Wednesday, May 25, 2022

Black Mesa Definitive Edition

An absolutely outstanding update to a classic game.

"Black Mesa is a 2020 first-person shooter game developed and published by Crowbar Collective.  It is a third-party remake of Half-Life (1998) made in the Source game engine.  Originally published as a free mod in September 2012, Black Mesa was approved by Half-Life developers Valve for a commercial release; the first commercial version was published as an early-access version in May 2015, followed by a full release in March 2020 for Microsoft Windows and Linux.

Black Mesa was developed in response to Half-Life: Source (2005), Valve's port of Half-Life to the Source engine, which lacked new features or improvements.  Two teams wanted to improve on the Source remake and eventually merged to become Crowbar Collective.  While they had originally targeted a release by 2009, the team realized they had rushed to this point and reevaluated their efforts to improve the quality of the remake.

Since then, attention to details, adapting the game to an improved version of the Source engine, and completely reworking the oft-derided final chapters of Half-Life (known as Xen) had lengthened the development efforts of the remake.  Due to its long development time, the modification became notable for its delays on the status of its completion.  Major changes include re-skinned collection of textures, models and NPCs, a longer runtime, improved level and puzzle design along with challenging enemy artificial intelligence, and additional dialogue and story elements." - Wikipedia

The game consists of chapters/episodes:  Office Complex, We Have Got Hostiles, Blast Pit, Power Up, On a Rail, Apprehension, Residue Processing, Questionable Ethics, Surface Tension, Forget About Freeman, Lambda Core, Xen, Gonarch's Lair, Interloper, Nihilant, Endgame (high-lighted are the additions to the original Half-Life game)

Game play consists of solving 'puzzles' aka finding objects you need, performing jumps, finding paths to locations, all the while while fending off enemies.  Really, really fun to play.

There are good guides and walkthroughs including "Black Mesa Definitive Edition FULL GAME Gameplay Walkthrough No Commentary (PC)" video.

Saturday, November 20, 2021

RPG - Kingdom Come: Deliverance

Kingdom Come: Deliverance is a 2018 action role-playing video game developed by Warhorse Studios and published by Deep Silver for Microsoft Windows, PlayStation 4, and Xbox One.  It is set in the medieval Kingdom of Bohemia, an Imperial State of the Holy Roman Empire, with a focus on historically accurate content.

The story takes place during a war in Bohemia in 1403, in the times of King Wenceslaus IV.  On the orders of Hungarian King Sgismund, half-brother of Wenceslaus, Cuman mercenaries raid the mining village of Skalitz, a major source of silver.  One of the survivors of the resulting massacre is Henry, the son of a blacksmith.  Destitute and vengeful, Henry joins the service of Lord Radzig Kobyla, who leads a resistance movement against Sigismund's invasion.  As Henry pursues justice for his murdered family, he becomes involved in an effort to restore Bohemia's rightful king and Sigismund's half-brother, Wenceslaus IV, to the throne.  The game features branching quest lines, an open world environment, and period-accurate weapons, clothing, combat techniques, and architecture (recreated with the assistance of architects and historians), which encourages immersive gameplay.  - Wikipedia

I just completed my first full game play-through and found this is an outstanding RPG game.  Especially with the Developer Mode enabled (more later).

A Before You Buy look:


Kingdom Come: Deliverance is an action role-playing game set in an open-world environment and played from a first-person perspective.  It utilizes a classless role-playing system, allowing the player to customize their skills to take on roles such as warrior, bard, thief, or a hybrid of these.  Abilities and stats grow depending on what the player does and says through branched dialogue trees.  During conversations, the time a player takes to make a decision is limited and has an effect on their relationships with others.  Reputation is based on player choices and therefore can bring consequences.

Character bodies and faces are created through the combination of multiple, individual pieces with finishing touches.  The clothing system features 16 item slots and items on many areas of the body that can be layered.  For example, a heavily armored knight may on his upper body wear a Gambeson, followed by mail and plate amour, with a Tabard or Surcoat over top, for a total of four clothing items in the chest slots.  Each clothing type provides different levels of protection against different types of weapons.  Clothing also gets progressively more worn, dirty, or bloody through use, affecting the character's appearance.  The player is able to use a variety of weapons, including swords, knives, axes, hammers, and bows.  Horses are featured heavily in the game, and are designed to act with their own AI while under the player's control, moving or jumping to avoid small obstacles or dangers.  The player can also fight from horseback and use their steed to carry items if they need additional inventory space, but warhorses are also competent combatants with their own AI.  Steeds come with five slots for armor and attachments.

Character bodies and faces are created through the combination of multiple, individual pieces with finishing touches.  The clothing system features 16 item slots and items on many areas of the body that can be layered.  For example, a heavily armored knight may on his upper body wear a Gambeson, followed by mail and plate amour, with a Tabard or Surcoat over top, for a total of four clothing items in the chest slots.  Each clothing type provides different levels of protection against different types of weapons.  Clothing also gets progressively more worn, dirty, or bloody through use, affecting the character's appearance.  The player is able to use a variety of weapons, including swords, knives, axes, hammers, and bows.  Horses are featured heavily in the game, and are designed to act with their own AI while under the player's control, moving or jumping to avoid small obstacles or dangers.  The player can also fight from horseback and use their steed to carry items if they need additional inventory space, but warhorses are also competent combatants with their own AI.  Steeds come with five slots for armor and attachments.

Kingdom Come: Deliverance also features a needs system which requires the player to sleep and eat in order to stay healthy.  Equipment and clothing also degrade and require repair.  Foodstuffs and other perishable items will spoil over time.  The game uses skill/stat-based mini-games for many of these tasks, including weapon and armor repair, as well as for gathering new items by Picking Locks or Pockets, distilling alcohol, or creating medicines.  The game uses long- and short-ranged weapons in combat which is based on a physics system using inverse kinematics to determine the reactions of both combatants based on the speed and weight of a blow.  This system aims to add greater variety and realism to the combat, coupled with a variety of basic combat moves and combination moves, some of which can be unlocked by skill points.  Different weapons have different characteristics, making them useful for different purposes.  For example, a sword is a quick weapon for striking and parrying, but is not very effective against heavy armor.

Character bodies and faces are created through the combination of multiple, individual pieces with finishing touches.  The clothing system features 16 item slots and items on many areas of the body that can be layered.  For example, a heavily armored knight may on his upper body wear a Gambeson, followed by mail and Plate Amour, with a Tabard or Surcoat over top, for a total of four clothing items in the chest slots.  Each clothing type provides different levels of protection against different types of weapons.  Clothing also gets progressively more worn, dirty, or bloody through use, affecting the character's appearance.  The player is able to use a variety of weapons, including Swords, Knives [aka Daggers for stealth kills], Axes, Hammers, and Bows.  Horses are featured heavily in the game, and are designed to act with their own AI while under the player's control, moving or jumping to avoid small obstacles or dangers.  The player can also fight from horseback and use their steed to carry items if they need additional inventory space, but warhorses are also competent combatants with their own AI.  Steeds come with five slots [Inventory (transfers from player Inventory), Tack] for armor and attachments.

Quests are intended to be nonlinear, with multiple ways to complete objectives to allow multiple character types to be viable.  The storyline features some large-scale events such as castle sieges and large battles.  Every non-player character (NPC) has a daily routine, and every routine can be affected by the player.  Characters are able to react to all player actions and adjust their routines to them.  NPCs will report crimes to authorities, who will punish the player accordingly, either with a fine or time in jail.  Crime will affect economics and people will get suspicious or aggressive after unresolved crimes.  - Wikipedia

Quests & Tasks

Main Quests - These are the primary quests that need to be done to complete the game.

Side Quests - These are quest that MAY be need to complete a Main Quest in which case they automatically start, or are standalone quest that can be ignored.

Tasks - These need to be done as needed by a quest and are loaded automatically (steps in a sequence) and sometimes can be skipped.

Inventory/Player/Horse/Questlog/Map/Other Displays


Developer Mode - Cheats

The first thing is to go to Nexus Mods Kingdom Come: Deliverance cheat page (current version 1.3.5).

Highly, HIGHLY, suggest printing the full Install & Usage instructions.

