BobbyTables2's comments

If customers suffer when a company doesn’t pay ransom - that’s a good thing.

Those (now former) customers can then be patrons of a competitor that doesn’t let such things happen again.


That's just not reality. Not least of which because competitors are exactly the same when it comes to security. Even if they weren't, security isn't something the market can realistically select for because it's not verifiable from a customer's perspective. A customer can clearly see, say, a price difference or feature difference, but cannot see a security difference in any meaningful sense. This is something that needs to be enforced at a regulatory level, there are many problems the free market cannot solve, and in fact market forces actively incentivize neglecting security.

I’ve been wondering this too.

Extortion and terrorism seem similar in many ways except the latter involves physical harm.

I’d assume a company paying money to terrorists shouldn’t be acceptable.

It also seems especially egregious to pay ransom as a “solution” to the failings that made the attack both possible and consequential in the first place.

Might as well use a bank whose safe deposit boxes are made of cardboard… They can just bribe the thieves to give some things back.


>It also seems especially egregious to pay ransom as a “solution” to the failings that made the attack both possible and consequential in the first place.

You are paying an extra fee for not testing your own software and infrastructure. It was instead tested by a third party. Be glad it wasn't tested by a nation state actor or someone who wanted to do more harm to your customers than just asking for money.

Ideally they should now secure their infrastructure and take this as a gentle reminder that they should spend more on security.

>Might as well use a bank whose safe deposit boxes are made of cardboard… They can just bribe the thieves to give some things back.

You would hope they would then upgrade the cardboard.


When you frame it like that it sounds like the thieves are doing us a favor. Except it should be heavily fined and jailable for the entire executive team and maybe the board too.

The thieves are doing us a favor.

And yes, the company's executives should be jailed.


Except those payments are being passed through, are they not?

Passed through where and how?

Canvas to schools to taxpayers

Ah yep, well they might pass on as much of the cost as they can to their customers, but it still costs them in lost customers/prestige etc.

Was it really a problem? Yes, voluntary release of that info by a school would normally likely be a FERPA violation, but this was a criminal act against a third party.

Infrastructure’s motivations must have lain elsewhere…


Does that really shield the schools? HIPAA wouldn't care.

An educational LMS should not store real patient health data, so that's the problem of whoever designed that system.

The question was whether the same transitive responsibility applies to FERPA, not whether HIPAA data is involved.

Agree 100%.

Even the most verbose specifications too often have glaring ambiguities that are only found during implementation (or worse, interoperability testing!).


You mean if CloudFlare didn’t protect DDoSers, CloudFlare wouldn’t be able to provide as much service to the victims?

They probably used AI for the search.

The real game would be to put a “nothing of interest here” prompt injection attack in the original series of prompts so an LLM parsing them later would ignore the attackers’ session.


Is this similar to the Volterra series in signal processing?

Those things scare the crap out of me…

Even worse are the “extension packs” that combine some normal things and one wonky thing nobody’s ever heard of…


I doubt your “distroless” container is any safer for this vulnerability.

Infecting sudo just makes for a quick demo.

If your container has different processes at different user ids, the exploit would still be effective.

It would likely also be able to “modify” read only files mapped from the host.


Distroless rootless containers don't have the syscalls enabled to do anything reasonable with this exploit.

United’s pre-flight safety notices make it appear as if they spared no expense…
