1. lexlam+(OP)[view] [source] 2025-11-13 10:09:05
The donation is more or less virtue signaling rather than actual insight.

The problem cannot be helped by research against cybercrime. Proper practices for protections are well established and known, they just need to be implemented.

The amount donated should've rather been invested into better protections / hiring a person responsible in the company.

(Context: The hack happened on a not properly decommissioned legacy system.)

replies(12): >>varisp+p1 >>wallet+L3 >>satisf+Z3 >>pjc50+w6 >>dspill+07 >>AlienR+E7 >>blitza+Ed >>Timpy+im >>marcos+KB >>domini+M21 >>whimsi+p31 >>make3+sU4
2. varisp+p1[view] [source] 2025-11-13 10:20:08
>>lexlam+(OP)
There is not much to research. If companies want security, they should pay for security.
replies(2): >>dspill+I7 >>rollca+s8
3. wallet+L3[view] [source] 2025-11-13 10:37:39
>>lexlam+(OP)
It is virtue signaling, especially considering the fact that doing the hard to swallow thing of paying the ransom would probably be the best outcome from a customer perspective.

Yes there are negative externalities in funding ransomware operations, not paying is still much more likely to hurt your customers than paying.

replies(2): >>saberi+Vx >>whimsi+F31
4. satisf+Z3[view] [source] 2025-11-13 10:38:39
>>lexlam+(OP)
What is the problem with virtue signaling? By all means signal virtue! Perhaps you are concerned by cheap virtue signals, which have little significance.

The point here is that this is an expensive virtue signal. Although, it would be more effective if we knew how expensive it was.

5. pjc50+w6[view] [source] 2025-11-13 10:59:59
>>lexlam+(OP)
At the stage we're at, I would far prefer virtue signalling to the more widespread vice signalling.
6. dspill+07[view] [source] 2025-11-13 11:04:46
>>lexlam+(OP)
> The donation is more or less virtue signalling rather than actual insight.

I see it more as a middle finger to the perps: “look, we can afford to pay, here, see us pay that amount elsewhere, but you aren't getting it”. It isn't signalling virtue as much as it is signalling “fuck you and your ransom demands” in the hope that this will mark them as not an easy target for that sort of thing in future.

replies(1): >>boness+B8
7. AlienR+E7[view] [source] 2025-11-13 11:09:11
>>lexlam+(OP)
I don't know what virtue signaling means. I think you mean they just did it out of spite.
replies(1): >>Tactic+jw2
8. dspill+I7[view] [source] [discussion] 2025-11-13 11:09:26
>>varisp+p1
> If companies want security, they should pay for security.

Or just properly follow best-practise, and their own procedures, internally.⁰

That was the failing here, which in an unusual act of honesty they are taking responsibility for in this matter.

--------

[0] That might be considered paying for security, indirectly, as it means having the resources available to make sure these things are done, and tracked so it can be proven they are done making slips difficult to happen and easy to track & hopefully rectify when they inevitably still do.

9. rollca+s8[view] [source] [discussion] 2025-11-13 11:14:41
>>varisp+p1
Security is an arms race. Don't expect a leap; do your part to stay ahead.
10. boness+B8[view] [source] [discussion] 2025-11-13 11:15:56
>>dspill+07
It also serves as a proxy for a punishment. They are, from one perspective, paying a voluntary fine based on their own assessment of their security failings.

For customers it signals sincerity and may help dampen outrage in their follow up dealings.

11. blitza+Ed[view] [source] 2025-11-13 11:58:04
>>lexlam+(OP)
They should have watched Ransom (1996).

https://www.youtube.com/watch?v=xllIU0lPgqs

replies(1): >>techni+Q62
12. Timpy+im[view] [source] 2025-11-13 13:00:50
>>lexlam+(OP)
Yes but I think it's a good virtue to signal considering the circumstances. If they paid the ransom that would signal that ransoming this company works, incentivizing more ransoms. If they refuse to pay the ransom it might signal that they care more about money than they do integrity. Taking the financial hit of the ransom, but paying it to something that signals their values, is about the best move I can imagine.
13. saberi+Vx[view] [source] [discussion] 2025-11-13 14:14:42
>>wallet+L3
Paying ransomware fines is never the smart move to do unless you happen to trust what cyber criminals tell you.

You send them the payment, they tell you they deleted the data, but they also sell the data to 10 other customers over the dark-web.