Key cheat commands which are case sensitive (lower):

  • cheat[Tab] will list all cheats
  • Enter a cheat code followed by [space]?
  • EXAMPLE: "cheat_add_item ?" (without quotes) will list any parameters required and examples.

Most useful codes:

  • cheat_add_item id: string:{string} amount:# (# default = 1)

Another example using unique string: cheat_add_item id:torch amount:5 - This will add 5 troches to you Inventory, Weapon tab.  Warning you need equip a torch when in a town or you are committing a crime.

  • cheat_add_buff_immortal (no parameters) - This is the equivalent of God Mode and needs reset each game start.
  • cheat_repair_all_items (no parameters) - Does what it says including spoiled food, you need to check you Inventory to re-equip repaired items.
  • cheat_add_money amount:# - Where # = the amount of Groschen (name of money in game) x 0.1 (9000 = 900).
  • cheat_teleport_horse (no parameters) - Will teleport your hose (AFTER you own one Pebbles) to your location IF he is on the map.


Most helpful game guide site Game Pressure.


CLOSING: For those who like RPG games this one is well worth playing.

Monday, May 24, 2021

HELD FOR RANSOM - Colonial Pipeline and U.S. Infrastructure

"The Colonial Pipeline Ransomware Hackers Had a Secret Weapon: Self-Promoting Cybersecurity Firms" by Renee Dudley and Daniel Golden, ProPublica 5/24/2021

This story was co-published with MIT Technology Review.

On Jan 11, antivirus company Bitdefender said it was “happy to announce” a startling breakthrough.  It had found a flaw in the ransomware that a gang known as DarkSide was using to freeze computer networks of dozens of businesses in the U.S. and Europe.  Companies facing demands from DarkSide could download a free tool from Bitdefender and avoid paying millions of dollars in ransom to the hackers.

But Bitdefender wasn’t the first to identify this flaw.  Two other researchers, Fabian Wosar and Michael Gillespie, had noticed it the month before and had begun discreetly looking for victims to help.  By publicizing its tool, Bitdefender alerted DarkSide to the lapse, which involved reusing the same digital keys to lock and unlock multiple victims.  The next day, DarkSide declared that it had repaired the problem, and that “new companies have nothing to hope for.”

“Special thanks to BitDefender for helping fix our issues,” DarkSide said.  “This will make us even better.”

DarkSide soon proved it wasn’t bluffing, unleashing a string of attacks.  This month, it paralyzed the Colonial Pipeline Co., prompting a shutdown of the 5,500 mile pipeline that carries 45% of the fuel used on the East Coast, quickly followed by a rise in gasoline prices, panic buying of gas across the Southeast and closures of thousands of gas stations.  Absent Bitdefender’s announcement, it’s possible that the crisis might have been contained, and that Colonial might have quietly restored its system with Wosar and Gillespie’s decryption tool.

Instead, Colonial paid DarkSide $4.4 million in Bitcoin for a key to unlock its files.  “I will admit that I wasn’t comfortable seeing money go out the door to people like this,” CEO Joseph Blount told The Wall Street Journal.

The missed opportunity was part of a broader pattern of botched or half-hearted responses to the growing menace of ransomware, which during the pandemic has disabled businesses, schools, hospitals and government agencies across the country.  The incident also shows how antivirus companies eager to make a name for themselves sometimes violate one of the cardinal rules of the cat-and-mouse game of cyber-warfare: Don’t let your opponents know what you’ve figured out.  During World War II, when the British secret service learned from decrypted communications that the Gestapo was planning to abduct and murder a valuable double agent, Johnny Jebsen, his handler wasn’t allowed to warn him for fear of cluing in the enemy that its cipher had been cracked.  Today, ransomware hunters like Wosar and Gillespie try to prolong the attackers’ ignorance, even at the cost of contacting fewer victims.  Sooner or later, as payments drop off, the cybercriminals realize that something has gone wrong.

Whether to tout a decryption tool is a “calculated decision,” said Rob McLeod, senior director of the threat response unit for cybersecurity firm eSentire.  From the marketing perspective, “You are singing that song from the rooftops about how you have come up with a security solution that will decrypt a victim’s data.  And then the security researcher angle says, ‘Don’t disclose any information here.  Keep the ransomware bugs that we’ve found that allow us to decode the data secret, so as not to notify the threat actors.’”

Wosar said that publicly releasing tools, as Bitdefender did, has become riskier as ransoms have soared and the gangs have grown wealthier and more technically adept.  In the early days of ransomware, when hackers froze home computers for a few hundred dollars, they often couldn’t determine how their code was broken unless the flaw was specifically pointed out to them.

Today, the creators of ransomware “have access to reverse engineers and penetration testers who are very very capable,” he said.  “That’s how they gain entrance to these oftentimes highly secured networks in the first place.  They download the decryptor, they disassemble it, they reverse engineer it and they figure out exactly why we were able to decrypt their files.  And 24 hours later, the whole thing is fixed.  Bitdefender should have known better.”

It wasn’t the first time that Bitdefender trumpeted a solution that Wosar or Gillespie had beaten it to.  Gillespie had broken the code of a ransomware strain called GoGoogle and was helping victims without any fanfare, when Bitdefender released a decryption tool in May 2020.  Other companies have also announced breakthroughs publicly, Wosar and Gillespie said.

“People are desperate for a news mention, and big security companies don’t care about victims,” Wosar said.

Bogdan Botezatu, director of threat research at Bucharest, Romania-based Bitdefender, said the company wasn’t aware of the earlier success in unlocking files infected by DarkSide.  Regardless, he said, Bitdefender decided to publish its tool “because most victims who fall for ransomware do not have the right connection with ransomware support groups and won’t know where to ask for help unless they can learn about the existence of tools from media reports or with a simple search.”

Bitdefender has provided free technical support to more than a dozen DarkSide victims, and “we believe many others have successfully used the tool without our intervention,” Botezatu said.  Over the years, Bitdefender has helped individuals and businesses avoid paying more than $100 million in ransom, he said.

Bitdefender recognized that DarkSide might correct the flaw, Botezatu said.  “We are well aware that attackers are agile and adapt to our decryptors.”  But DarkSide might have “spotted the issue” anyway.  “We don’t believe in ransomware decryptors made silently available.  Attackers will learn about their existence by impersonating home users or companies in need, while the vast majority of victims will have no idea that they can get their data back for free.”

The attack on Colonial Pipeline, and the ensuing chaos at the gas pumps throughout the Southeast, appears to have spurred the federal government to be more vigilant.  President Joe Biden issued an executive order to improve cybersecurity and create a blueprint for a federal response to cyberattacks.  DarkSide said it was shutting down under U.S. pressure, although ransomware crews have often disbanded to avoid scrutiny and then re-formed under new names, or their members have launched or joined other groups.

“As sophisticated as they are, these guys will pop up again, and they’ll be that much smarter,” said Aaron Tantleff, a Chicago cybersecurity attorney who has consulted with 10 companies attacked by DarkSide.  “They’ll come back with a vengeance.”

At least until now, private researchers and companies have often been more effective than the government in fighting ransomware.  Last October, Microsoft disrupted the infrastructure of Trickbot, a network of more than 1 million infected computers that disseminated the notorious Ryuk strain of ransomware, by disabling its servers and communications.  That month, ProtonMail, the Swiss-based email service, shut down 20,000 Ryuk-related accounts.

Wosar and Gillespie, who belong to a worldwide volunteer group called the Ransomware Hunting Team, have cracked more than 300 major ransomware strains and variants, saving an estimated 4 million victims from paying billions of dollars.

By contrast, the FBI rarely decrypts ransomware or arrests the attackers, who are typically based in countries like Russia or Iran that lack extradition agreements with the U.S.  DarkSide, for instance, is believed to operate out of Russia.  Far more victims seek help from the Hunting Team, through websites maintained by its members, than from the FBI.

The U.S. Secret Service also investigates ransomware, which falls under its purview of combating financial crimes.  But, especially in election years, it sometimes rotates agents off cyber assignments to carry out its better-known mission of protecting Presidents, Vice Presidents, major party candidates and their families.  European law enforcement, especially the Dutch National Police, has been more successful than the U.S. in arresting attackers and seizing servers.

