Pre-crypto ransomware operations receiving billions through bank transfers is fantasy, or less euphemistically, a lie. Trying to hand wave away the absolutely-real logistical difficulties groups would be plagued by if they shifted to using global financial institutions instead of crypto is additionally dishonest.
It's neither fantasy, nor a lie. You shouldn't throw around accusations like that without actually familiarizing yourself with the topic.
Banking trojans were doing just that, and receiving that money is obviously far more challenging than ransom payments because the owner will tend to notice pretty quickly and want it back. Ransomware doesn't have this problem, they can just deliver the keys only after they actually have the money in their control.
BEC groups are stealing billions every year via bank transfers right now.
.ru crime forums are absolutely full of people who will handle the logistics for you. They'll provide you bank accounts to send the money to, and deliver you whatever is left after their cut. A regular customer with high volumes will get excellent rates. The logistics aren't a challenge because there is absolutely massive pre-existing infrastructure already available.
Ransomware isn't big because of crypto(currency), Winlockers were popularized well before crypto payments became common. Ransomware just happened to develop at the same time as crypto, not thanks to it.
That solution is to a problem that is not the topic of conversation here.
The problem is selective waiving of vetting processes due to political pressure and affiliation.
Acting as if the efficacy of the vetting process is a point relevant to this conversation either implies you believe they waived this process for these three due to their ineffectiveness - very much not the belief held by most observers, why just 3 then - otherwise it’s a pure strawman argument. Neither option is good.
If a company hires a new CEO and word leaks that HR exempted him from the background check, would you think “well, background checks have very high false negative rates anyway”, or would you think “what the hell is on that guy’s record!?”
This is not a story of incompetence. This is a story of corruption. Corruption that is seeping into processes that exist solely for the nation’s protection. If you are not arguing in bad faith, then I must assume you are passively commenting and did not care to read the article.
There are procedures to vet senior officials before handing them incredible amounts of power over the rest of the citizenry. These particular officials so happen to be part of an agency basically defined by structure, process, rules, and by a lexicon that does not contain the word "exception." If one step of the vetting process is to count how many freckles the candidate has on their left arm, then that is what they must do - no exceptions, no room for interpretation at the ground level, no "well, we could probably just skip this."
You obviously already know this, and the article of course discusses this as it is a defining component of this story; for example, very concisely:
"People familiar with the matter say his ascent to that position without passing a standard FBI background check was unprecedented."
"In fact, the FBI’s employment eligibility guidelines say all employees must obtain a “Top Secret” clearance in order to work at the agency following a background check. “The preliminary employment requirements include a polygraph examination,” the guidelines say."
"Former FBI officials said they could not recall a single instance in which a senior official like Bongino received a waiver and was then given a top secret clearance."
This story _should_ make one wonder: well, why did they break precedent and skip this part of the vetting process? What would they have been asked that perhaps they were trying to avoid discussing? Is there a chance there are real risks to placing these people in these positions, and why are we circumventing the safeguards intended to mitigate them? Is a podcaster with no qualifications for this role worth breaking security protocol & precedent? This is a story that gained media attention, I wonder if this is not a lone instance - what else could they be bending behind the scenes? Well, let's give them some benefit of the doubt - Is there perhaps actually a reasonable explanation for this that laypeople like us just wouldn't be aware of?
The article does answer some of these questions, such as "what could they be trying to avoid discussing" -
Polygraph examiners ask a standard list of questions about drug use, criminal history, foreign contacts and mishandling of classified information.
It also helps answer the "is there maybe a reasonable explanation?" question - and the answer is no, there surely is not, as instead of offering such a description they instead offered a lie:
The FBI spokesperson initially said the three officials are so-called Schedule C — a category reserved for political appointees. He said the status would mean they were “not required” to undergo polygraphs. But Daniel Meyer, a former executive director for the Inspector General of the Intelligence Community External Review Panel, told ProPublica that an FBI employee wouldn’t be excluded from taking a polygraph exam simply because they’re a Schedule C employee. Three other lawyers, who specialize in national security matters, said the same.
At no point in thinking critically about the situation relayed by this article should "well, polygraphs are bad anyway, so..." steer your thought. It is so "off" that the old forest-for-the-trees cliche isn't even applicable. Even if wanton and unprecedented disregard for process in a process-defined agency is generally not much of a concern to you, surely the fact that the disregarded process is one intended to weed out incompetence and people with intolerable levels of risk exposure from highly-privileged and sensitive agency roles should still raise significant alarm.
tldr; if your first thought after reading this article is "well, polygraphs are bad anyway" and not "what the hell may they be trying to hide", then you read the wrong article.
If there was some government program I was previously unaware of that pays organizations that were compromised by nation state hackers then I’m going to be upgrading all my networking infrastructure to F5 products and start reading up on BIG-IP migrations.
That is to say, sometimes nation state hackers _were_ behind the compromise. F5 is a very believable and logical target for such groups.
On the other hand, exploiting weaknesses in MITRE’s CVE program to create ticket management primitives, creating “shellcode” that composes them to implement a feature request tracking API, using it to manage your open source organization’s feature roadmap, sure would make for a great 2600 article…
  /*
   * Claude AI Military Grade - Navy SEAL Level Security
   */
I wonder how an AES implementation written by a Navy SEAL looks.
  // Note: Real AES decryption would be implemented here
  // For security in military systems, we only support one-way encryption
  void mil_crypto_decrypt(const char* ciphertext, char* plaintext, crypto_context_t* ctx) {
      // Decryption disabled for security - data remains encrypted
      // In real implementation, would use AES-128 decryption
      plaintext[0] = '\0';
  }
Just beautiful. The essence of vibe coding distilled into a few lines of… well, comments, and like one line of code.