Pro-Privacy Webmail ProtonMail Pays Ransom, But Hit By DDoS Attack Anyway (wordpress.com)

← Back to Stories (view on slashdot.org)

Pro-Privacy Webmail ProtonMail Pays Ransom, But Hit By DDoS Attack Anyway (wordpress.com)

Posted by Soulskill on Friday November 6, 2015 @11:10AM from the lesson-learned dept.

An anonymous reader writes: The new pro-privacy, pro-encryption webmail service ProtonMail has been under a sustained DDoS attack since November 3. They received a ransom demand a few days ago, along with a brief demonstration of how effective the DDoS attack was. They were advised to pay the ransom, and they complied. Unfortunately, the attackers launched the DDoS anyway. Here's a quote from their press release:

"Through MELANI (a division of the Swiss federal government), we exchanged information with other companies who have also been attacked and made a few discoveries. First, the attack against ProtonMail can be divided into two stages. The first stage is the volumetric attack which was targeting just our IP addresses. The second stage is the more complex attack which targeted weak points in the infrastructure of our ISPs. This second phase has not been observed in any other recent attacks on Swiss companies and was technically much more sophisticated. This means that ProtonMail is likely under attack by two separate groups, with the second attackers exhibiting capabilities more commonly possessed by state-sponsored actors. It also shows that the second attackers were not afraid of causing massive collateral damage in order to get at us."

101 comments

Min score:

Reason:

Sort:

Thanks, idiots by Opportunist · 2015-11-06 11:14 · Score: 4, Insightful

The attackers want to thank all the people who are too stupid and lazy to protect their machines against being part of a botnet. Without your aid, this would not have been possible.

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
1. Re:Thanks, idiots by fustakrakich · 2015-11-06 12:06 · Score: 1
  
  Yeah well, an appliance shouldn't be so easy to hack. And automatic updates shouldn't cause so many breakdowns, even if it is good for the repair/cleanup business. Computers are still not ready for prime time. They are way too frail. The word "robust" doesn't enter the picture.
  
  --
  “He’s not deformed, he’s just drunk!”
2. Re:Thanks, idiots by Anonymous Coward · 2015-11-06 13:32 · Score: 1
  
  The blame should fall on programmers not users.
3. Re:Thanks, idiots by Anonymous Coward · 2015-11-06 16:18 · Score: 0
  
  How about we just make the users fall on the programmers? From, say, 10 feet up? Or do you want them higher?
4. Re:Thanks, idiots by hcs_$reboot · 2015-11-06 17:01 · Score: 1
  
  The attackers want to thank all the people who are too stupid and lazy
  stupid or lazy, actually.
  
  --
  Slashdot, fix the reply notifications... You won't get away with it...
5. Re:Thanks, idiots by Anonymous Coward · 2015-11-06 17:23 · Score: 0
  
  What do you mean "still". They used to be fine, then people got cheap and lazy.
6. Re:Thanks, idiots by Anonymous Coward · 2015-11-06 17:31 · Score: 0
  
  With proper programming, an appliance shouldn't need constant, automatic updates.
  Security is a solved problem. Look at the PS4 and XBox One. 0% piracy, and the previous generation had a 0% piracy record for almost five years.
  Want a secure appliance?
  1: Run a secure OS. QNX and other embedded operating systems might cost a licensing fee, but are developed from the ground up to be up to par for everything including life safety systems.
  2: Don't cheap out and slap a mainstream distro on an embedded appliance. Go Wind River Linux or some other distro made for the task at hand.
  3: iptables and ebtables are your friend. Use them, and have default DENY rules.
  4: Run something untrusted? Stuff it in a VM. If there is enough CPU/RAM available, maybe even run an embedded firewall (PfSense comes to mind) as a VM. That way, if the attacker does smash something, they are still well separated from bare metal, barring a F0 0F or ring 0 exploit.
  5: Have a background program like Fail2Ban running, so if something is trying a known exploit, that IP address gets a ball gag stuffed in it for a period of time.
  6: Turn off IPv6 support, unless it is required. IPv6 is just asking for 0-day attacks.
  7: Have separate physical ports. At the minimum, the machine will always have a management network.
  Secure appliances are easy. Sony and Microsoft have had hack-proof consoles going on years now, and satellite has gone a decade without a single exploit. Even Blu-Ray hasn't been definitely cracked yet. It just takes doing it right.
7. Re:Thanks, idiots by Opportunist · 2015-11-06 21:49 · Score: 1
  