Similarly, the U.S. government has made only modest headway in pushing private industry, including pipeline companies, to strengthen cybersecurity defenses.  Cybersecurity oversight is divided among an alphabet soup of agencies, hampering coordination.  The Department of Homeland Security conducts “vulnerability assessments” for critical infrastructure, which includes pipelines.

It reviewed Colonial Pipeline in around 2013 as part of a study of places where a cyberattack might cause a catastrophe.  The pipeline was deemed resilient, meaning that it could recover quickly, according to a former DHS official.  The department did not respond to questions about any subsequent reviews.

Five years later, DHS created a pipeline cybersecurity initiative to identify weaknesses in pipeline computer systems and recommend strategies to address them.  Participation is voluntary, and a person familiar with the initiative said that it is more useful for smaller companies with limited in-house IT expertise than for big ones like Colonial.  The National Risk Management Center, which oversees the initiative, also grapples with other thorny issues such as election security.

Ransomware has skyrocketed since 2012, when the advent of Bitcoin made it hard to track or block payments.  The criminals’ tactics have evolved from indiscriminate “spray and pray” campaigns seeking a few hundred dollars apiece to targeting specific businesses, government agencies and nonprofit groups with multimillion-dollar demands.

Attacks on energy businesses in particular have increased during the pandemic — not just in the U.S. but in Canada, Latin America and Europe.  As the companies allowed employees to work from home, they relaxed some security controls, McLeod said.

Since 2019, numerous gangs have ratcheted up pressure with a technique known as “double extortion.”  Upon entering a system, they steal sensitive data before launching ransomware that encodes the files and makes it impossible for hospitals, universities and cities to do their daily work.  If the loss of computer access is not sufficiently intimidating, they threaten to reveal confidential information, often posting samples as leverage.  For instance, when the Washington, D.C., police department didn’t pay the $4 million ransom demanded by a gang called Babuk last month, Babuk published intelligence briefings, names of criminal suspects and witnesses, and personnel files, from medical information to polygraph test results, of officers and job candidates.

DarkSide, which emerged last August, epitomized this new breed.  It chose targets based on a careful financial analysis or information gleaned from corporate emails.  For instance, it attacked one of Tantleff’s clients during a week when the hackers knew the company would be vulnerable because it was transitioning its files to the cloud and didn’t have clean backups.

To infiltrate target networks, the gang used advanced methods such as “zero-day exploits” that immediately take advantage of software vulnerabilities before they can be patched.  Once inside, it moved swiftly, looking not only for sensitive data but also for the victim’s cyber insurance policy, so it could peg its demands to the amount of coverage.  After two to three days of poking around, DarkSide encrypted the files.

“They have a faster attack window,” said Christopher Ballod, associate managing director for cyber risk at Kroll, the business investigations firm, who has advised half a dozen DarkSide victims.  “The longer you dwell in the system, the more likely you are to be caught.”

Typically, DarkSide’s demands were “on the high end of the scale,” $5 million and up, Ballod said.  One scary tactic: If publicly traded companies didn’t pay the ransom, DarkSide threatened to share information stolen from them with short-sellers who would profit if the share price dropped upon publication.

DarkSide’s site on the dark web identified dozens of victims and described the confidential data it claimed to have filched from them.  One was New Orleans law firm Stone Pigman Walther Wittmann.  “A big annoyance is what it was,” attorney Phil Wittmann said, referring to the DarkSide attack in February.  “We paid them nothing,” said Michael Walshe Jr., chair of the firm’s management committee, declining to comment further.

Last November, DarkSide adopted what is known as a “ransomware-as-a-service” model.  Under this model, it partnered with affiliates who launched the attacks.  The affiliates received 75% to 90% of the ransom, with DarkSide keeping the remainder.  As this partnership suggests, the ransomware ecosystem is a distorted mirror of corporate culture, with everything from job interviews to procedures for handling disputes.  After DarkSide shut down, several people who identified themselves as its affiliates complained on a dispute resolution forum that it had stiffed them.  “The target paid, but I did not receive my share,” one wrote.

Together, DarkSide and its affiliates reportedly grossed at least $90 million.  Seven of Tantleff’s clients, including two companies in the energy industry, paid ransoms ranging from $1.25 million to $6 million, reflecting negotiated discounts from initial demands of $7.5 million to $30 million.  His other three clients hit by DarkSide did not pay.  In one of those cases, the hackers demanded $50 million.  Negotiations grew acrimonious, and the two sides couldn’t agree on a price.

DarkSide’s representatives were shrewd bargainers, Tantleff said.  If a victim said it couldn’t afford the ransom because of the pandemic, DarkSide was ready with data showing that the company’s revenue was up, or that COVID-19’s impact was factored into the price.

DarkSide’s grasp of geopolitics was less advanced than its approach to ransomware.  Around the same time that it adopted the affiliate model, it posted that it was planning to safeguard information stolen from victims by storing it in servers in Iran.  DarkSide apparently didn’t realize that an Iranian connection would complicate its collection of ransoms from victims in the U.S., which has economic sanctions restricting financial transactions with Iran.  Although DarkSide later walked back this statement, saying that it had only considered Iran as a possible location, numerous cyber insurers had concerns about covering payments to the group.  Coveware, a Connecticut firm that negotiates with attackers on behalf of victims, stopped dealing with DarkSide.

Ballod said that, with their insurers unwilling to reimburse the ransom, none of his clients paid DarkSide, despite concerns about exposure of their data.  Even if they had caved in to DarkSide, and received assurances from the hackers in return that the data would be shredded, the information might still leak, he said.

During DarkSide’s changeover to the affiliate model, a flaw was introduced into its ransomware.  The vulnerability caught the attention of members of the Ransomware Hunting Team.  Established in 2016, the invitation-only team consists of about a dozen volunteers in the U.S., Spain, Italy, Germany, Hungary and the U.K.  They work in cybersecurity or related fields.  In their spare time, they collaborate in finding and decrypting new ransomware strains.

Several members, including Wosar, have little formal education but an aptitude for coding.  A high school dropout, Wosar grew up in a working-class family near the German port city of Rostock.  In 1992, at the age of 8, he saw a computer for the first time and was entranced.  By 16, he was developing his own antivirus software and making money from it.  Now 37, he has worked for antivirus firm Emsisoft since its inception almost two decades ago and is its chief technology officer.  He moved to the U.K. from Germany in 2018 and lives near London.

He has been battling ransomware hackers since 2012, when he cracked a strain called ACCDFISA, which stood for “Anti Cyber Crime Department of Federal Internet Security Agency.”  This fictional agency was notifying people that child pornography had infected their computers, and so it was blocking access to their files unless they paid $100 to remove the virus.

The ACCDFISA hacker eventually noticed that the strain had been decrypted and released a revised version.  Many of Wosar’s subsequent triumphs were also fleeting.  He and his teammates tried to keep criminals blissfully unaware for as long as possible that their strain was vulnerable.  They left cryptic messages on forums inviting victims to contact them for assistance or sent direct messages to people who posted that they had been attacked.

In the course of protecting against computer intrusions, analysts at antivirus firms sometimes detected ransomware flaws and built decryption tools, though it wasn’t their main focus.  Sometimes they collided with Wosar.

In 2014, Wosar discovered that a ransomware strain called CryptoDefense copied and pasted from Microsoft Windows some of the code it used to lock and unlock files, not realizing that the same code was preserved in a folder on the victim’s own computer.  It was missing the signal, or “flag,” in their program, usually included by ransomware creators to instruct Windows not to save a copy of the key.

Wosar quickly developed a decryption tool to retrieve the key.  “We faced an interesting conundrum,” Sarah White, another Hunting Team member, wrote on Emsisoft’s blog.  “How to get our tool out to the most victims possible without alerting the malware developer of his mistake?”

Wosar discreetly sought out CryptoDefense victims through support forums, volunteer networks and announcements of where to contact for help.  He avoided describing how the tool worked or the blunder it exploited.  When victims came forward, he supplied the fix, scrubbing the ransomware from at least 350 computers.  CryptoDefense eventually “caught on to us ... but he still did not have access to the decrypter we used and had no idea how we were unlocking his victims’ files,” White wrote.

