Slashdot Mirror

← Back to Stories (view on slashdot.org)

"Red October" Espionage Malware Campaign Uncovered

Posted by samzenpus on from the protect-ya-neck dept.

L3sPau1 writes "For five years, it hid in the weeds of networks used by Eastern European diplomats, government employees and scientific research organizations, stealing data and infecting more machines in an espionage campaign rivaling Flame and others of its ilk. The campaign, called Rocra or Red October by researchers at Kaspersky Lab, focused not only on workstations, but mobile devices and networking gear to gain a foothold inside strategic organizations. Once inside, attackers pivoted internally and stole everything from files on desktops, smartphones and FTP servers, to email databases using exploits developed in Chinese and Russian malware, Kaspersky researchers said."

53 comments

  1. Not just that- by Anonymous Coward · · Score: 5, Funny

    It also stole first post! How devious!

    1. Re:Not just that- by Anonymous Coward · · Score: 4, Funny

      One ping only.

    2. Re:Not just that- by alphatel · · Score: 3, Informative

      Captain Ramius: Re-verify our range to target... one ping only.
      Capt. Vasili Borodin: Captain, I - I - I just...
      Captain Ramius: Give me a ping, Vasili. One ping only, please.
      The Hunt for Red October

      --
      When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
    3. Re:Not just that- by Anonymous Coward · · Score: 0

      One ping ought to be enough for everyone!

    4. Re:Not just that- by tacokill · · Score: 1

      Beautiful reference. Long overdue on /.

    5. Re:Not just that- by Anonymous Coward · · Score: 1

      ping -c 1 target

  2. Surefire Oscar idea by Anonymous Coward · · Score: 0

    You know, I have an idea. We could make a movie based on this, and how they found it. We'll call it, "The Hunt for Red October".

    I think the head security researcher should have a Scottish accent.

    1. Re:Surefire Oscar idea by Anonymous Coward · · Score: 0

      I think the head security researcher should have a Scottish accent.

      I think you're remembering the roles of the characters in that movie incorrectly. Fail.

    2. Re:Surefire Oscar idea by Anonymous Coward · · Score: 0

      You know, I have an idea. We could make a movie based on this, and how they found it. We'll call it, "The Hunt for Red October".

      I think the head security researcher should have a Scottish accent.

      I think the Russian Captain should have a Scottish accent.

      FTFY

    3. Re:Surefire Oscar idea by xQuarkDS9x · · Score: 1

      You know, I have an idea. We could make a movie based on this, and how they found it. We'll call it, "The Hunt for Red October".

      I think the head security researcher should have a Scottish accent.

      Too bad the book was a hell of a lot better when you look at how they significantly changed the storyline in the movie. Especially when in the book the british were involved :P

      --
      You must master your joystick like a fisherman masters bait! - Gimpy
  3. Least-interesting targets by Anonymous Coward · · Score: 2, Interesting

    Most of those IP addresses were in Switzerland, Kazakstan, Greece and Belarus

    In other words, it's mostly collecting information from the least-interesting countries in Europe (geopolitically speaking.) One has to assume that the real target(s) are just being drowned out by collateral traffic.

    If, and that's a big if, there actually is a defined target.

  4. This is why you always need to be prepared by cristiroma · · Score: 1

    And have a reliable phone in your toolkit - http://en.wikipedia.org/wiki/Nokia_5110.
    It has Snake, you know ...

  5. Time to ask some hard questions by Papa+Legba · · Score: 5, Interesting

    Its time we started to grill our malware detecors and virus scan makers because somethnig is going very very wrong. This makes the third or fourth MAJOR espionage virus/malware/trojan of a very large size that has been apparently rampaging for years. How can I now trust symantic to find a zero day and protect my systems when they have been unable to find things like red october and flame for years, and they are huge programs!

    I am not a big conspiracy theorist, but something is going on here. Why aren't these things being spotted and reported?

    --
    Papa Legba come and open the gate
    1. Re:Time to ask some hard questions by Errol+backfiring · · Score: 2

      True. I want to know who this Russian is who has a backup of my files.

