myrandomcomment 9 hours ago

1. It should be illegal for any company to pay ransomware attacks. Period. No pay out ever. 2. The penalty for being the attacker should be linked to the system they violated. If you do this to a hospital and someone dies, you get life in prison / the chair. The minimum sentence should be so painful that it deters the attack.

No, this will not stop this, and companies need to be held accountable for their lack of security investment. Every attack should be investigated to determine whether the company met agreed industry-standard best practices, staffing, etc. The penalties for not meeting the requirements should be punitive.

parliament32 9 hours ago | parent | next [-]

> It should be illegal

It should be illegal to host insecure services, especially when you're dealing with PII. Breaches keep happening and nobody gives a fuck, because the worst that'll happen is you might lose a handful of customers and buy some "credit monitoring".

Incidents like this should be followed by an audit and charges being laid. Send corp officers to jail for negligent security failures. If you can go to jail for accounting fraud, you should be able to go to jail for cybersecurity-promises-fraud.

They claim to be compliant with a number of security standards [1]. I would love to see a postmortem audit of how much of this they actually implemented.

[1] https://www.instructure.com/en-au/trust-center/compliance

rcoveson 7 hours ago | parent | next [-]

I don't think that criminal negligence is the most helpful legal tool for incentivizing improved security. It's too hard to prove negligence.

Instead, there should be standard civil penalties for leaking various degrees of PII paid as restitution to the affected individual. Importantly, this must be applied REGARDLESS of "certification" or whether any security practices were "incorrect" or "insufficient". Even if there's a zero-day exploit and you did everything right, you pay. That's the cost of storing people's secrets.

This would make operating services whose whole "thing" is storing a bunch of information about individuals (like Canvas) much more expensive. Good! It's far too cheap to stockpile a ticking time bomb of private info and then walk away paying no damages just because you complied with some out-of-date list of rules or got the stamp of approval from a certification org that's incentivized to give out stamps of approval.

jedbrown 4 hours ago | parent | next [-]

And this strict liability will come with an expectation of insurance. The insurance policies will necessitate audits, which will actually improve security.

walletdrainer an hour ago | parent | prev | next [-]

I feel like there’s a tendency here to seriously overestimate how damaging these leaks are to individuals.

For most individuals impacted by these hacks, appropriate restitution would be $0. Anything more than that would go beyond making them whole.

Kiro 43 minutes ago | parent [-]

It's not a popular opinion but I agree. I live in a country that has a very extensive principle of public records, and oftentimes these leaks disclose much less than you would get by simply calling the authorities and asking. Now, whether that's good or bad is a different story.

7 hours ago | parent | prev | next [-]
[deleted]
Avicebron 7 hours ago | parent | prev | next [-]

The only right answer.

anonzzzies 6 hours ago | parent | prev [-]

Let's do this.

phainopepla2 9 hours ago | parent | prev | next [-]

How could you possibly make it illegal to host insecure services? Is any service 100% secure? And if it were how would we know?

I do agree with the audit and punishments for clear failure to adhere to established standards.

bawolff 9 hours ago | parent | next [-]

This is a solved problem in pretty much every other domain of life - if you are following best practices but something that wasn't reasonably foreseeable happens, then you're fine, but if the bad thing happens as a result of negligence then you are in trouble.

jameshart 7 hours ago | parent | next [-]

Criminal law isn't about making things alright for the victim. That's what insurance is for.

Even if you leave your door unlocked, if someone walks in and steals your stuff, it's a crime. The state has an interest in prosecuting crimes even if the victim didn't do everything they could to prevent it.

JumpCrisscross 6 hours ago | parent | next [-]

> Criminal law isn't about making things alright for the victim

Restitution and retribution are the components of justice [1] entirely about "making things alright for the victim."

[1] https://www.unodc.org/e4j/en/crime-prevention-criminal-justi...

bawolff 6 hours ago | parent | prev [-]

The company is not the victim here. Its users are. [I suppose my previous comment was a bit ambiguous - I meant something bad happens to someone else, not to yourself]

A better version of your analogy would be if your landlord failed to repair your front door in a reasonable period of time and as a result someone walked in and stole your stuff. Yes, the thief is the primary responsible party, but the landlord's negligence in maintaining the property probably also exposes them to some liability.

