When Security Exploits Have Exploits

from the piling-on dept

We’ve talked in the past about how security software sometimes needs security software itself — but what about security exploits? A popular scam these days among some script kiddies is to lock up important data on someone’s computer unless they pay an extortion fee to release the data. Of course, it should come as no surprise that these exploits have exploits of their own… as one security firm discovered this week, releasing the universal password that will unlock your data should you happen to get caught by one of these scams. Apparently, all you need to know is: mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw. Of course, it’s not surprising to find out the a script kiddie scam has exploits, but it does suggest a different kind of race for some security companies. Instead of just focusing on patches, look for ways to break the scam software itself.

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “When Security Exploits Have Exploits”

Subscribe: RSS Leave a comment
Razor's Edge says:

Re: Re: Re:

“That is stupid and american. Suing because someone stopped your illegal activity.”

While someone could file a lawsuit for this (and thus, you could say someone was sued for stopping their illegal activity), the case would undoubtedly be dismissed the second the presiding judged stopped laughing himself out of his seat.

Razor's Edge says:


“I wonder if the “ransomware” writers can sue under the DMCA’s anti-circumvention provisions (well, if it was in the States).”

No. According to the dirty hands doctrine, certain aspects of the criminal and civil laws do not apply to persons engaged in criminal activities.

As an example, even if you sign a contract with a prostitute that says you pay her in advance for 12 ‘sessions’ and she refuses to provide any services, you cannot sue her for breach of contract or for fraud. (Assuming this happens in the 99% of the USA that prohibits prostitution.)

While I haven’t heard of a DMCA case being dismissed or lost because of the dirty hands docrtine so far, I can pretty much guarantee that someone who commits several federal felonies will run afoul of it.

Tim Arview (user link) says:

Re: Re:

Actually, it’d be more like suing your neighbor for tapping your phone line and overhearing you plan a bank heist, then using that information to stop you from robbing the bank by, for instance, giving the bank your description and the exact time you’ll be showing up.

The neighbor’s act was illegal, but for the greater good. It’s an argument of justice versus ethics.

A security guard hitting a bank robber is well within his legal rights, and it’s *mostly* ethical (it’s his job and what general society expects him to do). To me, reverse engineering software (even malware) is not within anyone’s legal rights, even though it may be considered ethical.

In my opinion, justice should always win.

Josh (profile) says:


A quote from my own post on the issue earlier today:

“Maybe it’s a good thing, but in the long run, I don’t see how “ransomware” could really make it in the long run. If people are going to find work arounds to software from companies like Microsoft and Adobe with billions of dollars invested in anti-pirating efforts, I doubt even the best “ransomware” virus would last before someone cracked it.”


OK says:

I know a guy in PA that shot a burglar in his home. The burglar fell down the stairs after he was shot and broke his leg. He sued the guy for medical costs, pain and suffering and emotional distress and the burglar won.

Messed up legal system? YES

The right to sue – Priceless

who wants to guess how long it is before Techdirt is reporting the story of the ransomware creators suing under the DCMA?

I say 120 days…

rahrens says:

suing burglers

Real case:

A man was on the roof of a school in California (25+ yrs ago), in the progress of committing burglery. The roof’s access ladders were protected by “Authorized personnel only” signs. He tripped over, and fell through, a skylight in the dark, landing in the building below – breaking his back. He sued, saying that the school district should have placed warning signs to alert persons on the roof to the presence of the skylight. Not only did he win, but his case went all the way to the Supreme Court, AND WAS UPHELD!!

Igor says:

It is not really fair to call people dumb because they get this ransomware on their computer. Keep in mind that many users are new and just are not as savvy as you and I may consider ourselves. Also, these tactics are getting slicker and slicker, so even the experienced user can fall victim to these attacks form time to time. Old people in particular get savaged by these things because they trust all system and security software based notifications (real or not), and they are the ones who are most likely to actually shell out the cash to just get rid of the problem.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...