retarded response. Even if I think the reaction to 9/11 was overblown, hacking a company is a completely different scale than wide-spread physical destruction and loss of life. To try and equate them means you're not an individual who should ever be included in a rational discussion about proportional response or morality. If I had to guess, I'd say you're probably one of the "nuke 'em all and fuck sorting them out" types, right?

      --
      Canada: The US's more awesome sibling.
    13. Re:everyone loses by digitig · · Score: 4, Insightful

      I think the response of the victims of the 9/11 attacks would likely have been terror. I've been working in a place where the IT department was dealing with a cracking attack, and nobody was screaming or throwing themselves from windows.

      --
      Quidnam Latine loqui modo coepi?
  2. And now by The MAZZTer · · Score: 3, Insightful

    They'll just be hacked anyway.

    1. Re:And now by odin84gk · · Score: 4, Insightful

      They will get asked for money on a yearly basis.

    2. Re:And now by jmorris42 · · Score: 3, Insightful

      > They will get asked for money on a yearly basis.

      Which is why you never pay Danegeld. It never gets rid of the Dane.

      Trillions for defense, not a penny in tribute is the only long term strategy for dealing with aggression. And these threats are aggression and weakness in the face of aggression always invites fresh demands. We should be tracking down these 'hacking' groups with the same vigor we go after other organized crime and terrorism. If that means dropping a Hellfire missile down on a few houses in countries where the local authorities won't take this stuff seriously I'm not going to lose sleep over it. Can we bomb the spammer/phishers too while we are at it?

      --
      Democrat delenda est
    3. Re:And now by MaxBooger · · Score: 3, Insightful

      Oh... I didn't realize this was an article on Norton/McAfee antivirus.

    4. Re:And now by digitig · · Score: 5, Interesting

      A former colleague who had worked in some highly corrupt countries told me that the first time he filled in an expenses claim (for a visit to a country where he couldn't even get on the flight back without bribing the check-in clerk) he put down a claim for "Bribery and corruption". The accounts department bounced it and told him to put down "Payments as understood".

      --
      Quidnam Latine loqui modo coepi?
    5. Re:And now by timeOday · · Score: 2

      But let's say your spouse goes to Mexico for business and gets kidnapped. Do you pay? Remember, the kidnappers have to maintain their brand image. i.e. they probably will either kill or return your spouse, your choice. And if you pay, you can stay relatively safe by never crossing the border again.

      Clearly it would be better for potential victims as a whole if you don't pay. But clearly it would be better for you to pay.

    6. Re:And now by dcollins · · Score: 4, Insightful

      He already said he wants to pay trillions. He preemptively out-crazied you by more than 6 orders of magnitude.

      --
      We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
    7. Re:And now by flaming error · · Score: 5, Funny

      > Trillions for defense, not a penny in tribute is the only
      > long term strategy for dealing with aggression.
      Sounds great, but there are always details.

      In the case of the US, we wanted to get rid of a Bear, so we spent billions raising bees. The Bear grudgingly backed off, so we started trying to drive the bees away, and they attacked us. So now we spend trillions on cruise missiles to get the bees, we strip-search each other for signs of honey, and we look over our shoulder for aggressive Pandas.

      Maybe there's another way.

    8. Re:And now by laron · · Score: 3, Informative

      I would modify that strategy if necessary. Example:
      In the dark ages, the German King Henry I did have a problem with Hungarians who were in the habit of looting and pillaging southern Germany. He paid them tribute for a few years, while building castles and city walls and raising militias. When he felt he was ready, he unilaterally reduced the yearly tribute to one (1) dead dog.
      http://en.wikipedia.org/wiki/Riade

      --
      "Beware of he who would deny you access to information, for in his heart he dreams himself your master."
    9. Re:And now by Xaedalus · · Score: 2

      Make a proper example once and the problem never recurs.

      Funny thing: that specific brand of vengeance-fueled morality never seems to work for long. Russians did that to Chechnya, and all they did was breed a whole new generation of pissed-off Caucasian Muslims swearing blood feud against the Rodina for all eternity. Didn't stop the mujahideen from scalping the Russians (with our help) for a decade in Afghanistan either.

      The only way your proposal DOES work is if you engage in active, wholesale genocide and you do not stop until the entire offending culture is wiped from the face of the Earth. Hardly anyone has the stomach for that these days. Tamerlane did it to the Persians and the other peoples of the steppes (We're lucky we even have Persians these days, he wasn't as thorough as he wanted to be). Genghis Khan did it to the Tibetans (the first recorded instance of complete genocide in recorded history - part of the reason the Chinese don't want to let go of Tibet is because there are no more true ethnic Tibetans, only Tibetans of Chinese ancestry who adopted the Tibetan culture). And of course Rome did it to Carthage (even went so far as to salt the grounds after slaughtering every last man, woman, and child in Carthage to prevent the city from ever rising again).

      So, are you ready to start advocating Genocide and the world-wide rule of Might Makes Right, knowing that if you don't do a complete job, that one day someone will come after your descendants claiming the same divine right to wipe your genome, and all those associated with you from the Earth?

