最有看点的互联网金融门户

最有看点的互联网金融门户
区块链国际资讯

为什么比特币不是造成勒索事件的根本原因?

Peter Van Valkenburgh是Coin Center集团研究部主管,该集团是一个关注加密数字货币技术相关公共政策问题的非营利性研究与宣传集团。

此前,他曾是一名谷歌政策研究员,并在隐私权、监管以及数字版权法项目中与多个数字版权组织进行过合作。

勒索软件已经存在了很久一段时间 –——比比特币的出现还要早20年 —— 但最近洛杉矶医院的混乱事件让它再度成为了人们关注的焦点。

大多数类型的勒索软件都会通过用密钥“锁定”受害者计算机上的文件,直到受害人支付了赎金才能解锁文件。在这些工具出现的早期,通常是以电汇、预付卡或是短信服务和移动支付的方式支付赎金。

现在,支付几乎都通过比特币完成的。

你或许认为,这是因为比特币是一种“匿名”支付方式。黑客都喜爱它,因为他们不必担心被发现身份并最终受到逮捕。但是事实上这并不是比特币受到黑客欢迎的原因。预付卡更具有隐蔽性,因为它们能被邮寄,然后就可以直接使用或在国际间再次出售,但是追踪起来却并不容易。

然而,比特币交易却会在区块链上留下匿名痕迹,如果黑客试图将比特币兑换成当地货币,她还可能会意外泄露姓名或IP地址从而暴露自己的身份。区块链交易能够揭露有组织的勒索罪行结构,用于逮捕和起诉个别黑客。

比特币之所以受到青睐,就是因为这种交易方式更加快速、可靠和可辨识。

黑客可以仅仅观察公共区块链就能知道受害人是否并且何时完成支付;她甚至可以为每个受害者制作一个独一无二的支付地址,并且在确认比特币转移到这个地址后能自动完成解锁文件的过程。

事实是罪犯所使用的工具通常都具有非常严格的设计参数,因为犯罪分子的工具无法执行他们应有的技术支持,合同或合法的追索权。

寻找解决方案

犯罪分子在这种情况下使用比特币,是因为它是一个可以发挥作用的可靠系统。勒索软件的黑客十分类似于禁令中众所周知的酒类走私贩:他们喜欢速度快的定制车,因为几乎所有的人都仍旧在驾驶T Model 。

这些勒索问题是由以下三种因素造成的,而且无论受害者是亲朋好友还是医院,又或者是警察局,情况都是如此:

1,黑客非法访问电脑,获取机密或有价值数据的读/写权限。

2,黑客在电脑上安装恶意软件,使用高级密码加密文件,并且只有他们拥有解锁文件的钥匙。

3,黑客使用比特币接收赎金,从而换取解锁文件的钥匙。

加密和比特币是三连击中最“具吸引力”的部分,因此他们也得到了大部分媒体的关注。

但问题的根源是第一条:非法访问。

安全性和隐私性

例如,俄罗斯的医院方面早就出现了安全隐私事故,黑客可以“成功”访问、阅读、修改和删除所有的机密医疗记录。

无论黑客是加密了文件,还是要求支付赎金都是次要问题 ;因为损害已经形成了。无法保证这些记录的私密和安全会使得病人陷入被人歧视勒索的危险中,当然,也可能会导致贫穷或缺乏照顾。

所以说,勒索事件频发的原因还是要归结于网络安全性。

每个人 —— 尤其是易受攻击机构的员工 —— 都需要更加重视加强机密记录的安全性;我们都需要更好的了解钓鱼电子邮件以及其他能被黑客利用从而获取机密信息的策略。

这个问题自网络诞生起就一直存在,但其实解决方法也是相当简单的:使用高级密码,不要向任何人分享你的密码(即使有人向您发送类似官方的电子邮件),并且不打开陌生发件人的可疑电子邮件的附件。

此外,在这个问题的三个环节中,密码系统和加密货币都已经完全合法化,并且甚至是让我们更加安全的必要手段。

这样第一部分,由于安全性较差造成的非法访问就没有立足之地了。

寻找替罪羊

如果我们试图寻找一种方式来阻止这些攻击,那么我们就需要针对隐私基础中的的弱项,而不是针对利用这些弱点的工具。

我们需要默认使用https 加密术;了解并实施双重认证;讨论密码管理以及如何设计高级密码;考虑不会轻易泄露个人识别信息的支付系统。

忽视非法访问的问题,将责任归咎于密码学和加密数字货币并不会停止勒索事件。事实上,取缔或损害这些工具可能会使勒索事件更加恶化。

这种政策可能会挫伤诚实的个人去学习并使用保障他们安全的技术,而阴暗角落里的罪犯、或者老谋深算的酒类走私犯还是会继续利用这些功能强大的工具继续作恶。

Peter Van Valkenburgh is director of research at Coin Center, a non-profit research and advocacy group focused on the public policy issues facing cryptocurrency technologies such as bitcoin.