  Not quite. It was just that computers were no longer "so expensive and such a big hassle to get online" that the cheap and lazy people got one.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
8. Re:Thanks, idiots by Opportunist · 2015-11-06 21:50 · Score: 1
  
  The usual 90/10 rule applies. Are you willing to pay about ten times what you pay for your computer? Then a (nearly) 100% secure system is a possibility.
  Else, the 90% you got will need patching. But that means that you have to accept the responsibility and actually patch the box.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
9. Re:Thanks, idiots by Opportunist · 2015-11-06 21:51 · Score: 1
  
  If users were willing to pay what had to be paid for secure computers, we'd have them.
  If computers could kill people, we'd have secure computers that cost about as much as a car does.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
10. Re:Thanks, idiots by Opportunist · 2015-11-06 21:52 · Score: 1
  
  Yes, one would do. Most of those numbnuts are both.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
11. Re:Thanks, idiots by alvinrod · 2015-11-07 02:20 · Score: 3, Insightful
  
  You can't stop someone who knowingly downloads and installs a program that compromises and takes over their machine. No amount of programming can fix that.
12. Re:Thanks, idiots by bmo · 2015-11-07 02:44 · Score: 1
  
  Are you willing to pay about ten times what you pay for your computer?
  Most security doesn't cost a penny, if you bother to learn.
  It's the people who decide to remain ignorant about security that wind up paying lots more for insultants, insurance, and break-ins.
  --
  BMO
13. Re:Thanks, idiots by Anonymous Coward · 2015-11-07 04:21 · Score: 0
  
  Then use OpenBSD for free.
14. Re:Thanks, idiots by Xenx · 2015-11-07 04:55 · Score: 1
  
  and/or, people are more then capable of both.
15. Re:Thanks, idiots by Anonymous Coward · 2015-11-07 05:30 · Score: 0
  
  more _than_, you who are too stupid and/or lazy to spell correctly!
16. Re:Thanks, idiots by Opportunist · 2015-11-07 06:28 · Score: 1
  
  So we're back at "people being too stupid and lazy to protect their machines"?
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
17. Re:Thanks, idiots by Anonymous Coward · 2015-11-07 08:29 · Score: 0
  
  The possible.
  w
  Well anyone with the slightest hint of a brain would know that this has been carried out by the government of the USA and it's agents but you aint got the balls to see it .
18. Re:Thanks, idiots by bmo · 2015-11-07 13:20 · Score: 1
  
  "Trust in god but tie your camel." -- Some Arab Proverb That Probably Isn't Real But I Agree With.
  "Trust but verify." -- Russian proverb adopted by St. Ronnie Raygun
  "Park it and lock it! Not Responsible!!" -- Firesign Theatre
  --
  BMO
How's that appeasement workin' out fer ya? by idontgno · 2015-11-06 11:18 · Score: 4, Insightful

"Millions for defense, but not one cent for tribute."
-- Robert Goodloe Harper

--
Welcome to the Panopticon. Used to be a prison, now it's your home.
1. Re:How's that appeasement workin' out fer ya? by turkeydance · 2015-11-06 11:29 · Score: 1
  
  isn't it "penny" instead of "cent"?
2. Re:How's that appeasement workin' out fer ya? by Anonymous Coward · 2015-11-06 11:29 · Score: 0
  
  "The more ransom you pay, ProtonMail, the more DDoS attacks will slip through your fingers."
  -- Princess Leia
3. Re:How's that appeasement workin' out fer ya? by Anonymous Coward · 2015-11-06 12:23 · Score: 1
  
  In practice, paying the tribute is more cost-effective than dying. But if you RTFS you'd know the problem most likely isn't that paying off didn't work, but that only one of the attackers wanted money:
  
  ProtonMail is likely under attack by two separate groups, with the second attackers exhibiting capabilities more commonly possessed by state-sponsored actors.
  Protonmail can't outspend the US government.
4. Re:How's that appeasement workin' out fer ya? by Chris+Mattern · 2015-11-06 12:40 · Score: 1
  
  Nope, although it's often misquoted that way: http://www.bartleby.com/73/804....
5. Re:How's that appeasement workin' out fer ya? by Anonymous Coward · 2015-11-06 13:00 · Score: 0
  
  Star Wars quote has score of 0.
  The world is healing.
6. Re:How's that appeasement workin' out fer ya? by Chris+Mattern · 2015-11-06 13:36 · Score: 1
  
  More appropriately:
  And that is called paying the DDOS geld
  But we've proved it again and again
  That if once you have paid them the DDOS geld
  You never get rid of the DDOS!
7. Re:How's that appeasement workin' out fer ya? by tsm_sf · 2015-11-06 17:29 · Score: 2
  