      --
      Here's to hot beer, cold women, and Glaswegian kisses for all.
  3. Short answer by Volante3192 · · Score: 2, Insightful

    Is this supporting terrorists or supporting stockholders?

    One in the same...

    1. Re:Short answer by ffejie · · Score: 2

      Are you saying that the terrorists are invested in the company they are trying to hack? Unlikely.

      Or, are you making the lazy assumption that shareholders are bad people and labeling them terrorists? I got news for you: do you have a 401K or a pension? You're likely a shareholder of something. That probably doesn't make you a bad person, and certainly not a terrorist.

      --
      Disagreeing with me does not mean you get to mod me troll.
    2. Re:Short answer by Volante3192 · · Score: 3, Insightful

      do you have a 401K or a pension? You're likely a shareholder of something.

      Nope. Basically, I'm fucked come retirement...assuming I don't kill myself with cirrhosis first. I've made peace with that though.

  4. How exactly did they pay them? by pudding7 · · Score: 2

    PayPal? Besides airdropping suitcases full of cash into the ocean, how do corporations pay ransom these days?

    1. Re:How exactly did they pay them? by fuzzyfuzzyfungus · · Score: 3, Funny

      Western Union, obviously. The head of Fisrt National Trust Reserve Bank of Nigera, LLC, kindly offered to handle the whole matter in strictest confidence for them.

    2. Re:How exactly did they pay them? by Anonymous Coward · · Score: 3, Insightful

      The same way that people have been transferring money illegally for decades: wire transfers to Caribbean banks with strict privacy laws and lax banking regulations.

    3. Re:How exactly did they pay them? by rwa2 · · Score: 2

      Some way that's trackable, I suppose? Wired transfer with fractional pennies as a watermark?

    4. Re:How exactly did they pay them? by melikamp · · Score: 5, Insightful

      This is utter BS. I bet it was the execs themselves who stole the money, probably long before they were "contacted by hackers". If it looks and smells like The Big Lebowski...

  5. Here's a thought by Dunbal · · Score: 4, Insightful

    How about hiring someone who actually has some idea about security. THAT is supporting stockholders.

    --
    Seven puppies were harmed during the making of this post.
    1. Re:Here's a thought by Wrath0fb0b · · Score: 2

      How about hiring someone who actually has some idea about security. THAT is supporting stockholders.

      Short term, he might have a crapload of work to do to implement best practices, clear out infected machines, train users on password complexity all while being attacked and losing business due to unavailability. Shareholders would not appreciate that, nor would any sensible security consultant promise they can dig you out of an attack as it is occurring.

      It might be best to pay them for short term protection and use that breathing space to harden up so the next time they ask, you are prepared.

    2. Re:Here's a thought by interkin3tic · · Score: 4, Insightful

      It does seem like $100k spent on security would have longer benefits than one payoff. For that matter, maybe a $100k insurance policy would be a better investment.

  6. Can't it support both? by Rivalz · · Score: 4, Funny

    It seems like it is making everyone happy these days.
    News agencies are creaming their panties.
    Companies get to sweep shit under the rug while their competitors crash and burn. (I bet you Microsoft was heart broken to hear the PSN got hacked.)
    Hackers make some money and who knows might eventually get laid.
    The Government gets to restrict our freedoms and buy bigger shiny new toys and has even more reasons to keep printing money until it costs more to print it than it's worth.

    I get the pleasure of changing my password every twenty minutes to something like LKJGDSKLeiojgtqpltjwe4jt]90iejaasdfHippofucknuggets

    Everyone WINS!

  7. Supporting Criminals by Jaime2 · · Score: 3, Insightful

    Paying ransom is almost always a bad idea for the community as a whole. The authorities are simply trying to make the company do the right thing instead of the selfish thing. The biggest problem with security is that the incentives are rarely aligned with the responsibilities; this is a classic case of re-aligning those by pushing the societal cost back to the people who are in a position to make the decision.

    1. Re:Supporting Criminals by Anonymous Coward · · Score: 2, Insightful

      The authorities are simply trying to make the company do the right thing instead of the selfish thing.

      And threatening them with a crime is always a good way to encourage them to talk to the cops next time, because I'm sure the cops would have put that right at the top of their todo list before the money had traded hands.

      Right...

  8. Solution: Fire middle management. by copponex · · Score: 2, Insightful

    With the savings your friend could hire some real security experts to keep their systems online.

    As for the terrorism bit, it makes me wonder when we can sue members of the Reagan Administration for arming the proto-Taliban, Saddam Hussein, and Iran. Clinton and Obama owe us a few bucks for Pakistan too, when they inevitably start arming terrorists in the near future. What's good for the goose is good for the gander, right?

    1. Re:Solution: Fire middle management. by Abstrackt · · Score: 2

      A gander is a male goose. A group of geese is called a gaggle if they're on the ground, a skein if they're in the air, or the group can be referred to as a flock regardless of context.

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
  9. Neither by Rary · · Score: 3, Insightful

    Is this supporting terrorists or supporting stockholders?

