Re: Ransomeware

[Tom Van Vleck <thvv () multicians org>]

On Mar 18, 2006, at 9:39 AM, Richard M. Smith wrote:

> I gave a security talk in NYC this past week and brought up this  
> ransomeware
> virus.  Most people in the room hadn't heard of this kind of extortion
> scheme before.  The first question I was asked was how does the  
> perp collect
> his $300 without being caught.

I shepherded a a paper for the 1996 Oakland conference on
"Cryptovirology: Extortion based security threats" by Adam Young and  
Moti Yung.
I spent a lot of time helping them deal with objections from the  
security
community that this subject should not be discussed at all.
They have since written a book.

See Adam Young's article from last year, "Has Ransomware Learned from
Cryptovirology?" http://www.newsfactor.com/story.xhtml? 
story_id=011000008HCO
I shall not discuss his claim to have "discovered" cryptovirology.

There are vague claims that use of PayPal or e-Gold (as in the Cisco  
case)
might allow a perp to get paid anonymously.  Digicash was much  
discussed in
the 90s as a way of moving money anonymously, and govt resistance to  
this
idea probably cause their downfall (they made me a job offer in 98 after
CyberCash laid me off, glad I didn't take it).

In order for the perp to get paid, there must be some party to
whom the payment is transferred, unable or unwilling to cooperate with
law enforcement, and yet trusted by both ends not to just steal the  
money.
You might be able to come up with a zero knowledge transfer that would
do this. I don't want to think about it. :-)



_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.