[myrandomcomment]

1. It should be illegal for any company to pay ransomware attacks. Period. No pay out ever. 2. The penalty for being the attacker should be linked to the system they violated. If you do this to a hospital and someone dies you are life in prison / chair. The minimum sentence should be so painful that it deters the attack.

No this will not stop this and companies need to be held accountable for their lack of security investment. Every attack should be investigate if the company met an agreed industry standards best practices and staffing, etc. The penalties for not meeting the requirements should be punitive.

[parliament32]

> It should be illegal

It should be illegal to host insecure services, especially when you're dealing with PII. Breaches keep happening and nobody gives a fuck, because the worst that'll happen is you might lose a handful of customers and buy some "credit monitoring".

Incidents like this should be followed by an audit and charges being laid. Send corp officers to jail for negligent security failures. If you can go to jail for accounting fraud, you should be able to go to jail for cybersecurity-promises-fraud.

They claim to be compliant with a number of security standards [1]. I would love to see a postmortem audit of how much of this they actually implemented.

[1] https://www.instructure.com/en-au/trust-center/compliance

[rcoveson]

I don't think that criminal negligence is the most helpful legal tool for incentivizing improved security. It's too hard to prove negligence.

Instead, there should be standard civil penalties for leaking various degrees of PII paid as restitution to the affected individual. Importantly, this must be applied REGARDLESS of "certification" or whether any security practices were "incorrect" or "insufficient". Even if there's a zero-day exploit and you did everything right, you pay. That's the cost of storing people's secrets.

This would make operating services whose whole "thing" is storing a bunch of information about individuals (like Canvas) much more expensive. Good! It's far to cheap to stockpile a ticking time bomb of private info and then walk away paying no damages just because you complied with some out-of-date list of rules or got the stamp of approval from a certification org that's incentivized to give out stamps of approval.

[jedbrown]

And this strict liability will come with an expectation of insurance. The insurance policies will necessitate audits, which will actually improve security.

[walletdrainer]

I feel like there’s a tendency here to seriously overestimate how damaging these leaks are to individuals.

For most individuals impacted by these hacks, appropriate restitution would be $0. Anything more than that would go beyond making them whole.

[Kiro]

It's not a popular opinion but I agree. I live in a country that has a very extensive principle of public records, and often times these leaks disclose much less than you would get by simply calling the authorities and ask. Now, whether that's good or bad is a different story.

[paulddraper]

We use to hand out whole books of this information to as many people as possible. (phone books)

[Neikius]

Leaking school or medical record can have serious personal consequences that cannot even be enumerated

[crazygringo]

It can, but not for most people. For most people leaking that stuff would still have damages of zero dollars.

Which is what the comment above was referring to. "Most people". Not "all people".

[Avicebron]

The only right answer.

[anonzzzies]

Let's do this.

[phainopepla2]

How could you possibly make it illegal to host insecure services? Is any service 100% secure? And if it were how would we know?

I do agree with the audit and punishments for clear failure to adhere to established standards.

[bawolff]

This is a solved problem in pretty much every other domain of life - if you are following best practises but something that wasn't reasonably forseeable happens, then you're fine, but if the bad thing happens as a result of negligence then you are in trouble.

[jameshart]

Criminal law isn't about making things alright for the victim. That's what insurance is for.

Even if you leave your door unlocked, if someone walks in and steals your stuff, it's a crime. The state has an interest in prosecuting crimes even if the victim didn't do everything they could to prevent it.

[JumpCrisscross]

> Criminal law isn't about making things alright for the victim

Restitution and retribution are the components of justice [1] entirely about "making things alright for the victim."

[1] https://www.unodc.org/e4j/en/crime-prevention-criminal-justi...

[bawolff]

The company is not the victim here. Its users are. [I suppose my previous comment was a bit ambigious - i meant something bad happens to someone else not to yourself]

A better version of your analogy would be if your landlord failed to repair your front door in a reasonable period of time and as a result soneone walked in and stole your stuff. Yes the theif is the primary responsible party, but the landlords negligence in maintaining the property probably also exposes them to some liability.

P.s. This is neither here nor there, but restitution is a part of criminal law.

[jameshart]

Some liability, sure. Civil, not criminal, though, right?

But the post I was responding to said it should be a crime to have unsecured systems.

That is equivalent to saying it should be a crime to leave your door unlocked.

[isityettime]

"Best practice" in cybersecurity is largely vendor-driven with little to no independent empirical validation.

That standard is likely to lock people into buying some pretty bad software, but it does little to ensure that they're running reasonably secure systems.

