Believe It Or Not, Password Protected Websites Have A Right To Privacy

When Security Exploits Have Exploits

from the piling-on dept

Thu, Jun 1st 2006 4:36pm — Mike Masnick

We've talked in the past about how security software sometimes needs security software itself -- but what about security exploits? A popular scam these days among some script kiddies is to lock up important data on someone's computer unless they pay an extortion fee to release the data. Of course, it should come as no surprise that these exploits have exploits of their own... as one security firm discovered this week, releasing the universal password that will unlock your data should you happen to get caught by one of these scams. Apparently, all you need to know is: mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw. Of course, it's not surprising to find out the a script kiddie scam has exploits, but it does suggest a different kind of race for some security companies. Instead of just focusing on patches, look for ways to break the scam software itself.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

19 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

OK, 1 Jun 2006 @ 5:17pm

I thought it was illegal and against the DCMA to reverse engineer software?

The script kiddies could sue the security firm for this!
[ link to this | view in chronology ]
- Starky, 1 Jun 2006 @ 6:25pm
  
  Re:
  That is stupid and american. Suing because someone stopped your illegal activity.
  
  With that in mind, it will probably happen. Because we’re full of sue-happy idiots here in America.
  [ link to this | view in chronology ]
  - Razor's Edge, 1 Jun 2006 @ 7:14pm
    
    Re: Re:
    "That is stupid and american. Suing because someone stopped your illegal activity."
    
    While someone could file a lawsuit for this (and thus, you could say someone was sued for stopping their illegal activity), the case would undoubtedly be dismissed the second the presiding judged stopped laughing himself out of his seat.
    [ link to this | view in chronology ]
Anonymous Coward, 1 Jun 2006 @ 5:20pm

DMCA
I wonder if the "ransomware" writers can sue under the DMCA's anti-circumvention provisions (well, if it was in the States).
[ link to this | view in chronology ]
- Razor's Edge, 1 Jun 2006 @ 7:11pm
  
  Re: DMCA
  "I wonder if the "ransomware" writers can sue under the DMCA's anti-circumvention provisions (well, if it was in the States)."
  
  No. According to the dirty hands doctrine, certain aspects of the criminal and civil laws do not apply to persons engaged in criminal activities.
  
  As an example, even if you sign a contract with a prostitute that says you pay her in advance for 12 'sessions' and she refuses to provide any services, you cannot sue her for breach of contract or for fraud. (Assuming this happens in the 99% of the USA that prohibits prostitution.)
  
  While I haven't heard of a DMCA case being dismissed or lost because of the dirty hands docrtine so far, I can pretty much guarantee that someone who commits several federal felonies will run afoul of it.
  [ link to this | view in chronology ]
Sean, 1 Jun 2006 @ 5:59pm

Lovin It
I'm loving this offensive mentality that is popping up on the net. We're not just dodging spam anymore, we're fighting back. We're not trying to prevent exploits, we're exploiting the exploits. Fighting fire with fire. I love it.
[ link to this | view in chronology ]
Anonymous Coward, 1 Jun 2006 @ 6:13pm

This would kinda be like saying "I was robbing a bank, and the security guard hit me on my way out, I'd like to sue him."
[ link to this | view in chronology ]
- ehrichweiss, 1 Jun 2006 @ 6:48pm
  
  Re:
  apparently if a burglar trips over your couch and breaks his ankle, he can sue you for damages in the U.S.
  
  who knows what would happen if they found your collection of bear traps, all armed and ready..;)
  [ link to this | view in chronology ]
- Tim Arview, 1 Jun 2006 @ 9:20pm
  
  Re:
  Actually, it'd be more like suing your neighbor for tapping your phone line and overhearing you plan a bank heist, then using that information to stop you from robbing the bank by, for instance, giving the bank your description and the exact time you'll be showing up.
  
  The neighbor's act was illegal, but for the greater good. It's an argument of justice versus ethics.
  