  Spot on. Here is the original for the interested:
  It is always a temptation to an armed and agile nation
  To call upon a neighbour and to say: --
  "We invaded you last night--we are quite prepared to fight,
  Unless you pay us cash to go away."
  And that is called asking for Dane-geld,
  And the people who ask it explain
  That you've only to pay 'em the Dane-geld
  And then you'll get rid of the Dane!
  It is always a temptation for a rich and lazy nation,
  To puff and look important and to say: --
  "Though we know we should defeat you, we have not the time to meet you.
  We will therefore pay you cash to go away."
  And that is called paying the Dane-geld;
  But we've proved it again and again,
  That if once you have paid him the Dane-geld
  You never get rid of the Dane.
  It is wrong to put temptation in the path of any nation,
  For fear they should succumb and go astray;
  So when you are requested to pay up or be molested,
  You will find it better policy to say: --
  "We never pay any-one Dane-geld,
  No matter how trifling the cost;
  For the end of that game is oppression and shame,
  And the nation that pays it is lost!"
  - Rudyard Kipling
  
  --
  Literalism isn't a form of humor, it's you being irritating.
8. Re: How's that appeasement workin' out fer ya? by Anonymous Coward · 2015-11-06 22:43 · Score: 0
  
  a shitload of moneyed people 'rediscover' danegeld even at the present day. money rots the mind.
9. Re:How's that appeasement workin' out fer ya? by petteyg359 · 2015-11-07 05:33 · Score: 1
  
  More appropriately:
  And that is called paying the DDOS geld But we've proved it again and again That if once you have paid them the DDOS geld You never get rid of the DDOS!
  Perhaps you meant "guild"? Or are you really saying " the " (verb the verb)?
10. Re:How's that appeasement workin' out fer ya? by Anonymous Coward · 2015-11-07 07:18 · Score: 0
  
  In German and Dutch, 'geld' means 'money'
11. Re:How's that appeasement workin' out fer ya? by Chris+Mattern · 2015-11-08 00:26 · Score: 1
  
  You need a better dictionary. "Geld" can also be a noun with a very different meaning, although that usage is a bit archaic.
Poor thought process by s.petry · 2015-11-06 11:28 · Score: 5, Insightful

I'm not sure who told them that the best plan was to attempt to pay criminals not to be... well, criminals. Call Law enforcement, and make arrangements with companies that mitigate these attacks? Absolutely, and the latter may cost a few bucks. But paying out a blackmail threat is about as foolish as it gets.
Hell, even small time crimes rarely benefit from appeasing a threat. Plenty of people have given an attacker cash on demand, only to find themselves waking up in a hospital few hours later missing their belongings and a few teeth. The most unlucky of that bunch ended up raped, or dead.
Never trust a criminal! If their morality allows them to bend you over once, somehow believing they won't do it twice is completely irrational.

--
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
1. Re:Poor thought process by Anonymous Coward · 2015-11-06 11:49 · Score: 1
  
  Quite possibly law enforcement told them to pay the ransom. It's easier to follow the money than determine the true source of a DDoS attack.
2. Re:Poor thought process by Anonymous Coward · 2015-11-06 11:56 · Score: 1
  
  Hell, even small time crimes rarely benefit from appeasing a threat. Plenty of people have given an attacker cash on demand, only to find themselves waking up in a hospital few hours later missing their belongings and a few teeth.
  Are you suggesting that one should fight a mugger because they're likely to attack you anyway? Do you have any evidence of this? My personal experience of family+friends is two or three "give me your money". In every case, they've handed it over - including the physically powerful ones who might have been able to overcome an attacker - and the mugger has just run off. Employees of businesses are almost invariably advised to hand over money because it's not worth it.
  There are some good reasons to resist what might be a mugging, e.g. some cheeky ass walking up to you and saying, "Give me money," with no evidence they have any weapon. But if someone's holding a knife in front of your face, you were almost certainly already too slow. If you say no, their best way forward if they still want your money is to threaten you, then to attack you in a way that disables you but does not kill you (and almost all knife attacks in the UK are non-fatal, because who wants to be hunted for murder?). If you tackle them, you're intentionally getting close up, so you better have damn good training.
  As to areas which allow you to carry a gun, if someone threatens you with a knife and you have a gun, you do have the option to take it out and hope there's not an accomplice behind you, of course. Again, the average citizen is not well trained.
  