But then an antivirus company, Symantec, uncovered the same problem and bragged about the discovery on a blog post that “contained enough information to help the CryptoDefense developer find and correct the flaw,” White wrote.  Within 24 hours the attackers began spreading a revised version.  They changed its name to CryptoWall and made $325 million.

Symantec “chose quick publicity over helping CryptoDefense victims recover their files,” White wrote.  “Sometimes there are things that are better left unsaid.”

A spokeswoman for Broadcom, which acquired Symantec’s enterprise security business in 2019, declined to comment, saying that “the team members who worked on the tool are no longer with the company.”

Like Wosar, the 29-year-old Gillespie comes from poverty and never went to college.  When he was growing up in central Illinois, his family struggled so much financially that they sometimes had to move in with friends or relatives.  After high school, he worked full time for 10 years at a computer repair chain called Nerds on Call.  Last year, he became a malware and cybersecurity researcher at Coveware.

Last December, he messaged Wosar for help.  Gillespie had been working with a DarkSide victim who had paid a ransom and received a tool to recover the data.  But DarkSide’s decryptor had a reputation for being slow, and the victim hoped that Gillespie could speed up the process.

Gillespie analyzed the software, which contained a key to release the files.  He wanted to extract the key, but because it was stored in an unusually complex way, he couldn’t.  He turned to Wosar, who was able to isolate it.

The teammates then began testing the key on other files infected by DarkSide.  Gillespie checked files uploaded by victims to the website he operates, ID Ransomware, while Wosar used VirusTotal, an online database of suspected malware.

That night, they shared a discovery.

“I have confirmation DarkSide is re-using their RSA keys,” Gillespie wrote to the Hunting Team on its Slack channel.  A type of cryptography, RSA generates two keys: a public key to encode data and a private key to decipher it.  RSA is used legitimately to safeguard many aspects of e-commerce, such as protecting credit numbers.  But it’s also been co-opted by ransomware hackers.

“I noticed the same as I was able to decrypt newly encrypted files using their decrypter,” Wosar replied less than an hour later, at 2:45 a.m. London time.

Their analysis showed that, before adopting the affiliate model, DarkSide had used a different public and private key for each victim.  Wosar suspected that, during this transition, DarkSide introduced a mistake into its affiliate portal used to generate the ransomware for each target.  Wosar and Gillespie could now use the key that Wosar had extracted to retrieve files from Windows machines seized by DarkSide.  The cryptographic blunder didn’t affect Linux operating systems.

“We were scratching our heads,” Wosar said.  “Could they really have fucked up this badly? DarkSide was one of the more professional ransomware-as-a-service schemes out there.  For them to make such a huge mistake is very, very rare.”

The Hunting Team celebrated quietly, without seeking publicity.  White, who is a computer science student at Royal Holloway, part of the University of London, began looking for DarkSide victims.  She contacted firms that handle digital forensics and incident response.

“We told them, ‘Hey listen, if you have any DarkSide victims, tell them to reach out to us, we can help them.  We can recover their files and they don’t have to pay a huge ransom,’” Wosar said.

The DarkSide hackers mostly took the Christmas season off.  Gillespie and Wosar expected that, when the attacks resumed in the new year, their discovery would help dozens of victims.  But then Bitdefender published its post, under the headline “Darkside Ransomware Decryption Tool.”

In a messaging channel with the ransomware response community, someone asked why Bitdefender would tip off the hackers.  “Publicity,” White responded.  “Looks good.  I can guarantee they’ll fix it much faster now though.”

She was right.  The next day, DarkSide acknowledged the error that Wosar and Gillespie had found before Bitdefender.  “Due to the problem with key generation, some companies have the same keys,” the hackers wrote, adding that up to 40% of keys were affected.

DarkSide mocked Bitdefender for releasing the decryptor at “the wrong time…., as the activity of us and our partners during the New Year holidays is the lowest.”

Adding to the team’s frustrations, Wosar discovered that the Bitdefender tool had its own drawbacks.  Using the company’s decryptor, he tried to unlock samples infected by DarkSide and found that they were damaged in the process.  “They actually implemented the decryption wrong,” Wosar said.  “That means if victims did use the Bitdefender tool, there’s a good chance that they damaged the data.”

Asked about Wosar’s criticism, Botezatu said that data recovery is difficult, and that Bitdefender has “taken all precautions to make sure that we’re not compromising user data” including exhaustive testing and “code that evaluates whether the resulting decrypted file is valid.”

Even without Bitdefender, DarkSide might have soon realized its mistake anyway, Wosar and Gillespie said.  For example, as they sifted through compromised networks, the hackers might have come across emails in which victims helped by the Hunting Team discussed the flaw.

“They might figure it out that way — that is always a possibility,” Wosar said.  “But it’s especially painful if a vulnerability is being burned through something stupid like this.”

The incident led the Hunting Team to coin a term for the premature exposure of a weakness in a ransomware strain.  “Internally, we often joke, ‘Yeah, they are probably going to pull a Bitdefender,’” Wosar said.

Tuesday, November 3, 2020

PC GAMING - The Outer Worlds (Updated)

The Outer Worlds is an action role-playing game developed by Obsidian Entertainment and published by Private Division.

The Outer Worlds is an action role-playing video game featuring a first-person perspective.  In the early stages of the game, the player can create their own character and unlock a ship, which acts as the game's central hub space.  Though the player cannot control their ship directly, it serves as a fast travel point to access different areas in the game and acts as the player's persistent inventory space.  The player can encounter and recruit non-player characters as companions who have their own personal missions and stories.  When accompanying the player, the companions act as an aid in combat.  Each companion has its own individual skills and special attacks, and it can also develop its own skill specialization.  When exploring, the player can bring up to two companions alongside them, while the rest stay on the ship.  The player can make numerous dialogue decisions, which can influence the game's branching story.  They can also respond to NPCs in various ways, such as acting heroically, maniacally, or moronically.

During combat situations, the player can use various weapon types such as melee and firearms, which have three ammo types:  light, heavy and energy.  These weapons can be customized to add elemental damage.  The player can use stealth or social skills (persuasion, lying and intimidation) to avoid combat altogether.  As the player progresses, they gain experience points, which the player and their companions can use to level up and unlock new skills.  The player can develop their technical skills, which are further divided into three categories: Science, Medical, and Engineering.  For instance, the player can use a shrink ray to shrink down an enemy.  The player is able to invest points into these skills, which will unlock new perks that enhance combat efficiency.  The player can also enter a "Tactical Time Dilation" state, which slows down time and reveals opponents' health statistics, which grants the player tactical advantages.  As the player leads their companions, they improve their companions' combat strength and resilience.  The player can also gain a "flaw" that occurs when the player fails repeatedly in certain gameplay segments.  Flaws impede the player in some way, but also give additional perks and advantages.  - Wikipedia


Best reference: The Outer Worlds Wiki


As of this date there are 2 DLCs:

  1. Peril on Gorgon
  2. Murder on Eridanos

WARNING:  There is a bug in "Peril on Gorgon" (a Preserved Eye is not in Lucky's safe) that will prevent completion.

Saturday, October 24, 2020


"Vampyr is an action role-playing game played from a third-person view.  The player controls Jonathan E. Reid, a doctor who was made into a vampire, and whose thirst for blood compels him to kill innocent people.  To do this successfully, he must study and change his targets' habits, collect clues, and maintain relationships with the sixty citizens under his care in London, which serves as a fictionalized semi-open world built around hubs of neighborhoods tethered to other areas.  A skill tree facilitates the improvement of abilities, which is fueled by experience points gained from blood and, alternatively, investigation.  Feeding on human blood provides nourishment in addition to unlocking new vampire powers.  Abilities can be manually activated and passively upgraded.  Active skills afford defensive, aggressive, healing, and tactical measures; passive skills increase health, stamina, the blood gauge and absorption, bite damage and regeneration, and carry capacity." - Wikipedia


Before You Buy

I've just started playing this game on my Win7 PRO 64bit Desktop rig with 8GB RAM, Intel Core i5-4690 CPU @ 3.50GHz, NVIDIA Corporation GK104 [GeForce GTX 770] 2048 VRAM, and it is outstanding to play.