Why would you ever trust people who are inherently trustworthy and who are trying to screw you? While also encouraging further ransomware crimes in the future.

replies(1): >>wallet+yR
14. marcos+KB[view] [source] 2025-11-13 14:34:57
>>lexlam+(OP)
> Proper practices for protections are well established and known

Endpoint security is a well-known open problem for which no sufficient practices and protections exist.

15. wallet+yR[view] [source] [discussion] 2025-11-13 15:50:28
>>saberi+Vx
It’s a sliding scale.

If you don’t pay, the odds they will publish your data are closer to 100%. If you do pay, the odds have historically been much closer to 0% than 100%.

You aren’t paying to be sure, but to improve your chances.

16. domini+M21[view] [source] 2025-11-13 16:41:31
>>lexlam+(OP)
Virtue signaling is an insult that you can for example use against greenwashing or against someone who pledged to donate a lot of money to some charity but actually donated none or much less. Hypocrisy is also a form of virtue signaling.

It's also a term you can use against political opponents because it's much easier to speak well than to actually do good.

Refusing to negotiate with criminals and help fund security seems like the proper long-term reaction for everyone.

17. whimsi+p31[view] [source] 2025-11-13 16:44:21
>>lexlam+(OP)
Requiring everyone to implement proper practices is one way of addressing the problem, I might call it Sisyphean & impossible.

Making it illegal to pay ransom is likely a much easier to implement and more effective solution.

And this isn’t virtue signaling - they literally did the virtuous thing that is better for society at the expense of their bottom line. That is just virtue.

18. whimsi+F31[view] [source] [discussion] 2025-11-13 16:45:32
>>wallet+L3
Doing the positive externality thing at expense of your bottom line is to be praised. It is not ‘virtue signaling’ - it is actually doing a virtuous thing.
replies(1): >>wallet+X81
19. wallet+X81[view] [source] [discussion] 2025-11-13 17:08:56
>>whimsi+F31
Very small positive externality at the expense of their customers. Probably doesn’t even come close to balancing out.

Besides, if they were genuinely interested in positive externalities they would be spending the money lobbying for a ransomware payments ban and not donating to universities.

20. techni+Q62[view] [source] [discussion] 2025-11-13 21:55:14
>>blitza+Ed
I was just thinking of this scene as I read their report.
21. Tactic+jw2[view] [source] [discussion] 2025-11-14 01:07:28
>>AlienR+E7
Refusing to pay a ransom and instead giving the money to the "enemies" of the attackers isn't "virtue signaling" (as someone already commented: it's a "fuck you" to the attackers).

In French we call that a "pied de nez". "Turning the table" / "Poetic justice" / "Adding insult to injury" would all be more correct than "virtue signalling".

If there was no attacker and the company gave half a mil out of nowhere to a security company (or a charity) and boasted publicly about it, that would be virtue signalling.

But refusing to pay the ransom and giving the exact same amount to security researchers is just a big, giant, middle finger.

And a middle finger ain't no virtue signalling.

replies(1): >>wallet+273
22. wallet+273[view] [source] [discussion] 2025-11-14 08:28:21
>>Tactic+jw2
If they wanted to meaningfully give a middle finger to the attackers they’d be spending the money lobbying for a ransomware payments ban, not throwing away money by giving it to universities that have plenty of money and will probably do absolutely nothing to reduce ransomware attacks in the foreseeable future.
23. make3+sU4[view] [source] 2025-11-14 20:37:37
>>lexlam+(OP)
Sidenote, it's interesting how the term "virtue signaling" is arguably objectively an individualistic right-wing dog whistle these days.

I would argue that it is being used all over the media to complain about anyone showing any signs of not being purely individualistic, as if individualism is the only true thing people actually honestly feel. This is obviously incorrect, empathy, professionalism, a desire for a sense of purpose, are all things that people objectively feel in the real world, everyday, everywhere.

I would argue that the expression "virtue signaling" is used systematically in individualistic right wing media by the right about anyone who says, for example, that they care about minorities or less fortunate people or to take action to support them, as if it was false. I would argue that this is harmful.

People do care a good fraction of the time, and they should be recognized for their positive actions, and encouraged. I would argue that we should definitely strive for a culture where individualism is not seen as the only true emotion that people can feel.

So, knowing the negative political and philosophical baggage, I would not use that expression, especially if you don't have actual proof that they don't care about security, professionalism, etc.
