June 19th, 2014


Just the tip, please.

I blog mostly over at my own domain now, weev.net. As an aside, my continued work is supported by readers like you.

Do you enjoy my work infuriating snobby SJWs, corporate executives, and federal agents? Perhaps you appreciate the sacrifices I've made defending your liberty? Please consider sending tips to help me continue doing it. You can do this through a number of ways.

The major ways to support my work are as follows.

I can currently receive recurring credit card payments via Hatreon. The service is still invite-only, so please use invite code OLCRGFRQBOEX when signing up.

I heartily encourage you to consider cryptocurrency, including Bitcoin: 1JTeYcsx37XTq5NRgjepAHDqaLHTZUL88a

  • also Ethereum: 0x3BDD560c6827D4CA9B91630c757e2aD3BD88eCdb

  • Dash: XyrbhhXnH2NPtxXKuJyfRgA3F1HAtvF4KR

  • Litecoin: LbaSXjPXTc8dCyQ4b6CMRQvBtny4JGiAV7

  • Zcash: t1MrZZx5krpaM1mnjbVCheUTnZsxav4qnJ9

  • Ripple: r4P5frZybdemjxiLt2E25qHSVCLgPdD74E

  • and also Monero, which best maintains our privacy (I prefer this most):



A tale of two data ransoms: Nokia and CodeSpaces.

This week we learned about two events of data ransom. One is in the distant (by the Internet news cycle's terms) past, and the other is quite recent. In 2007, a group of people got ahold of the private key that Nokia used to sign smartphone software, including operating system updates. Once you get ahold of the signing keys like this, it becomes pretty trivial to do something like turning every Nokia phone into a device dedicated to showing people Goatse. The fact that they had the signing key is an implicit indicator of further compromise. Once you are so deep on someone's network that you grab their signing keys, that means you popped everything else on the way there.

Nokia carefully weighed the realities of how fucked they were and what was best for their customers. They did the right thing: paid out the millions of euros that were asked of them. That was the last they heard of it. We in fact would have never even heard of this incident had Finnish police not been dumb enough to comment on it to Finnish news media. Just goes to show that calling the cops will never help you in a situation like this.

Two days ago, a company called CodeSpaces was compromised to a similar degree. CodeSpaces's company mission is to provide, I quote, "secure Source Code hosting and project managements". The very description of their business is security and they completely failed at it. I'm sure this level of incompetence will follow founder Floyd Price and CTO Adrian O'Conner around to future job interviews and investment proposals. CodeSpaces got owned. They were asked for a payout. They refused to comply. CodeSpaces's backups had been poisoned. They were popped end to end. Everything got deleted and there are no useful backups. CodeSpaces is no longer in business.

There's a lesson here. You need to take care of information security in advance. If you don't, and you get owned, pay the fuck up. Some people ask, "what's to stop my attackers from coming back and demanding more money later?" Firstly, think about it from the perspective of self-interest in the marketplace. This is the question everyone is asking when they are pondering paying out. Now, if you're the kind of person that makes his living from extortion, you need to establish a reputation that you are going to make good on your promises. If everyone knows that they aren't actually going to get what they ask for when they pay out, they no longer have an incentive to pay. Nobody can actually identify cases of data ransom where people's businesses were interrupted after a payout. There is a clear reason for this: it is bad for the business of data ransom.

Secondly, think about this from the perspective of game theory. If you pay the fee, it is a cost of doing business and you have a hope of recovering from the loss with future revenues. If you don't pay the fee, you can rest assured that you will be ruined completely and there will be no possibility of recovery. There is only one avenue of action that leads to a positive result: paying up. So seriously, for the good of your business, and the good of your customers, do the right thing. Whip out your fucking checkbook when it is asked of you.