All you need is to view the "Before You Buy" video to see if Vampyr is for you.


Saturday, September 5, 2020

SIMULATION - Ancestors: The Humankind Odyssey

"Good luck, we will not help you much." (from intro)

Ancestors: The Humankind Odyssey is a survival game developed by Panache Digital Games and published by Private Division.  It was released for Microsoft Windows, PlayStation 4, and Xbox One in late 2019, along with a Steam release in August 2020.  In the game, players control a lineage of primates and are tasked to ensure its survival in prehistoric Africa and facilitate its evolution.  It was directed by Patrice D├ęsilets." - Wikipedia

This title is a simulation of 'Humankind' evolution.  It is not really a game.

Ancestors: The Humankind Odyssey is a survival game played from a third-person perspective.  In the game, players control a member of a primate clan and have to manage the player character's health by eating, drinking, and sleeping.  The game starts in an African jungle, an open world filled with threats including Machairodus, Metridiochoerus, Crocodylus thorbjarnarsoni, Adcrocuta hyenas, African Rock Python, giant Miocene otters, African buffalo, and more.  Players can climb trees, and will suffer injuries if they fall down or are attacked by predators.  As players progress, new areas are opened up for players to explore.  When a primate is exploring new locations or being hunted by predators, it will enter a state of "fear" which can be overcome by finding glowing orbs of light, or else it will descend into a state of hysteria." - Wikipedia

There are only automatic saves but only at critical steps.  After all, there are no quick-saves in real life (you don't have a save before that drive on a freeway where you got into an accident).

I have played this simulation for several weeks and have yet to survive beyond two generations.  So it is hard.  But I will stubbornly stay with it.

There are many walkthroughs and guides available.

Below are two videos that will give you an idea of what Ancestors is.

Tuesday, October 29, 2019

SECURITY - Ransomware Hunting League Hero

"The Ransomware Superhero of Normal, Illinois" by Renee Dudley, ProPublica 10/28/2019

Thanks to Michael Gillespie, an obscure programmer at a Nerds on Call repair store, hundreds of thousands of ransomware victims have recovered their files for free.

This story was co-published with the Chicago Sun-Times and The Pantagraph.

ProPublica is a nonprofit newsroom that investigates abuses of power.  Sign up for ProPublica’s Big Story newsletter to receive stories like this one in your inbox as soon as they are published.

About 10 years ago, Michael Gillespie and several classmates at Pekin Community High School in central Illinois were clicking on links on the school’s website when they discovered a weakness that exposed sensitive information such as students’ Social Security numbers.  They quickly alerted their computer repair and networking teacher, Eric McCann.

“It was a vulnerability that nobody even knew about,” McCann said.  “They did a quick search on passwords and student accounts, and lo and behold, that file is sitting out there.”

A shy, skinny teenager whose hand-me-down clothes didn’t fit him, and who was often ridiculed by schoolmates, Gillespie was already working after school as a computer technician.  “He was full of information all the time,” McCann said.  “We’d bounce ideas off each other.  You could tell his passion for technology, for computers, for figuring out things.  That definitely made him stand out.”

Without crediting the students, school administrators closed the breach and changed everyone’s passwords.  Gillespie’s anonymous protection of the school’s cyberdefenses was a harbinger of his future.  Like a real-life version of Clark Kent or Peter Parker, the self-effacing Gillespie morphs in his spare time into a crime-foiling superhero.  A cancer survivor who works at a Nerds on Call computer repair shop and has been overwhelmed by debt — he and his wife had a car repossessed and their home nearly foreclosed on — the 27-year-old Gillespie has become, with little fanfare or reward, one of the world’s leading conquerors of an especially common and virulent cybercrime: ransomware.  Asked what motivates him, he replied, “I guess it’s just the affinity for challenge and feeling like I am contributing to beating the bad guys.”

Each year, millions of ransomware attacks paralyze computer systems of individuals, businesses, hospitals and medical offices, government agencies, and even police departments.  Often, files cannot be decrypted without paying a ransom, and victims who haven’t saved backup copies and want to retrieve the information have little choice but to pony up.  But those who have recovered their data without enriching criminals frequently owe their escapes to Gillespie.

The FBI and local law enforcement agencies have had little success in curbing ransomware.  Local departments lack the resources to solve cybercrime, and the ransoms demanded have often been below the threshold that triggers federal investigations.  Security researchers like Gillespie have done their best to fill the gap.  There are almost 800 known types of ransomware, and Gillespie, mostly by himself but sometimes collaborating with other ransomware hunters, has cracked more than 100 of them.  Hundreds of thousands of victims have downloaded his decryption tools for free, potentially saving them from paying hundreds of millions of dollars in ransom.

“He took that deep dive into the technical stuff, and he just thrives on it,” said Lawrence Abrams, founder of a ransomware assistance website called  “Every time a new ransomware comes out, he checks it out.  ‘Can it be decrypted?  Yes, it can be decrypted.  OK, I’ll make the decryptor.’  And it’s just nonstop.  He just keeps pumping them out.”

Gillespie downplays his accomplishments.  “IT [Internet Technology] moves so fast, there’s always something to learn, and there’s always someone better than you,” he said.

Gillespie’s tools are available on, and they can be accessed through a site he created and operates, called ID Ransomware.  There, victims submit about 2,000 ransomware-stricken files every day to find out which strain has hit them and to obtain an antidote, if one exists.

As hackers and their corporate enablers, including cyber insurance providers and data recovery firms whose business models are based on paying ransoms, profit directly or indirectly from cybercrime, one of ransomware’s greatest foes lives paycheck-to-paycheck.  Under his internet alias, demonslay335, Gillespie tackles ransomware either in his downtime at Nerds on Call or at night in the two-story bungalow he shares with his wife, Morgan, and their dog, rabbit and eight cats.  Surrounded by pets, he lies on his living room couch, decoding ransomware on his laptop and corresponding with victims desperate for his help.

Although the FBI honored him in 2017 with an award for his website, it doesn’t systematically recommend ID Ransomware — meaning that some victims may never learn of a resource that could help them avoid paying a ransom.  Many of his friends, relatives and colleagues don’t know the extent of his war on ransomware.  “They do not have a clue because of Michael’s modesty,” said his wife’s grandmother, Rita Blanch.  “Honestly, I don’t think anyone in the family knows what he does for free.  I barely know.”  When he got the FBI award, she added, “I sent out a family text, and they’re like: ‘What?  What?  Our Michael?’”

McCann wasn’t aware of Gillespie’s accomplishments either.  “It kind of gives me goosebumps,” the teacher said.  “He’s sitting here doing all this for free.  That’s incredible.”

On a humid morning in July, Gillespie sat on his covered front porch.  His hair was pulled back into a low ponytail, and he sported scraggly facial hair and a V-neck striped shirt.  Brown leaves left over from the previous autumn and birdseed from a feeder were scattered on the ground.  Gillespie said hello to a cardinal — the Illinois state bird, he pointed out — and a squirrel with a “wonky eye.” He said a family of groundhogs resides under the porch and eats from the front-yard mulberry tree, but they didn’t make an appearance.

He opened his Twitter account.  “Like right now, I have 58 PMs and 120 notifications,” he said.  Most were pleas for help from victims of a ransomware strain, STOP Djvu, which he can sometimes decrypt.

Gillespie’s love of computers and electronics started early.  His paternal grandmother, a video gamer, introduced him to online role-playing games such as RuneScape.  He played Donkey Kong Country on a used Super Nintendo that his uncle gave him.  As emergency services volunteers, his parents communicated with tornado spotters via ham radios.  His father, a land surveyor, taught him how to repair electronics by soldering the radios.

Gillespie gleaned from his mother’s father, a police lieutenant in Florida, the importance of protecting the public.  Reinforcing the message, his parents went out of their way on family trips to pass through Metropolis, Illinois, which proclaims itself to be Superman’s hometown, and pay their respects at the Man of Steel’s bronze statue.  Gillespie was also fascinated by cryptography.  He liked the idea of having secret codes that no one else could figure out — and cracking other people’s.

Struggling financially, his family sometimes had to move in with friends or relatives.  When he was in high school, his parents filed for bankruptcy in the Central District of Illinois, court documents show.