Previously, he was a Google Policy Fellow and collaborated with various digital rights organizations on projects related to privacy, surveillance, and digital copyright law.

Ransomware has been around for a while – turns out it's about 20 years older than bitcoin – but it's been in the news again recently because of a particularly upsetting case involving a Los Angeles Hospital.

Most types of ransomware software "lock" the files on a victim's computer by encrypting them with a key that the hackers withhold until a ransom payment is made. In the early days of these tools, payment was typically made with wire transfer, prepaid cards or by SMS and mobile payments.

Now payment is almost always demanded in bitcoin.

You might think that this is because bitcoin is an "anonymous" payment method, and that hackers love it because they don't have to worry about being identified and ultimately caught. That's not actually why bitcoin is a good fit. Prepaid cards are actually more anonymous because they can be mailed and then used or resold internationally with effectively no trace.

Bitcoin transactions, however, leave a trail of pseudonymous breadcrumbs on the blockchain, and if the hacker tries to cash out into local currency, she might accidentally put a name or an IP address to those pseudonyms and give herself away. Blockchain transactions can reveal the structure of organized ransomware crime rings, and individual hackers can be and have been caught and prosecuted.

No, bitcoin is particularly useful here because it's fast, reliable, and verifiable.

The hacker can simply watch the public blockchain to know if and when a victim has paid up; she can even make a unique payment address for each victim and automate the process of unlocking their files upon a confirmed bitcoin transaction to that unique address.

The truth is that criminals have, as usual, very strict design parameters for the tools they use because there's no tech-support, contract or legal recourse for a criminal whose tools fail to perform as they should.

Jumping to solutions

Criminals are using bitcoin in this case because it's a reliable system that just works. Ransomware hackers are rather like the proverbial rumrunners of prohibition: they like fast custom cars because almost everyone else is still driving a Model T.

Three ingredients make ransomware the problem it is, and these things are just as true whether the victim is your Aunt Alice or a hospital or police station:

1,Hackers gain unauthorized access to a computer with read/write permission over sensitive or valuable data

2,Hackers place malware on that computer to encrypt its files using strong cryptography and a key which only they control

3,Hackers use Bitcoin to receive payment in exchange for the key.

Cryptography and bitcoin are the "sexy" parts of that trifecta, and accordingly, they get most of the media attention.

The root problem though, is number one: unauthorized access.

Security and privacy

In the hospital context, for example, it's already a security and privacy disaster that random hackers in Russia can access, read, modify and delete all of your sensitive medical records.

Whether the hacker then encrypts the files, or demands a ransom is a secondary issue; the damage is already done. Failing to keep those records private and safe puts patients in danger of discrimination, personal blackmail, and, of course, poor or compromised care.

So, to be very, very clear, the problem of ransomware begins with bad security.

Everyone – and especially employees of vulnerable institutions – needs to take the security of sensitive records more seriously; we all need to better understand phishing emails and other social engineering tactics that can be used by hackers to gain access to sensitive information.

This is a problem that's been around as long as the Internet, and yet the solutions are actually fairly straightforward: use strong passwords, don’t share your passwords with anyone (even people sending you official-looking emails) and don’t open suspicious email attachments from senders you don’t know.

Additionally, of this three-part problem, both cryptography and cryptocurrencies have entirely legal and even essential applications that make us more secure.

The first part, unauthorized access caused by poor security, has no upside.

Looking for a scapegoat

If we’re looking for a way to stop these attacks we need to target weaknesses in our privacy infrastructure, not the tools that some may use to exploit those weaknesses.

We need to use https encryption by default; we need to understand and practice two-factor authentication; we need to talk about password managers and what makes a strong password; and we need to think about payment systems that don’t consistently hemorrhage our personal identifying information.

Ignoring this problem of unauthorized access and putting the blame on cryptography and cryptocurrencies will not stop ransomware. In fact, outlawing or compromising these tools will make ransomware significantly worse.

Such policies would discourage honest individuals from learning about and utilizing the very technology that could make them safe; while criminals in darker corners of the world, the sophisticated rumrunners with strict design standards, would continue to use these powerful tools for evil.


用微信扫描可以分享至好友和朋友圈

发表评论

发表评论

您的评论提交后会进行审核,审核通过的留言会展示在下方留言区域,请耐心等待。

评论

您的个人信息不会被公开,请放心填写! 标记为的是必填项

取消

朱孔达 | 未央团队未央编辑团队

88
总文章数

TA还没写个人介绍。。。

[未央翻译]Fintech国际资讯周报|2017年第36周

高旭 09-08

日本最大C2C票务市场Ticket Camp宣布接受比特币支付

Kevin Helm... 08-21

[未央翻译]Fintech国际资讯周报|2017年第33周

zhangpeiqi 08-18

加密货币太高调?英国警方草拟比特币罚没指南

Jamie Redm... 08-14

韩国比特币监管法案面世,5亿韩元成市场准入门槛

Kevin Helm... 08-11

版权所有 © 清华大学五道口金融学院互联网金融实验室 | 京ICP备17044750号-1