I wonder if this is a good decision - you have to be very afraid of the publication of this data to pay millions to blackmailers without being sure that they won’t be at your door again soon.
It’s becoming the standard to just pay the ransom. Many large companies have a cybersecurity insurance policy anyways. Plus on the hackers side, they have a reputation to maintain. If word gets out that a specific group isn’t decrypting after payment, they will be less likely to get paid in the future.
This isn’t a crypto locker hack though where you can verify pretty immediately if they’re going to keep their word by them decrypting your data.
In this case the hackers actually physically have the data and are threatening to make it public if you don’t pay.
There’s no way to verify that they will never release it once you pay them. They could just sit on it for years after getting paid and then come back and say pay up again or they’ll release it.
I work in the casino industry, our databases are full of ssns, addresses, emails, telephone numbers, birthdates, food/liquor/tobacco/vacation/entertainment preferences, players with lines of credit through us, people cash checks or get cash advances through their credit cards through us so we have that info, through our play history data you can infer habits of where someone is or isn’t at certain times, some casino companies are now offering “cashless/chip less” play which is an app on your phone hooked up to a bank account we set up for you and tie to Experian, etc etc etc
Casinos are essentially banks now, we have fuckloads of secure information and the casino industry hires the cheapest fucktards it can find on purpose to keep profits high. It’s no wonder we’re being targeted, we’re damn juicy targets. Even if IT tries our hardest, we’re handcuffed by cheap management and flat stupid users that fail phishing tests left and right and write down passwords on notepads or excel sheets
We can’t offer player points (that can be used on free play or free food or free hotel stays) without them being online and tracking the level of play on your card
It does if that user has rights to access those databases, that would be a non-zero number of marketing analysis, p&a, data scientists, IT staff who maintain that infrastructure, etc. The most dangerous one is a compromised IT admin account and from the looks of it that happened to MGM this week
Sadly this will probably not change unless attacks become so frequent that paying the ransom is more expensive than hiring competent people and teaching them proper opsec.
It’s bound to happen at some point, but I wouldn’t hold my breath.
Sadly we’ll never be able to reach proper IPsec to all staff, Kyle in marketing is ALWAYS going to fuck it up because he thinks he’s a big shot who makes great business moves by buying cheap casserole dishes to give to players as gifts. That numbnuts is going to click the obvious scam link every time thinking he just found a new deal
Much of that we do need to satisfy our regulatory requirements or offer products/services to players. You don’t get to be a big casino company by throwing a bunch of standalone slot machines in a building and having no reward/points program.
Are they a national group? A competitor? Another casino?
Or
A foreign government or a foreign entity … which begs the question … if it came to light that it was a hostile government … would it be classified as an act of provocation or even war?
For hacking a casino? A private business unrelated to any US domestic or foreign interests?
Not a chance in hell it would be an act of war. Businesses get hacked by China, Russia, North Korea, and Iran all the time. Hell, China hacked the US Office of Personnel Management and stole the security clearance records for 22 million people in 2015 and even that wasn’t declared an act of war.
If an adversarial government hacking the US military and stealing security clearance records isn’t an act of war, a bunch of rich mobsters having their casinos hacked sure as shit ain’t.
No one is going to war over a casino breach, now if they got Boeing or Lockheed or Raytheon and it’s proven to be the Russian state doing it then there’s a possibility but that would still be unprecedented to start a war over a cyber attack
Paying the ransom is the stupidest thing you can do when you’re hit with an attack.
Why?
Emboldens the attacker to keep attacking you because now they know you’ll pay them
Funds the attacker’s future attacks
No guarantee they’ll actually stop or recover your data
No guarantee they’ve actually left your environment without a complete rebuild.
A better use of ransom money would be to invest in a decent cybersecurity infrastructure to prevent this from happening in the first place, and to keep offsite backups.
Man, I wish people put this kind of effort into more important shit. Shitty wages, inhospitable environment incoming, and useless CEO fucks causing it all, BUT DAMN YOU UNITY!
Going after Vegas Casinos is funny but probably a bad idea for your long term health. Those kinds of people get pretty grumpy when you steal from them.
So, the leadership of Unity is a complete piece of shit, but death threats (or really, any other threat of violence) are just straight up idiotic. It’s a game engine company. There are much more fun and interesting (and, you know, legal) ways to kill the company in a commercial sense.
I feel bad for the regular workers there who can’t choose the direction of the company and need that job to live.
But frankly if they were all directed just to the CEO, I couldn’t be less bothered. Wealthy assholes don’t have empathy, don’t listen to reasons, aren’t bound by rules. Even lawsuits today are decided more by who has the most money than who is in the right. Maybe it’s not so bad if folks put some fear in him, specifically.
Sure, there are more worthy causes to direct that sort of outrage to. Then again there’s the livelihood of a large number of smaller creators to consider. This isn’t just about a fictional thing not being the way someone wanted.
Mm, I’m curious as to what the threats actually were. I’ve seen people claim they got death threats because someone tweeted “kys” at them in response to their homophobic bullshit.
Shitty Executive: “Oh shit, our terrible idea turned out to be wildly unpopular and we’re getting massive negative feedback! Quick, play the death threats card to make us look like the victim!”