At Pekin High, he helped protect not only the website but also his classmates’ belongings.  One day, noticing that other students were pre-setting codes to the combination locks on their lockers for convenience, he pulled down on every lock in his aisle.  About a quarter of the lockers opened.  He left a Post-it note in each one, admonishing the user to be more careful.

By then, he and Morgan Blanch were becoming close.  They lived down the street from each other but didn’t become friends until their freshman year at Pekin.  They began hanging out at each other’s houses and messaging on Myspace.  They were both in the school show choir and eventually sang in a national competition on the Grand Ole Opry stage in Nashville, Tennessee.

Both sometimes felt like outcasts.  She was overweight.  Gillespie, she said, was “that one kid at school that everybody knows who they are because they’re weird or they’re the butt of people’s jokes.”

But they could rely on each other.  “We’d get annoyed because our other friends were more flighty,” she said.  “They weren’t dependable, whereas if Michael and I made a plan, we stuck to it.  And we liked that about each other.” They started dating during Christmas break of their junior year.

When he graduated in 2010, Gillespie was named a Prairie State Scholar and an Illinois State Scholar, based on his standardized test scores and class rank.  Instead of going to college, he began working full time at the Nerds on Call store in Normal, Illinois.  Even with financial aid, he said, college would have been too expensive, and he already had everything he wanted.  “I got a job, got a car, got a girlfriend.  Boom.  Life together,” he said.

“He just felt that he could learn better on his own than in a classroom setting,” Morgan Gillespie said.  “He doesn’t really like to be restrained by protocol or by doing the ‘typical’ route of things.  He likes to get in there and figure it out and do whatever it is he feels like he wants to do.”

She enrolled at Millikin University in Decatur, Illinois, but missed Gillespie and dropped out after two months.  They moved into a new apartment close to his job and were married in October 2012, with Rita Blanch officiating.  For the bachelor party, Gillespie and his Nerds on Call friends went to a nearby farm and shot up old computers with his father’s firearms.  “Nobody who was too tipsy got to hold the rifles, but we put a few rounds through some old monitors,” said his best man, former co-worker David Jacobs, who organized the party.

The couple honeymooned in Peoria, Illinois.  The next year, with a Federal Housing Administration loan for lower-income borrowers, they purchased their $116,000 bungalow in a working-class neighborhood in Bloomington, Illinois.  There they could hear Amtrak’s Lincoln Service roar by on its way to Chicago.

At Nerds on Call, Gillespie was known as the Swiss Army Knife for his versatility.  So when a client was hit by TeslaCrypt ransomware in 2015, Gillespie was assigned to recover the files.

He embraced the task.  Not only was it an opportunity to expand his skills, but he also objected to the very idea of paying a ransom.  “I say hell no,” he said.  “There’s all the stuff about how it’s funding terrorism, funding bad stuff.  But more so, it’s just encouraging [criminals] to keep going.”

Gillespie “lives so heavily in the tech world, I think having bad actors involved just bothers him,” Jacobs said.  “Sometimes it’s also a little bit of competition.  ‘It’s me versus the bad guys and I want to win.  I want to be able to outdo their schemes.’”

Gillespie immediately consulted  Established in 2004 by Abrams to provide free advice for any computer problem through tutorials and forums, it had become the go-to site for ransomware assistance.

Sure enough, a BleepingComputer member known as BloodDolly had figured out how to crack TeslaCrypt.  But Gillespie still had to create a key for the client, which required running complex software for hours or days at a time.  “I wanted to post a success story for one of my customer’s systems that was hit this week,” he proudly announced on the forum in August 2015.  “I’ve just successfully decoded a few sample files at home.  … My customer is going to be thrilled we can get her photos back.”

Gillespie realized that Abrams, BloodDolly and other ransomware researchers were overwhelmed with requests for help.  He soaked up everything they could teach him.  Soon he was running software from both his home computer and computers under his desk at work, generating customized keys for scores of TeslaCrypt victims who had posted on BleepingComputer or on social media.

“It was huge, it was insane,” Abrams recalled.  “We were cracking keys left and right.  And Michael got the bug from that.  He came to the site, started cracking keys, starting helping.”

Gillespie also began exchanging private messages on BleepingComputer with U.K.-based ransomware expert Fabian Wosar.  Wosar, now the chief technology officer of antivirus provider Emsisoft, was working to break other strains of ransomware, and he referred TeslaCrypt victims to Gillespie.  Wosar, too, shared his knowledge with Gillespie.

“Sometimes, when people seem genuinely interested, I just ask them if they want to come along,” Wosar said.  “I just open a screen share, and they can watch what I’m doing.  And I explain to them what I am doing and why, and what all this different stuff means.”

Wosar, Gillespie, Abrams and a handful of other volunteers worldwide began communicating over the messaging platform Slack, forming a group they dubbed the Ransomware Hunting Team.  Abrams would hear about a new type of ransomware through users’ posts on his website and send a sample to his teammates.  If they could solve it, they would.

Gillespie creates 90% of the decryptors available on BleepingComputer, Abrams said.  Since May, when Abrams began tracking statistics, decryptors on the site have been downloaded more than 320,000 times.

While BleepingComputer makes money from advertisers, members of the hunting team from time to time have discussed charging for their services.  Each time, “it left a sour taste,” Abrams said.  He recalled a mother who contacted him to say she’d lost photos of her son, a fallen Army veteran, to ransomware.  Abrams helped to decrypt her files.  “I couldn’t charge for that,” he said.

Wosar and Gillespie have each created more free, public decryptors than anybody else in the world.  The two have much in common: neither went to college and both consider themselves autodidacts, learning mostly from internet research.  Both found a home and friendships on BleepingComputer.  And both, Wosar said, suffer from imposter syndrome — feelings of inadequacy that persist despite their success.

“I think we’re all kind of misfits,” Wosar said, referring to members of the team.  “We all have weird quirks that isolate us from the normal world but come in handy when it comes to tracking ransomware and helping people.  That’s why and how we work so well together.  You don’t need credentials, as long as you have the passion and the drive to teach yourself the skills required.  And Michael clearly has it, right?”

As ransomware became increasingly prevalent, the Ransomware Hunting Team had trouble staying abreast of new variants.  “It just got to the point where we just couldn’t keep track any more,” Abrams said.

Gillespie quietly began working on a solution.  “I’m a programmer,” he said.  “What do I do?  I automate.”

At night, on his couch, Gillespie developed a site where victims could upload a ransomware-encrypted file and automatically learn what type it was, whether a decryptor existed and, if so, how to get it.  In March 2016, he launched ID Ransomware with an announcement on Twitter and on BleepingComputer.  “All too often after a ransomware attack, the first question is, ‘what encrypted my files?’, followed by ‘can I decrypt my data?’” he wrote.  “This web service aims to help answer those questions, and guide a victim to the correct information relating to their infection.”

The site took off immediately.  Victims, ransomware recovery firms and other researchers sent encrypted files for analysis.  When they submitted files infected by an unidentified type of ransomware, Gillespie added it to his database.  As before, he and other members of the team worked to create decryptors for newly discovered strains.  ID Ransomware currently can detect more than 780 strains, of which almost 40% have free decryptors, most of them developed by Gillespie or Wosar, and others by cybersecurity firms such as Kaspersky, Avast and Bitdefender.

He’s developed other free applications for victims, which are available on BleepingComputer.  RansomNoteCleaner removes ransom notes left behind after an infection — eliminating the time-consuming task of removing them manually — and CryptoSearch locates encrypted files and makes it easier to back them up, in the hope that a solution may someday be discovered.  ID Ransomware also cross-references the submitter’s IP address with Shodan, a site that can show a computer’s vulnerabilities.  If it detects an open port, which could have allowed the hackers in, ID Ransomware flags the vulnerability — and, like the notes Gillespie stuck in the high school lockers, suggests fixing it.

Gillespie worked nonstop.  “I felt like I never saw him,” his wife said.  “We would be hanging out in the evening, and he would be like, ‘Oh my gosh, I have to go do this.’ And he would just disappear for hours.”

