[1]: https://www.haskell.org/ghc/blog/20210309-apple-m1-story.htm...

Break the population into groups:

1. Have a working dishwasher / don't need one

2. Old dishwasher is failing, looking for a new one

3. Just bought a new dishwasher, it works great

4. Just bought a new dishwasher, going to return it

I suspect group 4 is who they're targeting.

These are criminal actions, as they're not endorsed by the state.

But it doesn't have to reach the scale of war to be bad. The broader narrative is We Have To Do Something. And that Something is always grant the government more power. Why is it a good thing, for instance, that we're taking "unprecedented" steps?

The US has been dealing with ransoms, piracy, extortion since its founding. "From the halls of Montezuma, to the shores of Tripoli," the latter was one of our first expeditions to deal with piracy.

As there is plenty of precedent for dealing with this stuff, we should be very skeptical when the government insists it needs new powers.

I really came back to this post because I was struggling with Gradle and if there is a more perfect illustration of how a dry run mode could help than that, I don't know what it could be. Gradle builds are a fucking mystery, every time, and there's no excuse for it.

[1]: https://palletsprojects.com/p/click/

> I also get a lot of email from idiots who don't know their own address

Holy crap there are a lot of them. I've got one bank sending me the dude's statements. He's also been on some interesting trips, seen all his hotel stays, etc.

    1. do-step-one --dry-run
    2. (do validation)
    3. do-step-one --real-run
    4. (do validation)

Internally, I'd like an enum flag that's clearly dry_run or real_run, so the guards are using positive logic:

    switch(run) {
      case dry_run:
        print("Would do this...");
      case real_run:
        do_real_thing();
    }

[1]: https://www.investopedia.com/terms/business-owners-policy.as...

[2]: https://www.thebalancesmb.com/insuring-against-ransomware-an...

[3]: https://www.robertsonryan.com/2021/05/18/ransomware-insuranc...

The person who bought it.

There are cases covering a justifiable use of force because intentionally killing or harming a person is illegal, and self-defense is a defense against those charges.

It's normally perfectly legal to pay someone whatever you want. You don't need a defense against something that's not a crime. There's no conflict in paying a ransom, so there's no case law.

Regarding OFAC, as your link points out:

> One issue is that victim organizations are required to check the list of sanctioned entities; however, many times the true identity of the cybercriminals are not known.

I'm guessing there's no case law regarding paying ransoms to SDNs because nobody has an identity they can check.

But do we need case law when OFAC says:

> OFAC will consider a company’s self-initiated, timely and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining the enforcement outcome if the situation is determined to have a sanctions nexus.

If someone wanted to make a law against paying ransom, it would be quite novel and courts would have to look for applicable doctrine. I think the doctrine of self-defense would be a roadblock.

> Build it Yourself

> The DIY Edition is the only high-end laptop you can customize and assemble yourself from a kit of modules. Coming in at just 15.85mm thick and 1.3kg, the Framework Laptop delivers the modularity of a desktop in the form factor of a thin and light 13.5” notebook.

It's why, I think, such a law wouldn't pass Constitutional review.

If your person is threatened with imminent danger, you have a right to self-defense, we'll even let you commit intentional homicide if the threat is serious enough.

And self-defense also covers your property and livelihood to a lesser extent.

I think it'd be extremely hard to convince courts that this right to self-defense doesn't include negotiating with an attacker. Imagine if it were a crime to toss some money at a mugger and run away, for instance.

Arguably the bigger problem is you don't know that the ransomer will actually give you a valid key, but suppose you guess a likelihood P that they do.

Now you have some scenarios:

1. Don't pay. We're out $C.

2. Do pay, and get a valid key. We're out $R.

3. Do pay, and get no key. We're out $R + $C.

So the limit is at scenario 1 being equal to the combination of 2 and 3.

Set C = PR + (1-P)(R + C), and your max ransom R = CP

(You could probably work in additional costs for cleaning up even if the ransom is paid.)

Being legal means that you can run big mining operations, so you could clamp down on those and slow mining. That would not stop it, though.

Being legal means that it can be used to trade goods and services, and you could clamp down on that and harm its value as a currency.

And being legal means that legal businesses can exchange it for other currencies, so clamping down on that harms its liquidity.

Even if you can make it broadly illegal across the globe, it's hard to see how effective that would be. Illegality has made anything else on the black market go away, after all, and the whole point of a crypto-currency is to thrive despite government suppression.

For instance, look at the consumer market, which is where an executive without security knowledge is coming from. All the big VPN vendors make security promises that are, frankly, false advertising. AV products are notorious for including warnings for viruses that pad their counts. That's not counting all the security applications that are malware.

And if they talk to someone familiar with the industry side, they should hear some skepticism. All the static analyzers are full of flags for things that are there to drive up their numbers. There have been a few HN stories on junk CVEs that are filed so people can put them on their resume. I had to set up a WAF at work that proudly said it mitigated the OWASP top-ten (why the top ten? is #11 not important?) which include recommendations like logging that a WAF is plainly not doing. And then I tested its defense against SQL injection and it was trivial to bypass.

And if a business that isn't a tech company hires contractors to fix security issues, most of the time, those guys will do a lot of check the box BS. It's fundamentally difficult, from a business operations perspective, for a company to do security because: 1. the horizon problem that you bring up 2. it's a cost-center 3. it's not their core expertise 4. if you even ask what secure looks like, you either get filibustered with long lists of best practices, or a lot of hand waving but strident proclamations.