P.s. This is neither here nor there, but restitution is a part of criminal law.

isityettime 8 hours ago | parent | prev | next [-]

"Best practice" in cybersecurity is largely vendor-driven with little to no independent empirical validation.

That standard is likely to lock people into buying some pretty bad software, but it does little to ensure that they're running reasonably secure systems.

SoftTalker 7 hours ago | parent | prev | next [-]

I like to relate it to operating an automobile. You can follow every traffic law and still be liable in an accident, because you owned the vehicle that caused the damage. This is why you have insurance.

MagicMoonlight 7 hours ago | parent | prev [-]

In civil law maybe, but you aren’t allowed to blame a rape victim for choosing to walk down rape alley…

hsbauauvhabzb 9 hours ago | parent | prev [-]

No building has a 100% chance of not caving in, yet somehow I think charges would be laid if a skyscraper caved in.

sieve 7 hours ago | parent | next [-]

The equivalent analogy is charging lock/door/drywall/timber makers and suppliers for lapses if a thief entered the house by picking a lock or drilling/sawing through the wall.

jameshart 7 hours ago | parent | prev [-]

This analogy seems to be portraying 'ransomware hackers' as an unstoppable force of nature akin to gravity.

I'm not sure that's a fair analogy.

ryandrake 7 hours ago | parent [-]

The other side of that spectrum portrays the service providers as pure, negligence-free victims. The truth is probably somewhere in the middle.

primitivesuave 8 hours ago | parent | prev | next [-]

If Boeing claimed a plane was airworthy, but it crashed because basic engineering controls were skipped, we have collectively put our faith in the NTSB to preserve evidence, run an independent technical investigation, etc. There is no such authority for software - most security auditors (SOC2, HITRUST, etc) are just looking at self-reported data.

Just take a look at the recent Epic vs. Health Gorilla lawsuit to see how nonexistent the protection is around exchanging your medical records, one of the most sensitive types of PII.

willdr 7 hours ago | parent [-]

Edit: I was incorrect / non-American, I was thinking of your FAA.

motoxpro 3 hours ago | parent | prev | next [-]

People who haven’t been hacked just haven’t been looked at. If someone wants to hack you, they will hack you. It’s really unfortunate that people have this level of confidence in their ability.

Here’s an example. https://hacks.mozilla.org/2026/05/behind-the-scenes-hardenin...

a34729t 8 hours ago | parent | prev | next [-]

Has a corporate officer ever gone to jail or been meaningfully fined for a data breach?

JumpCrisscross 6 hours ago | parent | prev [-]

> Incidents like this should be followed by an audit and charges being laid

What? Why? Who died? This whole thing is perfectly dealt with through civil process.

ivanjermakov 9 minutes ago | parent | prev | next [-]

The only way to prevent terrorism is to never meet terrorists' demands.

mikeweiss 9 hours ago | parent | prev | next [-]

Shouldn’t we be focusing on making it harder to pay overseas criminals in the first place? /ahem/ crypto platforms facilitating transfers to bad actors /ahem/

protocolture 3 hours ago | parent | next [-]

Criminals should focus on proven methods, like Steam Gift cards.

ttul 6 hours ago | parent | prev | next [-]

But, then, how would Trump’s family and cronies get paid?

Bud 7 hours ago | parent | prev [-]

[dead]

thinkingemote 40 minutes ago | parent | prev | next [-]

One of those eye opening moments for me was learning about how these criminals work on trust. They need to be trusted to not release the data or to unencrypt when paid, and by and large they do.

One way to weaken any group that works on trust would be to make them less trustworthy. That way victims wouldn't be as confident paying the criminals and thereby making the effort by the criminals less attractive.

chrisjj 5 minutes ago | parent | prev | next [-]

[delayed]

bombcar 9 hours ago | parent | prev | next [-]

Your "minimum sentence so painful" will certainly dissuade foreign nationals, even foreign governments.

