>You misunderstand. Those who don't pay still have the problem. They will invest in solutions. Some (like good, well-tested backups) only affect them, but others, like hardening software, make it harder for ransomware to get anyone in the first place.
Even those who pay are also investing in solutions, but the reality is that throwing money at this isn't going to make ransomware go away. Billions have been poured into this, and billions more will follow. What does that money get us? Mostly snake oil antivirus products, and big full page ads in the Economist for said snake oil products. I can't imagine that we're going to see significant results on a timeframe that you'd consider acceptable, maybe in 20 years.
>True. Though the fewer companies that pay, the more examples of not paying get out there, and so the more likely it is other companies will get good protection for themselves.
>Probably not enough to really affect profits too much, but still helpful to limit the amount of investment "big evil" can afford to do.
Honestly, I think stories of companies paying out huge amounts have more of a chilling effect on ransomware than stories of companies refusing to pay. The huge ransom payment gives everyone a concrete number to be afraid of; a refusal to pay is a non-story unless it causes devastating damage to the company in question.
>Just a little bit. I'm looking to work with them more because for my area quality is important and we have reached the limits of what unit and manual testing can do. (but not the limits of other automatic code analysis which I'm also looking into)
The problem here is that you will never be able to produce a useful formally proven general purpose desktop software stack that would present meaningful advantages over current systems. Formal verification really only works for very simple pieces of software, and in any case, formal verification is only as good as the model you are verifying against.
We're not going to see formally verified web browsers, nor are we going to get a formally verified Microsoft Office suite.