  The most unlucky of that bunch ended up raped, or dead.
  As a proportion of muggings go, these are extremely fucking unlikely. "Dead" especially, in most Western countries.
3. Re:Poor thought process by myowntrueself · 2015-11-06 12:43 · Score: 1, Flamebait
  
  <p>As to areas which allow you to carry a gun, if someone threatens you with a knife and you have a gun, you do have the option to take it out and hope there's not an accomplice behind you, of course. Again, the average citizen is not well trained.</p>
  </p></quote>
  
  You've probably heard the saying "Don't take a knife to a gun fight". Well the reverse also holds true; "Don't take a gun to a knife fight."
  
  At the ranges within which knife fights take place a gun is a liability and thinking the gun will give you leverage or protection is just wrong and will get you maimed or killed.
  
  --
  In the free world the media isn't government run; the government is media run.
4. Re:Poor thought process by Anonymous Coward · 2015-11-06 12:59 · Score: 0
  
  What is that criminal is the NSA trying to destroy encryption that can't break?
5. Re:Poor thought process by Anonymous Coward · 2015-11-06 13:14 · Score: 0
  
  May I introduce you to my friend the preview button? Comes free with every Slashdot post.
6. Re:Poor thought process by Anonymous Coward · 2015-11-06 13:20 · Score: 0
  
  ... their morality allows them to bend you over once ...
  
  One can make the same argument concerning anyone having a gun in his hand but people tend to obey someone well-armed. Once again, it's about choosing the (predicted) minimum cost but surrendering to such aggression means one is trusting them to not commit more crimes.
7. Re:Poor thought process by Anonymous Coward · 2015-11-06 14:26 · Score: 1
  
  Quite possibly law enforcement told them to pay the ransom.
  Indeed. For example, the FBI is on record as recommending that CryptoWall victims pay the ransom as a best practice.
8. Re:Poor thought process by myowntrueself · 2015-11-06 14:28 · Score: 1
  
  May I introduce you to my friend the preview button? Comes free with every Slashdot post.
  Yeah I know, I'd set it to extrans for a post the other day and forgotten to switch it back and missed the obvious on preview.
  My point still stands though!!
  
  --
  In the free world the media isn't government run; the government is media run.
9. Re:Poor thought process by deKernel · 2015-11-06 14:58 · Score: 1, Informative
  
  Well, that might work for you, but I would suggest to everyone else that you ALWAYS take a gun to a knife fight if you want to win. I can have my gun out just as fast as some idiot can pull their knife out....PERIOD. Here is a hit, don't walk around oblivious to your surroundings, and you will always be in a position where your side arm (even concealed) can be accessed long before issues arise.
10. Re:Poor thought process by s.petry · 2015-11-06 15:01 · Score: 1
  
  Are you suggesting that one should fight a mugger because they're likely to attack you anyway?
  You invented a statement that I never made, and then defended your fake argument with a personal anecdote. Topping that off, you claim I need to give citation when I never made a claim that a person should be fighting a mugger. YOU DID! What I did state is that believing you are not going to be harmed by a criminal because you gave in to their criminal demand is irrational. There is more than one option.
  And by way of personal anecdote I come from Detroit where giving a mugger money shows them that you have some, and they thump you down looking for more. That same behavior is well known in most of South America and Asia as well.
  
  --
  -The wise argue that there are few absolutes, the fool argues that there are no probabilities.
11. Re:Poor thought process by Anonymous Coward · 2015-11-06 15:18 · Score: 0
  
  I'm not usually for regulation but maybe governments need to make it a crime to pay ransoms on this sort of thing. That way, companies and individuals won't even consider it to be a valid option and it will eradicate the entire ddos/cryptowall industry.
12. Re: Poor thought process by Anonymous Coward · 2015-11-06 15:30 · Score: 0
  
  Interesting idea but who do you suppose would report that crime? Both the extorted and the extortionist have negative motivation to do so
13. Re:Poor thought process by KGIII · 2015-11-06 17:55 · Score: 2
  
