tommy July 22, 2011 7:44 PM

@ Nick P.:

Are you just saying that because you know that my last name is “Turtle”? … aw, shucks!

Seriously, nice glass work there, Bruce. Also liked the dolphins,

and what looks to be an endangered right whale,

The pufferfish kissing were kind of cute.

All work and no play makes us dull. Gotta stop and smell the roses, appreciate the beauty. Nice link.

Clive Robinson July 24, 2011 9:08 AM

OFF Topic,

@ Bruce,

I don’t know if you’ve read this or not,

It’s by “Noah Shachtman” and although I agree with the main thrust of the article that it’s Cyber-crime not Cyber-war we should be worrying about, his soloution of,

“That’s where the federal government could help. It could introduce new mechanisms to hold hosting companies liable for the damage done by their criminal clientele. It could allow ISPs to be held liable for their criminally connected hosts. It could encourage and regulate ISPs to share more information on the threats they find.”

Is actualy quite nieve, in that it takes an “american centric” view of a “global problem” and assumes that the solution can be found by “killing the messenger in the US” not the “enemy in any port of convenience”.

The way to deal with crime is to use one or more of the following,

1, Remove the profit from the crime.
2, Stop the money being moved/laundered
3, Increase the scope of intel/detection
4, Prosecute effectivly on the intel/detection.

Currently we only have some international legislation on 2, and the real lack of progress in 3&4 is why internet crime is so lucrative.

Although Noah did mention a method for 1&2, he forgot to mention the idea had been lifted lock stock and barrel from Brian Krebs.

Nick P July 24, 2011 2:33 PM

@ Clive Robinson

I agree mostly with what you’re saying, especially about Krebs getting there first. BUT, I have to say that ISP liability could help a lot if done properly.

First, he mentions about 20 ISP’s in the US that host all kinds of crime. Why are crooks consistently using these? Presumably, these ISP’s policies enable crime to flourish, whereas others crack down on it or implement policies detrimental to crime. A general set of standards in the US similar to the banking standards might help a little. I would want the standards to be as minimal as possible, but even using COTS traffic monitoring can catch a lot of stuff.

Additionally, many foreign countries and ISP’s are billing themselves as “havens” for data and malicious activity. I do like the former & accepting it means we must accept some of the later. However, we still can choose to nationally block certain foreign ISP’s whose networks send tons of spam or criminal actions. The terms of the block would require them to implement measures like ours that make things more difficult. We would see a corresponding drop in malicious traffic & the blocks would be lifted so long as those traffic levels remain.

These two ISP-level strategies would be done in addition to the four you mentioned. What do you think of these ideas?

Nick P July 24, 2011 3:05 PM

@ tommy

Dream on!

@ Bruce

I was going to check on the pufferfish, as I used to have one, but the site is down. It has apparently been “Schneier-slashdotted.” Will you be doing a blog post about how your community’s DDOS attack on Shawntsai Art was a total success? Or play it smart & silent to avoid self-incrimination? 😉

Clive Robinson July 24, 2011 9:56 PM

OFF Topic,

@ Bruce,

Another article that might be of interest and acts as an indicator to what can be done against cyber-crime if there is the appropriate cooperation internationaly,

Admittadly the sums of money involved made cooperation virtualy guaranteed, but it shows “there is a way when there is a will” to do it.

What we need is “the way” to become easy to implement such that the threshold for the will drops to just a few thousand dollars at most, not tens of millions.

Clive Robinson July 24, 2011 10:58 PM

@ Nick P,

You’ve presented a lot to go through, however on aspect of censure that realy needs to come in before any censure on the ISP’s is US Banks.

The amount of money being stolen in the US out of small business accounts because the security systems the banks employ is on these accounts is laughable at best is eye watering.

If personal accounting can have a “personal liability threshold” of just a few dollars then small businesses likewise.

Most small businesses don’t have large or very variable payrolls, nor lists of suppliers, it should easily be possible to detect unusuall payments and get them “checked off” via an out of band channel prior to payment.

Many of these problems are caused by the banks selling as “ease and convenience” less secure methods than existing methods to cut the banks bottom line.