[SoftTalker]

I like to relate it to operating an automobile. You can follow every traffic law and still be liable in an accident, because you owned the vehicle that caused the damage. This is why you have insurance.

[MagicMoonlight]

In civil law maybe, but you aren’t allowed to blame a rape victim for choosing to walk down rape alley…

[hsbauauvhabzb]

No building has a 100% chance of not caving in, yet somehow I think charges would be laid if a skyscraper caved in.

[sieve]

The equivalent analogy is charging lock/door/drywall/timber makers and suppliers for lapses if a thief entered the house by picking a lock or drilling/sawing through the wall.

[hsbauauvhabzb]

No, it’s more like me storing my money at a bank, and then someone stealing from the bank, who told me they were secure. And turns out they had shitty locks.

[jameshart]

This analogy seems to be portraying 'ransomware hackers' as an unstoppable force of nature akin to gravity.

I'm not sure that's a fair analogy.

[hsbauauvhabzb]

Your analogy portrays gravity as a thing that buildings cannot be built to withstand. There are plenty of structurally sound buildings and while there are plenty of secure apps the problem is there’s no incentive to build the latter.

[jameshart]

On the contrary.

My analogy would be: of course buildings have to be built to withstand gravity. That’s a natural part of the world that cannot be eliminated.

Buildings are built to stand up to natural forces. But not to, for example, the threat of a malicious actor crashing a plane into them. That isn’t typically considered a reasonable thing to architect civilian infrastructure for.

When you built IT infrastructure likewise you should build it to handle the natural forces it will be exposed to. But are you as accountable for securing it against the acts of malicious parties as a structural engineer is for securing a building against gravity, or as accountable for securing against those acts as the structural engineer is for securing that building against terrorists?

[varun_ch]

I think it’s a very fair analogy. The _only_ way to stop them is to make your stuff secure. That’s literally the only way.

[jameshart]

We do not generally hold victims of crimes accountable for failing to defend themselves adequately.

If someone threatens you with a knife and gets you to hand over your wallet, your bank doesn’t get to say ‘you should have hired better security’ when the mugger uses your credit card.

The problem here is the mugger, and that’s who the state goes after. Even if the victim walked into a bad area. Even if the victim could have defended themselves.

Same with ransomware attackers. They are the problem. We might encourage potential victims to behave in ways that make it less likely for them to be targeted. But if they are targeted, we should still focus our societal disdain on the criminal not the victim.

[ryandrake]

The other side of that spectrum portrays the service providers as pure, negligence-free victims. The truth is probably somewhere in the middle.

[morning-coffee]

"established standards" - now who has the incentive to run shitty services? those big enough to control the "established standards".

[primitivesuave]

If Boeing claimed a plane was airworthy, but it crashed because basic engineering controls were skipped, we have collectively put our faith in the NTSB to preserve evidence, run an independent technical investigation, etc. There is no such authority for software - most security auditors (SOC2, HITRUST, etc) are just looking at self-reported data.

Just take a look at the recent Epic vs. Health Gorilla lawsuit to see how nonexistent the protection is around exchanging your medical records, one of the most sensitive types of PII.

[willdr]

Edit: I was incorrect / non-American, I was thinking of your FAA.

[motoxpro]

People who haven’t been hacked just haven’t been looked at. If someone wants to hack you, they will hack you. It’s really unfortunate that people have this level of confidence in their ability.

Here’s an example. https://hacks.mozilla.org/2026/05/behind-the-scenes-hardenin...

[knuckle]

I think you're 100000% correct.

These problems will continue as long as it is legal to operate in an unsafe way.

We've learned this in every other industry, but we can't seem to accept it in software. One of my hopes for AI is that it reduces the cost to behave responsibly to a level where this absurd resistance to acting responsibly erodes.

[a34729t]

Has a corporate officer ever gone to jail or been meaningfully fined for a data breach?

[hxugufjfjf]

Yes, many times.

[AlienRobot]

I have a simpler view on this.

Every service that is online will be hacked eventually, it's only a matter of time.

Time is the most powerful force in the universe.

[JumpCrisscross]

> Incidents like this should be followed by an audit and charges being laid

What? Why? Who died? This whole thing is perfectly dealt with through civil process.

[mikeweiss]

Shouldn’t we be focusing on making it harder to pay overseas criminals in the first place? /ahem/ crypto platforms facilitating transfers to bad actors /ahem/

[protocolture]

Criminals should focus on proven methods, like Steam Gift cards.

