
"The hackers stated that they attempted to contact Red Hat with an extortion demand but received no response other than a templated reply instructing them to submit a vulnerability report to their security team."

Just hilarious



You didn't give the kicker:

"According to them, the created ticket was repeatedly assigned to additional people, including Red Hat's legal and security staff members."

Summarized: Given enough eyeballs, all extortion demands are fallow.


And then there's more, via 404:

“Since RedHat doesn't want to answer to us,” the hackers wrote in a channel on Telegram viewed by 404 Media, suggesting they have attempted to contact Red Hat. [...]

“We have given them too much time already to answer lol instead of just starting a discussion they kept ignoring the emails,” the message added. In another message, the group said it had “gained access to some of their clients' infrastructure as well, already warned them but yeah they preferred ignoring us.”

https://www.404media.co/red-hat-investigating-breach-impacti...



"Since RedHat doesn't want to answer to us"

First rule of having someone reply: spell their name correctly.


To be fair, once your data has been stolen, it doesn't make sense to engage with the hackers. There is no way to guarantee that the stolen data won't be used.

What you must do immediately is notify the affected customers, bring down or lock the affected services, and contact the authorities.


I'm a customer and the first I'm hearing about this is from HN.


There is no guarantee anywhere (strictly speaking, including in the legal market), but that doesn't mean that paying has no effect on the probability of data being dumped. Notification is an independent requirement.


There is an interesting dynamic/risk in play:

If an attacker makes an extortion threat, but then still follows through on the release/damage after being paid, then people are not incentivized to engage with you, and will go into attack mode right away, making it riskier for you.

HOWEVER, if the attacker makes the extortion threat, takes payment, and then honors the agreement, and ends the transaction, then parties are more inclined to just pay to make the problem go away. They know that the upfront price is the full cost of the problem.

I've seen that there are 'ethical attackers' out there that move on after an attack, but you never know what kind you're dealing with :-/ "Never negotiate...."


Then the hacker org spins up a new name (like a shitty construction LLC) and robs the next guy.

Reputation isn't all that useful for extortion.

Running all your crimes as the "Wet Bandits" makes it much easier for law enforcement if they do catch up with you.


There's no way to guarantee that I won't get in a car accident. So I pay for insurance. I may never need it, it may never come in handy, but it still makes sense to carry the policy.


fallow == marked by inactivity

Thanks, hadn't encountered this word before.


Normally used with farming; you run the land two years, and then leave it fallow for a year to recover.


Linus' Law used a different word.


Corpo cyberpunk


This whole process happening is exactly what happens in a quest in Cyberpunk 2077. There’s an e-mail chain where a gang tried to extort a corporation and gave up after being unable to reach a person.

I sincerely hope that the game doesn’t become prophetic in the manner Idiocracy has.


Can't be extorted if you can't be reached. Such a two-brain move!


made my day