And that is the problem, cutting the bottom line is a race to the bottom where security is concerned.

Which ever way you do it security has a cost, and the best place for that cost is where economies of scale can be made and that is with the banks. Alowing the banks to “externalise the risk” is a sure fire way to nitro charge the race.

I’m not saying the banks should “not be alowed to externalise the cost” just the loss risk. Thus a bank could decide to (1) internalise the losses, (2) get insurance to cover the losses, (3) or take increased preventative measures via technical or other means. Which ever route they chose the bank will pass on the cost over the customer base creating a level playing field where customers can make rational choices of the features they want and at what cost over and above the minimum cost to mitigate the security risk.

One reason I’m against legislating against the ISP’s is it is like legislating against the Post Office or Telephone company or highways agencies for illegal business carried out by mail, phone or vehicle. It only takes a little thought to realise just what the cost is going to be to implement such a system, and how little it would actually return on the investment and importantly the compleate loss of privacy for individuals that would result.

For a concrete example look at the drugs trade and the cost of trying to stop drugs crossing the US border and how ineffective it is. Then look at the loss of privacy that has followed with the TSA.

Now imagine the direct cost of a DHS checkpoint on every 10,000 homes/business? Now try and figure the indirect costs…

It’s a non starter because we know from experiance the criminals would adapt faster than the technology can be realised. Most certainly faster than the ISP’s could deploy if, and without the slightest doubt faster the glacial speed of legislation. All it would do would be to create an arms race which would be won by the most agile side (the criminals) and would end by bankrupting the other side (the ISP’s), just as we are seeing with the DHS.

Richard Steven Hack July 24, 2011 11:20 PM

Clive: The problem with that article is the last sentence: “The good guys can score victories.”

Which means Zeus (or the equivalent) is gone for good? Hardly. Which means the 92 people arrested (out of the 6,000 involved) won’t be replaced within days, weeks or months by some other criminal syndicate? Hardly.

Cybercrime is like drug crime – highly profitable – but easier and less risky. It’s not going away, or even being “cleaned up” to the point of being even ten or twenty percent of what it is now.

It’s going to be more like spam – worse before it gets better. Periodically they knock spam down by a significant percentage, but it usually manages to climb back up. Lately I’ve read they’ve got it down somewhat from the ninety percent or more of email traffic it used to be.

Cybercrime is going to be like that – eventually it will affect far more than the few percent of people it affects now (leaving out malware per se which afflicts a much higher percentage of consumers.) It may start to afflict ten, twenty, even fifty percent of people before governments can increase the penalties and fund more police efforts and get international cooperation.

And even with the latter, look at the drug industry. Not even remotely going away.

Neither will cybercrime.

Let’s look at your four solutions:

“1. Remove the profit from the crime.”

In black markets, the way to do that is remove the illegality. That’s the ONLY way. But it doesn’t apply to cybercrime because cybercrime is not a “black market” in the technical sense.

“2. Stop the money being moved/laundered”

This is a temporary fix and band-aid. If the money has to be shoved in duffel bags and lugged across borders by REAL mules, it will get moved. You can only make it slightly more inconvenient than a wire transfer.

And the only reason it’s being moved currently is to keep it from being traced easily. Therefore it has to be converted into cash or the equivalent. To do that, it has to be moved from the source to another location where it can 1) stored in an account which can be shielded from LE in another jurisdiction, or 2) withdrawn as cash. Otherwise, the criminals would just keep it in a bank in the US or wherever.

It’s highly unlikely that cracking down on money movements is going to make the overall business of cybercrime so unprofitable – by raising the costs of doing business – that it ceases to be a problem.

“3. Increase the scope of intel/detection”

This basically means installing a worldwide police state – and even then it’s not going to work. Whereas the small groups of terrorists can be affected by enhanced intelligence and police investigations sufficiently to interdict them, precisely because they ARE small, this method has been utterly worthless in large-scale crime like drug dealing. It will be equally worthless in cybercrime.

