this post was submitted on 06 Dec 2023
1631 points (99.2% liked)
Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ
====================
Edit: Can any fellow infosec nerds chime in and say whether this is readable or not? I feel like I just wrote it incoherently because I was stoned. I hope that's what happened anyway, and people pirating software aren't actually this ignorant about network security.
tl;dr: Disgruntled employee wants to make a bunch of easy crypto from the company he hates. Cracks contain viruses a non-minimal amount of the time. This turned into a story about an easier way this coworker could be doing it to introduce his own ransomware and get away with it, and then I went into how I would do it if that was the intention.
I have no idea if this is the reason or if OP's colleague really hated scrolling down and clicking Accept. Maybe he just wanted the legit version for himself.
====================
This sounds like a great way to introduce your 2-year-delay ransomware on the company without it being as risky of a charge if you're caught. Only fired for causing a ransomware infection out of neglect and stupidity if caught, just make sure you tell a few coworkers about it.
Although it'd be easier to plug in a USB drive you found in the parking lot with folder [company name blackmail] which contains "[hot male coworker's name] NUDES.zip.ws" and "[hot female coworker's name] NUDES.zip.ws".
Just make sure you buy a throwaway laptop and install a Russian or Chinese language pack and use that as the primary system language when opening the final source code before you add some CN/RU strings in the file and compile. Use Google Lens to translate in realtime from a burner smartphone /e/OS and location disabled. Make 3 drives and toss 2 of them from your car window in hard to find places a week before, with multiple days between. Then on the day you find yours, covertly chuck it from the roadway an hour before opening in the general area you park, and show up 5 minutes early in the spot you usually park. Make sure you always show up somewhat early. Then "notice it" and walk in and plug it in.
Ransomware starts after a 2 day delay, they bring in LE and find the others that were dropped. Make sure to use neoprene gloves, as latex can pass fingerprints through.
Haha okay infosec engineer here.... I think this blurb is hard to read maybe a little because you wrote it high and maybe a little because you're overestimating what the average person knows about security.
Your first paragraph there makes sense but it would've definitely benefited from a little additional explanation. I don't think it was super clear you were referring to an insider threat scenario. People probably could've got that by breaking it down a little more, but naturally they jumped to the next part hoping for more context.
But you jumped into a hypothetical alternative means to introduce ransomware to a device. And it's not necessarily that people don't know plugging in strange thumb drives is bad, as you suggested in another comment. It's the jargon (maybe not really jargon but that's the best word that came to mind) you used. You talked about a lot of things a bad actor would do, but the average Joe does not know why you'd be doing most of those things. And even if they do it's still not going to make much sense if they didn't grasp what you were saying in the first paragraph.
But ultimately yes, what you said does make sense if you have some Security knowledge (at least a bit more than just basic awareness training) and break down what your first paragraph is trying to say.
I can see that. Appreciate you taking the time to break it down like that.