Saturday, June 07, 2008

stop trying to decrypt your data

according to a new network world article, gpcode is back... for those that don't remember, it's a piece of malware whose payload encrypts your data and holds it for ransom... you have to either pay the bad guys to get the decryption key or you have to hope that the av vendors figure out how to crack it (and probably pay them for their product so you can use it to decrypt your data)...

this is all misdirected effort, though... for all intents and purposes this is a data corrupting payload - the fact that the transformation it performs on your data is reversible is a red herring meant to make people spin their wheels and eventually capitulate and give the bad guys what they want while distracting you from the fact that a data encryptor is no harder to recover from than a data destroyer...

you're prepared for drive failures, right? you have a plan for when something comes along and hoses your data irrecoverably, right? of course you do; they're called backups... those same backups work equally well against maliciously encrypted data as they do against maliciously or accidentally destroyed data, so the question i have for those who are concerned about this new version of gpcode is "what's the big deal?"...
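the point above is that recovery from an encrypting payload is the same exercise as recovery from any other data-corrupting event: compare what you have now against a known-good record, and copy back whatever no longer matches. the following is an added example (not code from the original post and not related to gpcode itself) of that restore drill in python: it builds a hash manifest of a directory, simulates a corrupting payload by overwriting files with random bytes in a temporary directory it created itself, finds the files that no longer match the manifest, and restores them from a backup copy. the directory layout, file names and contents are constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 digest of one file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root, posix style) to its digest.

    In practice this manifest is taken at backup time and stored with the backup,
    well away from the live data.
    """
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def find_damaged(root: Path, manifest: dict) -> list:
    """Files that are missing or whose digest no longer matches the manifest.

    Whether the change was encryption, deletion or random garbage is irrelevant here:
    anything that no longer matches gets restored.
    """
    damaged = []
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file() or sha256_file(p) != digest:
            damaged.append(rel)
    return damaged


def restore(backup_root: Path, live_root: Path, damaged: list) -> int:
    """Copy each damaged file back from the backup; returns how many were restored."""
    count = 0
    for rel in damaged:
        dst = live_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_root / rel, dst)
        count += 1
    return count


def restore_drill() -> dict:
    """Constructed end-to-end drill inside a temporary directory (hypothetical data)."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        backup = Path(tmp) / "backup"
        (live / "docs").mkdir(parents=True)
        (live / "docs" / "report.txt").write_bytes(b"quarterly figures\n")
        (live / "notes.txt").write_bytes(b"meeting notes\n")
        (live / "photo.bin").write_bytes(bytes(range(256)))

        # Take the backup and record the manifest while the data is known good.
        shutil.copytree(live, backup)
        manifest = build_manifest(live)

        # Simulate a data-corrupting payload: two files overwritten with garbage.
        (live / "docs" / "report.txt").write_bytes(os.urandom(64))
        (live / "notes.txt").write_bytes(os.urandom(64))

        damaged = find_damaged(live, manifest)
        restored = restore(backup, live, damaged)
        remaining = find_damaged(live, manifest)
        return {
            "damaged": sorted(damaged),
            "restored": restored,
            "remaining": remaining,
        }


if __name__ == "__main__":
    print(restore_drill())
```

the manifest is what lets you answer "which files did it touch?" without any interest in how it touched them; keeping it (and the backup it describes) offline or otherwise out of reach of whatever runs on the live machine is what makes the drill work when it counts.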

and for those working on a way to crack this thing my question is "why bother?"... for all you know the malware writers screwed up their crypto code again, but this time in such a way that the data actually is unrecoverable... and if they didn't screw it up then you'll pile huge amounts of effort into cracking the key and either fail, or succeed and force the malware writer to take the rather trivial step of creating a new key and releasing a new version of the malware... why bother making the distinction between this and a true data loss event for the user? if the user has backups they're fine, and if they don't then this is the kind of event that they actually need in order to learn how important good backups really are... yes, it would suck to be them, but this is the real world and the real world has consequences that they need to know about rather than be sheltered from... consequences are what help us learn...


*non-update* (since i found out before i managed to post this article): apparently the folks at kaspersky are trying to organize a combined effort to crack the key... there's still nothing to convince me this isn't a waste of time but i should at least acknowledge the difference in opinion... then again, i suppose businesses have a tough time trying to get away with tough love, so i suppose it does make business sense for them to try and coddle their customers in this way...