Volunteers around the world have translated ID Ransomware into two dozen languages, from Swedish to Nepali.  Only 26% of submissions to the site have come from the U.S.  “He collects amazing data because so many people use it,” Abrams said.  “He has tons of information.  You can see statistics, trends, what kinds of attacks are happening and when.  Everyone uses it.”

Those users include law enforcement, on both sides of the Atlantic.  Europol and Netherlands police flattered ID Ransomware by imitation, launching a similar but less comprehensive site.  An FBI agent from the Springfield, Illinois, field office asked to meet Gillespie, and they got together with another agent at a local Panera restaurant.

“The first meeting was nerve-wracking for me because, you know, why does the FBI want to talk to me?” Gillespie recalled.  “I was so awkward at that meeting.  I wasn’t thinking, ‘Am I gonna get arrested.’  But I did have in the back of my mind, ‘Am I gonna say something stupid?’”

The FBI needed help.  Victims often don’t report attacks to the bureau because they don’t want investors or the public to learn of their security lapses.  In 2018, the FBI received only 1,493 reports of ransomware — compared with the 2,000 queries daily to Gillespie’s site from about 750 different IP addresses worldwide.

At first, the agents sought information about the origins of a specific ransomware attack, something Gillespie does not investigate.  Then they began requesting lists of IP addresses that had uploaded files to ID Ransomware, which could help identify victims, as well as ransom notes and other material.  Gillespie, who discloses on the ID Ransomware homepage that email or bitcoin addresses uploaded to the site may be shared with “trusted third parties or law enforcement,” complied.

His assistance appears to have paid off.  Gillespie said agents indicated to him that his information may have been instrumental in last year’s indictment of two Iranian hackers wanted in connection with SamSam ransomware, which paralyzed computer networks across North America and the U.K. between 2015 and 2018.  Although the suspects have not been arrested, it was the U.S. government’s first indictment of cyberattackers for deploying a ransomware scheme.

Gillespie continues to meet regularly with FBI agents.  He tips them off, for instance, when a ransom note or extension on a file uploaded to the site identifies the targeted business.  Cooperation from such victims could help law enforcement learn more about the source of the ransomware, he said.

Some other ransomware hunters are warier of the FBI.  Abrams expressed concern that, despite the ID Ransomware acknowledgment, there could be “repercussions” from victims who might be upset that Gillespie identified them to the bureau.  Gillespie “is a little too trusting” of law enforcement, Abrams said.  “I do think that he’s not very worldly and that he sees things a little more black and white than with a lot of shades of gray.  And I think in that case he could be easily manipulated and taken advantage of.”

In 2017, the FBI awarded Gillespie a Community Leadership Award for his “public service, devotion and assistance to victims of ransomware in the United States and Internationally.”  Gillespie prominently displays the award in his home.  In April 2018, he and his wife flew to Washington for the award ceremony, accompanied by his boss at Nerds on Call.  The joke around the office was that the boss “went with him to try to nerf anybody trying to recruit him,” said Gillespie’s former co-worker, Jacobs.  “He would be very difficult to replace.”

Philosophically opposed to charging victims, Gillespie keeps ID Ransomware free.  He put up a link for donations to help cover the costs of running the site, but he didn’t bother to register it as a nonprofit, which would have enabled donors to deduct gifts from their taxes.  Contributions were scarce.  One $3,000 donation through PayPal proved to be a scam — Gillespie speculated that it may have been revenge by hackers whose ransomware he disabled — and PayPal demanded the money back.  He couldn’t repay it and switched to another service.

Gillespie “doesn’t chase money,” Jacobs said.  “If he were chasing money, he would have been living on the East or West Coast by now and doing something for some company that we’d all heard of instead of a little service provider in the Midwest.  But he’s one of those guys, he operates very heavily on principle.”

To make ends meet, Gillespie supplemented his Nerds on Call salary with a 2 a.m. paper route, delivering the local newspaper on his bike.  While he had enjoyed having a paper route in junior high, the job now depressed him.  But the family bills were mounting, especially for health care.  Morgan Gillespie struggled with diabetes and other medical issues.  Over the years, Michael Gillespie noticed blood in his urine, and in the fall of 2017, his wife finally made him see a doctor.  The physician removed a tumor and diagnosed bladder cancer, which rarely affects young adults.  Gillespie took one day off for surgery and one to recover before returning to work.  He underwent immunotherapy treatment weekly for two months, and the cancer has been in remission since.  Although he was insured through Nerds on Call, the costs for his care still added up.

The couple reached a financial breaking point.  They racked up credit card debt and fell behind on payments on Morgan Gillespie’s Nissan.  They rotated which utility bills they would pay; one month their electricity would be turned off, and the next month it would be gas.  They surrendered the car to the bank, which sold it at a loss at auction and forced them to make up the difference.  Last year, around the time his wife lost her job as a nanny, they missed four mortgage payments on their house and began to receive foreclosure notices, Michael Gillespie said.

Gillespie said he’s considering charging other security researchers for the statistics he gathers on the site, but he will always keep the tools free for victims.  Friends and family members nagged Gillespie to collect fees from ID Ransomware users.  Even his wife’s grandmother, whom Gillespie calls “grammy,” brought it up.  “I try to not interfere in that area,” Rita Blanch said.  “Unless, being silly at times, when I would say to him, ‘Babe, you need to charge, you could, like, be rich.’”

Other relatives “have been like: ‘Why isn’t he charging?  Why isn’t he making money off of this?’” said his wife, who recently found a part-time job as a babysitter.  “They think it’s almost dumb, the fact that he does what he does.  But that was just never what the deal was for us.  He just doesn’t want to take advantage of people who are already being taken advantage of.”

Instead, his fellow ransomware hunters stepped in.  Abrams covered the $400 cost of obtaining a certificate that lets users know they’re downloading from a trustworthy site.  Wosar began donating to ID Ransomware, and his employer, Emsisoft, hired Gillespie part-time this year to create Emsisoft-branded decryptors.  The money enabled the Gillespies to catch up on mortgage payments.

“He’s doing so much, how do you not support him if you can?” Abrams said.

After dinner one summer evening, Gillespie took a visitor to the Normal office of Nerds on Call, one of the company’s three locations in central Illinois, nestled in a strip mall between a check-cashing store and a Great Clips hair salon.  Gillespie, who has worked for Nerds on Call for 11 years, has keys, so he was able to open the office and disable the alarm system.  In the back, behind the retail area, is his desk, adorned with framed photos of his cats.

As his wife’s relatives often remind him, he could earn three times as much somewhere else.  But he’s happy at Nerds on Call, which gives him the freedom to work on ransomware in his downtime.  This year, he figured out fixes for the STOP Djvu ransomware, which was infecting files through pirated software.  Victims — who were unlikely to seek law enforcement assistance since they were committing a crime themselves — continue to press Michael for help unceasingly.  “It’s borderline harassment,” he said.

His frustration with the deluge of entreaties occasionally boiled over in his tweets.  “Everything you could possibly need to know is IN THE FUCKING FAQ, and its in BIG BOLD RED LETTERS,” he once responded.  “I’m losing sleep, losing time at my job, losing fucking sanity at this point.”

Some STOP Djvu victims thanked Gillespie.  Adam Hegedus of Szolnok, Hungary, was surfing the internet on his girlfriend's laptop in August when he disabled the anti-virus and firewall protections.  Ransomware crippled the computer, and a text file demanded $1,000 to restore access.  Hegedus' girlfriend is a teacher, and her lesson plans, thesis and other important documents were encrypted.  Hegedus felt so guilty that he couldn't sleep, and he sought assistance from several forums, including  This month, Gillespie replied with some good news; he had a decryption key.  Hegedus called his girlfriend, who rushed home and was delighted to be able to use her files again.

"You cannot imagine how grateful I am," Hegedus wrote to Gillespie.  "Everything has been decrypted and this is only because of your hard work." Hegedus offered a donation, but Gillespie declined.

Gillespie hopes that someday his services will no longer be needed, because businesses and people will have learned proper cybersecurity.  “If the world had backups, then we wouldn’t have ransomware,” he said.

