Bruce Schneier
Schneier on Security

A blog covering security and security technology.

November 28, 2007

Cybercrime vs Cyberterrorism

I've been saying this for a while now:

Since the outbreak of a cybercrime epidemic that has cost the American economy billions of dollars, the federal government has failed to respond with enough resources, attention and determination to combat the cyberthreat, a Mercury News investigation reveals.

This is Part III of a good series on cybercrime. Here are Parts I and II.

Posted on November 28, 2007 at 6:56 AM • 16 Comments

Comments

I like the way that you can mentally add even more "cyber-" prefixes as you're reading, in order to make the article sound even more cutting-edge: "The U.S. government has not devoted the cyberleadership and cyberenergy that this cyberissue needs", and "overlooking the international cybercriminals who are cyberstealing a fortune through the cyberInternet".

Posted by: SteveJ at November 28, 2007 7:45 AM

There's also the question: if you can't secure something against criminals, how can you secure it against enemy action or terrorists? They'll be able to do anything criminals can and more (since they have more resources or are less concerned about consequences). Once we've got a good basic level of security, we can decide whether additional resources are needed, and where to put them. Any situation where criminals can wage their own cyberwars with botnets, or gather large amounts of sensitive information, is secure neither against information war nor espionage.

Posted by: David at November 28, 2007 7:56 AM

I have reservations about discerning cybercrime from cyberterrorism. Terror being a subset of crime.
By bringing the term "terrorism" to the level of "crime" or "warfare", it validates the argument we've been fed for many years now and impairs our ability to address the issue for what it is.

Posted by: Harry Tuttle at November 28, 2007 8:33 AM

"...if you can't secure something against criminals, how can you secure it against enemy action or terrorists?"
Nuff said.

Posted by: reswob at November 28, 2007 8:45 AM

Criminals have economic motivations, and have the problem of laundering their profits in order to do something with them. The fact that we (our governments) have not followed the money is very embarrassing. It's worse though --- those criminals that we aren't catching may well be for hire to the "enemy".

Posted by: Michael Richardson at November 28, 2007 9:23 AM

A quick scan of the link Bruce included did not show this bill that passed the House last month according to /.

U.S. House Says the Internet is Terrorist Threat

http://www.govtrack.us/congress/bill.xpd?...

(caveat: Bruce may have covered this already)

Posted by: reswob at November 28, 2007 10:22 AM

@reswob, considering that the fundamental motivator for war is economic, the distinction between criminals and enemy action is rather specious.

It's time we re-evaluated our paradigms around terrorists, criminals, and enemies of the state (as distinct from enemies of the people). The real problem is those who steal value without providing something of equal value in return. Those are the true enemies of the people, and include terrorists, criminals, and corrupt governments. Enemies of the state are those who threaten the government, and to corrupt governments that includes terrorists, criminals, and patriots.

Elucidating the implications of distinguishing enemies of the state from enemies of the people is left as an exercise for the reader...

Posted by: guvn'r at November 28, 2007 10:32 AM

It occurs to me that cybercrime is not really a problem; if it were, the victims (i.e. banks, websites, etc...) would take stronger measures to combat it. Unlike crime in the physical world, where one only has to be in the wrong place at the wrong time, being a victim of cybercrime is largely a matter of one's own ignorance of computer system security. As long as it costs more to secure computer systems than the fraud perpetrated through them, we will have cybercrime.
And it is not a problem so much as it is an economic choice that businesses make; as long as publicly-paid prosecutors are willing to prosecute computer criminals, businesses will shift the cost of computer security to the government. In fact, I believe many businesses believe that, since they pay taxes, they have a right to expect their lapses in computer security to be righted by law enforcement.

Posted by: lucid at November 28, 2007 11:52 AM

' "Federal law enforcement needs more agents to deal with this," said Ron Plesco, executive director of the National Cyber-Forensics and Training Alliance, a government-funded non-profit that investigates cybercrime.'

