The Market Ticker
Commentary on The Capital Markets- Category [Technology]

This is thought of as an easy attack.

CNBS ran a story this morning.  I've personally have had two friends who ran into this and had their files encrypted over the last year.  There is typically no way to un-do that; you can restore the machine but of course the files are still gone.

Here's the problem, as I see it: How is it that a "program", in this day and age, can be run from the Internet (or a received email) that wants to insert itself into the disk I/O system and operate in the background, both of which have to happen for this sort of attack to work, and not cause the operating system to throw up all over it without multiple, dire-warning style notifications that you are very likely about to be screwed?

There are a handful of capabilities in operating systems that are without a doubt useful but their legitimate and useful scope of action is extremely limited -- and it is not only very unlikely that a user will want those capabilities to be used for a legitimate purpose such a desire by the user of the device will never occur "in secret" or "accidentally."  Among them are "hooking" the "human interface" input and outputs (screen drivers, keyboard and mouse inputs), background operation of programs (runs without a visible application "head") and storage drivers for the I/O (that is disks, USB keys or SD cards, etc) subsystem.

You might want to hook the I/O subsystem to install an online cloud backup application, for example.

You might want to hook the keyboard system to be able to "stuff" input from something like a password safe program.

But the odds of you wanting to install a new "something" of this sort on a routine or random basis are literally zero, and to the extent where you do want to do so a very "in your face" warning requiring confirmation that what you're about to do gives unbridled and potentially dangerous access to your keystrokes and data is not only appropriate it damn well ought to be mandatory in this day and age!

If I have a pool, do not erect a fence around it and a 2 year old wanders into my yard despite the fact that said 2 year old had no right to be there and is trespassing I'm going to get sued to beyond the orbit of Mars if said toddler falls in my pool and drowns! It matters not that I think such a capability to sue when the person had no right to be there and was not invited in is ludicrous; the law imposes that liability on me in the absence of a fence because if said toddler wanders into my yard he or she is both unlikely to understand the gravity of the risk and be severely harmed or killed.

The same situation exists here.  I know damn well that anything in an email that is "executable" in any form is damn dangerous and likely a booby-trap.  But I've been computer-savvy since the 1970s and do this sort of thing as a profession.  The average user has no such expectation or knowledge -- just like the average toddler has no idea that a pool is a potentially dangerous thing, especially if you can't swim!

The usual defense is that "it's just a program" and like "any other program" it can do bad things.

Nonsense.

These "programs" require insertion into operating system hooks that exist for legitimate purpose but their legitimate purpose and scope of action is rare and unlikely to be used in the general sense by any form of general-purpose software.  The OS Vendors put the equivalent of exposed 240V lugs on the side of your house, which you could use to power a pump in an emergency and which attach to wires going inside to run all the electrical appliances, but which are most-likely going to wind up getting someone electrocuted if left out in the open.  As a result it is required that said lugs are contained inside a grounded box so that inadvertent contact with them is impossible.

How is it that Apple and Microsoft, since they're the major vendors, are not held corporately liable for all of these attacks and their damages since it is trivial for them to implement such a protection yet despite over a decade of trojan and similar activity they have failed and refuse to do so and instead have left these facilities out in the open and unprotected.

There is a reasonable level of care that people are required to exhibit; I cannot shoot random bullets into the air because what goes up must come down and it might come down and go through your head!  When you take money from someone that standard goes up, not down, and both Apple and Microsoft take lots of money from people for software just like you whether you pay it directly or indirectly in the price of your new computer.

I'm not talking about security "bugs" here; these programs use well-established and documented means of hooking into these systems, which allow them to do so without any sort of explicit warning that the act they're about to undertake could have extremely dire consequence and should only be allowed by the user if said user is completely certain that the software in question is authorized and desired.

Such a prompt would stop these "ransomware" attacks dead in their tracks, permanently.

Microsoft and Apple should both be held civilly and criminally liable for the failure to provide such protections and warnings under the very simple perspective that they are knowingly and intentionally leaving the fence out of their pool construction, despite many people having drowned in same.

I'm tired of this crap and you ought to be too.

View this entry with comments (registration required to post)
 

Main Navigation
MUST-READ Selection:
The Rule Of Law

Full-Text Search & Archives
Archive Access
Legal Disclaimer

The content on this site is provided without any warranty, express or implied. All opinions expressed on this site are those of the author and may contain errors or omissions.

NO MATERIAL HERE CONSTITUTES "INVESTMENT ADVICE" NOR IS IT A RECOMMENDATION TO BUY OR SELL ANY FINANCIAL INSTRUMENT, INCLUDING BUT NOT LIMITED TO STOCKS, OPTIONS, BONDS OR FUTURES.

The author may have a position in any company or security mentioned herein. Actions you undertake as a consequence of any analysis, opinion or advertisement on this site are your sole responsibility.

Market charts, when present, used with permission of TD Ameritrade/ThinkOrSwim Inc. Neither TD Ameritrade or ThinkOrSwim have reviewed, approved or disapproved any content herein.

The Market Ticker content may be excerpted online for non-commercial purposes provided full attribution is given and the original article source is linked to. Please contact Karl Denninger for reprint permission in other media, to republish full articles, or for any commercial use (which includes any site where advertising is displayed.)

Submissions or tips on matters of economic or political interest may be sent "over the transom" to The Editor at any time. To be considered for publication your submission must include full and correct contact information and be related to an economic or political matter of the day. All submissions become the property of The Market Ticker.