Perhaps they could pay a small fee to not receive them.
Or purchase the Happy Customer Times Season Pass, where for 12 months they only receive feedback telling them how awesome they’re doing. Only $39.99 per employee!
*fees are liable to change at any time without notice, new prices may be applied retroactively
20 cents for every death threat not sent? Sure! Whos counting? Dont worry, our propiertary system counts every unsent message, you only need to pay up ^(works every previously unsent message, but only if you got more than 200 000 the past year, we got you)
Bit seriously, why do some people always so eager to send death threats? It almost never achieves anything, gets you on the moral low ground and doesn’t even get to the right persons the first place.
I’m sure there’s a PR playbook somewhere with a flowchart that says, did you screw up really badly and you look like the villain? - yes - There’s public outrage? - yes - say there’s death threats
nobody who makes public death threats is gonna do shit. why would you announce and make a public record of a crime you are about to commit? hashtag #bankrobbery? another joke of a corporate move, unless it’s a lie to get sympathy. Way overblown reaction for somebody just angry and probably talking shit.
feel like a beefed up law enforcement presence for a couple weeks enough to stop that if it’s just one person dumb enough to stroll in the front door with a facetiming iPhone and a .45, this seems like an extreme reaction for something that was probably not even a literal death threat to begin with.
I strongly recommend looking in to how this has gone down for a lot of Influencers and the like (since coders and journalists tend to be a lot more quiet about it). For all his flaws, moistcritikal did a really good video on this a few years (?) back regarding one of the bigger female streamers. He, of course, ruined it by treating it like a cool ass event when the stalker got arrested but…
The reality is that cops don’t give a shit. You can provide the details of the death threats against you and they will just say to call them if something happens. And even then, they will do their best to not get involved even while someone is standing outside your door. This is why, every so often, you hear about something like Gavin Free and Meg Turney having their stalker break into their home with a loaded weapon and either dying by suicide or cop. They had reported it countless times before but it wasn’t until the guy was forcibly breaking into their home that the cops gave a shit.
And there are plenty more situations like that which don’t involve two of the most public people on the internet who work for a company that will farm clout out of anything.
Like, back during the height of Gamergate, a very good friend of mine literally had to go into hiding because he was targeted by the mob for the crime of… writing a few articles. He, his wife, and their newborn had reported the death and rape threats to the cops repeatedly and even had a different friend help track down the sources of some of the more credible ones (let’s not go into details on how…) and provide a paper trail. Nothing. He was literally on the phone with 911 begging for help when one of the stalkers was standing outside his home with an assault rifle. Dispatch only even sent a cop AFTER they heard the gunshots on the call as the monster unloaded on their home. And guess what? Cops didn’t give a shit after the fact either and it was up to him to take his family and go into hiding for a few months before taking a new, much lower profile, job writing press releases.
For what its worth? His former employers wanted to go public with that. He threatened to sue them to hell and back if they did because all he cared about was keeping his family alive. And that is not an isolated incident.
sorry tbh I’m sure this may have been a legit point but this was too long of a rant for me to fully read. can someone tldr this for me?
I dunno this feels like some truths were stretched, if you call the cops with a man standing outside your house with an assault rifle they would definitely dispatch someone in any state but maybe texas
People are indeed stupid. There’s a reason the Mafia’s #1 rule was “keep your fuckin’ mouth shut.” If you’re going to commit a crime, don’t talk about it just do it.
Discuss, yes, but only verbally. And even then obliquely. “Take him to that spot, you know the one, over by where Leon used to work.” Stuff should never be written down because you’re just asking for it to turn up as evidence somewhere.
Starting on January 1, developers will be charged a fee every time someone installs a game built in Unity after they reach certain revenue or install thresholds.
Obviously death threats are not ok, but for fucks sake, that change is insane. People may install games many times for many reasons, like switching drives, computer, OS or debugging, or corruption, or because they go back to it after not playing for a while.
How is it a good model to charge for repeated installs?
The decision sparked an astonishing backlash against Unity from across the gaming industry,
I bet, this will threaten some people on their livelihood, and if you are 90% finished on a project, it’s an insane change that will force you to switch to another engine, and could kill several projects.
Also as a user, this increases the need and amount of DRM mechanics, which we need less not more of.
I hope Unity will see a massive dive in customers on these policies. This is the kind of decision a company deserves bankruptcy for. And the CEO John Riccitiello deserves to be fired without benefits, and never hired as CEO again.
Edit PS:
The fee is up to $0.20, that’s steep and would mean the end of sub $10 games. This would hurt single and indie developers very much.
Luckily there are other engines, but Unity used to be among the good ones, now they’ve become an untrustworthy player, and that decreases competition for the entire field.
Unreal is much more entrenched than Unity is. At the AAA level, more places hire Unreal devs than Unity devs.
Unity is popular with indies because it’s dead simple (Unreal is a complex monster of an engine). But even Unreal doesn’t have a monopoly, between things like Source, Lumberyard (which is now FOSS and run by the Linux Foundation), etc. Not to mention you can always roll your own engine, which many places already have.
engadget.com
Hot