In the meantime, he said, he plans to keep plugging away, even as hackers and their enablers pile up profits.  “There’s a time in every IT person’s career where they think, ‘I’m on the wrong side,’” he said.  “You start seeing the dollar amounts that are involved.  But nah, I can’t say that I ever have.  I just don’t care to go that way.”

ProPublica research reporter Doris Burke contributed to this article.

Tuesday, May 21, 2019

WARNING - Automatic Agreement to Web Site Terms

"Soon You May Not Even Have to Click on a Website Contract to Be Bound by Its Terms" by Ian MacDougall, ProPublica 5/20/2019

A private and influential legal group you’ve never heard of is about to vote on what critics call a fundamental rollback of consumer rights.

If you’re like most people, you’ve probably clicked “I agree” on many online contracts without ever reading them.  Soon you may be deemed to have agreed to a company’s terms without even knowing it.  A vote is occurring Tuesday that would make it easier for online businesses to dispense with that click and allow websites that you merely browse — anything from Amazon and AT&T to Yahoo and Zillow — to bind you to contract terms without your agreement or awareness.

As public outcry mounts over companies like Facebook collecting and selling user information, the new proposal would prime courts and legislatures to give businesses even more power to extract data from unwitting consumers.  If the proposal is approved, merely posting a link to a company’s terms of service on a homepage could be enough for the company to conclude that a user has agreed to its policies.  That includes everything from provisions that allow the sale of customer data or grant the right to track visitors to policies that limit consumers’ legal rights by barring them from suing in court or in class actions.  Some courts have already given their blessing to this practice.  But the proposal up for a vote Tuesday is set to make those kinds of business-friendly rulings all the more common.

The proposal has outraged consumer advocates, state attorneys general and other constituencies.  They see it as improperly tilting the scales in favor of business interests.  They argue that the solution is creating clearer, simpler contracts rather than lengthy, confusing ones that are harder to find.  The proposal’s authors counter that they have simply summarized trends in American law.

There’s been little discussion of the impending change in the general public.  That’s because the vote isn’t before Congress, the Supreme Court or a regulatory agency.  It’s before a private association virtually unknown outside legal circles: the more than 4,700 judges, legal scholars and practicing attorneys that constitute the American Law Institute [ALI].  The new proposal was drafted by three law professors affiliated with the organization.

Almost a century old, ALI is about as elite an institution as the United States has to offer.  It counts among its founders two chief justices of the U.S. Supreme Court — one of whom, William Howard Taft, was also the 27th president — and its membership is a who’s who of the American bar.  Speakers at ALI’s annual conclave in Washington this week include Chief Justice John Roberts and former Justice Anthony Kennedy.

For decades, ALI has exerted profound influence over American law and life through the publication of what it calls the “Restatements of the Law.”  The Restatements are, in essence, guidebooks to the common law.  That body of law — created by judicial opinions rather than statutes — plays a central role in governing everything from property rights to contract disputes to who’s liable when accidents happen.  But it’s a messy realm; courts in each state are free to create or put their own spin on common-law rules.  The point of the Restatements is to clarify the common law and impose order on it.

The reputation of the Restatements is such that for decades courts have treated them as something close to an authoritative explanation of what the law is and where it’s heading.  “The ALI is the unofficial College of Cardinals of the U.S. legal profession,” said Adam Levitin, a Georgetown University law professor and ALI member who has helped spearhead opposition to the new Restatement.  “Even though its members are not representatives of the public, once the ALI approves these Restatements, lawyers, arbitrators, judges and justices use them as a handy reference guide to what the law is and should be.”

At the heart of consumer advocates’ objections to the Restatement is a section that substantially weakens in the consumer context a core concept of contract law — that a contract requires a “meeting of the minds,” with each party assenting to its terms.  Instead, the Restatement requires businesses only to give customers notice of the contract terms and an opportunity to review them.

The Restatement provides examples of how little businesses need to do to bind consumers to their terms and conditions.  In one hypothetical, a user simply browsing a website becomes bound by its terms of use because the homepage contains a notice that links to the language and reads, “By continuing past this page, you agree to abide by the Terms of Use for this site.”  In another, a user becomes bound by the website’s terms merely by clicking a “Read More” button to access the full text of a webpage.  (Companies can continue using “I Agree” buttons if they prefer.)

The authors of the Restatement — three professors from Harvard Law School, NYU School of Law and the University of Chicago Law School — contend that courts have reasoned there’s no need for businesses to do more, because nobody reads these contract terms anyway.

Consumer advocates and other critics acknowledge that nobody reads online contracts.  But they argue the proposed cure is worse than the disease.  They say it provides businesses an incentive to bury objectionable terms inside ever-longer and more impenetrable contracts — think Apple’s user agreements — instead of identifying better ways to alert consumers to significant or intrusive contract terms.

“Weakening the requirement of mutual assent is not only contrary to fundamental principles of contract law,” New York State Attorney General Letitia James wrote in a May 14 letter to ALI, “but will encourage a veritable race to the bottom, as market forces will drive businesses — which will know they can bind consumers to all but the most odious terms — to draft standard form contracts with egregiously self-serving terms.”  The letter was signed by 23 other state attorneys general and top consumer protection officials.  All but one are Democrats.

Worse still, critics claim, the proposed Restatement departs from the traditional role of Restatements — to synthesize the law as it is — and doesn’t accurately reflect the state of the law.  Opponents assert that the Restatement’s authors have relied on faulty empirical methods and cherry-picking from case law to reach their preferred rules.  “They’re being a little disingenuous,” Levitin said.  “They claim they’re following what courts are doing, and this is out of their hands.  Except that it all depends on some rather constrained readings of the cases.”

One lawyer who represents financial institutions offers a similar view.  “It’s not a good portrayal of the common law of contracts as it applies to consumers,” said Alan Kaplinsky, an ALI member and partner at the law firm Ballard Spahr.  (The firm has represented ProPublica in the past.“This is more of a document expressing the aspirations of the three reporters — what they would like the law to be rather than what the law actually is.”

ALI and the Restatement’s authors dispute these claims.  They have defended their methodology and say they have followed the traditional approach.  The Restatement doesn’t reflect personal opinion, noted one of the three authors.  “We are not partisans,” said University of Chicago law professor Omri Ben-Shahar.  “We are not anti-consumer or anti-business.  ALI entrusted us to identify patterns in the law as developed in the courts.  We did our best to identify what are the relevant precedents and rules.”  As Ben-Shahar put it, “The grounds for the opposition is that people don’t like the law and hope that either the ALI will try to change the law or not engrave into stone existing law, in the hope that maybe it would change in courts over time, since we’re talking about common law that’s developed by courts.”

Proponents of the Restatement argue that it hews to how courts have responded to the rise of e-commerce.  “The courts (and everyone else) recognize that most don’t read the contracts,” Steven Weise wrote in an email to ProPublica.  Weise is a partner at the law firm Proskauer Rose and a member of the ALI’s governing council.  “But that doesn’t mean that the law should give up — the courts have taken classic rules on contract law and applied them in the changing, online environment.”

The authors also contend that there’s a benefit for consumers: tools that make it easier to sue in court.

But consumer advocates see that as meaningless.  Most consumers don’t litigate contract issues because they can’t afford to, they say.  Consumer goods usually aren’t worth the legal fees, and contracts often include mandatory arbitration clauses or class-action waivers that further deter litigation.

The consumer advocates have found an unexpected ally among some in the business community, who oppose the proposed changes to the rules that apply to consumer lawsuits.  Some companies fear that the stronger legal tools will result in a flood of lawsuits and leave businesses unsure of how to conduct themselves to avoid liability.

The combination of consumer and business opposition has led to a groundswell of critical op-eds, law review articles, posts on legal blogs and letters.  Their goal is to stop the Restatement altogether and leave consumer contracts guidelines as they currently are.

The extent of the opposition makes Tuesday’s vote hard to predict, according to ALI members.

Proponents are confident.  Historically, the broader membership has followed the organization’s governing council, which in this case voted in favor of the Restatement.

Opponents seem pessimistic.  “My hope is they drop it altogether,” said Kaplinsky, who served on ALI’s board of advisers for the consumer contracts Restatement.  “The best the opponents can hope for is that it gets sent back” for revision to the authors and the governing council “and dies a slow death.”