Not to mention that since cybercrime is being essentially subsidized by the ease of access to the Internet, the only way to increase the scope of intelligence gathering is basically to slaughter the privacy of everyone. Which is precisely what the “ISPs need to police their customers” notion leads to – especially if its mandated by the government.

And this is leaving out the entire area of how cyber-criminals will simply improve their methods of evading detection. The drug dealers are using classified communications equipment and submarines these days… What are cyber-criminals going to do? Sit back and let the FBI trace their IP?

The article quotes a forensics guy as saying he’s not impressed by their technical skill. But he also says, “They get the job done.” That will only prove more true even if you expand the FBI cyber-crime force by a factor of one hundred. They will never match the hundreds of thousands of Chinese hackers, let alone the rest of the world.

“4, Prosecute effectively on the intel/detection.”

They tried this with crack. Boost the sentence up insanely compared to regular cocaine. Sure, they managed to throw even more hundreds of thousands of black ghetto residents in prison. Didn’t stop the drug problem in general.

And prosecuting effectively also means dealing with the counter-forensics problem. Which isn’t going to stand still any more than the methods of arrest evasion in the first place.

It’s a losing battle and will continue to be so.

Nick P: Sure, getting some major ISPs internationally to cooperate on blocking the relatively fewer downstream criminal ISPs would help things like spam and some aspects of cybercrime.

But it wouldn’t make a dent in cybercrime overall.

And you won’t be able to do it without major government intervention because there’s no incentive for ISPs to police the downstream. They have enough trouble policing themselves and clearing a profit. The ISP business is highly competitive, a commodity market.

It’s like asking the phone companies to police who are the drug dealers using their cell phones. Sure, it could be done – just outlaw burner phones and require ID verification before anyone activates a new phone service. Then monitor all telecom like the NSA likes doing anyway.

And drug dealers will STILL find a way to communicate in code.

All of these solutions are band-aids and hopeless.

There is one way and one way ONLY to “get rid of crime” (or even minimize it). And that is to change the way people – ALL people everywhere – are raised by parents and society. Which means changing societies everywhere. Which means changing human nature.

Good luck with that. Email me when it starts to be effective.

All of which leads directly back to my meme… 🙂

Clive Robinson July 25, 2011 5:09 AM

@ Richard Steven Hack,

Thanks for the lengthy reply (we need a place for “off topic chats”).

With regards taking the profit out of crime there are a number of ways to do it. One of which is to destroy the target of crime either during the crime or shortly there after.

For instance cash truck theft has been reduced to quite managable levels in many places simply because the cash is kept in small boxes with ink cartridges in them that soak the notes befor the commiters of crime can stop it happening.

In times past governments frequently changed the design of bank notes forcing the old ones to be changed at banks, this stopped criminals hording large quantities of notes (this is something the US has always resisted doing because it gains significant economic advantage by not doing so).

Similarly in Northern Ireland a few yeas ago criminals related to a terrorist organisation pulled of a very very large raid that netted them millions. The government response was to make the notes worthless in a short time.

And this is the point “money is an exchangable token” and asside from coinage it all carries serial numbers, it has in of itself no real intrinsic value as most tokens of exchange don’t.

Thus money is intrinsicaly worthless and all traceable if people wanted it to be, it’s just that the cost of doing it with paper money untill fairly recently has been very high.

But that is rapidly changing and the cost is dropping very rapidly. For instance these newish unmaned checkouts and ticket machines that check notes for forgery can quickly and easily check the serial numbers on notes and save them against serial numbers of goods purchased (yes super markets in the UK have got to the point of putting serial numbers on packs of vegetables etc as it’s just as easy as putting the date and batch number on).

Thus within a few years paper money is going to be as traceable and revokeable as creditcard transactions and proceads of almost any form of transaction criminal or otherwise will be traceable back to a purchase and a traceable financial history.

And the governments are going to get this almost for free because the relentless quest of the marketing industry and stock control industry will do it for them and happily sell them the data.

Certainly within my lifetime and I suspect yours as well I expect everything to have a serial number including each egg in a box and each biscuit in a packet. Currently we can and do put serial numbers on other high value items such as diamonds and many luxury car parts so tracability just keeps getting easier by the day as a conciquence of “efficiency” and “liability”.

