Slashdot Mirror


Hackers Find Bugs, Extort Ransom, Call It a Public Service (threatpost.com)

Reader msm1267 shares a report on ThreatPost about an ongoing security trend: crooks breaking into enterprise networks are holding the data they steal for ransom under the guise of doing the company a favor by exposing a flaw. The criminal act is described as bug poaching and is a growing threat to businesses vulnerable to such attacks.
Hackers are extorting companies for as much as $30,000 in exchange for details on how they broke into the network and stole data. Researchers say that once the intruders have the data, there is no explicit threat that they will break in again or release it if the company doesn't pay. Instead, the attackers send a simple statement demanding payment in exchange for details on how to fix the vulnerability.
Typical bug poaching incidents start with criminals breaking into a network and stealing as much sensitive data as they can. Next, they post the data to a third-party cloud storage service. Lastly, the attackers email the company links to the data as proof the information was stolen and ask for a wire transfer in exchange for an explanation of how the data was stolen.
During the attack, victims are not threatened with the public release of their data, instead attackers simply send a message that reads: "Please rest assured that the data is safe with me. It was extracted for proof only. Honestly, I do this job for a living, not for fun."
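The flow described above (intrusion, exfiltration to a third-party storage service, then an email carrying links to the stolen data as proof) gives an incident responder one concrete thread to pull: the storage host named in those links. The following is an added triage example, not code from the ThreatPost report or from the submitter. It extracts the storage hosts from the proof links and correlates them against an egress proxy log to find which internal clients pushed large uploads to those hosts, which is where the intrusion timeline and the compromised machine usually surface. The log format, the client addresses, the hostnames and the 50 MiB threshold are all constructed assumptions for the example.

```python
"""Triage helper for a bug-poaching email (added example, not from the report).

Given the proof-of-theft links the extortionist sent, find which internal
clients uploaded data to those storage hosts according to the egress proxy log.
Log format, addresses, hostnames and threshold are assumptions for this example.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample of an egress proxy log. Assumed layout per line:
#   <timestamp> <client ip> <method> <url> <bytes sent by client>
SAMPLE_PROXY_LOG = """\
2016-06-01T02:14:07Z 10.20.5.17 POST https://files.example-cloud.net/upload 524288000
2016-06-01T02:19:41Z 10.20.5.17 PUT https://files.example-cloud.net/upload/part2 734003200
2016-06-01T09:02:11Z 10.20.7.42 GET https://www.example.com/ 1432
2016-06-01T09:05:33Z 10.20.7.42 POST https://mail.example.com/send 8821
2016-06-02T11:40:00Z 10.20.9.9 POST https://files.example-cloud.net/upload 4096
"""

# Links lifted from the (constructed) extortion email. Only their hostnames
# are used; nothing in this script fetches them.
PROOF_LINKS = [
    "https://files.example-cloud.net/s/abc123/customers.csv",
    "https://files.example-cloud.net/s/abc123/hr-export.zip",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")


def proof_hosts(links):
    """Storage hosts the attacker claims to have used, taken from the email's links."""
    return {urlparse(u).hostname for u in links}


def parse_log(text):
    """Yield one record per well-formed proxy log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, method, url, nbytes = m.groups()
        yield {
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "method": method,
            "host": urlparse(url).hostname,
            "bytes": int(nbytes),
        }


def suspect_uploads(log_text, links, min_bytes=50 * 1024 * 1024):
    """Clients that sent at least min_bytes via POST/PUT to any of the proof hosts.

    Returns {client: {"bytes": total, "first": datetime, "last": datetime}} so the
    responder gets both the volume and the window to pivot into host forensics.
    """
    hosts = proof_hosts(links)
    totals = defaultdict(lambda: {"bytes": 0, "first": None, "last": None})
    for rec in parse_log(log_text):
        if rec["host"] not in hosts or rec["method"] not in ("POST", "PUT"):
            continue
        agg = totals[rec["client"]]
        agg["bytes"] += rec["bytes"]
        agg["first"] = rec["ts"] if agg["first"] is None else min(agg["first"], rec["ts"])
        agg["last"] = rec["ts"] if agg["last"] is None else max(agg["last"], rec["ts"])
    return {c: a for c, a in totals.items() if a["bytes"] >= min_bytes}


if __name__ == "__main__":
    for client, agg in suspect_uploads(SAMPLE_PROXY_LOG, PROOF_LINKS).items():
        mib = agg["bytes"] / 2**20
        print(f"{client}: {mib:.0f} MiB to proof host(s) between {agg['first']} and {agg['last']}")
```

The threshold is what keeps ordinary use of the same storage service (the small POST from 10.20.9.9 in the sample) out of the result; lower it with `min_bytes=0` when the log covers a short window or the service is not otherwise used. Treat the proof links themselves as hostile: only their hostnames are consumed here. Pulling the attacker's files back through the corporate network creates a second copy of the stolen data and, depending on the service, may show the attacker that the link was opened.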

76 comments

  1. It'd be a shame,,,,, by dasgoober · · Score: 1

    ... If someone ELSE broke in and found the information, and then released it to the public - but I wouldn't do such a thing. ... heheheh

  2. Private Enterprise at work finding holes by BoRegardless · · Score: 2, Insightful

    Isn't this the way capitalism is supposed to work? Find a need and fill it?

    1. Re:Private Enterprise at work finding holes by Anonymous Coward · · Score: 0

      No! Because these despicable hackers are black hearted, law breaking CRIMINALS. See, there's a law against doing that and everything. Now, if they just started a legal TAX PAYING business offering their services to LAW ABIDING companies (and taking out the proper legal BONDS and INSURANCE so the businesses would be INDEMNIFIED) then everything would be...
      No. Hold on a second. It looks like that's against the law, too.
      As a matter of fact, it looks like my writing about this being against the law might be against the law.
      There's a knock at the door. I'll be right back.

    2. Re:Private Enterprise at work finding holes by Anonymous Coward · · Score: 1

      If a home security service broke into your house and left behind a pamphlet advertising their superior lock service for the low-low-discount price of only $1000, I suspect there would be more of a response than "What a great way to advertise a profitable business!"

    3. Re:Private Enterprise at work finding holes by gurps_npc · · Score: 2

      Nope.
      If I find a need for your home to require a fire alarm, I can't break into your home and install one, then demand money for the 'work' I did.

      --
      excitingthingstodo.blogspot.com
    4. Re:Private Enterprise at work finding holes by geek · · Score: 2

      Isn't this the way capitalism is supposed to work? Find a need and fill it?

      Yes. They are called pentesters. These however are no pentesters.

    5. Re:Private Enterprise at work finding holes by fustakrakich · · Score: 4, Funny

      It's also anti-communist. The people that report bugs for free are being thrown into jail. Damn hippies!

      --
      “He’s not deformed, he’s just drunk!”
    6. Re:Private Enterprise at work finding holes by bluefoxlucid · · Score: 3, Insightful

      Yes, and government is meant to regulate and facilitate capitalism. Faced with a need, hundreds of frauds will try to sell you a useless product or service, and others will attempt to manufacture a need by such methods as causing you harm and selling you the means to repair said harm. Governments place regulations and laws providing standards and punishment for such actions so that such exchanges are voluntary and beneficial.

    7. Re:Private Enterprise at work finding holes by davester666 · · Score: 1

      Nope, if you incorporate, and then get valued at, say, $50mil or more, then you can probably do this legally, because you are in the "security" business.

      --
      Sleep your way to a whiter smile...date a dentist!
    8. Re:Private Enterprise at work finding holes by Qzukk · · Score: 3, Informative

      Who's installing one?

      What this sounds like is that they break in, find you have no fire alarm, then tell you "hey bud, you've got a major fire code violation on your hands. For $x, I'll tell you what it is. Otherwise, well, who knows what the next inspection will turn up?"

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    9. Re:Private Enterprise at work finding holes by geekmux · · Score: 0

      If a home security service broke into your house and left behind a pamphlet advertising their superior lock service for the low-low-discount price of only $1000, I suspect there would be more of a response than "What a great way to advertise a profitable business!"

      Bad example.

      It takes at least some skill and training to break into a network.

      It takes an idiot with a brick to break into a house.

      Which is exactly why you hear about the latter happening FAR more than the former, and therefore no shady tactics by home security companies are needed, only FUD sales tactics.

    10. Re:Private Enterprise at work finding holes by Anonymous Coward · · Score: 0

      Well, if you shut down gubbermint, who'll protect you from such practices?

    11. Re:Private Enterprise at work finding holes by jthill · · Score: 1

      This is the confusion the FBI et al. are capitalizing on. A physical lock that's more expensive to break than the value of what it's protecting would be absurd.

      --
      As always, all IMO. Insert "I think" everywhere grammatically possible.
    12. Re: Private Enterprise at work finding holes by Anonymous Coward · · Score: 0

      Hey, you coming back? I made bacon pancakes and everything!

    13. Re:Private Enterprise at work finding holes by scarboni888 · · Score: 1

      We were hoping you would take care of that, AC. AC??

  3. Until the FBI shows up by captaindomon · · Score: 1

    It's all fun and games and your "living" until the FBI (or insert your country's equivalent here) breaks your door down at 3:00 AM. Try to convince a judge "I broke into his house and stole his cat and held it ransom because I wanted to let him know his windows are breakable."

    --
    Just because I can hook a shark from a boat, I do not offer to wrestle it in the water.
    1. Re:Until the FBI shows up by Anonymous Coward · · Score: 0

      terrible analogy - you'd have to break in and make a clone of the cat and take that clone to be even a little bit close.

    2. Re:Until the FBI shows up by barbariccow · · Score: 2

      terrible analogy - you'd have to break in and make a clone of the cat and take that clone to be even a little bit close.

      Not according to RIAA and the supporting court system..

    3. Re:Until the FBI shows up by Anonymous Coward · · Score: 0

      Wait... interesting point. If the company data the attacker stole included Jane's pirated MP3 collection, Tim's torrented season 2 of Game of Thrones, and Bob's collection of midget porn, would *AA pursue a take down of the entire collection of data?

    4. Re: Until the FBI shows up by phorm · · Score: 1

      I don't know that the RIAA would have a problem with the midget porn, unless it had a copyrighted soundtrack.

      After all, they look after the music industry, not the little guys.

  4. Headline should be... by mongothesecond · · Score: 5, Funny

    Bug bounty participants decide they want a raise.

    1. Re:Headline should be... by TheCastro1689 · · Score: 1

      More that they wanted to get paid at all, how many times have we heard of bounty programs not paying out or lying?

  5. Why not? by fustakrakich · · Score: 2, Insightful

    The good Samaritans are being treated like criminals anyway. This makes it worth the risk. We can blame the authorities for this turn of events. Treat people like criminals, you're gonna get criminals.

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:Why not? by Anonymous Coward · · Score: 1

      I'll always be amazed by the intellectual hoops some people will jump through to blame anyone but themselves for their own choice of actions.

    2. Re:Why not? by fustakrakich · · Score: 2

      Right or wrong, most people will follow the example that leads to the highest rewards.

      --
      “He’s not deformed, he’s just drunk!”
    3. Re:Why not? by AK+Marc · · Score: 1

      That statement has a chance of being true only if the poster has done it. When the corporate overlords are acting evilly, why is a character flaw to act similarly in response?

  6. Work both ends...like the cable companies by xxxJonBoyxxx · · Score: 1

    >> Please rest assured that the data is safe with me. It was extracted for proof only. Honestly, I do this job for a living, not for fun

    If that's true, then these enterprising young job creators are missing a viable revenue stream: also selling copies of the data. (In other words, anyone who says this is still full of it.)

    1. Re:Work both ends...like the cable companies by wierd_w · · Score: 1

      I don't extort money from people this way, nor do I attack production systems to find vulnerabilities. (The most I do is set up my own deployment, and then do horrible things to that, and then only out of personal curiosity.)

      However, I feel compelled to point out-- Not everyone is a sociopathic ass weasel. For some, the extortion of money is more a means than an end. In other words, they don't really want the money; the demand for money is just something used to coerce the corporate overlords they see running lackluster operations into fixing their shit. E.g., when they can just blow it off and pretend it never happened, to the sociopath, it never happened. There has to be a publicly exposed element, and personal loss, before the problem is actually a problem. That's what the ransom does.

      Now, I doubt that MOST of the people doing this have such high minded ideals behind the ransom demands, but asserting blandly that all of them are money grubbing sociopaths hints pretty strongly that you either spend way too much time with that kind of crowd, or that you belong to that crowd yourself.

    2. Re:Work both ends...like the cable companies by Gavagai80 · · Score: 3, Interesting

      If it's genuinely not about the money, demand that the company donate the specified amount to a specified charity.

      --
      This space intentionally left blank
    3. Re:Work both ends...like the cable companies by Anonymous Coward · · Score: 0

      Donations are tax deductible, hence not really "costing" them anything, and it becomes just another tax write-off.

    4. Re:Work both ends...like the cable companies by Anonymous Coward · · Score: 0

      Why give them an opportunity for a press release patting themselves on their backs?

    5. Re:Work both ends...like the cable companies by wierd_w · · Score: 2

      That's how you get "sued then ignored."

      Holding the data makes them have to take you seriously.

      It's a terrible thing, but the downward spiral is being driven by the obstinate corporation's sociopathy, not the grey hats.

    6. Re:Work both ends...like the cable companies by UsuallyReasonable · · Score: 3, Insightful

      If you don't understand how tax law works, posting comments regarding it is a bad idea. Tax deductibility does not make something free.

  7. Post More FUD by zenlessyank · · Score: 2

    Meanwhile corporations put profit over security. Somebody calls them out for it and they claim terrorism. Fix your shit or get owned. Blaming somebody for walking in the front door when you left the door unlocked is stupid. This is the real world. Not some fantasy place where your wish is everyone else's command. Self-righteous spin will come back to haunt you.

    1. Re:Post More FUD by bluefoxlucid · · Score: 3, Insightful

      Corporations are minimizing *cost*; profits are not directly under corporate control. When you reduce cost, you can reduce price to take a stronger market position--and that works until your competitor does the same, at which point you need to reduce cost further and get in line with whatever your profit margin was in the first place.

      That's usually a maximizing strategy. Spending excess for something (e.g. security) means something else is not made, because that consumes labor; likewise, the uptick in a product's cost means the price goes up, and thus consumers can't buy as many other things with their income (which, happily, aligns with the "the people who were making other things are now busy making this thing instead" problem). Couple that with technical progress and you get phenomena such as food getting cheaper (30% of the median family's income in 1950, 14% of their income in 2000, 11% today) and people having better access to medical care, smart phones, or ALL THE OTHER SHIT THAT MAKES US ACTUALLY CARE ABOUT COMPUTER SECURITY.

      I said *usually* a maximizing strategy. Even with computer security as today, these types of breaches carry a cost and, notably, they carry risk: that $30,000 cost isn't just a $30,000 cost, but the *potential* for lost customers and UNCONTROLLED COSTS. Those uncontrolled costs could be immeasurable: they could be millions, they could be a percentage of your business, or they could be a blunt disruption to operations resulting in either immediate failure *or* a temporary loss of operating ability shifting business toward a competitor and leading to a downward spiral of your business's market position until it ceases to be a business.

      "We don't know how much we need to charge for our product to stay in business" tends to turn into "we need to charge more than our competitors, and are losing business because their products are cheaper", which tends to motivate businesses to deploy better security to control those risks. As we've seen, this isn't *always* true; it's typically *reasonably* true, and even the best security gets breached (something you're unfairly ignoring)--just much less often.

      It's also true that, as you suggest, businesses will under-spend for security when that spending doesn't provide them a direct return due to the consequences being borne by the market. That is: security breaches generally cost a business unknown money, thus are addressed naturally as a risk; and security breaches *can* cost the consumer in ways which aren't covered by actions which protect the business, thus creating a gap in which a certain action would provide an economic benefit, but not be a natural action for a business to take.

      That gap is filled by GOVERNMENT REGULATION. Use sparingly, but use where required.

      So, business cost-minimizing and cost-controlling actions: Good. Government regulations: Good. These two things cover for each other. Without business behavior as such, we need some kind of command economy (Marxism, Communism); without government regulation as such, capitalism outright fails (we get anarchocapitalism and then corporatism, leading to fascism--corporate dictatorship by controlling market interest such that "voting with your dollars" creates widespread poverty and worse immediate problems than accepting the rule of the elite).

    2. Re:Post More FUD by Anonymous Coward · · Score: 0

      Very nice post, thanks for taking the time to write it.

  8. Sensationalist title by Anonymous Coward · · Score: 0

    Unless we know they usually do release the data they gathered (which apparently they don't) the company has the option of paying or not paying, depending on whether they consider the information valuable enough. It's no different than hiring a pentester, except that you already know in advance that you'll get a vulnerability fixed.

  9. This isn't extortion by Anonymous Coward · · Score: 0

    Extortion would be to threaten the company with releasing the data if they refuse to pay.
    This is simply fishing for bug bounties from companies that don't already offer them. It might be illegal but it's definitely not extortion.
    There's also no reason they should disclose the vulnerabilities for free- that's providing penetration testing (a legitimate job) for free.
    On the flip side, if the companies don't want to pay the hackers and choose not to, that's their own choice and also perfectly legitimate.

    There should be an established legal way to perform this kind of work. Security vulnerabilities affect everyone, not just the companies that have them. If there were some sort of license which would allow you to perform this work without fear of legal repercussions while protecting the acquired data, we would see a lot more white hat hackers and maybe less black hat/malicious ones.

  10. Call racketeering for what it is by Anonymous Coward · · Score: 0

    This is extortion.

  11. "honestly"???? by mark-t · · Score: 4, Insightful

    Like seriously anyone can possibly be expected to believe that?

    If the person is willing to break the law and hack into somebody else's computer without permission, why the heck would they have any compunction about lying about not releasing the data? They've already showed willingness to ignore what the law requires them to do (or not do), so there is no reason to believe that they would not release the data.

    1. Re:"honestly"???? by Anonymous Coward · · Score: 0

      Seriously? You don't see any difference here in those two actions? "A thief has demonstrated they have no compunction about breaking the law, so why should we believe that they wouldn't murder someone?"... Now, don't get me wrong, out of pragmatism you'd be foolish not to have some assurances somehow that the data they took was not released and all copies are destroyed (not an easy thing), but it's not obvious that someone breaking into a site and holding data to ransom is also going to release it... especially given the numerous cases of people trying to help via normal reporting and getting themselves attacked by the government... not the least of which was the latest guy who discovered confidential data on an anonymous FTP server and was raided for reporting it (thanks guys, THAT will surely be an enticement to all 'proper thinking people' to try to help now, wouldn't it????).

      Push comes to shove, if you're going to treat people trying to do the right thing as criminals, then why be surprised if they start actually acting like criminals.

    2. Re:"honestly"???? by mark-t · · Score: 2

      I didn't suggest that computer trespass was akin to murder though, did I? *YOU* were the one who brought up that comparison. I suggest only that computer trespass is akin to things such as fraud and theft, which is also what selling the data to someone else would be.

    3. Re:"honestly"???? by wierd_w · · Score: 1, Interesting

      Be careful with those bandwagon fallacies.

      Like all actions undertaken by people, the issue revolves around motive.

      def tactics(motive, ethical_disclosure_succeeded):
          # The same decision tree, written so it actually runs: which tactics
          # follow from which motive. Any other motive is left undefined here.
          if motive == "Personal enrichment":
              return {"extort_money": True, "sell_stolen_data": True}
          if motive == "End-User security improvement":
              if ethical_disclosure_succeeded:
                  return {"extort_money": False, "sell_stolen_data": False}
              return {"extort_money": True, "sell_stolen_data": False}

      E.g., the extortion is just a means to compel the obstinate corporation running the grossly insecure system into actually taking SOME action besides "sue and ignore".

      When enough well-meaning grey hats get "sued and ignored" for Big Corporate Profits, expect their tactics to change from benign methods like a simple "uhm, hey guys-- You totally have all your shit on a public-facing anon FTP server. I can see all your exchange server's dirty laundry. Consider fixing it, m'kay?" into a "Look bros, not only are you stupid fucks that treat user data like it's nothing, you left all your dirty, illegal practices open to public scrutiny by being idiots with your security. Here's how you should properly secure that shit-- Now pay me 30k for the service."

      And, if the idiots running these shitty services continue balking about having to actually do things right, expect it to escalate even further to "If you blow me off, I will give the data to somebody who could actually use it." which is the next logical step.

      I have done some grey-hat things (I have literally stumbled across servers that were not intended to be internet-facing, that contained privileged data. Thankfully they were from research groups and universities, not corporations. Google indexes LOTS of interesting places.), but I did not exploit that-- I found ethical disclosure to the site operator was sufficient. From what I have been reading though, corporations tend to sue first, and thank never. Instead of getting friendly letters alerting them to the issue, they have forced people to have to hold the data hostage.

    4. Re:"honestly"???? by mark-t · · Score: 2

      Nobody's forcing the hackers to hold the data hostage.... they could, if they really were so inclined to do things on the up-and-up, resort to doing *LEGAL* things instead of breaking the law. The only reason they could ever somehow feel forced to sell or distribute the data in the event that they didn't get paid for the service of knowing how the hack was accomplished is because they broke the bloody law in the first place. In fact, the only logical reason I can think of for them to do things illegally at all is because the profit incentives might be better, so it is far more likely that profit is the incentive for the action than any genuine desire to improve security.

      Sheesh.... talk about blaming the victim for a crime.

    5. Re:"honestly"???? by wierd_w · · Score: 1

      Want a specific example?

      A few years ago, I was looking for a copy of a specific file, and constrained my google searches in such a way that I was getting only raw file indexes from google.

      My crime: Using google.

      What I found-- You know the Atlas experiment? Part of the LHC at CERN? They had an unsecured, public-facing HTTP server online that had the file I was looking for. The server was clearly not intended to be publicly facing: It had engineering data on the ATLAS detector, some preliminary data from the experiment, employee photos, and some other "clearly not for public disclosure" information on it, being blissfully cataloged by Google's metacrawler.

      Did I decide that I needed copies of all that data?
      No.

      Did I decide that I needed to give that data out to interested parties?
      No.

      Did I politely disclose the unintended disclosure their servers were doing to the site's admin after looking them up?
      Yes.

      Am I glad that they made the server more secure afterward?
      Yes.

      Was I interested in money at any point in this matter?
      No.

      Could I have been prosecuted for unauthorized access to a computer system, under modern antihacking laws?
      HELL YES.

      You see it pretty frequently these days: Somebody stumbles upon a vulnerability by mistyping a URL for their bank statement, and gets somebody else's statement. BOOM, Criminal access. They do due diligence to make sure it isn't a fluke-- access a few other statements-- then attempt ethical disclosure. Instead of being thanked for the heads up to the breach, they instead get arrested. (and the hole left unpatched.)

      When this happens often enough, people who stumble on these things, who really just want it fixed, end up having to take measures to protect themselves. This has now clearly escalated to hostage taking.

      Blaming victims indeed.

    6. Re:"honestly"???? by Jumunquo · · Score: 1, Insightful

      And that is exactly the very valid point that was made: that a willingness to commit computer trespass and ask for money does not necessarily equate to a willingness to release secret company information.

      I can switch the question back onto you - why would the criminal not just threaten to release the info then? Wouldn't that be better at compelling you to pay the ransom? I'll try to make an educated guess here: I bet they are trying to give themselves an excuse for their behavior or they are following some sort of self-imposed rules for their skewed sense of ethics. Would they release it if ignored? I don't think you can assume one way or another.

    7. Re:"honestly"???? by mark-t · · Score: 3, Insightful

      I would suggest that it may very well be that the desire to at least offer a pretense that they have the best interests of the victim in mind... when in fact, if they genuinely had had their best interests at heart, they would not have chosen to deliberately break the law and hack into their system in the first place, and certainly not hold the details of how they did so for ransom.

    8. Re:"honestly"???? by mark-t · · Score: 1

      I would suggest a very pronounced difference here is that you weren't interested in causing any harm to them, financial or otherwise. Can't exactly say that about these guys here, can you?

    9. Re:"honestly"???? by wierd_w · · Score: 1

      If you note, that is precisely what I was pointing out-- it all revolves around the motive.

      These days, in the climate of people being arrested for pointing out a serious issue, stumbled upon innocently, for technical infractions of modern antihacking laws-- The potential exists for people that just want to see the server fixed, having to resort to unscrupulous practices to see that this happens, where in the past a friendly letter sufficed.

      In such cases, the "extortion" is only a means, not the end. The desired end is properly secured servers, and proper treatment of sensitive data.

      That's why I responded the way I did. These days, I would be torn between not reporting the exposed server at all (safest), or naming and shaming. If it was a corporate or bank server, I would be seriously fearful of "assertive prosecution"-- possibly enough to consider digging the hole deeper by selling access to the data to secure a way out of the country to evade prosecution- especially if the breach was really severe.

      Now, wouldn't it just be better for everyone if there was some good samaritan verbiage on ethical disclosure instead?

      People can only do the right thing, when it is safe for them to do the right thing.

    10. Re:"honestly"???? by mark-t · · Score: 1

      People can only do the right thing, when it is safe for them to do the right thing.

      Perhaps... but even not being safe to go out and actively do the right thing does not mean it should be acceptable to do something to harm or to exploit somebody else... which even at best, is still what these people are doing.

    11. Re:"honestly"???? by wierd_w · · Score: 1

      That's part of the problem here-- The person who makes the discovery is systematically excluded from being considered a "good guy", because under the prevailing laws, they did indeed access privileged information without proper authorization. That this happened accidentally, or as a result of a completely harmless search is not important, and the prosecutor will attack with vengeance all the same.

      This leaves this person, who wants to do what is right (or what they perceive to be right), stuck with only bad choices.

      1) ignore the whole thing and hope nobody audits the logs.

          Ethical conundrum-- Knows that people's data is being leaked, and is very easy to obtain, understands consequences, has to rationalize potential victimization of those people against personal legal safety. Not pleasant.

      2) Report the problem ethically, and risk being arrested for criminal hacking, and being drummed up as some dread pirate roberts of the hacking world, because some prosecutor has a hardon for being officious.

      Ethical conundrum-- Knows that most instances of ethical disclosure do not result in closure of the security hole, and that doing so will almost certainly get them arrested, depending on who is leaking the data, and what data is being leaked.

      3) Report the problem as a zero day and get paid for it, and use the money to evade prosecution-- know that people WILL have their data stolen and exploited, but that further use of the exploit will be stopped.

      Ethical Conundrum-- Knowingly causes other people to be harmed, but also knows the potential for abuse will stop. Has a possible way of evading being punished by the legal system for essentially being a witness to criminal negligence.

      Note, none of those are particularly ethical, and any one of them has their pros and cons-- The properly ethical route-- report, be assured safety for reporting, and being assured the hole will be closed, is not on the table.

      A good deal of this modern hacking shit could be stopped in its tracks by fair legislation that makes ethical disclosure a sacrosanct act, with consequences for non-action on the side receiving the notice.

      But no, the fiction of supervillain hackers who only want to cause chaos and disruption is too attractive to the media and court systems, and there is no financial incentive for big business to submit to that kind of thing over immediately trying to use the legal system to silence witnesses.

      I expect it will be a cold day in hell before such a protection is even discussed, let alone implemented.

      And in that time, the position of ethical reporters will only get worse and worse, ever more favoring taking the money and running.

    12. Re:"honestly"???? by mark-t · · Score: 1

      Assuming that the intrusion was accidental, you have given three options for consideration:

      1) ignore the whole thing and hope nobody audits the logs.
      2) Report the problem ethically, and risk being arrested for criminal hacking, and being drummed up as some dread pirate roberts of the hacking world, because some prosecutor has a hardon for being officious.
      3) Report the problem as a zero day and get paid for it, and use the money to evade prosecution-- know that people WILL have their data stolen and exploited, but that further use of the exploit will be stopped.

      There's no ethical conundrum with this last point. Giving that information to a third party is devoid of almost any intention to practice ethics at all, and the only interest it serves is one's own desire to profit at other people's expense. If you get caught, expect some prison time.

      That leaves options 1 and 2. Consider option 1, where you have a chance of getting found out even if you don't admit to what you did... while even if what you did was accidental, choosing to ignore the problem and hope it goes away may create the impression in other people that you are trying to conceal your activities, may suggest to other people that your activities were deliberate, and thus hurt you even more if they find out. Although this option costs you the least in the best case, it also has considerable legal penalties if things should go south on you... and you have no control over just how bad they might get.

      Option 2 is probably the most ethically desirable option, assuming no real harm was done (or any harm was negligibly minor, and you have offered restitution for it), even though it has a distinct non-zero possibility of turning out unfairly for you. Bearing in mind that if they decided to prosecute you anyway, especially if they are pushing for penalties that are utterly disproportionate to the damage that was actually done when you have openly tried to apologize for it (and offered restitution for the minor damages that were done), then *THEY* are the ones being assholes. While you have no control over how ethically other people may behave, you still *DO* have control over your own actions, and how other people may unethically react to you should not override your willingness to practice ethical behavior... choosing to do otherwise is subjugating your own will to do only what those around you might want or expect, making you effectively a kind of slave to others, some of whom might even choose to exploit that fact. At the very least, admitting what had happened up front, explaining how it happened and what you were actually trying to do would not leave anyone with any basis to *rationally* conclude that the intrusion was actually malicious in intent. This should be apparent in court, and any actual legal penalties that might ensue are almost certain to be far milder than the legal consequences for either of the other two options, assuming you were caught. Ideally, if no harm was truly done, then no charges will be pressed at all, and everyone lives happily ever after.

    13. Re:"honestly"???? by wierd_w · · Score: 1

      I agree, which is why I took option 2.

      The problem is that when confronted with almost certain reprisal of the legal kind (corporations are sociopaths, and DO NOT engage ethically! If they can make you into a boogieman that just wanted to harm their customers, truth be damned-- it means that they can lie, say their systems are perfectly secure from most types of intrusion (despite the objective reality), and that by apprehending and prosecuting you, they have removed the threat to their customers. Their customers don't know any different, the corporation DOES NOTHING to improve security, all the while other, less ethical hackers are silently just scooping the details and making use of it clandestinely.) the choice becomes:

      Report, and be hanged publicly-- atrocities continue.

      Force the atrocities to light by giving the details to literal thugs, who then blow the lid off the thing with their excesses-- FORCING the atrocities to be stopped.

      Either way, you are assured of being reamed. One of the two assures the atrocities stop.

      That one is the most ethically dubious.

      Denial is first and foremost what these big corps do, when confronted with an ethical disclosure. It costs nothing to do nothing, and anything that costs them extra detracts from shareholder value. Detracting from shareholder value is the single cardinal sin for corporations. Imaginary losses that could happen are not their concern. Downplaying the severity of the problem and ignoring it is their tactic of choice. Ironically, this is why many young greyhats feel it necessary to scrape data from the unsecured server-- It PROVES that the server is insecure. It also proves that they did illegal access. The corporation already retains a legal team. Siccing them on you is an already justified business expense. Fixing the problem is not. They choose to fix the problem by arresting you, because ignoring the problem is easier and cheaper.

      As an ethical reporter, you observe this. You see that people's data is being treated in a very dangerous and negligent manner. You consider it unethical to turn a blind eye to this, because this is people's privileged data they are mishandling. As a single person, who is disadvantaged from a legal position from the start, you only have the two above options. You can choose to martyr yourself and accomplish only your own downfall, or you can expose it publicly, see an initial outbreak of people being hurt, but rest assured that the hole WILL be fixed, and that after this period no further people will be silently victimized.

      The ideal solution is to come forward and be protected for coming forward, and for the legal system to focus its attention on the negligent actions of the data's administrators for gross mishandling-- But that isn't how the world works.

      Judges don't know the first thing about advanced searches, or why you might be looking for a publicly exchanged file from yesteryear that is no longer available from the original download source-- They eat the sob story about how you shamelessly violated some server somewhere, greedily seeking data that was not meant to be public, out of pure greed and malice. Because they don't know any better.

      The media? They LOVE sensationalism, and "Evil hacker apprehended!" sounds so much better than "Data mismanagement leads to case of wrongful prosecution."

      You are an ethical discloser. Your first and major desire is to see that the hole is closed. You see that the game is rigged.

      You can choose to be impotent, and get slaughtered.

      OR, you can choose to cause some chaos to ensure that no further harm happens later, and get slaughtered.

      Either way, you will get slaughtered. The first one is the most ethical from a personal behavior point of view-- conducting one's self in the most ethical way they can, despite the poor outcome of abuse continuing silently. The second is the most ethical from the total societal point of view-- You exchange an unknown degree of abuse against an unknowing public, i

    14. Re:"honestly"???? by mark-t · · Score: 1

      Speaking for myself, since I cannot control what other people may or may not do, I do not allow whatever unethical responses I might expect from them to prevent me from acting ethically, because the choice to act ethically or not *is* something I can control. While it's not my desire to invite bad consequences into my own life, I'm ultimately still not responsible for how unethically other people might act, even if such responses can be theoretically anticipated in advance. I can only assume responsibility for my own choices and actions. If I let what other people might do to me for doing the right thing stop me, because I am afraid of some unfair reprisal that may or may not happen (and the choice to do so is theirs, not mine), then I am abdicating personal responsibility for my actions, and blaming other people for *MY* choices. Whether that is, as you say, not how the rest of the world works, it's not any kind of life worth living in

  12. Garbage journalism by ShanghaiBill · · Score: 2

    ... If someone ELSE broke in and found the information, and then released it to the public - but I wouldn't do such a thing. ... heheheh

    According to TFA that is NOT what they are doing. Also, according to TFA, that is exactly what they are doing. When an article is written this incompetently, and contains contradictory statements, and zero actual examples, it is best not to draw conclusions from anything it says.

  13. Clever.Hacking less of a crime than blackmail? by evolutionary · · Score: 3, Interesting

    Technically, prosecutors can't charge blackmail because they haven't said your data will be exposed unless you pay. They are only asking to be paid for how to patch the security flaw. (White hacking + data extraction) Of course the idea is to add "incentive" with the data being in public, unauthorized space. But they haven't said it would be leaked unless payment is given (or only take it down on the same terms). Of course the victim could turn that around and say, "before we discuss the merit of your services, let's say you remove all the files I own from your server, allow me access that I may be satisfied to the fact it is destroyed and no spare copies exist, you tell me how you broke into my system and how to patch it up and in exchange I don't send your name, and your communications to me to the cyber crimes division of the FBI, it's a bargain considering the alternative, and some free advice in return for your assistance...stop short of actually stealing files before asking for a fee for your proactive "good citizenry". Appreciate your efforts".

    --
    "Imagination is more important than knowledge" - Einstein
    1. Re:Clever.Hacking less of a crime than blackmail? by Stan92057 · · Score: 1

      "Quote"Crooks breaking into enterprise networks are holding data they steal for ransom under the guise they are doing the company a favor by exposing a flaw."End Quote"

      Yep, that's blackmail. Holding something they stole from you and demanding something in return to get it back/prevent it being made public is blackmail/extortion/against the law. They are criminals no matter how it's painted. They are no heroes, they are not the good guy; the good guy will tell you and demand nothing, but even then breaking into anything without permission is against the law unless you have a warrant or were invited or given permission.

      --
      Jack of all trades, master of none
    2. Re:Clever.Hacking less of a crime than blackmail? by stephanruby · · Score: 2

      "...let's say you remove all files the files I own from your server, allow me access that I may be satisfied to the fact it is destroyed and no spare copies exist..."

      So you're demanding root access to all his servers, email accounts, cloud accounts, passwords, phones, tablets, external drives, USB flash drives, SD cards, burned DVDs, tape backups, any accounts of his friends and family, his garage, his home, his gym locker, any and all his body cavities, etc.

      And even then, do you realize that even if he gave you all of these things, it will never guarantee that the data "was destroyed and no spare copies exist"? No, no. If your data has been compromised, it has been compromised. Once the cat is out of the bag, you should simply assume that every bad guy has it by now, or will have it at some time in the future. And you're better off just biting the bullet now and letting your management, any other stakeholder, and your customers know about the breach as soon as possible. Because even if you did pay them money to keep this information secret, there is simply no guarantee this blackmailer won't turn around and sell your secrets to other groups of people, or won't turn around and ask for more payments down the road.

    3. Re:Clever.Hacking less of a crime than blackmail? by Anonymous Coward · · Score: 0

      Nice effort, but by copying sensitive files, you've already compromised your "client's" data. Not a good way to initiate a "business relationship", of which this sort of cockery is nothing of the sort.

      However, if a company avoids taxes, they should not be afforded assistance from the State.

    4. Re:Clever.Hacking less of a crime than blackmail? by rahvin112 · · Score: 1

      Access without permission is a violation of the CFAA and the penalties are severe.

    5. Re:Clever.Hacking less of a crime than blackmail? by Anonymous Coward · · Score: 0

      If I have access without being asked for permission, no crime was committed. QED.

    6. Re:Clever.Hacking less of a crime than blackmail? by Anonymous Coward · · Score: 0

      Access without permission is a violation of the CFAA and the penalties are severe.

      Only for We The People.

  14. from Ransomware to Ransom as a Service? by Gravis+Zero · · Score: 4, Funny

    Sounds like these blackhats just got their MBAs. ;)

    --
    Anons need not reply. Questions end with a question mark.
  15. Says the mercenary. . . by smooth+wombat · · Score: 1, Funny

    as they put a loaded gun to the head of these criminals:

    I do this job for a living, not for fun.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  16. How to Be Taken Seriously 101 by penguinoid · · Score: 4, Insightful

    After decades of "We'll fix that as soon as possible (maybe 20 years)" or "How dare you threaten/embarrass us, you evil criminals!" as a response to disclosure of security vulnerabilities, I can sympathize with this course of action. After all, they're at about as much risk of legal action either way, in fact probably less this way.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    1. Re:How to Be Taken Seriously 101 by Anonymous Coward · · Score: 0

      I can see where this started as a defense mechanism.

      "Hey so I was just probing your site and - hey! why did you send the police to arrest me?"

      turns into:

      "Hey so I was just probing your site and just a heads up before you send the police to arrest me: I can cause major financial harm to your business. Now that that's out of the way, you have bug/sec flaw X,Y,Z. You need to fix it."

      Demanding money is just a small step from that.

  17. It wuz haxx0rz by Anonymous Coward · · Score: 0

    "Hacker" is a completely empty term by now. You could have written what you know, instead of stooping to empty words. But you didn't.

    Keep it up, and I keep on not reading you. Why would I? You keep on telling me you don't know anything, anyway.

  18. Not a Ransom by GezusK · · Score: 1

    They're not threatening to release the data, so it's not a ransom. They're just not going to tell you how to do your job and secure your data. They're not going to get that service for free anywhere else...and at least this way they're not getting screwed by a real breach.

    1. Re:Not a Ransom by Dareth · · Score: 1

      There has been a breach and anyone involved is under obligation to report it as such. I am sure enough people will pay to keep it quiet and this type of action profitable.

      --

      I only look human.
      My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
  19. security insurance by Anonymous Coward · · Score: 0

    ... for as much as $30,000 ...

    Not sure how cyber-security insurance works but this sounds like a bargain. What's needed to control this opportunistic capitalism is 1) corporations treating IT infrastructure and maintenance as an asset, not an expense; 2) a forum/newsgroup for sharing solutions to known problems. Obviously the software/firmware vendor has the biggest incentive for offering such a forum/newsgroup.

  20. Meh by tsotha · · Score: 1

    Whether or not this is actually extortion depends on whether or not the hackers release the data if the company decides not to pay. If the company says no and that's the end of it I can't get too excited, though the act of breaking in is itself illegal in most places.

  21. Not a bad price by BlueCoder · · Score: 1

    Even if you are a small company and are frivolously sued, lawyers will tell you to settle for anything less than 30K. Why? Because that is how much it is going to cost you to win the case.

    If I owned two million dollars worth of personal stuff and a thief robbed me then offered to return everything for 30K and tell me how he robbed me so I could fix the problem with my security.... I would think 30k for 2 million would be a bargain.

    The public service here is that the company was lax in protecting their data and taking security for granted. You don't lock up your business with a $2 padlock and have a right to think it's secured and protected and that the police and the law will protect you. An insurance adjuster would laugh at you and give you an outrageous premium.

    Computer security is serious business and you need to be spending at least $200,000 a year just on audits and penetration testing. Otherwise don't collect and hold the data, instead subcontract it to another company.

    Just because you can skimp with a $2 padlock doesn't mean you should. Pay the salaries for a good IT department and contract outside consultants. Stop being cheap asses just because you can. You are aiding and abetting the ID and credit fraud out there. The government should fine you more than 30K for each time you're hacked... Does the government need to do your security auditing for you?

  22. You reap what you sow by Anonymous Coward · · Score: 0

    Since the companies will take white hat hackers to court over exposing vulnerabilities that the companies have refused to fix, taking data hostage to be used as leverage seems like the logical next step.

  23. It's all fun and games until.... by Tempest451 · · Score: 1

    You try to extort the wrong "organization" and they come knocking at your door.

  24. Same as CIA (and 17% mole FBI) by Anonymous Coward · · Score: 0

    Dig a big big big fucking tomb.