    "Supporting terrorists" is a stupid description, and the idiot who said that needs a kick in the teeth. However, also stupid was paying these jackasses. Take every precaution you can, get the authorities involved as a backup, maybe even alert your shareholders to the threat, but do not pay extortionist script kiddies.

    --
    "You cannot simultaneously prevent and prepare for war." -- Albert Einstein

    1. Re:Neither by The MAZZTer · · Score: 2

      If they had had the authorities involved from the beginning they might have been able to arrange for the money to be traced.

  10. In an unrelated question... by Anonymous Coward · · Score: 3, Funny

    What's the name of your friend's company?

  11. Dubious? by rueger · · Score: 4, Interesting

    Am I alone in finding this story incredibly sketchy? Either the company, the poster, and the police are stunning idiots, or it's just bullshit created to inflame a bunch of slashdotters.

    If some kind of attribution can't be found, I call BS.

    1. Re:Dubious? by bartwol · · Score: 2

      Very dubious. Slashdot often posts BS stories simply because doing so engages their readers. It is not a requirement of the editors that a story has integrity; only that a certain percentage of the stories have integrity. That's enough to keep people coming back with hope that their time isn't going to be wasted.

      This time, we're losers. And, yes, to me, it is mildly humiliating to be a participant in this.

      Slashdot. Not journalism. Infotainment. Hi BS quotient.

      (And that's why I read and respond less and less every year.)

  12. Danegeld by Rudyard Kipling by wolfsdaughter · · Score: 5, Informative

    Dane-geld
    (A.D. 980-1016)

    IT IS always a temptation to an armed and agile nation,
            To call upon a neighbour and to say:—
    “We invaded you last night—we are quite prepared to fight,
            Unless you pay us cash to go away.”

    And that is called asking for Dane-geld,
            And the people who ask it explain
    That you’ve only to pay ’em the Dane-geld
            And then you’ll get rid of the Dane!

    It is always a temptation to a rich and lazy nation,
            To puff and look important and to say:—
    “Though we know we should defeat you, we have not the time to meet you.
            We will therefore pay you cash to go away.”

    And that is called paying the Dane-geld;
            But we’ve proved it again and again,
    That if once you have paid him the Dane-geld
            You never get rid of the Dane.

    It is wrong to put temptation in the path of any nation,
            For fear they should succumb and go astray,
    So when you are requested to pay up or be molested,
            You will find it better policy to say:—

    “We never pay any one Dane-geld,
            No matter how trifling the cost,
    For the end of that game is oppression and shame,
            And the nation that plays it is lost!”

    --
    "Are they made from real Girl Scouts?" ~Wednesday Addams
    1. Re:Danegeld by Rudyard Kipling by PerformanceDude · · Score: 4, Informative

      Actually, Dane-geld comes from the Viking age. A good example is that the French king paid the Danes to stop destroying Paris. So they took the money and left, only to come back later and ask for more money. So yes - paying Dane-geld does not get rid of the Dane... http://en.wikipedia.org/wiki/Danegeld

      --
      Meus subcriptio est nocens Latin quoniam bardus populus reputo is sanus callidus
  13. Sound Like a Money Laundering Scheme? by InitZero · · Score: 5, Interesting

    So you say a mid-sized company paid a $100,000 extortion? That money went 'poof', right? Untraceable, right? Call me the suspicious sort but are we sure this is extortion and not embezzlement?

    Cheers,
    Matt

  14. They did! by Weezul · · Score: 2

    They bought something for that $100k, namely the hacker documenting his hack. I'm sure she even did a conscientious job for a coked up Belorussian teenager whose English does not extend beyond text speak.

    Yeah, sure $100k sounds steep for simply documenting a handful of security bugs, but they were the bugs that might've bitten you for $1M. And surely you saved way more by building your site using cheap ass Visual Basic developers, right?

    Anyways, anyone who views hacking as terrorism is a moron, especially the authorities who threatened the company.

    --
    The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
  15. Re:False dichotomy by Hatta · · Score: 2, Insightful

    That's the whole point of "terrorism". You can label anything terrorism, and all of a sudden none of the old rules apply.

    --
    Give me Classic Slashdot or give me death!
  16. Re:One AND the same... by Catnaps · · Score: 4, Funny

    Quite frankly, I could care less. After all, it's not rocket surgery.

  17. Stupidity. by drolli · · Score: 2

    a) I wonder which idiot put his/her signature under such a transfer. I presume there was no life in danger, which is the only reason one could think about supporting criminals. Fuck these guys (the crackers and the company). For 100000 dollars I can invest enough time to hack (presumably by social engineering and really simple attacks) into at least 10 companies; and I am not a professional, neither white-hat, nor black-hat.

    b) From the formal viewpoint, this looks like corruption. You pay people without any proof that they did something for you for a lot of money. Who keeps some employee from sharing his secrets and getting something back from some friends? Would be too easy!

    c) If they have been hacked already and just pay the blackmail money not to see their customer details in the newspaper, then it would be better to be completely honest about it.

    d) I don't think it should be considered to be "supporting terrorists", but it could be funding well organized crime.