
Thanks cryptocurrency! What a useful technology. Wasting electricity, enabling wild financial speculation, and best of all shutting down critical public institutions like hospitals by enabling rampant cyber crime.

Is there anything this miracle technology can’t do?



Can you please not post generic flamewar comments to HN? Regardless of who's right or wrong, the millionth variation of this snarky dismissal is exactly what we're not going for here.

https://news.ycombinator.com/newsguidelines.html


Not to defend crypto, but I can replace the word "cryptocurrency" with, say, "computers" and your sentence is equally true. It's pointless to blame technology for how it's used. Why not blame the people who run ransomware operations, or the hospital administrators who don't back up their data? If a ransomware attack is enough to cause the hospital to shut down, that means they were a bad glitch away from shutting down, anyway.


> If a ransomware attack is enough to cause the hospital to shut down, that means they were a bad glitch away from shutting down, anyway.

I'm going to disagree here. A bad glitch isn't likely to encrypt entire systems and prevent any recovery of data. While a bad glitch could cause complete data loss, ransomware attacks are far more common.


You're not disagreeing with me. You've agreed that a glitch that leads to complete data loss is possible. If you still don't back up then you're gambling the operability of the hospital that such a glitch will never happen and that a ransomware attack will never happen.


>You've agreed that a glitch that leads to complete data loss is possible.

Complete data loss of one instance (whether "instance" is a single computer or single site as in the case of a fire/flood). But random glitches, mistakes, or events without any intention behind them are very different from hostile actors. They don't work to spread everywhere. They don't actively work to hide themselves. Random glitches, mistakes, or events don't try to install rootkits and persist themselves.

>If you still don't back up

Ransomware operators aren't stupid either. We've long since passed the point where "just have a backup" naively is enough; ransomware outfits will actively go after backups if they can, trying to move laterally throughout the victim organization, as well as do things like keep a key around long after everything is encrypted so it can stay transparent for a while. The idea being that even if backups it can't touch are happening, by the time the trigger is pulled and all keys deleted, weeks/months of data will still have been successfully locked up, with the backup systems dutifully backing it up. For many people, individuals even, not just businesses, "we can restore but everything for the past 1-2 months will be lost" represents major expense/pain. Particularly in a medical setting.

It's not that there aren't solutions to that too, and yes I'd hope a big organization would cover it, but afaik it's not as easy as I wish it was. I don't think the challenge of malicious for-profit actors should be trivialized in the way you seem to have been doing. And the value function of computers vs crypto is astronomical, I don't think it's reasonable to equate the two as you originally did either.


>It's not that there aren't solutions to that too, and yes I'd hope a big organization would cover it, but afaik it's not as easy as I wish it was. I don't think the challenge of malicious for-profit actors should be trivialized in the way you seem to have been doing.

Yes, it's difficult. Such is the world we live in. It doesn't make sense to blame cryptocurrencies for that, and not the people who didn't do their job. The existence of cryptocurrencies and of ransomware is something that was outside of their control. Their backup policy wasn't.

>And the value function of computers vs crypto is astronomical, I don't think it's reasonable to equate the two as you originally did either.

You misunderstood my point. That, in balance, computers are much more valuable than cryptocurrencies is a matter of opinion (which I agree with). A Luddite could argue that if the hospital hadn't been using computers for billing, the attack would have been impossible, and could have a point that using computers instead of paper ultimately created more problems than it solved. All that changes is that the technology being criticized was computers rather than cryptocurrencies. But both arguments miss the point that neither computers nor cryptocurrencies are the problem, but rather how they're used.


[flagged]


>Cut it out. [...] Oh bullshit.

How about you dial it back a bit, eh?

>least because cryptocurrencies are impossible without computers which means by definition any value they offer is a subset of the value of computers.

Oh. In that case the energy waste, the scams, the ransomware, etc. are not harms arising from cryptocurrencies, but merely a special case of the harm arising from computers. I mean, I was keeping the two disconnected in favor of computers, but if you want to lump them together then by all means do so.


The “glitch” in most ransomware and AP fraud attacks is an employee clicking on something or believing something they shouldn’t have. LinkedIn facilitates this, because it makes it easy to understand the org chart of a company and target newer employees with urgent, personalized requests from the “CEO.” One person at a place where I recently worked actually fell for it and was at a store buying a SECOND round of gift cards with his company card before he finally got a twinge and pinged someone to see if—perhaps—this might not be legit.

Training can only do so much. People have no attention span these days, and all warnings go in one ear and out the other, even if they are well-intentioned people (as this employee was).


At this point I'm baffled that the entire world doesn't know that if somebody is asking you to buy them gift cards, you're being ripped off.

Do we need to legislate having big "FRAUD WARNING" signs on every gift card display, just like we need "do not use in bathtub" labels on hair dryers?


Tales from infosec...

Also the number of highly compensated tech workers who pirate software on the job. Guys, do not pirate shit at work!

Also: Companies, buy your employees software! It is super hard to talk an employer into spending money on software for productivity.


> Do we need to legislate having big "FRAUD WARNING" signs on every gift card display, just like we need "do not use in bathtub" labels on hair dryers?

The market has provided these without legislation, at least near me.


> If a ransomware attack is enough to cause the hospital to shut down, that means they were a bad glitch away from shutting down, anyway.

Someone competent intentionally doing as much damage as they possibly can is likely to exceed the damage from even the worst accidental fuckup.


Over a sufficiently long time scale, every organization will eventually have a disgruntled employee who intentionally tries to sabotage their systems out of spite or revenge or even as part of a criminal embezzlement scheme. Competent IT managers need to recognize and guard against that threat. Smaller hospitals may not have the scale or financial resources to hire such people so the only practical solution is to outsource their entire IT infrastructure to a larger vendor that can bring in the necessary competencies. It's sad that the situation has reached this point but we have to face the reality that IT security threats will only continue getting worse.