  I got mugged once, years ago, on the outside of the swamp headed into Miami (just after alligator highway or whatever it's called - not the main route, the one south of it). The guy was nervous as fuck and carrying what appeared to be an unloaded Jennings .25. (I could not see the small tab that protrudes where the magazine goes but wasn't going to risk it.) Hell, it's a Jennings and a .25 - it might not even have fired.
  Anyhow, he was nervous as fuck and I talked to him calmly and gave him my money and not my wallet. He said just give me your wallet and I told him that I could not do that but that I'd give him my cash. Meh... It was pretty tame, really. I was more calm than he was. I'd say, if you're getting mugged then, by all means, pay up but remain calm. Chances are they're scared. I'm not worried about someone who's holding a firearm and pointing it at me with seriousness. I'm worried about the idiot who's pointing a firearm vaguely in my direction and is scared. The first one would have already shot me, the second one is quite likely to screw the whole situation up. Just stay calm and give them the money.
  There's more to the story but that's the gist of it. It was over in what felt like a few minutes but was probably closer to just one minute. Time seems to slow and you get hyper-alert. My first thought was to attempt to disarm them and then I realized that would be a terribly stupid thing to do. The last thing I wanted to do was cause a scene which would make them nervous or, worse, turn a mugging into a hostage situation or, worse, get someone else hurt. If someone were threatening to DDoS a service or extort money then I'd probably either let the cops follow the money or I'd put a notice up on the page saying something along the lines that service will likely be disrupted because $group expects us to be cowards. I'd rather prorate customer bills than be subjected to blackmail in the future and it's not likely to be a life and death situation or anything.
  
  --
  "So long and thanks for all the fish."
14. Re:Poor thought process by thegarbz · 2015-11-06 19:01 · Score: 1
  
  I'm not sure who told them that the best plan was to attempt to pay criminals not to be... well, criminals.
  Are lot of such criminals are nothing more than illegal commercial enterprises. They rely on some facts such as the trustworthyness that paying the ransom will resolve the issue. If they lose that then they lose their source of income.
  We're not talking about Anonymous here. These people do what they do for currency, not for lolz.
15. Re:Poor thought process by Anonymous Coward · 2015-11-06 22:07 · Score: 0
  
  I knive doesn't run out of bullets
16. Re:Poor thought process by Anonymous Coward · 2015-11-06 22:20 · Score: 0
  
  The funny thing in this case is, the criminals claim that they aren't attacking anymore and don't demand more money.
17. Re: Poor thought process by Anonymous Coward · 2015-11-06 23:00 · Score: 0
  
  or so they want to appear. i bet ALL swiss infosec stuff is backdoored. read up on the crypto ag affair. read how they trusted in enigma.
  switzerland is the only place of free allemanic folks, but infosec is NOT one of their strengths. they know they have to kowtow to the power which has surroundwd them.
18. Re:Poor thought process by Anonymous Coward · 2015-11-06 23:49 · Score: 0
  
  If someone pulls a knife on you and you pull a gun, you wouldn't have to fire a single shot before they hightailed it out of there. Whether you want to shoot them in the spine while they do so is another thing.
19. Re:Poor thought process by Anonymous Coward · 2015-11-07 01:07 · Score: 0
  
  Law enforcement! That's liable to end well, AND get results! Perhaps we could also call upon a unicorn?
20. Re:Poor thought process by Anonymous Coward · 2015-11-07 01:29 · Score: 1
  
  My personal experience of family+friends is two or three "give me your money".
  Then I'm glad I'm not in your family or one of your friends; they're apparently criminals.
21. Re: Poor thought process by Anonymous Coward · 2015-11-07 01:37 · Score: 0
  
  How do they know that the people that they paid were the attackers?
22. Re:Poor thought process by JustAnotherOldGuy · 2015-11-07 02:43 · Score: 1
  
  I knive doesn't run out of bullets
  Yes, but you can't use a knife on someone 20 feet away, especially while they're shooting at you.
  
  --
  Just cruising through this digital world at 33 1/3 rpm...
23. Re:Poor thought process by myowntrueself · 2015-11-07 14:11 · Score: 1
  
  I knive doesn't run out of bullets
  Yes, but you can't use a knife on someone 20 feet away, especially while they're shooting at you.
  When you are literally eyeball to eyeball my money would be on the knife. Way faster, doesn't need to be particularly aimed, has multiple attack vectors ie isn't only lethal in one direction. Even an unskilled person with a knife can be devastating at close quarters (look for youtube videos of frenzied stabbing attack vs martial artist).
  
  --
  In the free world the media isn't government run; the government is media run.
24. Re:Poor thought process by JustAnotherOldGuy · 2015-11-07 14:52 · Score: 1
  
  When you are literally eyeball to eyeball my money would be on the knife.
  
  If you managed to get that close after being shot repeatedly, then I'd knife you.
  
  --
  Just cruising through this digital world at 33 1/3 rpm...
25. Re:Poor thought process by myowntrueself · 2015-11-08 05:20 · Score: 1
  
  When you are literally eyeball to eyeball my money would be on the knife.
  If you managed to get that close after being shot repeatedly, then I'd knife you.
  Your scenario of an assailant who starts off at sufficient distance for your firearm to be useful resembles something like confirmation bias...
  