Kostchei 9 hours ago | parent | next [-]

Interestingly, having actually done the law enforcement side of these investigations, 50% of them are local. And I understand that this is not a 100% solution, but neither is any form of law enforcement, but that doesn't mean we should fail to attempt it.

Kids from the local uni having a lark, stalkers, vindictive ex-employees, local gangs, criminals who understand their victims because they hail from the same community. These are your local hackers. Sift them from the nation states and international crime groups, then deal with the international as a matter of diplomacy. Because we do this so poorly locally, we have little ammunition when it comes to diplomacy. "Reduce attacks by your crime groups and we buy your natural gas, sell you wheat etc."

Want more motivation? 75% of the local attacks by volume send funds back to terrorist or separatist organizations.

It is not an insoluble problem. Sentences are a fraction of the answer; effective and receptive reporting processes are more important, then government backing for investigation and enforcement, then policy around home-team activities (i.e. don't do the bad things yourselves, Mr Gov). Deterrence comes after all that.

Aurornis 8 hours ago | parent | next [-]

One tech ransom case I know of was an inside job. It definitely happens.

There are already significant penalties for doing anything like this. The guy involved is in prison for a very long time. I don’t recall the exact number of years but I do remember it was so long that he wasn’t going to see his kids grow up.

I don’t think anyone who puts a little thought into a crime like this doesn’t understand that the penalties are already very huge. You don’t get a slap on the wrist for extorting a company (or person, for that matter).

hluska 8 hours ago | parent | prev [-]

50% of ransomware attacks are local to where? You’ll need to cite some sources because I don’t believe that is possible.

nullsanity 8 hours ago | parent [-]

To the country or an ally of the country they are targeting, duh. It doesn't matter if you believe it, it's been the truth for over a decade. Heck, Sh1nyHunt3rs people were arrested in the UK recently.

da_chicken 9 hours ago | parent | prev | next [-]

Yeah, they identified themselves as ShinyHunters, and the IP they've put on the demonstration page is geocoded to Russia. Notice this is the same group responsible for the Infinite Campus hack last year.

Really, though, if you want someone to blame, Instructure is not a particularly compelling target. Let's review:

1. Iran is intentionally targeting infrastructure due to a war started by the current administration.

2. China is actively seeking corporate secrets to steal and commercialize for themselves, spurred by extreme protectionism and retaliatory tariffs.

3. North Korea is doing anything they can -- including just taking a remote job by proxy -- in order to extract any money.

4. And Russia is working with and aiding all of them, after everything else going on has forced the embargo to break.

5. All of this while completely alienating every single one of the United States' allies.

6. Meanwhile, the American DHS is currently shut down.

7. And this is after Trump cut funding and personnel for CISA severely enough they've had to end the contract with MS-ISAC, meaning all state and local entities can only remain in the organization if they foot the bill for it directly and CISA and other agencies responsible for cybersecurity are more thinly staffed than they have been in decades.

In short, the current administration systematically disassembled all the protections we have built over the last 100 years, and then placed infrastructure -- schools, in this case, but also power companies, water treatment facilities, communications companies, local governments, hospitals, food producers -- directly on the front lines of the modern geopolitical conflict.

That vast ocean that has kept us safe historically is a poor moat in the modern era.

vasco 7 hours ago | parent [-]

Having an IP in Russia means about zero regarding their location. Literally anyone doing anything like this is going to get a Chinese or a Russian IP for obvious reasons. Mostly decoy and people like you.

elictronic 8 hours ago | parent | prev [-]

Complete internet blockage of nations allowing the attacks. If foreign governments are you can always execute them. We are living in a different world where this is no longer a zero probability occurrence.

Bud 7 hours ago | parent [-]

[dead]

pants2 9 hours ago | parent | prev | next [-]

When will countries start treating cyberattacks as an act of war? If the North Korean military came to America and robbed Fort Knox of $200M in gold there would be retribution. But hack an American company for the same amount and the feds do nothing.

prodigycorp 9 hours ago | parent | next [-]

Ok, so we treat it as an act of war. Now what? Attack North Korea? Great, the entire city of Seoul gets shelled within five minutes of your attack and hundreds of thousands of innocent people die.