[joenot443]

I think the cat is entirely out of the bag on that one, I’m afraid.

There are no shortage of coins and no shortage of sketchy exchanges. The platforms do work with LEOs, when asked, but my understanding is that unless the perp was a serious nonce, chasing the transfers themselves is a fools errand.

[ttul]

But, then, how would Trump’s family and cronies get paid?

[joenot443]

Are you earnestly under the impression that Trump does the things he does such that he can be paid later in secret bitcoin transfers?

Like is that your actual model? I’m curious

[mikeweiss]

He may be referring to the fact that the Trumps have strong business ties and interests to crypto industry, and as we've seen in the last year this administration is a strong friend of the industry. Money is being made one way or the other and if you don't think so you are completely blind.

[pants2]

When will countries start treating cyberattacks as an act of war? If the North Korean military came to America and robbed fort Knox of $200M in gold there would be retribution. But hack an American company for the same amount and the feds do nothing.

[prodigycorp]

Ok, so we treat it as an act of war. Now what? Attack North Korea? Great, the entire city of Seoul gets shelled within five minutes of your attack and hundreds of thousands of innocent people die.

It's very easy to play with lives that aren't yours.

[sayamqazi]

You would be surprised how many people naively think "Why doesn't my country just open a war on X country and this Y problem will be solved forever" in their head they think war is just a flurry of bombardments and the other side (not theirs) is just destroyed to rubble and their country will have only minimal losses

[flexagoon]

Many country leaders also clearly think the same

[kqp]

Never retaliating is a great way to get people to attack you. Of course escalating to all-out war provokes the same in response, but there does need to be a proportionate response, because it needs to be stupid to hurt us, not good business. t’s a significant failure of the US government when half the world freely loots US citizens and businesses.

[toraway]

Exactly. This is the "Declare fentanyl a WMD" of solutions to ransomware. Sounds kinda badass as long as you don't spend too long thinking about it but has no practical relevance to actual enforcement challenges.

It's a familiar example of the perennial "[THING] could be solved overnight if [PERSON_OR_GROUP] would just start taking [THING] seriously" trope.

[bigyabai]

They already do. This is what asymmetric warfare looks like, your weakest links will break in a time of crisis. Focusing on retribution for the Dunder Mifflin cyberattack is pointless, the adversarial motivation is purely to disrupt and extort.

The best response to a cyberattack on critical systems is to take security seriously. Document the offense, avoid the same mistakes and invest in penetration testing. Of course, nobody is incentivized to do that until they're attacked, so the cycle perpetuates itself.

[a2128]

How do you know which country to blame? It is standard practice for foreign actors (or just hackers in general) to use proxies around the world to misdirect and insert false clues as to their origin. It could be an American teenager proxying through North Korea, and it could be a North Korean proxying through another American teenager's residential connection, there's no way to know.

[chrisjj]

> When will countries start treating cyberattacks as an act of war?

When appropriate. I.e. never.

[gruez]

> If you do this to a hospital and someone dies you are life in prison / chair.

If you're going to get the chair you might as well murder some witnesses or destroy some systems to hide the fact you got hacked. "Hack? What hack? Our servers all burned down in an arson attack".

[Avicebron]

We could also throw the CEOs of companies who don't properly secure their infrastructure and pay their security engineers enough in jail. A little justice on both ends.

[scheme271]

Uh, who determines that the infrastructure wasn't properly secured? Who is willing to risk prison because some intern accidentally committed an API key or made a dumb mistake. Conversely, what's the chances that no one actually gets prosecuted regardless of how sloppy their security practices are?

[applfanboysbgon]

> who determines that the infrastructure wasn't properly secured

An investigative body, the same kind that determines the who, the why, and the how when an airliner crashes or a bridge collapses. Obviously a lot of work needs to be done to get from point A to point B, and it won't happen overnight, but software development is currently a deeply unserious profession and at some point a genuine software engineering practice needs to be developed.

I am, perhaps naively, slightly hopeful that the LLM bullshit plaguing our industry will be the gust of wind needed for the house of cards to collapse and governments to realise that allowing the entire world to be vibe coded is not sustainable.

[dghlsakjg]

Pretty famously, aviation incident investigations are almost always not done with prosecutorial intent, and more about truth finding. It leads to people involved being cooperative to prevent future problems instead of ass covering to prevent jail.

Aviation’s safety record is not coincidental.

[allthetime]

In a darker reading; strong aviation safety is mostly motivated by not killing customers. An airline or plane maker who kills more customers than others will rapidly bleed those same customers and lose them to less lethal competitors. If no one cared about dying people I imagine aviation safety wouldn’t be so impressive.