I submit that Federal Law Enforcement already has more agents than there are employees in "tiny startup Rock Phish". What Federal Law Enforcement really needs is agents who understand the problem, understand how to decide what action to take, and legally and ethically gain authorization to take that action.

Posted by: sidelobe at November 28, 2007 11:55 AM

@lucid

Posted by: djunia at November 28, 2007 1:22 PM

The siliconvalley.com link wants registration. Google's cache is much more convenient: http://64.233.169.104/search?...

Finding parts I & II is left as an exercise for the reader. :-)

Posted by: Terry Cloth at November 28, 2007 6:22 PM

The paradigm of traditional law enforcement is that one criminal is perpetrating a crime against another person. Until law enforcement truly grasps that cyber crime breaks that paradigm by using computers to perpetrate crimes against others often via other computers, it will be an uphill struggle to thwart the billions of dollars that are lost each year to criminal activities.

Felicia Donovan

Posted by: Felicia Donovan at November 28, 2007 8:24 PM

The price tag for recovering from a single security incident has jumped 30% over 2006. As if it were cheap before...

Posted by: Pam Scott at November 28, 2007 10:00 PM

Continuing with Comments on Bruce Schneier's book Beyond Fear, ~~

Is anonymity a Good thing or a Bad Thing?

For the Op Ed pages you post to your web site as text or HTML -- a pseudonym is fine. You can be anonymous because you can't hurt anything. But if you are writing executable code or eMail: NO: You cannot be anonymous.

Bruce discusses the role of auditing, detection, and response mechanisms as a key part of good security in his book. And anonymity obstructs the functions of auditing and response.

I have been following with great interest the FireFox/GnuPG project. The idea being to incorporate PGP authentication into the browser so as to require a PGP signature for every executable. The concept could be taken 1 step further by adding the restriction that every executable has to be registered and a copy of the program saved before execution can be authorized. This would facilitate auditing. The un-wanted programs could be cleared off the computer system as soon as an audit had been completed. Proper modifications to the browsers and/or related OS would be required but that is within our capability.

I would note as well that he has a very interesting approach to risk analysis, evaluating threats, assets, and probabilities and working into cost trade-offs. One of the most important aspects of his approach is that the results will vary depending on the viewpoint. This is very important to our effort to STOP RATS and to make online commerce safer.

If you are the credit card industry, a loss rate of 15 cents per $100 of business might be an acceptable risk, - and you just put that down to the "Cost of Doing Business." But from the standpoint of the individual the risk is entirely different. While the bank is supposed to limit individual liability for fraud to $50 this may not actually happen. The bank might sue to collect a debt that was created by fraud.
And the individual could face a nightmare trying to deal with a very unsympathetic bank fighting through endless phone menus -- only to end up talking to a help desk agent who just reads information off a computer screen and claims infallibility. A credit card fraud incident can turn into a nightmare.

It is my opinion that if online commerce is to continue to grow the RATS which are fast becoming a sophisticated and pervasive problem online -- must be EXTERMINATED. If RATS are allowed to continue to fester the future of online commerce and of MS/Windows itself will have been wagered and placed at risk.

NO SIGNATURE? NO EXECUTE.

Posted by: Mike Acker at November 29, 2007 12:53 PM

More clues that cybercrime has many forms ... some more obvious than others, and some less technical than others.

When breaking through network security seems like too much of a bother, the easy solution appears to be cutting a hole in the wall and grabbing data the old fashion way.

There is nothing new here with the method or the crime. Or in this case, both. Is this a case where paying insurance is cheaper than thicker walls?

Posted by: sreacnudroimty at November 29, 2007 10:33 PM

Like Paul Kurtz, I live in the Washington, DC area and work on information security issues. I agree with him that the federal government hasn't invested enough resources to tackle the cyber-crime issue effectively. That is starting to change but more must be done. Part of the challenge is getting key decision makers -- whether in Congress or the Administration -- to understand how the threats and technology constantly evolve.

Posted by: SLK at December 4, 2007 5:23 PM

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.