It's very easy to play with lives that aren't yours.

kqp 18 minutes ago | parent | next [-]

Never retaliating is a great way to get people to attack you. Of course escalating to all-out war provokes the same in response, but there does need to be a proportionate response, because it needs to be stupid to hurt us, not good business. It’s a significant failure of the US government when half the world freely loots US citizens and businesses.

sayamqazi 2 hours ago | parent | prev | next [-]

You would be surprised how many people naively think "Why doesn't my country just open a war on X country and this Y problem will be solved forever." In their head they think war is just a flurry of bombardments and the other side (not theirs) is just destroyed to rubble and their country will have only minimal losses.

flexagoon 2 hours ago | parent [-]

Many country leaders also clearly think the same

toraway 7 hours ago | parent | prev [-]

Exactly. This is the "Declare fentanyl a WMD" of solutions to ransomware. Sounds kinda badass as long as you don't spend too long thinking about it but has no practical relevance to actual enforcement challenges.

It's a familiar example of the perennial "[THING] could be solved overnight if [PERSON_OR_GROUP] would just start taking [THING] seriously" trope.

a2128 9 hours ago | parent | prev | next [-]

How do you know which country to blame? It is standard practice for foreign actors (or just hackers in general) to use proxies around the world to misdirect and insert false clues as to their origin. It could be an American teenager proxying through North Korea, and it could be a North Korean proxying through another American teenager's residential connection, there's no way to know.

bigyabai 9 hours ago | parent | prev | next [-]

They already do. This is what asymmetric warfare looks like, your weakest links will break in a time of crisis. Focusing on retribution for the Dunder Mifflin cyberattack is pointless, the adversarial motivation is purely to disrupt and extort.

The best response to a cyberattack on critical systems is to take security seriously. Document the offense, avoid the same mistakes and invest in penetration testing. Of course, nobody is incentivized to do that until they're attacked, so the cycle perpetuates itself.

chrisjj 2 hours ago | parent | prev [-]

> When will countries start treating cyberattacks as an act of war?

When appropriate. I.e. never.

charlie90 8 hours ago | parent | prev | next [-]

If someone robs a bank and someone inside dies of a heart attack, that's felony murder. I would be happy if the same applied to ransom attacks or other blackmail/leaking of info. If someone commits suicide because of it, it's murder.

scratchyone 6 hours ago | parent [-]

Felony murder is pretty widely regarded as a leading factor in incredibly unjust prosecutions and sentencing decisions. Perhaps not the best concept to build your ideas on top of.

gruez 7 hours ago | parent | prev | next [-]

> If you do this to a hospital and someone dies you are life in prison / chair.

If you're going to get the chair you might as well murder some witnesses or destroy some systems to hide the fact you got hacked. "Hack? What hack? Our servers all burned down in an arson attack".

Avicebron 9 hours ago | parent | prev | next [-]

We could also throw the CEOs of companies who don't properly secure their infrastructure and pay their security engineers enough in jail. A little justice on both ends.

scheme271 9 hours ago | parent [-]

Uh, who determines that the infrastructure wasn't properly secured? Who is willing to risk prison because some intern accidentally committed an API key or made a dumb mistake? Conversely, what's the chance that no one actually gets prosecuted regardless of how sloppy their security practices are?

applfanboysbgon 9 hours ago | parent | next [-]

> who determines that the infrastructure wasn't properly secured

An investigative body, the same kind that determines the who, the why, and the how when an airliner crashes or a bridge collapses. Obviously a lot of work needs to be done to get from point A to point B, and it won't happen overnight, but software development is currently a deeply unserious profession and at some point a genuine software engineering practice needs to be developed.