As someone else here said, software, for the most part, is a deeply unserious industry. The stakes are so comparatively low and the consequences less obvious that it’s a lot easier for companies like intuit to maintain their supremacy simply by being entrenched, having strong sales teams, and the hearts & minds of non-technical managers.

In recent times it seems Boeing has been flirting with enshitification and half-assery but critics are not quiet and not falling on deaf ears

[dghlsakjg]

Sure, fatal stuff is bad for the bottom line, but that is a vanishing minority of what gets investigated.

You may not be aware, but there are thousands of non fatal incidents reported per year that just don't make the news.

There is a strong culture of self reporting instilled right from basic flight training, even when there is no damage or injuries, and even when the incident would have never been noticed by the authorities. You are almost guaranteed not to face consequences if you are open and honest about an incident. The FAA openly says that they would much rather educate than punish, and they tend to do that with pilots who own their mistakes. As long as there is no intent behind the fuckup, pilots are unlikely to lose their job, let alone their license.

[JumpCrisscross]

> An investigative body

This just in: Anthropic, Harvard and Jimmy Kimmel have been investigated and found guilty of not securing their infrastructure.

[Avicebron]

Ideally the chances are high to certain they get prosecuted for sloppy security practices. It's part of the gig of being a CEO, if you imagine you are such a visionary/ideas guy/leader/whatever, risk taker (always a risk taker) then you can gamble spending 20 to life because you weren't actually as good as you thought.

[sayamqazi]

When a great product is built it was the leadership and when a mistake was made it was always the employee that did it. Cool!

[chrisjj]

> Uh, who determines that the infrastructure wasn't properly secured?

ShinyHackers, obviously.

[bombcar]

Your "minimum sentence so painful" will certainly dissuade foreign nationals, even foreign governments.

[Kostchei]

interestingly, having actually done the law enforcement side of these investigations, 50% of them are local. And I understand that this is not 100% solution, but neither is any form of law enforcement, but that doesn't mean we should fail to attempt it.

Kids from the local uni having a lark, stalkers, vindictive ex employees, local gangs, criminals who understand their victims because they hail from the same community. These are your local hackers. Sift them from the nation states and international crime groups, then deal with the International as a matter of diplomacy. Because we do this so poorly locally, we have little ammunition to when it comes to diplomacy. "reduce attacks by your crime groups and we buy your natural gas, seel you wheat etc"

Want more motivation?- 75% of the local attacks by volume send funds back to terrorist or separatist organizations.

It is not an in-soluble problem. Sentences are a fraction of the answer, effective and receptive reporting processes are more important, then government backing for investigation and enforcement, then policy around home-team activities (ie don't do the bad things yourselves Mr Gov). Deterrence comes after all that.

[Aurornis]

One tech ransom case I know of was an inside job. It definitely happens.

There are already significant penalties for doing anything like this. The guy involved is in prison for a very long time. I don’t recall the exact number of years but I do remember it was so long that he wasn’t going to see his kids grow up.

I don’t think anyone who puts a little thought into a crime like this doesn’t understand that the penalties are already very huge. You don’t get a slap on the wrist for extorting a company (or person, for that matter)

[hluska]

50% of ransomware attacks are local to where? You’ll need to cite some sources because I don’t believe that is possible.

[nullsanity]

To the country or an ally of the country they are targeting, duh. it doesn't matter if you believe it, it's been the truth for over a decade. Heck, Sh1nyHunt3rs people were arrested in the UK recently.

[da_chicken]

Yeah, they identified themselves as ShinyHunters, and the IP they've put on the demonstration page is geocoded to Russia. Notice this is the same group responsible for the Infinite Campus hack last year.

Really, though, if you want someone to blame, Instructure is not a particularly compelling target. Let's review:

1. Iran is intentionally targeting infrastructure due to a war started by the current administration.

2. China is actively seeking corporate secrets to steal and commercialize for themselves, spurred by extreme protectionism and retaliatory tariffs.

3. North Korea is doing anything they can -- including just taking a remote job by proxy -- in order to extract any money.

4. And Russia is working with and aiding all of them, after everything else going on has forced the embargo to break.

5. All of this while completely alienating every single one of the United States' allies.

6. Meanwhile, the American DHS is currently shut down.

7. And this is after Trump cut funding and personnel for CISA severely enough they've had to end the contract with MS-ISAC, meaning all state and local entities can only remain in the organization if they foot the bill for it directly and CISA and other agencies responsible for cybersecurity are more thinly staffed than they have been in decades.

