Re: [projectvrm] Privacy enhanced ransomware

... also a nice example of a privacy-preserving self-sovereign technology
stack using public blockchains and Tor routing to an agent endpoint.

Adrian

On Fri, Apr 19, 2019 at 12:56 PM <t.rob@ioptconsulting.com> wrote:

> Bleeping Computer has an interesting story detailing how Robbin Hood
> ransomware touts victim privacy.
>
> The thing I find so fascinating is that as a security consultant I find it
> is difficult to put a value on security.  If I’ve done my job well the
> client won’t be breached.  If they spent $1M on the security controls they
> can reasonably wonder if they would have been effectively protected for
> half that price.  We can in hindsight analyze a breach and determine the
> cost of the controls that would have prevented it but until the breach
> occurs it’s impossible to narrow the choice down to a specific control or
> set of controls.  When selling security engagements I find there’s a “sweet
> spot” below which the risk is too low and above which the remediation cost
> is too high, even though the actual impact is grossly disproportionate to
> the cost even at the high end of the scale.  (I described to one client
> that they had ‘Target store level exposure and existential risk’ only to be
> told that remediation would cost too much.)
>
> By the time a victim is presented with the privacy benefits of Robbin
> Hood, the loss has occurred and the focus is on mitigating damage.  The
> malware stresses that the victim’s identity is protected by use of a unique
> bitcoin address, and the deletion of encryption keys, IP addresses and
> other identifying information once payment is made.  They even provide
> assurance that victims can choose to not report the breach which, in
> itself, could damage a company’s reputation.
>
> Hypothetically, let’s say we are talking about the same incident in two
> cases: 1) I am selling security to prevent it; and 2) Robbin Hood is
> selling privacy after the breach.  Even though it’s the same impact, I’m
> framing it as a probabilistic gain whereas Robbin Hood presents it as a
> definite loss. According to Tversky and Kahneman, these are at extreme
> opposite ends of the framing cognitive bias.  Put quite simply, the Robbin
> Hood pitch is a lot more compelling and a lot more valuable than my
> prevention pitch in all cases.  Day in and day out, I’ll make far fewer
> sales for far less money than Robbin Hood, even when we are talking about
> the exact same breach.
>
> This disparity of pre- vs post-breach value explains a lot in the world of
> security and privacy.  Such as why even though I’m a global authority on
> IBM MQ security I mostly earn a living doing staff augmentation and
> troubleshooting.  And why “people don’t care about privacy” is a myth.  As
> Robbin Hood shows, people absolutely care about privacy when it’s framed as
> a sure loss.  The catch-22 here is that the closer privacy is framed as a
> sure loss for purposes of policy discussion or sales, the more the
> proponent is accused of spreading FUD.  Except of course for ransomware
> because the breach itself removes all uncertainty and doubt.
>
> (This also, by the way, explains why Cassandra Syndrome runs rampant among
> Security & Privacy professionals but that doesn’t make that weight any
> easier to bear.)
>
> https://www.bleepingcomputer.com/news/security/robbinhood-ransomware-claims-its-protecting-your-privacy/
>
> Kind regards,
>
> -- T.Rob
>
> T.Robert Wyatt, Managing partner
>
> IoPT Consulting, LLC
>
> +1 704-443-TROB (8762) Voice/Text
>
> https://ioptconsulting.com
>
> https://twitter.com/deepqueue
>
-- 

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: https://patientprivacyrights.org/donate-3/

Received on Friday, 19 April 2019 17:39:18 UTC