  A security guard hitting a bank robber is well within his legal rights, and it's *mostly* ethical (it's his job and what general society expects him to do). To me, reverse engineering software (even malware) is not within anyone's legal rights, even though it may be considered ethical.
  
  In my opinion, justice should always win.
  [ link to this | view in chronology ]
Josh (profile), 1 Jun 2006 @ 6:15pm

Ransomware...
A quote from my own post on the issue earlier today:

"Maybe it’s a good thing, but in the long run, I don’t see how “ransomware” could really make it in the long run. If people are going to find work arounds to software from companies like Microsoft and Adobe with billions of dollars invested in anti-pirating efforts, I doubt even the best “ransomware” virus would last before someone cracked it."

http://gen.newrandom.com
[ link to this | view in chronology ]
OK, 1 Jun 2006 @ 7:16pm

I know a guy in PA that shot a burglar in his home. The burglar fell down the stairs after he was shot and broke his leg. He sued the guy for medical costs, pain and suffering and emotional distress and the burglar won.
Messed up legal system? YES

The right to sue - Priceless

who wants to guess how long it is before Techdirt is reporting the story of the ransomware creators suing under the DCMA?

I say 120 days...
[ link to this | view in chronology ]
rahrens, 1 Jun 2006 @ 7:33pm

suing burglers
Real case:

A man was on the roof of a school in California (25+ yrs ago), in the progress of committing burglery. The roof's access ladders were protected by "Authorized personnel only" signs. He tripped over, and fell through, a skylight in the dark, landing in the building below - breaking his back. He sued, saying that the school district should have placed warning signs to alert persons on the roof to the presence of the skylight. Not only did he win, but his case went all the way to the Supreme Court, AND WAS UPHELD!!
[ link to this | view in chronology ]
- Anonymous Coward, 1 Jun 2006 @ 11:32pm
  
  Re: suing burglers
  Not only did he win, but his case went all the way to the Supreme Court, AND WAS UPHELD!!
  O Rly?! Care to cite the case number (either California Supreme Court or SCOTUS)? No? Can't find it? That's because it didn't happen. Now for some crazy cases that are really happening: http://www.overlawyered.com
  [ link to this | view in chronology ]
Andrew Strasser, 1 Jun 2006 @ 8:43pm

Judges
I'd put more trust in the long arm of the law to take criminals off the street. Literally.
[ link to this | view in chronology ]
Adam, 2 Jun 2006 @ 6:29am

All I know is...
If someone breaks into my house while I'm there, I'm going to take care of the problem, then call for the police and an ambulance. I wonder if you can sue someone for beating you unconscious instead of just killing you.
[ link to this | view in chronology ]
- Anonymous Coward, 2 Jun 2006 @ 7:07am
  
  Re: All I know is...
  play it safe, kill the scumbag, and put a knife in his hand. it was self defense with no one to disagree
  [ link to this | view in chronology ]
|333173|3|_||3, 4 Jun 2006 @ 6:49pm

Oh Really
I bet that this code only works for one particular piece of ransomware, not every piece ever written. Any script kiddie would be smart enough to get rid of/change the release code, even if they copied the entire rest of the code.
[ link to this | view in chronology ]
Hmm, 4 Jun 2006 @ 9:39pm

Interesting
I just think its funny that people would actually be dumb enough to get infected with some kind of ransomware.
[ link to this | view in chronology ]
Igor, 4 Dec 2009 @ 8:21am

It is not really fair to call people dumb because they get this ransomware on their computer. Keep in mind that many users are new and just are not as savvy as you and I may consider ourselves. Also, these tactics are getting slicker and slicker, so even the experienced user can fall victim to these attacks form time to time. Old people in particular get savaged by these things because they trust all system and security software based notifications (real or not), and they are the ones who are most likely to actually shell out the cash to just get rid of the problem.
[ link to this | view in chronology ]