The Cyber... It Burns...
(Should be "Human Nature" not "Human Error")

This morning I awoke to a few hundred e-mail messages on the topic of Petya, which is this week's excuse for everyone connected to the Internet to set their hair on fire and run around in circles screaming. See also WannaCrypt from last month. These are crafted attacks called "ransomware", wherein some kind of "initial vector" puts software into your computer, which first "moves laterally" by infecting other local computers if it can, and then encrypts all your files in some way. The victim is left with an on-screen message explaining how to convert local currency into "bitcoins" and then irrevocably transfer those bitcoins to the attacker's anonymous account, where they can be converted into the attacker's preferred local currency.

In general, paying the ransom will do the victim no good. Sometimes the whole payment system is a scam and there is no way to decrypt the victim's files; more often there's a bug in the decryption system, which won't have been well tested or well enough engineered by the attacker's software team. Payment is actively bad for victims in another way, since it inevitably encourages more attacks of a similar kind against all of us. The obvious and best, and sometimes the only, defense against ransomware is to back up your files regularly, and to periodically test your ability to restore your data from those backups. No one with backups has ever had to pay a ransom to get their files back! And yet, like oral hygiene, backups tend to be neglected until something really bad happens, like a toothache, a stolen laptop, a crashed hard drive, or ransomware.
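The advice above has two halves, and the second half (actually testing the restore) is the one that gets skipped. The following is an added example, not code from the article: a small shell drill that archives a directory, records a SHA-256 manifest of every file, restores the archive into a throwaway directory, and refuses to report success unless every restored file matches the manifest. It assumes a POSIX shell with tar, mktemp and coreutils sha256sum; the sample files and all paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article: a small backup-and-restore drill.
# It archives a directory, writes a SHA-256 manifest next to the archive,
# restores the archive into a scratch directory and checks every restored
# file against the manifest. Assumes tar, mktemp and coreutils sha256sum;
# all paths and sample files below are constructed for the demo.
set -eu

# make_sample_data DIR: creates a few constructed files to stand in for real data
make_sample_data() {
  mkdir -p "$1/docs" "$1/photos"
  printf 'quarterly report\n' > "$1/docs/report.txt"
  printf 'invoice 2017-06\n' > "$1/docs/invoice.txt"
  printf 'not really a photo, just bytes\n' > "$1/photos/img 001.bin"
}

# hash_tree DIR: prints "sha256  ./relative/path" for every regular file,
# sorted by path so two identical trees give byte-identical output
hash_tree() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      sha256sum "$f"
    done )
}

# backup SRC ARCHIVE MANIFEST: record the manifest first, then archive SRC
backup() {
  hash_tree "$1" > "$3"
  tar -C "$1" -cf "$2" .
}

# restore_drill ARCHIVE MANIFEST: the step that usually gets skipped.
# Restores into a throwaway directory and compares the restored tree's
# hashes with the manifest. Returns 0 only if every file is present and
# unchanged and nothing extra appeared; returns 1 otherwise.
restore_drill() {
  scratch=$(mktemp -d)
  tar -C "$scratch" -xf "$1"
  if hash_tree "$scratch" | cmp -s - "$2"; then
    rm -rf "$scratch"
    return 0
  fi
  rm -rf "$scratch"
  return 1
}

# run_drill: end-to-end run on constructed data; returns the drill's status
run_drill() {
  work=$(mktemp -d)
  make_sample_data "$work/data"
  backup "$work/data" "$work/data.tar" "$work/data.sha256"
  if restore_drill "$work/data.tar" "$work/data.sha256"; then rc=0; else rc=1; fi
  rm -rf "$work"
  return $rc
}

# Example invocation: prints OK only when the backup can actually be restored
run_drill && echo "restore drill: OK" || echo "restore drill: FAILED"
```

To use it on real data, point `backup` at the directory you care about and keep the archive and manifest somewhere the workstation cannot overwrite (an unmounted disk or an append-only remote target), because a backup that the same process could encrypt is not a backup. The manifest comparison is deliberately strict: a missing file, a changed file, or an unexpected extra file all fail the drill, which is exactly what you want to learn before the day you need the restore.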

The Dunning-Kruger Effect

Humans are uniquely unskilled at knowing what they don't know, and also, comprehending anything they can't see, hear, or touch. Anything that happens too slowly or too quickly, or too rarely or too often, or is too small or too large, has a great likelihood of either escaping our notice altogether, or of never solidifying into a concept we can integrate -- of remaining a "free-floating abstraction" which therefore never impacts the rest of what we think we know. This is dangerous as hell, especially the part where our basic ignorance keeps us from being humble and open minded about the rest of our ignorance.

Computers don't exactly think, but what they do that's like thinking, they do very quickly. Most computers have less memory than a human brain, but what memory they do have, they can address. They can, in theory, know what they know. Humans can't. This is what makes our intuition about network and computer safety so dangerous. It would be necessary for too many people to unlearn far too much before most could even begin to understand how much danger we and our digital communications and works are all in.

The initial vector for Petya appears to have been a Ukrainian government web site involved in tax collection. Many victims were hit at the same time with an unrelated attack in the form of an MS-Word document that was constructed with a malicious "macro" inside it. I have had no small part in trying to educate the world's computer users, and also the computer professionals who build our technologies, that we can't allow network data to be promoted to instructions, that we should not click on attachments, and that we should regularly audit and mock-attack our online web properties. Feh. I might as well have asked people to back up their files, for all the good any of those warnings have done. People don't just not know what they don't know; they cannot comprehend the nature of that which they don't know.

The Rescuers?

I am a member of a community of white-hat Internet security professionals that spans the globe. These people are mostly specialists, and when we combine our talents the process can be messy and hard to follow but the results have the unbeatable ring of objective verifiable falsifiable truth. Some of us are motivated by visions of safety and freedom of privacy, some by the quality of the technical puzzles set for us by our "bad guy" adversaries, some by duty, honor, passion for justice, and some even by professional self-respect and a desire to do a job well. The world could not ask for, or construct, or imagine a better "defense team" than this community.

But, we cannot make people back up their files, and we cannot make software vendors eschew the promotion of network data into local instructions. I'll never know what possessed Microsoft to add "macros" to their Word documents, and they'll never accept that a pop-up warning about the dangers of such macros will only be heeded statistically and that the user and document populations are now of incomprehensible size, such that the statistics are so much against us that their "macro" feature represents malfeasance.

We're going to do the best we can, but it won't change the outcome. We will share Indications of Compromise (IOCs), we will try to find patient zero, we will catalogue all the variants, we will earnestly participate in panels at security industry conferences, but the actual outcome will be based on the two main pillars of human nature: laziness and self-deception.

End Game?

There's no rescue. We won't magic away the dangers that come from systems and networks so complex that only their attackers can possibly understand them. There's no silver bullet to kill this monster. You have to back up your files, and you have to patch your systems, and you have to do it every single day, for ever and ever. That's it. The safety of your data, and of your productive contributions to the economy, rests only with you.

André Koot

IAM Strategist - all about access - at SonicBee

7 years

And not one cyber in sight, be aware of that! Protection against external threats takes internal controls. One essential control would be to effectively manage access rights. But hey, don't we all realize that, just like the other, equally old best practices at the end of this great post?

Joshua Arkey

Information Security Specialist Advisor at NTT DATA

7 years

"excuse for everyone connected to the Internet to set their hair on fire and run around in circles screaming" perfectly said. Step 1 - Remain Calm

Peter H. Schmidt

COO & Co-Founder at Transcend Air Corporation

7 years

Thank you for writing down what has been in my head, only better. My backups have saved me several times.

Stuart S.

Consultant - I start meaningful conversations

7 years

Never get bored of that cartoon.


More articles by Paul Vixie

  • My Six Questions
  • Burdens of Blame
  • Disciplining the Unoccupied Mind
  • Magical Thinking in Internet Security
  • Cafe Mocha, half sweet, no whipped
  • My Six Top Global Cyber Risks
  • Rethinking Portability in a Virtual Machine World
  • Discrimination is Inefficient
  • Lack of Talent is Not the Problem in "Cyber"!