I am, perhaps naively, slightly hopeful that the LLM bullshit plaguing our industry will be the gust of wind needed for the house of cards to collapse and governments to realise that allowing the entire world to be vibe coded is not sustainable.

dghlsakjg 9 hours ago | parent | next [-]

Pretty famously, aviation incident investigations are almost always not done with prosecutorial intent, and more about truth finding. It leads to people involved being cooperative to prevent future problems instead of ass covering to prevent jail.

Aviation’s safety record is not coincidental.

allthetime 7 hours ago | parent [-]

In a darker reading, strong aviation safety is mostly motivated by not killing customers. An airline or plane maker who kills more customers than others will rapidly bleed those same customers and lose them to less lethal competitors. If no one cared about dying people I imagine aviation safety wouldn’t be so impressive.

As someone else here said, software, for the most part, is a deeply unserious industry. The stakes are so comparatively low and the consequences less obvious that it’s a lot easier for companies like Intuit to maintain their supremacy simply by being entrenched, having strong sales teams, and the hearts & minds of non-technical managers.

In recent times it seems Boeing has been flirting with enshittification and half-assery, but critics are not quiet and not falling on deaf ears.

dghlsakjg 6 hours ago | parent [-]

Sure, fatal stuff is bad for the bottom line, but that is a vanishing minority of what gets investigated.

You may not be aware, but there are thousands of non fatal incidents reported per year that just don't make the news.

There is a strong culture of self reporting instilled right from basic flight training, even when there is no damage or injuries, and even when the incident would have never been noticed by the authorities. You are almost guaranteed not to face consequences if you are open and honest about an incident. The FAA openly says that they would much rather educate than punish, and they tend to do that with pilots who own their mistakes. As long as there is no intent behind the fuckup, pilots are unlikely to lose their job, let alone their license.

JumpCrisscross 6 hours ago | parent | prev [-]

> An investigative body

This just in: Anthropic, Harvard and Jimmy Kimmel have been investigated and found guilty of not securing their infrastructure.

sayamqazi 2 hours ago | parent | prev | next [-]

When a great product is built it was the leadership and when a mistake was made it was always the employee that did it. Cool!

Avicebron 9 hours ago | parent | prev | next [-]

Ideally the chances are high to certain they get prosecuted for sloppy security practices. It's part of the gig of being a CEO, if you imagine you are such a visionary/ideas guy/leader/whatever, risk taker (always a risk taker) then you can gamble spending 20 to life because you weren't actually as good as you thought.

chrisjj 2 hours ago | parent | prev [-]

> Uh, who determines that the infrastructure wasn't properly secured?

ShinyHackers, obviously.

Ekaros 4 hours ago | parent | prev | next [-]

Failure to protect a computer system from a foreseen failure should result in passing the corporate veil, with all stockholders and managers/leadership of funds being jailed for the same period as the perpetrator. It is the only way to ensure that these things are taken seriously and enough pressure is put on the leadership of companies.

bux93 an hour ago | parent | prev | next [-]

Or maybe it should be mandatory for all companies to pay ransomware attackers. Think of it as an involuntary bounty program. Now they get to just say 'sorry (for your hurt feelings)' and suffer no consequences.

Apart from the 4% of the total worldwide annual turnover fine that theoretically could be levied under GDPR, but has never been imposed in full.

dev360 8 hours ago | parent | prev | next [-]

> No this will not stop this and companies need to be held accountable for their lack of security investment.

I think in principle, it's sound. I'm also just baffled hearing anecdotes from friends that are in the big corp world and hearing the type of incidents they have, and how they respond to it. It makes me wonder if there is enough capable talent to go around for the "boring corp" crowd.

Hint: I don't think there is nearly enough talent to go round, but for these companies, it's either that they think they have solid experts (and didn't), OR it's not a real priority until you get hit.

7 hours ago | parent | prev | next [-]
[deleted]
5 hours ago | parent | prev | next [-]
[deleted]
protocolture 7 hours ago | parent | prev [-]

1. It should be illegal to run insecure services. Massive Fines.

2. The payout to the hackers should form part, but not all, of the penalties. Pay those guys for their great service to humanity; they earned it.