An Encounter with Ransomware

An organization which I am associated with (not Mozilla) recently had its network infected with the CryptoWall 3.0 ransomware, and I thought people might be interested in my experience with it.

The vector of infection is unknown but once the software ran, it encrypted most data files (chosen by extension) on the local hard drive and all accessible shares, left little notes everywhere explaining how to get the private key, and deleted itself. The notes were placed in each directory where files were encrypted, as HTML, TXT, PNG and as a URL file which takes you directly to their website.

Their website is accessible as either a TOR hidden service or over plain HTTP – both options are given. Presumably plain HTTP is for ease for less technical victims; Tor is for if their DNS registrations get attacked. However, as of today, that hasn’t happened – the site is still accessible either way (although it was down for a while earlier in the week). Access is protected by a CAPTCHA, presumably to prevent people writing automated tools that work against it. It’s even localised into 5 languages.

CryptoWall website CAPTCHA

The price for the private key was US$500. (I wonder if they set that based on GeoIP?) However, as soon as I accessed the custom URL, it started a 7-day clock, after which the price doubled to US$1000. Just like parking tickets, they incentivise you to pay up quickly, because argument and delay will just make it cost more. If you haven’t paid after a month, they delete your secret key and personal page.

While what these thieves do is illegal, immoral and sinful, they do run a very professional operation. The website had the following features:

  • A “decrypt one file” button, which allows them to prove they have the private key and re-establish trust. It is, of course, also protected by a CAPTCHA. (I didn’t investigate to see whether it was also protected by numerical limits.)
  • A “support” button, which allows you to send a message to the thieves in case you are having technical difficulties with payment or decryption.

The organization’s last backup was a point-in-time snapshot from July 2014. “Better backups” had been on the ToDo list for a while, but never made it to the top. After discussion with the organization, we decided that recreating the data would have taken much more time than the value of the ransom, and so we were going to pay. I tried out the “Decrypt One File” function and it worked, so I had some confidence that they were able to provide what they said they were.

I created a wallet at, and used an exchange to buy exactly the right amount of Bitcoin. (The first exchange I tried had a ‘no ransomware’ policy, so I had to go elsewhere.) However, when I then went to pay, I discovered that there was a 0.0001BTC transaction fee, so I didn’t have enough to pay them the full amount! I was concerned that they had automated validation and might not release the key if the amount was even a tiny bit short. So, I had to go on IRC and talk to friends to blag a tiny fraction of Bitcoin in order to afford the transfer fee.

I made the payment, and pasted the transaction ID into the form on the ransomware site. It registered the ID and set status to “pending”. Ten or twenty minutes later, once the blockchain had moved on, it accepted the transaction and gave me a download link.

While others had suggested that there was no guarantee that we’d actually get the private key, it made sense to me. After all, word gets around – if they don’t provide the keys, people will stop paying. They have a strong incentive to provide good ‘customer’ service.

The download was a ZIP file containing a simple Windows GUI app which was a recursive decryptor, plus text files containing the public key and the private key. The app worked exactly as advertised and, after some time, we were able to decrypt all of the encrypted files. We are now putting in place a better backup solution, and better network security.

A friend who is a Bitcoin expert did do a little “following the money”, although we think it went into a mixer fairly quickly. However, before it did so, it was aggregated into an account with $80,000+ in it, so it seems that this little enterprise is fairly lucrative.

So, 10/10 for customer service, 0/10 for morality.

The last thing I did was send them a little message via the “Support” function of their website, in both English and Russian:

Such are the ways of everyone who is greedy for unjust gain; it takes away the life of its possessors.

Таковы пути всех, кто жаждет преступной добычи; она отнимает жизнь у завладевших ею.

‘The time has come,’ Jesus said. ‘The kingdom of God has come near. Repent and believe the good news!’

– Пришло время, – говорил Он, – Божье Царство уже близко! Покайтесь и верьте в Радостную Весть!


Complaining about (BMO) is a Mozilla project activity as old as the hills. Back in 2009, it was realised by the Foundation that to make everyone happy was (and still is) an impossible task, and I was given a mandate to “help people solve their own problems”. So around September 2009, I released the first version of my Bugzilla API proxy software, BzAPI. This software presented a clean, well-documented RESTful interface on the front end, and did all sorts of things on the back end (XML, CSV, RPC, HTML scraping) that developers no longer had to worry about. We made a dev server VM for it so people could try it out –

It was popular. Extremely popular. People started building things, and then more things, all of which depended on this server for Bugzilla data. For various reasons, IT never got around to building a production instance, and so over the last five years, I’ve been maintaining this core piece of Mozilla project infrastructure, which was depended on by TBPL and many, many other tools which interfaced with Bugzilla. At its peak, it serviced 400,000 requests per day.

Over the intervening years, BMO itself acquired a REST API which slowly became more capable, and then a BzAPI-compatible API shim was implemented on top of it by the excellent dkl, so people could change their code to access BMO directly just by updating the endpoint URL. After a few false starts, requests to are now served directly by BMO, via that shim code. Earlier today, the api-dev VM was finally powered down.

Here’s to you, api-dev. Good job.

Alice and Bob Are Weird

Suppose Alice and Bob live in a country with 50 states. Alice is currently in state a and Bob is currently in state b. They can communicate with one another and Alice wants to test if she is currently in the same state as Bob. If they are in the same state, Alice should learn that fact and otherwise she should learn nothing else about Bob’s location. Bob should learn nothing about Alice’s location.

They agree on the following scheme:

  • They fix a group G of prime order p and generator g of G

Cryptographic problems. Gotta love ‘em.
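The scheme the post goes on to describe is not reproduced above, so what follows is an added example and not the author’s construction: one standard way to meet the three stated requirements is a Diffie-Hellman style private equality test in a prime-order group. Rather than a single generator g, it hashes each state name into G; it uses toy 64-bit parameters generated in the code (a constructed stand-in for a real MODP or elliptic-curve group), assumes both parties follow the protocol, and rests on the Decisional Diffie-Hellman assumption with SHA-256 treated as a random oracle.

```python
import hashlib
import random

# Toy parameters constructed for this example: a 64-bit safe prime p = 2q + 1 found by
# deterministic search, so the squares mod p form a subgroup G of prime order q.


def is_prime(n: int) -> bool:
    """Miller-Rabin with the first 12 prime bases: exact for 37 < n < 3.3e24."""
    r = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 = 2^r * d with d odd
    d = (n - 1) >> r
    for b in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(start: int) -> int:
    """Smallest p >= start with p = 2q + 1 and both p and q prime."""
    q = start // 2 | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


P = safe_prime(1 << 63)
Q = (P - 1) // 2  # prime order of G, the subgroup of squares mod P


def hash_to_group(state: str) -> int:
    """Map a state name to a non-identity element of G: hash, reduce mod P, square."""
    for counter in range(256):  # retry on the negligible chance of landing on 0 or +-1
        x = pow(int.from_bytes(hashlib.sha256(f"{counter}:{state}".encode()).digest(), "big") % P, 2, P)
        if x > 1:
            return x
    raise RuntimeError("hash_to_group failed")


def alice_round1(a: str, rng: random.Random):
    """Alice -> Bob: u = H(a)^r. With r uniform, u is uniform in G and says nothing about a."""
    r = rng.randrange(1, Q)
    return r, pow(hash_to_group(a), r, P)


def bob_round2(b: str, u: int, rng: random.Random):
    """Bob -> Alice: v = u^s and w = H(b)^s. Bob first checks that u really lies in G."""
    if not 1 < u < P or pow(u, Q, P) != 1:
        raise ValueError("u is not a non-identity element of G")
    s = rng.randrange(1, Q)
    return pow(u, s, P), pow(hash_to_group(b), s, P)


def alice_decide(r: int, v: int, w: int) -> bool:
    """w^r == v iff a == b; otherwise identifying b from H(a)^s and H(b)^s is a DDH instance."""
    return pow(w, r, P) == v


def same_state(a: str, b: str, seed: int = 1) -> bool:
    """Run the whole exchange locally with both parties honest; return Alice's answer."""
    rng = random.Random(seed)
    r, u = alice_round1(a, rng)
    v, w = bob_round2(b, u, rng)
    return alice_decide(r, v, w)
```

Bob’s membership check on u matters in practice: an element outside G (such as -1, which is a non-residue here) would let a misbehaving Alice learn bits of s from v.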

Signed Committer’s Agreements No Longer Required

For a long time, Mozilla has required people gaining commit access to our core repos to sign a Committer’s Agreement. This is not a copyright assignment or a transfer of rights; it’s basically a commitment to good behaviour, and to making sure code which gets into the tree is allowed to be there and is correctly licensed.

However, the logistics of printing it out, signing it, scanning/photographing it back in etc. were always a barrier to participation. In consultation with our legal team, we have decided that people simply assenting to the document is just as good so, as of now, people are no longer required to go through the process of signing it.

However, all people with commit access to any Mozilla repository are still expected to abide by it :-) We may be adding CONTRIBUTING files referencing the document to our GitHub repos to make this point more clear.

Samuel David Markham

I am overjoyed to announce the birth of our third son, Samuel David Markham, at 9.01am on the morning of 28th January 2015, weighing 8lb 0oz. Mother, father, baby and older brothers are all well :-)

He is called Samuel after:

  • The prophet and leader Samuel, who was called into God’s service at an early age, as recorded in the book of 1 Samuel;
  • Samuel Rutherford (1600 – 1661), a Scottish minister and representative at the Westminster Assembly, whose book Lex, Rex contains arguments foundational to a Christian understanding of good government;
  • Samuel Davies (1723 – 1761), American non-conformist preacher, evangelist and hymn writer, who showed we are all equal in God’s sight by welcoming black and white, slave and free to the same Communion table;
  • Samuel Crowther (1809 – 1891), the first black Anglican bishop in Africa, who persevered against unjust opposition and translated the Bible into Yoruba.

He is called David primarily after the King David in the Bible, who was “a man after God’s own heart” (a fact recorded in the book of 1 Samuel, 13:14).

“Interactive” Posters

Picture of advertising poster with sticker alongside with QR code and short URL

I saw this on a First Capital Connect train here in the UK. What could possibly go wrong?

Ignoring the horrible marketing-speak “Engage with this poster” header, several things can go wrong. I didn’t have NFC, so I couldn’t try that out. But scanning the QR code took me to which, at the time, was advertising for… Just Eat. Not Oops.

Similarly, texting “11518” to 78400 produced:

Thanks for your txt, please tap the link:

Std. msg&data rates may apply
Txt STOP to end
Txt HELP for help

which also produced content which did not match the displayed poster.

So clearly, the first risk is that the electronic interactive bits are not part of the posters themselves, and so the posters can be changed without the interactive parts being updated to match.

But also, there’s the secondary risk of QR codes – they are opaque to humans. Someone can easily make a sticker and paste a new QR code on top of the existing one, and no-one would see anything immediately amiss. But when you tried to “engage with this poster”, it would then take you to a website of the attacker’s choice.

Your Top 50 DOS Problems Solved

I was clearing out some cupboards at our family home when I came across a copy of “Your Top 50 DOS Problems Solved”, a booklet published free with “PC Answers” magazine in 1992 – 23 years ago. PC Answers has sadly not survived, closing in 2010, and its domain is now a linkfarm. However, the sort of problems people had in those days make fascinating reading.

Now I’ve finished blogging quotes from “Producing Open Source Software” (the updated version of which has, sadly, yet to hit our shelves), I think I’ll blog through these on an occasional basis. Expect the first one soon.

Credit as Currency

Credit is the primary currency of the free software world. Whatever people may say about their motivations for participating in a project, I don’t know any developers who would be happy doing all their work anonymously, or under someone else’s name. There are tangible reasons for this: one’s reputation in a project roughly governs how much influence one has, and participation in an open source project can also indirectly have monetary value, because some employers now look for it on resumés. There are also intangible reasons, perhaps even more powerful: people simply want to be appreciated, and instinctively look for signs that their work was recognized by others. The promise of credit is therefore one of the best motivators the project has. When small contributions are acknowledged, people come back to do more.

— Karl Fogel, Producing Open Source Software

The Zeroth Human Freedom

We who lived in concentration camps can remember those who walked through the huts comforting others, giving away their last piece of bread. They may have been few in number, but they offer sufficient proof that everything can be taken from a person but the last of the human freedoms – to choose one’s attitude to any set of circumstances – to choose our own way.

This quote is from From Death-Camp to Existentialism (a.k.a. Man’s Search for Meaning) by Victor Frankl. Frankl was an Austrian Jew who spent four years in concentration camps, and afterwards wrote a book about his experiences which has sold over 10 million copies. This quote was part of a sermon yesterday (on contentment) but I share it here because it’s very powerful, and I think it’s also very relevant to how communities live together – with Mozilla being a case in point.

Choosing one’s attitude to a set of circumstances – of which “someone has written something I disagree with and I have become aware of it” is but a small example – is an ability we all have. If someone even in the unimaginable horror of a concentration camp can still retain it, we should all be able to exercise it too. We can choose to react with equanimity… or not. We can choose to be offended and outraged and angry… or not. To say that we cannot do this is to say that we have lost the most basic of human freedoms. No. We are all more than the sum of our circumstances.

The Oatmeal and Religion

I’m a fan of The Oatmeal, with the odd reservation. But one cartoon in particular gets pointed out to me a lot – “How to suck at your religion”.

The trouble with arguing with him is that he’s a popular cartoonist, and I’m not. Cartoons suffer from the Twitter/Facebook effect – a humourous pithy short attack or condemnation of something is far more interesting and retweetable than any nuanced response to it. And then, of course, you get accused of having no sense of humour. And if he ever reads this post and takes offence, there’ll be cartoons lampooning me. Still, Jesus had to endure being mocked, so that’s an OK risk to take.

So, then, a few thoughts in response:

So is judging people wrong, then? Because there seems to be plenty of judgement in this comic. If it is wrong, then who says so, and who died and made them king? It’s easy to mock the moral stance of others, but rather difficult (if your understanding of the world doesn’t include an omnipotent moral lawgiver) to figure out why the morality you are in favour of should apply to other people. Should I not judge because a “silly web cartoonist” (his words) tells me not to? Morality can’t be hung from skyhooks.

This is before we even talk about what Jesus actually meant, in context, by “Do not judge, or you too will be judged”.

The Galileo affair was not the best moment in the life of the church. But the second comic makes the error that so many bits of reporting on stem cells make that one would almost think people are trying to hide the truth. There are two main types of stem cells – adult, and embryonic. Adult stem cells come from, well, adults, and I’ve never heard of anyone who has any theological problem with them. Embryonic stem cells are harvested from embryos, tiny people who are killed by the process. And that is a problem.

Thing is, which type of cells have been producing all the amazing treatments and treatment possibilities? Adult stem cells. A guy recently became able to walk again after they injected stem cells from his nose into his spine. That’s so awesome. By contrast, despite lots of positive talk, they can’t figure out how to stop the embryonic ones giving you cancer. And yet, every time there’s a “stem cell success” story, the church is castigated for “its opposition to stem cell research”, and people vow to continue the murder of microscopic human beings.

In the last panel, is he really asserting that anyone can make any old thing up, and the universe will bend to accommodate the wishes of the person concerned? Or just that it’s cool and righteous to affirm people in whatever rubbish they make up in their own minds? Also, no matter how politely phrased, “No-one really knows for sure” is dogma, plain and simple. All education is indoctrination – the question is simply “whose doctrine?”. What he is really saying is “don’t use your doctrine, use mine”.

I wonder if the Oatmeal had a kid, who was told “no-one really knows”, and who replied “well, I think God then decides who goes to heaven and who goes to hell, and I’m worried about your eternal soul”, he’d say “sure, sweetie”, or “NO. NO-ONE REALLY KNOWS FOR SURE AND THAT’S FINAL.” Given the rest of the comic’s antipathy towards Christianity…

My religion gives me no anxieties about my sexuality at all. However, what the Oatmeal is really saying is “any parameters religion puts around the correct use of sex are evil”. So is he in favour of no parameters at all (permitting every vile act one could imagine – you know I could list all the usual things which every country makes illegal) or does he just want to impose different parameters to the ones Christianity does? And if so, apart from the detail of what’s in and what’s out (ahem), how is his principle of imposing laws regarding the expression of sexuality any different from the principle that he mocks?

Christians who try and convince others that what they believe is true are not trying to “validate their beliefs”. There are no points from God for making more Christians. In fact, Christians can’t make more Christians – only God can do that. We don’t get any credit when it happens. Also, Christians are (or should be) specifically encouraged to avoid groupthink – the idea that if lots of people believe something, it must be true. (Incidentally, if you think Buddhists all leave people alone, read this and this.)

Fortunately, the real and true “awesome shit” is available to everyone. Including the Oatmeal.

Calling something ‘crazy’ is not an argument. It’s hard to refute a sneer. And, of course, his summary of what Christians believe is wrong in several places. If it’s such crazy nonsense, why not illustrate using the version Christianity teaches, rather than a straw man? Or is the real view not so crazy after all?

Amen to the general point here. Although the idea (which, I agree, is not his main point) that one should vote based on which policies are better for you personally is a sad, divisive and dangerous one. One should vote based on which policies are best for society as a whole. (For me, those are generally policies which make the law conform more closely to God’s law. YMMV.)

Yes, indeed. Je suis….

Yes, I would die for Jesus. Adam4d puts it well:

No, I would not kill for Jesus. However, the point of Christianity is not to “inspire people to help people” (although it does) or to make you happier (although it might) or to help you cope with the atheistic feeling of cosmic helplessness (although it does deal with it very effectively). Christianity is not utilitarian. The point is to have a real relationship with your Creator – to know Christ. Which is the most awesome thing in the world. Having experienced it, who would ever want to keep it to themselves?

Using Instantbird to Connect to IRC Servers Requiring a Username and Password

[Update 2014-01-16: A point of clarification. There are two possible ways to send a password for IRC. One is supported in the Instantbird UI – it’s the one that automatically identifies your nick with NickServ, the bot which makes sure people don’t steal other people’s nicks. The other, which is rarer but which I needed, involves sending a password to connect at all, using the PASS command in the IRC protocol. That is what is documented here.]

I was trying to do this; turns out it currently requires about:config manipulation and is not documented anywhere I can find.

Using about:config (type /about config in a message window, or access via Preferences), set the following prefs:


to the obvious values. Other useful tip: if the IRC server uses a self-signed cert, connect to it on the right port using Firefox and HTTPS, and you can save the cert out of the warning/exception dialog you get. You can then import it into Instantbird using the deeply-buried Certificate section of the Advanced Preferences and it will trust the cert and connect. (I think this is what I did, although memory is hazy.)

Avoid Mystery Process

Although the discussions around adding any particular new committer must be confidential, the rules and procedures themselves need not be secret. In fact, it’s best to publish them, so people realize that the committers are not some mysterious Star Chamber, closed off to mere mortals, but that anyone can join simply by posting good patches and knowing how to handle herself in the community. In the Subversion project, we put this information right in the developer guidelines document, since the people most likely to be interested in how commit access is granted are those thinking of contributing code to the project.

— Karl Fogel, Producing Open Source Software

Consumer Security Advice

Here’s an attempt at consumer security advice that I saw at a railway station recently. Apparently, secure sites are denoted by “https//” (sic). And it conflates a secure connection with trustworthiness. It’s good that people are trying, but we have a way to go…