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    2. Re:Time to ask some hard questions by Anonymous Coward · · Score: 3, Funny

      True. I want to know who this Russian is who has a backup of my files.

      his name is Kaspersky

    3. Re:Time to ask some hard questions by Charliemopps · · Score: 5, Informative

      How can I now trust symantic to find a zero day and protect my systems...

      You can't. You do not understand how malware/viruses work. If I wanted to write a virus to infect YOUR computer, it would never be detected. Antvirus software protects you against known threats. That's it. Someone, somewhere, figures out they are infected, figures out the file doing the infection and sends it in to Symantec or whomever. They find common code in the infected file that resembles other files that are infected and now they have something to look for when scanning. If no-one ever figures out that they are infected, and the people that wrote the virus didn't use bits of code from other viruses, then there's no way for the anti-virus companies to search for it.

      Some of the better antivirus packages scan for "suspect behavior" and such, but it really doesn't do much good. Antivirus protects you from getting the eveil toolbar viruses... stuff written by the worlds intelligence organizations that do not take over the computer and infest it with ads so the users never has a clue anything is wrong? It's never going to find that.

    4. Re:Time to ask some hard questions by Anonymous Coward · · Score: 0

      As other replies said, malware and viruses only can be stopped if they are known, there was also the proof of concept about knitted code a while ago that looks for files that are used with little but enough frequency and then a virus writing command hooks inside. In a sense this is always where we were headed, it's just that the majority of the world has opted for cheap solutions to problems without developing robust security on the back end. This isn't anyone's fault per say, it's more like everyone choosing to be fat all at once in America, it's not like we decided this together, we just are all being collectively lazy and greedy, same applies to many corporate and gov't IT approaches.

    5. Re:Time to ask some hard questions by Runaway1956 · · Score: 5, Interesting

      You've had some good answers posted already to the question, "How can I now trust symantic to find a zero day?"

      Let me make this painfully clear for you. Antivirus is a reactive defense. Malware writers are an active offense. In any kind of gamesmanship, be it real life combat, business, online gaming, or whatever, the offense always has the advantage. Hence, the old adage, "The best defense is a good offense."

      People who rely on antivirus programs to protect them are playing the game all wrong. It's a losing game, short term and long term.

      Want a better method? How about we catalog and fingerprint all programs and processes on our machines. A new or changed process can be identified and sandboxed or killed. Screw the whole antivirus strategy - all that does is to ineffectively use system resources that might be better used in another manner.

      Whether we fingerprint all processes or not, we can monitor communications. Each system establishes "trusted" protocols, ports, and addresses, everything else is blocked by default. That might throw a whammy into advertising networks, but so be it.

      Heuristics are far better than any semi-static list of "bad things", even if that list is updated every day, or every week.

      ALERT: An untrusted program is attempting to communicate with an unknown destination. Do you want to permit "PWNDMUTHAFUCKA.exe" to communicate with "bonedyomama.net" located at a proxy server in Singapore?

      That may be a waste of time though. Most users will just click "yes", even if the details of their recent banking transactions are printed below the warning.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    6. Re:Time to ask some hard questions by sl4shd0rk · · Score: 1

      Its time we started to grill our malware detecors and virus scan makers because somethnig is going very very wrong.

      Dude, get serious. AV isn't going to stop 0-day (which these attacks were *NOT*) anyway so it's pointless to expect 100% efficacy. AV is a last-ditch defense. If it worked like everyone thinks it does it would be magic. This is another run-of-the-mill application exploit caused by yet another exploit in some really popular software that I don't need to point out. Said software had 5 YEARS to fix the problems and did not. This is simply negligence on the part of the software vendor. Just saying.. put the blame in the right place.

      --
      Join the Slashcott! Feb 10 thru Feb 17!
    7. Re:Time to ask some hard questions by Anonymous Coward · · Score: 0

      Thas is why we have military offensive cyber abilities, when the usual means aren't working and it becomes a threat to the lifeblood of the economy, or the strategic state interest.

    8. Re:Time to ask some hard questions by Nocturnal+Deviant · · Score: 1

      its called a 0day for a reason. Exploiters dont run around screaming about the new buffer overflow they found.

      Look at the browser competitions, you really think they cracked it in about 20 seconds? They had that exploit for MONTHS, all they did was streamline how fast they could do it.

      For that matter, it is Not hard to turn off an antivirus or to slightly change the code of an already widely available virus to avoid detection.