In short, the current administration systematically disassembled all the protections we have built over the last 100 years, and then placed infrastructure -- schools, in this case, but also power companies, water treatment facilities, communications companies, local governments, hospitals, food producers -- directly on the front lines of the modern geopolitical conflict.

That vast ocean that has kept us safe historically is a poor moat in the modern era.

[vasco]

Having an IP in Russia means about zero regarding their location. Literally anyone doing anything like this is going to get a Chinese or a Russian IP for obvious reasons. Mostly decoy and people like you.

[elictronic]

Complete internet blockage of nations allowing the attacks. If foreign governments are you can always execute them. We are living in a different world where this is no longer a zero probability occurrence.

[zulban]

"It should be illegal for any company to pay ransomware attacks. Period. No pay out ever."

You seem to think "if it's illegal it won't happen". Instead you need to think about unintended consequences and what would actually happen if this were law. People would hesitate to contact the police for help before they've decided, or not do it at all. And not report it.

[charlie90]

If someone robs a bank and someone inside dies of a heart attack, thats felony murder. I would be happy if the same applied to ransom attacks or other blackmail/leaking of info. If someone commits suicide because of it, its murder.

[scratchyone]

felony murder is pretty widely regarded as a leading factor in incredibly unjust prosecutions and sentencing decisions. perhaps not the best concept to build your ideas on top of.

[thinkingemote]

One of those eye opening moments for me was learning about how these criminals work on trust. They need to be trusted to not release the data or to unencrypt when paid, and by and large they do.

One way to weaken any group that works on trust would be to make them less trustworthy. That way victims wouldn't be as confident paying the criminals and thereby making the effort by the criminals less attractive.

[dev360]

> No this will not stop this and companies need to be held accountable for their lack of security investment.

I think in principle, its sound. Im also just baffled hearing anecdotes from friends that are in big corp world and hearing the type of incidents they have, and how they respond to it.. It makes me wonder if there is enough capable talent to go around for the "boring corp" crowd.

Hint: I don't think there is nearly enough talent to go round, but for these companies, its either that they think they have solid experts (and didn't), OR its not a real priority until you get hit.

[matthewfcarlson]

I don't think there should be an investigation. Data got leaked? That's a fine. Consequences happened? The people who stole it are accountable but so are the people who had the data in the first place. Just don't have the data. There are plenty of companies out there who don't have cyber security incidents despite being huge targets, what are they doing? Insurance is also a thing if companies are that worried about fines or getting sued.

[Ekaros]

Failure to protect computer system from forseen failure should result passing corporate veil and resulting all stock holders and managers/leadership of funds to be jailed for same period as perpetrator. It is only way to ensure that these things are taken seriously and enough pressure is put on leadership of companies.

[itsalwaysgood]

It's not necessarily a lack of investment. Cyber security researchers are using AI to discover and post very serious Linux vulnerabilities that give root. We should expect to see more of this type of activity for a while.

We're talking about vulnerabilities that have existed 10+ years but nobody noticed until AI.

[0123456789ABCDE]

i disagree wholeheartedly with this.

a loved one, gun to the head: "please pay the ransom, i don't want to die!"

what's your play now? save loved one, and go to prison? or worse, bank blocks transfer, and they die?

go ahead and tax ransom payments (0 tax if human life at risk, 10x otherwise) if you have to, but making it illegal feels disconnected from the messiness of the real world. then, go after the attackers.

[hootz]

The idea behind blocking ransom payments is to disincentivize asking for ransom. If you know it's almost impossible to pay ransom, the risk of not getting paid for your attack is much higher.

[TheSkyHasEyes]

This reminds me of the 'fine the johns to mitigate prostitution' argument.

[ivanjermakov]

The only way to prevent terrorism is to never meet terrorists' demands.

[bux93]

Or maybe it should be mandatory for all companies to pay ransomware attackers. Think of it as an involuntary bounty program. Now they get to just say 'sorry (for your hurt feelings)' and suffer no consequences.

Apart from the 4% of the total worldwide annual turnover fine that theoretically could be levied under GDPR, but has never been imposed in full.

[protocolture]

1. It should be illegal to run insecure services. Massive Fines.

2. The payout to the hackers should form part, but not all of the penalties. Pay those guys for their great service to humanity they earned it.

[chrisjj]

> It should be illegal for any company to pay ransomware attacks. Period.

That makes as much sense as illegal to give your wallet to a mugger.

I.e. no sense.