Hospitals are particularly vulnerable to ransomware.

I don’t think you grasp the hodgepodge of obsolete computer systems that are attached to computer networks to run lab equipment, MRI machines, process pharmacy prescriptions, and manage a patient’s chart. Keeping all of this secure and properly backed up is pretty much impossible.

Seriously, I’ve seen machines in use running everything from ancient versions of Sun Solaris to Windows 95.


First, it's not impossible, it's just difficult. And however difficult it is, if those systems are necessary to maintain operation, then they're mission-critical and it's someone's job to make sure that they continue to operate.

Second, a ransomware attack isn't going to attack stuff like medical equipment, which wouldn't hold any important files anyway. It's going to attack workstations and servers likely running some version of Windows. If your IT staff can't keep that stuff backed up then you don't have IT staff.


It’s impossible to patch systems that are out of support and the security patch literally doesn’t exist. In some situations the original vendor themselves don’t even exist anymore.

Also regarding the servers and workstations, recovering from ransomware isn’t as simple as just restoring from a backup. You’re still looking at days of effort restoring backups, reimaging workstations, and validating that everything works.


A vulnerable system that can't be patched shouldn't be in a position where that vulnerability can be exploited, if it's mission-critical. If it's mission-critical, it's vulnerable and can't be patched, and has to be exposed, then it's not fit for purpose and has to be replaced, or have a replacement (i.e. a backup) on stand-by.

Yes, restoring a backup requires effort. But surely less effort than losing the data altogether.


> I don’t think you grasp the hodgepodge of obsolete computer systems that are attached to computer networks to run lab equipment, MRI machines, process pharmacy prescriptions, and manage a patient’s chart. Keeping all of this secure and properly backed up is pretty much impossible.

> Seriously, I’ve seen machines in use running everything from ancient versions of Sun Solaris to Windows 95.

And yet the parking lot will be full of BMWs and Porsches. There's definitely money coming in; why not spend it on making sure the infra can perform when needed?


How much money do these institutions make again...?

You could basically say the spirit of everything you're saying about banks.


The hospitals themselves operate on relatively thin margins usually. Insurance companies, labor costs, pharmaceuticals, blood products, single use sterile items, housekeeping, taking care of uninsured patients that can’t pay the bills, and other regulatory requirements are extremely costly and eat up most of the budget. Reinvesting in IT infrastructure isn’t something that is a priority.


Computers have multiple use cases. So far, crypto only has fraud.


Crypto does have a valid case for paying people for work across country boundaries when financial systems to do this are unreliable or non-existent. (Or have prohibitive fees.)

In some cases, doesn't even violate any laws! :)


Who are these people who have a bank card to use with a crypto exchange, yet do not have access to international banking?

Oh, yes! Of course. Criminals.


Maybe, but I'm glad I can get top-notch LSD delivered in 2 days using crypto.


So paying criminals.

Before anyone says paying criminals for illegal drugs is a victimless crime, remember that a significant portion of the illegal drug trade is run by the cartels and other organized crime organizations which do victimize people.


I'm already paying criminals every time I pay my taxes. Hell, even when I fill up my car with gas, or when I buy meds. If you really want to live ethically and not pay criminals, you have to be autonomous.

The real crime here is preventing me from opening my third eye!


Or honest people who live in countries that have a lot of criminals and/or have a corrupt government.

Life is extremely tough for legitimate businesses in countries such as Nigeria, due to the government's incompetence (some say active collusion) in dealing with fraud. Banks generally won't touch them, and even if they do, transactions are often delayed for weeks.


Right... so how do they acquire cryptocurrency?


I enjoy your takes on AI/ML, but as someone who lives in Iran, if not for crypto I'd be homeless.


Could you explain how you obtain crypto in Iran?

I guess you have a bank account, but your bank is under sanctions? How does that help you?

I am interested in there actually being a use-case; but I've never actually encountered one which survives contact with reality.


I get paid in USDC for programming gigs and third party exchanges in Iran convert it to Rials for me.

The third party exchanges resell crypto to other Iranians who want to use it to buy sanctioned digital goods.

It is the widespread use of crypto that makes this possible; if it wasn't mainstream, then there wouldn't be a difference between getting paid in crypto and a Google Play gift card.


Or people deemed to not deserve access to services (the entire nation of Russia recently). Or people who were cut off from payment processing, like Wikileaks.


If crypto was, at any point, not a tool of the rich elite of those countries then immediately, it would be banned.

Crypto isn't magic -- indeed, it's vastly more sensitive to state control, since anyone in control over any local part of the network can completely disable the system.


There are plenty of unjust laws around the world that make otherwise good people into criminals!


The problem is that in practice a significant amount of this “work” is criminal activity with very real victims.


Which would most likely be violating a law in the process. :)


Sounds like the foundation of Iran-Contra 2


I mean it's actively used in countries with high inflation and bad currency management. Just because it's not used in your Wal-Mart doesn't mean it doesn't exist.


I generally disagree with your popular comparison. There is building a knife, and there is building a knife that is optimized to cut human flesh, with supportive ergonomics.


If cryptocurrency didn't exist, how would you ask to be paid if you were the one holding a hospital ransom?


Basic transactions for regular purchases :-)


I'm sorry, but if you think cryptocurrency invented crime, I have no idea what to say. Ransomware existed welllll before widespread adoption of cryptocurrency, and some of the big ones still use the old infrastructure. Like Moneypak. Even Cryptolocker was mostly paid through vouchers.


Thank you cars for killing 1.35 million people every year!