      --
      -Noc
    9. Re:Time to ask some hard questions by Anonymous Coward · · Score: 0

      There is one way: Whitelisting. Why can't we have super insane whitelist mode?

    10. Re:Time to ask some hard questions by TheLink · · Score: 1

      How can I now trust symantic to find a zero day and protect my systems when they have been unable to find things like red october and flame for years

      You can't. The "Detect Malware Problem" is harder than the Halting Problem (which is unsolvable in the general case). You can use heuristics for specific cases and typical cases but you are not going to defeat a competent determined attacker.

      I don't bother running AV on my machine because the AV makers are more likely to screw up my machine than a virus is (they seem to screw up every 2 years or so). Slashdotters have flamed me and accused me of being stupid, but it works for me. I configure my browsers (and other network apps) to run different user accounts, so if my Slashdot browser gets pwned the malware still needs a privilege escalation exploit to affect my banking browsers and other stuff. And I never log in using the user accounts that my browsers run as (they are like the "nobody" account in unix- you can hide accounts in windows so they don't show up on the login screen). I can upload stuff to VirusTotal if I'm suspicious of it. I don't download and install stuff very often, so why pay the AV resource cost every day, and also risk the AV screwing up your machine? The stuff that's not found by VirusTotal is still not going to be found if I installed AV on my machine with all the costs and risks.

      This approach is not suitable for normal users of course, there are many inconveniences for example the browser can't update itself automatically - doesn't have the permissions.

      We're still in the dark ages of security. Lots of people here think too highly of Unix/Linux. The standard Unix security model isn't that great. With what we know in modern times, OS and application sandboxing could be a lot better. In some ways the mobile OSes are ahead of the Desktop ones in this area.

      Even getting the application to _propose_ its desired sandbox upfront is better than the AV approach ( as I've proposed: https://bugs.launchpad.net/ubuntu/+bug/156693 ). A sandbox is like "solving" the halting problem by forcing the program to halt after a time limit. Basically you can easily solve the halting problem if the operating system forces the program to declare upfront how much time it wants! An application that asks for too much becomes suspicious. You can have 3rd parties audit the sandbox request and approve+sign it.

      If I were a malware author I think that sort of thing would make my life more difficult than the current AV concept. Of course if I were a malware author I might write my malware in stuff like perl, ruby and python - just to see how the AV makers cope with TIMTOWTDI taken to the extreme :).

      --
    11. Re:Time to ask some hard questions by dgatwood · · Score: 2

      Some security software actually does just that (to varying degrees). For example: Little Snitch, Gatekeeper (classic Mac OS), Gatekeeper (OS X), and so on.

      The problem is that it's really hard to identify certain types of attacks in that way. For example, if there were a security hole in a web browser, unless the attacker modifies the browser to send data over a port other than port 80 or port 443, any side channel retransmission of your data is likely to be entirely transparent to any sort of external profiling that you could reasonably do. This is why it is so critically important to make sure that web browser code is, in fact, robust against attacks to begin with.

      This is also arguably a valid reason for moving away from general-purpose browsers for high-security transactions, and using separate apps instead. For example, a banking app would be whitelisted for the bank, period, and if it tried to communicate with any other server, that would be suspicious.

      Or we could just pass a law requiring that all financial transactions be signed using a non-Internet-connected PK crypto dongle and be done with it, but I digress.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    12. Re:Time to ask some hard questions by Anonymous Coward · · Score: 0

      ALERT: An untrusted program is attempting to communicate with an unknown destination. Do you want to permit "PWNDMUTHAFUCKA.exe" to communicate with "bonedyomama.net" located at a proxy server in Singapore?

      That may be a waste of time though. Most users will just click "yes", even if the details of their recent banking transactions are printed below the warning.

      I may be wrong about this, because I obviously do not react the same way the average computer user does, but judging from how I have often seen people respond to unexpected pop-ups they expect their computer to know what's best. I suspect that is because they are confronted with too many unexpected pop-ups asking questions they don't understand that are legitimate. They have been trained to answer "yes".