I’ve said in the past that RFID’s in our clothing will be used to link us back to the place of purchase and purchase record details including credit card numbers and will over time become a matter of targeted advertising as we are already begining to see with mobile phones.

We already know that there is software out there that can analyse telephone records to establish contact lists and thus identify people and groups (families, employers, clubs and associations even political leaning)

Doing the same for credit card and paper money transactions is not going to be that hard, and it will be done if people think they can sell product with it, and belive me they certainly will go there to see if they can.

Thus being able to revoke a ten dollar bill will become very very easy in a few years if the politico’s decide to do so. And the risk of that may well drive people into electronic transactions…

This means that crime will have to move up the chain and find some other method of moving the proceads of crime. Because as I’ve said above with diamonds other high value items will get serial numbers and thus tracability and thus effectivly worthless for crime.

This means money laundering in some way will become the only way that serious crime will pay.And some (if not all) Governments will allow money laundering to continue.

Why? well because at the end of the day governments like crime it’s good for the economy, and it can get them out of trouble. There is anecdotal evidence that when the banking crissis hit in the US it was only the drugs money being laundered that stopped the whole system going down the tubes prior to the government getting of it’s butt.

However even in normal times money laundering like off book public spending is usefull to governments because it enables them to apparently spend money they have not got (see what lies behind the Euro crisis)

And lets be honest about this crime is a major factor in any economy, and many governments turn a blind eye to it (tax evasion etc) provided they get some piece of the action in one form or another.

Johan Hoogenboezem July 25, 2011 8:03 AM

Ever read Kraken by China Mieville?
Fantasy fiction.
Squid as a god, tattoos that are alive, a different sort of London Underground, etc.
Really, really good if you like that sort of thing…

Richard Steven Hack July 25, 2011 8:46 AM

Clive: Yes, governments benefit a great deal from untraceable money. The CIA undoubtedly loves all the drug money they get their hands on which they can use for “black ops”. I believe that is one major reason we’re in Afghanistan – to recover the heroin trade the CIA lost when the Taliban took over the production and storing of heroin.

But it will be a long time before cash becomes worthless. As you note, there is too much “underground economy” (even such that is not particularly criminal, other than tax evasion, where money is paid “off the books”) for the states of the world to clean it up.

And the people who run those states have need for untraceable money as well. It’s like no one attacks Switzerland because every dictator needs his bank account to be safe there.

As in so much, the attempt will be made – and the attempt will fail.

Also, in your discussion, what you’re really discussing is not the traceability of money but the traceability of (above ground) transactions. What does it matter if a stolen bill is used for checkout at a supermarket the passer will never visit again? Are they really going to grab the security camera views to see who it was bought that bag of Lays Sour Cream and Cheddar Potato Chips? And how does that help them?

Serial numbers on diamonds are indeed a problem. So criminals buy industrial diamonds not so marked.

There are ways around anything. As you correctly note, it merely means the criminals have to get smarter.

It’s like Harry Harrison’s “The Stainless Steel Rat” series. His hero lives in the world you envision, where everything is locked down and everyone is forced to be honest – where a rat living in a world of steel and concrete has to become a “Stainless Steel Rat”.

And if and when such a world comes about here – well, then it’s time to destroy it. And with the same technology that can lock down a world, you can destroy that world.

Clive Robinson July 27, 2011 3:30 AM

OFF Topic,

@ Bruce,

It would appear that Randy Vickers has resigned without giving public reason,

However this has not stoped a number of people linking it to lulzSec activity (breaching CIA web site) and Anonymous (CTRL+ALT_BERNANKE).

As the UK’s Guardian online new site put’s it,

“Vickers’s resignation follows a number of online attacks on government websites including the Senate, the CIA and the FBI. William Lynn, the US deputy defence secretary revealed earlier this month that a foreign intelligence service had stolen up to 24,000 computer files from a Pentagon supplier in March – one of the largest successfu cyber-attacks on a US government agency.”

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.