Paying Hacker Extortion

An anonymous reader writes "A friend works as CIO at a medium sized publicly traded company. The company was contacted by a hacking group and told to pay $100,000 to prevent their company from being hacked/attacked. They actually paid the extortion (told authorities after). The authorities said the company could be charged with supporting Terrorists. Seeing that most publicly known hacks are costing companies this size nearly a million dollars, Is this supporting terrorists or supporting stockholders?"

And now

[The MAZZTer]

They'll just be hacked anyway.

Short answer

[Volante3192]

Is this supporting terrorists or supporting stockholders?

One in the same...

Here's a thought

[Dunbal]

How about hiring someone who actually has some idea about security. THAT is supporting stockholders.

Re:And now

[odin84gk]

They will get asked for money on a yearly basis.

Supporting Criminals

[Jaime2]

Paying ransom is almost always a bad idea for the community as a whole. The authorities are simply trying to make the company do the right thing instead of the selfish thing. The biggest problem with security is that the incentives are rarely aligned with the responsibilities; this is a classic case of re-aligning those by pushing the societal cost back to the people who are in a position to make the decision.

Solution: Fire middle management.

[copponex]

With the savings your friend could hire some real security experts to keep their systems online.

As for the terrorism bit, it makes me wonder when we can sue members of Reagan Administration for arming the proto-Taliban, Saddam Hussein, and Iran. Clinton and Obama owe us a few bucks for Pakistan too, when they inevitably start arming terrorist in the near future. What's good for the goose is good for the gander, right?

Re:How exactly did they pay them?

[Anonymous Coward]

The same way that people have been transferring money illegally for decades: wire transfers to Caribbean banks with strict privacy laws and lax banking regulations.

Neither

[Rary]

Is this supporting terrorists or supporting stockholders?

"Supporting terrorists" is a stupid description, and the idiot who said that needs a kick in the teeth. However, also stupid was paying these jackasses. Take every precaution you can, get the authorities involved as a backup, maybe even alert your shareholders to the threat, but do not pay extortionist script kiddies.

Re:Here's a thought

[interkin3tic]

It does seem like $100k spent on security would have longer benefits than one payoff. For that matter, maybe a $100k insurance policy would be a better investment.

Re:Supporting Criminals

[Anonymous Coward]

The authorities are simply trying to make the company do the right thing instead of the selfish thing.

And threatening them with a crime is always a good way to encourage them to talk to the cops next time, because I'm sure the cops would have put that right at the top of their todo list before the money had traded hands.

Right...

Re:And now

[jmorris42]

> They will get asked for money on a yearly basis.

Which is why you never pay Danegeld. It never gets rid of the Dane.

Trillions for defense, not a penny in tribute is the only long term strategy for dealing with aggression. And these threats are aggression and weakness in the face of aggression always invites fresh demands. We should be tracking down these 'hacking' groups with the same vigor we go after other organized crime and terrorism. If that means dropping a Hellfire missile down on a few houses in countries where the local authorities won't take this stuff serious I'm not going to lose sleep over it. Can we bomb the spammer/phishers too while we are at it?

Re:How exactly did they pay them?

[melikamp]

This is utter BS. I bet it was the execs themselves who stole the money, probably long before they were "contacted by hackers". If it looks and smells like The Big Lebowski...

Re:False dichotomy

[Hatta]

That's the whole point of "terrorism". You can label anything terrorism, and all of a sudden none of the old rules apply.

Re:And now

[MaxBooger]

Oh... I didn't realize this was an article on norton/mccafee antivirus.

Re:everyone loses

[Anonymous Coward]

the united states invading iraq and afghanistan would also be considered terrorism in some circles

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:everyone loses

[Noelnonymous Coward]

By paying taxes, you're supporting somebody's terrorists. Cue flames.

Re:everyone loses

[pclminion]

Quit diluting the meaning of the word "terror." Terror is fearing you might be blown into bloody pieces while standing in line at a sandwich shop. Terror is fearing your elementary school kid will die a fiery death in an exploding school bus. Terror is wondering whether the building you work in is going to be on the receiving end of a trans-continental jet liner moving 500 MPH. These things are terrifying.

We already have words for the sort of thing the article is talking about: extortion, blackmail, etc.

Re:Short answer

[Volante3192]

do you have a 401K or a pension? You're likely a shareholder of something.

Nope. Basically, I'm fucked come retirement...assuming I don't kill myself with cirrhosis first. I've made peace with that though.

Re:And now

[dcollins]

He already said he wants to pay trillions. He preemptively out-crazied you by more than 6 orders of magnitude.

Re:And now

[jmorris42]

> Sounds great, until the news media hears about how somebody said "Fuck YOU!"
> to those who demand random in e.g. Somalia (Real pirates there) and people get
> actually killed because of it.

Better to spend ten times the demand on mercenaries and attempt a rescue than pay ransom. Better still if to develop a reputation for disproportional reprisals.

I.e. Do something like what the (possibly apocryphal story) Russians did in the M.E. back in the 80's when some of the fools wearing a diaper on their empty noggin didn't understand the difference between the US and the Soviet Union and kidnapped one of their people. Russian intelligence hunted down a relative of the leader of the terror group and mailed the terrorists the guy's nuts in a jar. Hostage was promptly released and the lesson was learned. Russians were not to be held for ransom.

In the case of Somalia, if America still had a spine we would just tell the pirates the US Navy would be hunting them at sea on general principle but that if they were ever stupid enough to touch an American flag vessel or anyone bearing US papers that we would hurt them so bad they would be screaming "war crime" in Geneva. As in sink everything that looked like it COULD float, knock down any and every building that might possibly be related to the pirates, etc. on a first offense. If the warlords still didn't take the hint and police themselves go in on the ground and kill anyone armed on a second offense. Make a proper example once and the problem never recurs.

Re:everyone loses

[twidarkling]

I'm sorry, but that's a retarded response. Even if I think the reaction to 9/11 was overblown, hacking a company is a completely different scale than wide-spread physical destruction and loss of life. To try and equate them means you're not an individual who should ever be included in a rational discussion about proportional response or morality. If I had to guess, I'd say you're probably one of the "nuke 'em all and fuck sorting them out" types, right?

Re:everyone loses

[digitig]

I think the response of the victims of the 9/11 attacks would likely have been terror. I've been working in a place where the IT department was dealing with a cracking attack, and nobody was screaming or throwing themselves from windows.