      Of course vendors try to have their software do as much as possible without confronting the user with the gory details. To me it seems that in addition to the positive effects this has it also makes the computer seem to have more of a life of its own, to be more autonomous and magical. In contrast to what I'm used to (Linux, not a heavy desktop environment but a leightweight window manager) Windows sometimes make me feel the computer is operating me. I think that is part of the problem. If a computer is a thing that doesn't show initiative hopefully a spontaneous popup asking permissions for "PWNDMUTHAFUCKA.exe" would be so out of the ordinary that people would be much more suspicious than they are now. The less magic, the more insight.

    13. Re:Time to ask some hard questions by jacknifetoaswan · · Score: 1

      I'm not sure if I'm reading things right, or not, but when they refer to 35 infected systems in Russia, is that 35 networks? 35 companies? 35 government offices? 35 computers?

      The way I read it, it's 35 computers, and if so, this is NOT a large, or even a medium sized attack, this is a couple of pissants who figured out an exploit, and it just happened to show up in a few random computers. But I could be wrong. It's happened before.

    14. Re:Time to ask some hard questions by aphelion_rock · · Score: 1

      True. I want to know who this Russian is who has a backup of my files.

      his name is Kaspersky

      Me too My hard drive crashed and I want to know if they can restore some of the files I lost...

    15. Re:Time to ask some hard questions by jbmartin6 · · Score: 1

      This would require the user to know what is required for the system to do what they want, which isn't going to happen. Malware doesn't come named "PWNDMUTHAFUCKA.exe" anymore, it comes named msexplorer.exe or something like that. How many users recognize that THAT file shouldn't be allowed? The only way to implement this approach for an ignorant user (just a fact, not a put down) would be the walled garden approach.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    16. Re:Time to ask some hard questions by Areyoukiddingme · · Score: 1

      Want a better method? How about we catalog and fingerprint all programs and processes on our machines.

      Some of us do. On Linux, it's called tripwire. It's been in repositories at least as far back as Debian 4.0, so it's undoubtedly available on all modern Debian derivatives, and probably all RedHats and its derivatives. It fingerprints all the system directories, crytographically, and stores the results. Then it checks the system against the hashes, usually every day. If you're paranoid and have a lot of system resources to spare, move its file from /etc/cron.daily to /etc/cron.hourly. If you're less paranoid and don't have many resources to spare, move it to /etc/cron.weekly. However often you let it run, it does precisely what you describe, at least as far as the binaries are concerned. Everything involved in running the system is fingerprinted, then periodically verified.

      Behavior is a different story, outside its purview.

    17. Re:Time to ask some hard questions by a_hanso · · Score: 1

      This may be a dumb question, but why aren't everyone doing this? I know nothing about desktop apps, but if I were to do this on a server environment, I would catalogue all the executables with their checksums and verify it every time before launching. Then (if I had that sort of influence), I'll create a system where all respectable software vendors (and OSS writers) separately distribute checksums as well. That'll take care of infections of legit software.

      Why even use AV software? This safeguard could be directly built in to the OS. Of course, this won't prevent you from downloading unknown crap from the Internet. I always verify the vendor before installing anything and I always download directly from the source. I haven't had an infection of any sort in YEARS. All we need is the same process, streamlined so that the average non-technical user can do it without the same investment in time.

      And as you say, monitoring and permissioning program behaviors should take care of a lot of problems, even if we don't fingerprint (although that's a considerable amount of work to be done on existing OS's). For example, I don't want my word processor accessing or writing anything outside designated document directories (why should it?), or accessing the Internet unless I allow it.

      Or is this an overly simplistic view?

    18. Re:Time to ask some hard questions by Runaway1956 · · Score: 1

      Simplistic? Certainly it's a simplistic view. But, from an engineering point of view, simple is good! KISS: Keep It Simple Stupid!

      Overly simplistic? Depends on who you're talking to. Here we delve into business and politics, mingled together. Add in a dash of everyday opinion, from whomever you might be talking to.

      Let's start with Microsoft, who believes that they have some kind of inherent "right" to control who uses their operating system, and how. They want a degree of control over the operating system, for benevolent reasons, as well as for selfish reasons. (pushing critical updates, for instance) Many Windows users agree with allowing Microsoft some degree of control. That's alright - the owner of the machine has the right to decide to allow Microsoft that control, no matter how foolish I think it might be. The problem is, when politicians accept campaign donations, aka bribes, to represent the views of Microsoft and other businesses that think like Microsoft - RIAA, MPAA, and the list goes on.