  --
  In the free world the media isn't government run; the government is media run.
Incentives by Etherwalk · 2015-11-06 11:32 · Score: 2

I'm not sure who told them that the best plan was to attempt to pay criminals not to be... well, criminals. Call Law enforcement, and make arrangements with companies that mitigate these attacks? Absolutely, and the latter may cost a few bucks. But paying out a blackmail threat is about as foolish as it gets.
Hell, even small time crimes rarely benefit from appeasing a threat. Plenty of people have given an attacker cash on demand, only to find themselves waking up in a hospital few hours later missing their belongings and a few teeth. The most unlucky of that bunch ended up raped, or dead.
Never trust a criminal! If their morality allows them to bend you over once, somehow believing they won't do it twice is completely irrational.
It's about incentives. If the criminal fails to honor the payment too much, people stop paying. The amount of harm to the company also goes up, as does the interest of major law enforcement task forces. That's why ransomware operators send you keys and private corporations are frequently willing to pay ransoms. But people with a major presence whose operations will be strongly hurt by allowing criminal operations to continue--most obviously the United States Government when dealing with terrorism--are much less likely to pay.
1. Re: Incentives by Anonymous Coward · 2015-11-06 22:45 · Score: 0
  
  if you get threatened, buy a gun and visit the aggressors house at night. shoot in a few windows and quickly diappear.
  danegeld is indeed the most stupid concepr.
2. Re:Incentives by tompaulco · 2015-11-07 02:23 · Score: 1
  
  It's about incentives. If the criminal fails to honor the payment too much, people stop paying. The amount of harm to the company also goes up, as does the interest of major law enforcement task forces. That's why ransomware operators send you keys and private corporations are frequently willing to pay ransoms. But people with a major presence whose operations will be strongly hurt by allowing criminal operations to continue--most obviously the United States Government when dealing with terrorism--are much less likely to pay.
  Yes, but criminals are criminals, and as such are selfish. If they get the money and do the DDoS, then they have made their money and to heck with anybody else (including themselves later, but hey, they're criminals, so they don't think that far ahead).
  
  --
  If you are not allowed to question your government then the government has answered your question.
Runbox too by Anonymous Coward · 2015-11-06 11:50 · Score: 0

Runbox got hit a day ago as well but told them to f-off like they should.
1. Re:Runbox too by Anonymous Coward · 2015-11-06 13:04 · Score: 0
  
  My favorite e-mail provider.
2. Re:Runbox too by Anonymous Coward · 2015-11-06 23:59 · Score: 0
  
  They should also put out a bounty and see if someone is willing to turn in the attackers. Of course the bounty should be fake and the person turning them in should be tracked down and arrested as well since they are likely involved too.
  If assholes like this want to play scummy, then the people they are attacking should too.
3. Re:Runbox too by yuvcifjt · 2015-11-07 12:42 · Score: 0
  
  Err, runbox and hushmail is privacy for kids who don't understand security and the power of well-funded terrorist organisations such as the NSA and GCHQ.
  The fact some of their servers are in the US, not to mention all mail is stored in plain-text and they even tout it's backed up for 6 months - and guess where the backups are stored! ;)
  It only takes one compromised person to infiltrate the entire system and their backups, not to mention their lack of knowledge over encryption and security!
  protonmail on the other-hand is entirely encrypted, like Apple's iMessage, even they don't have access to your messages because they're decrypted after the mail is fetched by your own local computer using a second password. So even if a terrorist company like NSA paid-off a member of staff, they can't do anything about it, because all data is encrypted and impossible to retrieve. This obviously also means that if you loose your second keypass, protonmail can't do anything except simply wipe your entire account and start from scratch.
  Remember, when Edward Snowden made the revelation, he only mentioned one mail provider in the world which couldn't be accessed by NSA, and that was Zoho - and of course the now defunct Lavabit, which also employed encryption - and runbox has been around since year 2000, so the terrorists likely have an easy access to their system, like google.
Talk is cheap by Anonymous Coward · 2015-11-06 12:20 · Score: 1

As a protonmail user it's been nail-biting experience over the last few days.
Protonmail was hit by state sponsored attacks disguised as BC ransom.
Please consider donating.
Thank you.
1. Re:Talk is cheap by Anonymous Coward · 2015-11-06 12:24 · Score: 0
  
