[gumby]

Since literally everybody who has cloned a repo has a full copy of it, and since git is a decentralized revision control system, what on earth can it mean to hold a repo for ransom? The write up even says so: to recover, just push your code back up to our repo.

I really don't understand what they are talking about. It's as if someone showed me a photo of my child and said, "pay me or I'll burn this photograph".

What am I missing?

[NateEag]

The threat cited in the article said not just that the code would remain deleted, but that it would be "leaked" - presumably many of these were private repos.

You could never trust that the attacker actually deleted their copy of the repo, but then, the whole cryptolocking business model falls down if the attacker isn't at least moderately honest, so I can see why people would respond to that threat.

[Someone]

”the whole cryptolocking business model falls down if the attacker isn't at least moderately honest”

Nitpick: it only requires most attackers to be somewhat honest. Having a few unscrupulous ones may make life harder for the “honest” ones, but they themselves can be better of, e.g. by, after receiving payment, demanding more money.

[cwkoss]

Is it more unethical to release an "honest cryptolocker" or one that lies and never gives the files, degrading the trust the entire cryptolocker grift relies on?

[johnday]

It's pretty obvious that it's worse to be an actual criminal, than someone who goes around and pretends to be one.

In the same way that it's worse to shoot someone with an actual gun than to threaten to shoot them with a Nerf gun.

The negative network effects on other scammers are also nice.

[kekebo]

In this case both are actual criminals but one returns your data after payment while the other doesn't

[vokep]

I'm not so sure.

An "honest cryptolocker" helps support more cryptolocker use, as people trust that if they pay the criminal they'll get their stuff

If dishonest ones were the norm, than maybe cryptolocking would cannibalize itself as nobody would pay since they know its useless. So in a sense the dishonest one while having less ethical intention has more ethical results. But only at scale. Hmmm.

[skrebbel]

Sounds like we need a review site for extortionists.

[saalweachter]

Would you charge the extortionists to remove their negative reviews?

[WrtCdEvrydy]

No, they just have to prove they're the real person with photo ID and admit they are the person being referred to as the criminal.

[jeltz]

Or maybe an escrow service for extortionists who makes sure the amount is refunded if the extortionist does not deliver.

[michaelcampbell]

If I remember correctly, WannaCry had a small customer support call center =D

[NateEag]

Very fair point.

[bin0]

For what it's worth, I really hope people don't pay if they can avoid it. Guy I know consults for a company which recently got ransomware. They had insurance, payed $1.5 million, got their files back. FBI came in and figured out it was the north koreans. This is happening more and more often, and will increase as we continue sanctions pressure.

This is a classic prisoners' dilemma: if no one payed, every one would be better off, but it is very hard to be that one guy or company who loses all his files for the "greater good".

[caprese]

its easier to trust private hackers than organizations that have the law on their side

society works with mutual cooperation and hackers seem to understand that more than the "technically cooperating in this context" that the legal field would employ

[cwkoss]

Vast majority of cryptolockers are fake, they just keep asking for more and more money but never unlock.

(This is probably not true, but society would benefit from "cryptolockers are usually fake" being in the zeitgeist)

[p1necone]

In my experience there's enough people who don't understand how git works for a shotgun approach to find plenty of marks to fool.

[bregma]

Your experience converges with mine.

[unilynx]

Private repositories. You may not want their contents to become public

[ajross]

How certain are you that the photo archive you use had a copy of that photo? I mean, yeah, most people have local trees. Inevitably someone won't, and like spam this is a volume scam.

[empath75]

There’s probably a lot of code sitting in private git repos where like one guy worked on it five years ago and then quit the company and gitlab/github might be the only place it exists.

[rileymat2]

I don't keep all my git code local, only the projects I am currently working on.

[bigiain]

Do you rely on just one 3rd party like gitlab/bitbucket/github to keep your _only_ copy of your non-current projects?

That seems unwise. I don't have many local repos on this 128GB MacBookAir, but as well as BitBucket all the projects I have ever worked on are on other several machines and/or hard drives I have locally, and also zipped up in S3 buckets and on tarsnap.

Like they say, there's two kinds of people. People who've lost important data because they didn't back it up properly, and people who haven't yet.

[rovr138]

> Through immediate independent investigations, all three companies observed that user accounts were compromised using legitimate credentials including passwords, app passwords, API keys, and personal access tokens.

Part of your backup strategy depends on external services. Not necessarily in your case, but people who only have their backups externally on a service could be affected.

> all the projects I have ever worked on are on other several machines and/or hard drives

And depending on your strategy, since they're so distributed it could mean they're outdated repos. If not, and they pull automatically, they could be affected.

Local backups also have issues. The disk might die, the data might be corrupted or any other myriad of things could happen.

> People who've lost important data because they didn't back it up properly, and people who haven't yet.

Is there such a thing as a perfect backup strategy?

[bigiain]

> Is there such a thing as a perfect backup strategy?

At work, there's "Can meet contractually agreed RPO and RTO with 99.99% certainty". Automate the standard setup, and sleep well at night. Perfect.

At home, there's "I've done enough that I think the next improvement is an unfeasibly large amount of extra time&money for an unreasonably small improvement".

I've, for myself at home, settled on Apple's Time Machine backing up my Macs (and their phone/ipad iTunes backups) to a raid 10 set, that raid 10 set rsynced to another one at the opposite end of the house, and a weekly backup of that stored on a single drive that only powers up for 6 hours every Sunday night then powers back down again - so if my whole network gets breached and cryptolockered (for example) I'll still have at most 7 day old data at home. I also push that weekly backup out to S3 and tarsnap for off-site in-case-my-house-burns-down, or I've set it all on fire and moved to Belize scenarios...

I've been running most of that for ~8 years now. I've called it "done", while not "perfect", its certainly good enough against "not-Mossad threat models". If Mossad or The NSA want to delete my backups, so be it - I'll go be a carpenter or a gardener or something.