      There are probably tens thousands of businesses and persons who believe that they should be able to control the stuff that runs on computers around the world, whether that stuff be entertainment, highly technical software, the operating system itself, scientific programs, educational programs, antivirus and other security programs.

      Permitting even a fraction of those entities to have even partial control over your machine is a disaster. But, laws are written to permit much of that control that is demanded by "rights holders".

      And, that is a large part of the reason many people migrate to a Unix-like operating system. The OWNER ultimately has control. We can run the tripwire that Areyoukiddingme mentions above, easily and efficiently. But, for the most part, it isn't even necessary to run it, because we live in such a clean environment to start with.

      We get our software from trusted sources, all bundled into the same installation disks for the most part. If/when a source of software squanders it's trusted status, they are simply dropped from the repositories.

      I could go on - gotta head out to work though.

      Simplistic? Simplistic is a good thing. Give me simple any day of the week. Give me a small pool of sources which can easily be checked for reliability by the community, regularly. What we have in the Windows world approaches insanity, if you ask me.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    19. Re:Time to ask some hard questions by cnettel · · Score: 1

      'cause Trusted Computing is eeeeevil. But I start to think that even as a guy using a compiler with a frequency thousands of percent over the mean, it would make sense for most binaries I compile to run in a very limited jail.

    20. Re:Time to ask some hard questions by village+fool · · Score: 2

      You mean "Who is General Failure and why is he reading my hard drive"?

    21. Re:Time to ask some hard questions by drinkypoo · · Score: 1

      No, there's an even better method. It's called selinux and the NSA of all groups developed it. But we still have no convenient tool for creating policies, so it remains drastically underutilized. The user should not have to be a security expert to develop a capabilities policy.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    22. Re:Time to ask some hard questions by Anonymous Coward · · Score: 0

      There is one way: Whitelisting. Why can't we have super insane whitelist mode?

      Nope. If I write a program which says "I'm going to format your hard drive" and it formats your hard drive, that would appear to not be a "virus". (using the vernacular, avoiding semantic debate over virus vs. malware)
      But if I put that on your computer, and make a shortcut to it, and name that shortcut "Click to see the Cute lolCat" now it's malware.

      How do you scan for that? You don't. This is, of course, a very simplistic example meant only to illustrate that in order to catch all malware, you must not only be able to identify behavior, you must also be able to identify intent.

      Hell, several popular AV programs still try to quarantine various hex editors and decompilers as being "suspicious" programs.

    23. Re:Time to ask some hard questions by Anonymous Coward · · Score: 0

      This is exactly what Comodo Internet Security does, and you can sandbox pretty much anything. It's great.

  6. This business will get out of hand by Alranor · · Score: 4, Funny

    It will get out of hand, and we'll be lucky to live through it.

    1. Re:This business will get out of hand by timeOday · · Score: 1

      Hmm, what surprises me is how transparent we're finding things have been all along, and with what little apparent consequence. Not unlike Manning's wikileaks.

    2. Re:This business will get out of hand by cold+fjord · · Score: 1

      Funny? Try insightful.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
  7. Question already answered by daveschroeder · · Score: 4, Informative

    "The antivirus industry has a dirty little secret: its products are often not very good at stopping viruses."

    (The linked New York Times story is a great read.)

    1. Re:Question already answered by jbmartin6 · · Score: 2

      Just for fun, here's F-Secure's rebuttal: http://www.f-secure.com/weblog/archives/00002482.html

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  8. This is news? by Anonymous Coward · · Score: 0

    I thought everyone knew the U.S. government had cozy relationships with a/v companies. It's one of the reasons I don't bother using any of the commercial packages. There's no point in buying a lock when the people you want to keep out, already have the master key. I think Kaspersky enjoys shaming the American companies...as he should.