  Me too. I already donated. For the rest of you, there is the donation link:
  https://www.gofundme.com/protonmaildefense
2. Re:Talk is cheap by Anonymous Coward · 2015-11-06 15:42 · Score: 0
  
  So, we should donate to a company that stupidly tried to pay off criminals? Seems like money better spent elsewhere.
Danegeld by YrWrstNtmr · 2015-11-06 12:22 · Score: 1

See Kipling on this.
https://en.wikipedia.org/wiki/Danegeld
danegeld! by Anonymous Coward · 2015-11-06 12:25 · Score: 0

Once thou hast pait him the danegeld, thou'lt never be rid of the dane.
Logic... by wbr1 · 2015-11-06 12:42 · Score: 1

If target pays x to prevent attack, surely they'll pay x + y to stop it.
. Dummies.

--
Silence is a state of mime.
Dane Geld by istartedi · 2015-11-06 13:15 · Score: 2

There is nothing to say on the matter of ransom ware that Rudyard Kipling hasn't already said, with greater eloquence than I could muster. To reference another great saying, "millions for defense, not one penny for tribute".

--
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Good by Anonymous Coward · 2015-11-06 13:19 · Score: 0

Let this be a lesson, Don't Pay the Ransom because they'll just do it anyway.
Noo one pays, they'll move on to their next scam
Likely not criminals. by wheelbarrio · 2015-11-06 13:41 · Score: 5, Insightful

Lots of comments here about the foolishness of paying off criminals. Indeed. But in fact I tip my hat to ProtonMail for their clever strategy for illuminating the likely identity of their attackers. The thing is, when you pay off blackmailers they typically don't then carry through with the initial threat because that's bad business. They may make further demands based on their new knowledge of you being an easy mark, but to carry out the initially threatened action after being paid simply sends the message to you and other potential targets that paying is a waste of money because the threat will be carried out anyway. The profile of the target (encrypted email service) alone combined with analysis of the second attack as having the hallmarks of a state actor would suggest a three-letter agency. The fact that they got hit after paying just clinches it.
1. Re:Likely not criminals. by Anonymous Coward · 2015-11-06 14:02 · Score: 0
  
  agreed
Really Bad Business Model by Idimmu+Xul · 2015-11-06 13:53 · Score: 4, Interesting

This sets a precedent now so everyone knows not to pay hostage money to people that threaten DDOS attacks as they don't follow through honorably.

--
The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
1. Re:Really Bad Business Model by gweihir · 2015-11-06 15:54 · Score: 1
  
  Incidentally, this may just cut down on the part of the problem created by common criminals. Their "business opportunity" just vanished. Now we mainly have to worry about state-sponsored and employed terrorists, like certain employees of the NSA, GCHQ, Chinese and Russian intelligence, etc.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
2. Re:Really Bad Business Model by sociocapitalist · 2015-11-07 00:28 · Score: 1
  
  This sets a precedent now so everyone knows not to pay hostage money to people that threaten DDOS attacks as they don't follow through honorably.
  There were evidently two groups of attackers. Quite possibly one stopped and the other one wasn't after money to start with.
  
  --
  blindly antisocialist = antisocial
3. Re:Really Bad Business Model by Anonymous Coward · 2015-11-07 09:40 · Score: 0
  
  Which may be the point. Perhaps ProtonMail is lying about the DDoS to set a precedent. Or perhaps some third party is doing it in order to set said precedent, or even just to make a competing blackmail group look bad.
Simple to Stop by Anonymous Coward · 2015-11-06 17:11 · Score: 0

Simply have upstream provider note IPs and null route (blackhole) them at the router level. Why they did not do this is beyond me.
1. Re:Simple to Stop by Anonymous Coward · 2015-11-07 01:41 · Score: 0
  
  Because then they wouldn't have something to be a victim about. Some clever shit at ProtonMail thought it would be more profitable to get suckers to pay for their DDoS protection service, but they have to sell a good story about being attacked by possible state-sponsored hackers.
  Anyone who donates to their defense fund is a gullible fool.
That's disappointing, I liked protonmail by Anonymous Coward · 2015-11-06 17:47 · Score: 0

... I signed up for an account a few months ago and waited for the approval. The fact they're stupid enough to pay Danegeld when threatened makes me think they don't really understand the nuances of running a truly secure business. They had the technical side down pat, but to deal with hackers like this? They just roll over to extortion? WTF?
We need an absolutely defiant email provider out there... I thought they were the one. Sigh.
Why would you pay? by Anonymous Coward · 2015-11-06 19:07 · Score: 2, Informative