    You think Microsoft can't create clean code? Maybe you pesky hackers keep finding bugs put there for a reason... Don't think Linux or Mac is excluded, our government participates in many open source projects to make sure their locks get put on the door. The Chinese, Russians, and others all do the same. Unless you've got a lot of time and experience reviewing code, nearly all of our systems are "bugged"....except mine OF COURSE. ;-)

  9. Does this affect all known OS's by drankr · · Score: 1

    ... or just one? Or three? At no point does the article reveal what the target is. IMO, even if this was some universal malware affecting all operating systems known to mankind, it should be indicated. Therefore it is a very crappy article. It would be like saying, "the French are bombing a country". And then going on at length about how the attacks proceed, but never mentioning which damn country. You'd want that information, wouldn't you?

    1. Re:Does this affect all known OS's by Anonymous Coward · · Score: 0

      Does this affect all known OS's... or just one? Or three?

      If you read the CVE's it is using, it looks like it works on Windows variants, and has modules to grab content from and modify iPhones, Nokia phones and Windows Mobile phones; Cisco network phones; as well as Adobe Reader and MS Office.

  10. Anybody find it suspicious by Anonymous Coward · · Score: 1

    That China is not on the map of infected countries? I mean, this is right up their alley, and It is pretty damn suspicious that there are no (known) infections there.

    1. Re:Anybody find it suspicious by Anonymous Coward · · Score: 0

      That China is not on the map of infected countries? I mean, this is right up their alley, and It is pretty damn suspicious that there are no (known) infections there.

      And Canada & Mexico too (as well as a host of other countries)! It's almost like we're smack in the middle of, um, uninfected bystanders!!

    2. Re:Anybody find it suspicious by Anonymous Coward · · Score: 0

      aw but we wouldn't want to say anything for them to lose face..

      remember the Red Dawn movie remake where the foe was China but they digitally altered the movie to replace China as a foe with North Korea as the enemy?

  11. Phishing by schneidafunk · · Score: 2

    And it starts with: "Like most of these APT-style targeted attacks, this one begins with a spear phishing message; one example provided was an announcement of a diplomatic car for sale.The email messages contain one of three attachments, each a different exploit of an existing vulnerability. "

    --
    Some people die at 25 and aren't buried until 75. -Benjamin Franklin
  12. Red October? by guttentag · · Score: 4, Funny
    Middle school cafeterias are abuzz with the news:

    When I was twelve, I helped my daddy set up an email server in our basement because some fool in China compromised a few diplomats' Gmail accounts. Well, this thing could compromise a coupla hundred accounts in Washington and New York and no one would know anything about it till it was all over.

  13. Welcome to OZ: Where everyone gets a flying monkey by Anonymous Coward · · Score: 0

    I assume almost everyone is infected with some type of state sponsored malware.

    For those interested:

    http://wikileaks.org/the-spyfiles.html

  14. Insert free advert for Kaspersky Lab .. by Anonymous Coward · · Score: 0

    "For five years, it hid in the weeds of networks used by Eastern European diplomats, government employees and scientific research organizations, stealing data and infecting more machines in an espionage campaign rivaling Flame and others of its ilk. The campaign, called Rocra or Red October by researchers at Kaspersky Lab"

    I call BS on this report ...

  15. Wisdom follows, pay attention! by Anonymous Coward · · Score: 0

    > Want a better method? How about we catalog and fingerprint all programs and processes on our machines

    Regrettably fungerprinting (as in hashing) is broken. The US/IL authors of the "Tilded" military espionage cyber platform are so advanced, they falsified an MD5 checksum in an old, but valid (*) Microsoft certificate to elevate its privileges for malicious use in Win7 and Vista. They didn't simply create a random-junk hash collision, but created a cherry-picked one, which was supposed to be borderline impossible.
    (*) Yeah, more or less "Return of the Jedi" analogy. Wonder how many bothans were hurt in the making of said franken-cert?

    Most experts agree an MD5-crack was utilized so that the powers that be did not need to disclose the funny things they can do with the more up to date tech, like SHA-1 or SHA-256. If you had the same math wizardry and supercomputing prowess at your fingertips, why not cash out the whole Bitcoin configuration space and go party-sailing around the Caribbean, with ladyfolk onboard, for the rest of your life?

    Imaging what would happen to whitelisting organizations and vendors, if the powers that be used their tricks to insert false checksums or carefully crafted "evil twin" files for legitimate hashes? Users would quickly lose confidence in the method and revert to good ol' pattern scan antivirus.