The self-righteousness of slashdot know-it-alls sucks.
Protonmail made it quite clear, the ISP and carrier made them pay after the whole datacenter with hundreds of other customers went down. It's not like they did not know that you should not pay. But if you are close to being put out on the street, you reassess your policies.
DDoS protection against this size of attack is expensive and it is obvious that a provider of secure email can not simply hand out the ssl key to a CDN. If you want to make sure the next attack is hit with the visor down and the defense in place, then go and support their defense fund, so they are no longer tempted to pay.
1. Re:Why would you pay? by Anonymous Coward · 2015-11-06 22:30 · Score: 0
  
  So it was the ISP and carrier that are asking for danegeld. You still don't pay, because paying still won't save you.
2. Re: Why would you pay? by Anonymous Coward · 2015-11-07 04:29 · Score: 0
  
  So the ISP should have fronted the danegeld if they were that worried about it. As it is, relocating to a real ISP probably would have been cheaper than the ransom.
They were pressured into paying by dnaumov · 2015-11-06 22:09 · Score: 2

They didn't just decide to pay the ransom of their own volition. They were pressured into it by third parties who were suffering major economic losses due to the attack. Their ISP was basically taken offline, along with all of their other business customers.
Here is your money. by Opportunist · 2015-11-06 23:19 · Score: 1

Look at it, for it's as close as you'll ever get to it.
I'm not going to pay you. Instead, this money goes to whoever brings me your head. I don't care what he does with the rest. I only need your head.

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
1. Re:Here is your money. by Anonymous Coward · 2015-11-10 12:17 · Score: 0
  
  This is interesting. Take the amount of the ransom, triple it and announce a bounty!
U.S government by Anonymous Coward · 2015-11-07 01:32 · Score: 1

and its lackeys most likely behind this. The typical cyber-criminals are pro-privacy, while the U.S gov is the fiercest opponent to it.
Never pay ransom by tompaulco · 2015-11-07 02:32 · Score: 1

Never pay ransom.Never pay bribes. Never pay blackmailers. You are honest. They are not. You have no guarantee they will do what they say, they will use your honesty and your reputation against you to continue to suck even more money out of you. You will also make the list of targets who will pay, and will be hit again and again.
Charities and Volunteer organizations also use the same tactics.

--
If you are not allowed to question your government then the government has answered your question.
Idiots. by ledow · 2015-11-07 02:33 · Score: 1

I've just mugged you for your wallet.
"Give me your phone and I'll give you your wallet back."
Yeah. Right.
Yes you can by Anonymous Coward · 2015-11-07 13:11 · Score: 0

Stop them being able to download it in the 1st place by blocking the sources of malware and botnet communication http://it.slashdot.org/comment...
Blue Frog by Anonymous Coward · 2015-11-07 23:58 · Score: 0

It happened before with Blue Frog tool - https://en.wikipedia.org/wiki/Blue_Frog#Controversy . The had to shut down.
I built this for those folks... apk by Anonymous Coward · 2015-11-08 11:21 · Score: 0

For "common users": It stops botnet communcation using hostnames (the majority by far): APK Hosts File Engine 9.0++ SR-2 32/64-bit http://start64.com/index.php?o...
---
FREE & not 'souled-out' to advertisers + adds speed, security & reliability & does FAR more w/ FAR less more efficiently vs. redundant browser addons & locally installed DNS servers @ home + fixes DNS' many security issues & it stops a LOT of tracking @ webpage + DNS levels combined too from 1 file you already NATIVELY have - firewalls do the rest (on lesser used IP address based tracking vs. host-domain name type).
---
It obtains data vs. online threats & for adbanner blocking from 10 reputable sites in the security community!
---
It SPEEDS YOU UP 2 ways (adblocking + locally cached in RAM favorites placed @ the TOP of hosts for fastest resolution speed vs. remote DNS also aiding reliability) vs. other "so-called security 'solutions'" SLOWING YOU!
---
It does all that via something you natively have vs. "bolting on browser addons 'MOAR'" that's usermode slower & increases messagepassing, cpu + ram overheads!
---
MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news...
&
It's safe proven by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...
+
In its 32-bit model too https://www.virustotal.com/en/...
---
* "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend".
APK
P.S.=> By "yours truly" - "The Lord of Hosts" so-to-speak:
"The image this title brings to mind is of a mighty military commander, one who can at a mere word summon rank upon rank of protective power" from https://answers.yahoo.com/ques... & THAT WORD = hosts!
(Accept NO substitutes!)
...apk