Schneier on Security

Clive Robinson • July 24, 2011 9:08 AM

OFF Topic,

@ Bruce,

I don’t know if you’ve read this or not,

http://www.washingtonpost.com/opinions/a-crime-wave-in-cyberspace/2011/07/21/gIQAYfbIUI_story.html

It’s by “Noah Shachtman” and although I agree with the main thrust of the article that it’s Cyber-crime not Cyber-war we should be worrying about, his soloution of,

“That’s where the federal government could help. It could introduce new mechanisms to hold hosting companies liable for the damage done by their criminal clientele. It could allow ISPs to be held liable for their criminally connected hosts. It could encourage and regulate ISPs to share more information on the threats they find.”

Is actualy quite nieve, in that it takes an “american centric” view of a “global problem” and assumes that the solution can be found by “killing the messenger in the US” not the “enemy in any port of convenience”.

The way to deal with crime is to use one or more of the following,

1, Remove the profit from the crime.
2, Stop the money being moved/laundered
3, Increase the scope of intel/detection
4, Prosecute effectivly on the intel/detection.

Currently we only have some international legislation on 2, and the real lack of progress in 3&4 is why internet crime is so lucrative.

Although Noah did mention a method for 1&2, he forgot to mention the idea had been lifted lock stock and barrel from Brian Krebs.

Clive Robinson • July 24, 2011 10:58 PM

@ Nick P,

You’ve presented a lot to go through, however on aspect of censure that realy needs to come in before any censure on the ISP’s is US Banks.

The amount of money being stolen in the US out of small business accounts because the security systems the banks employ is on these accounts is laughable at best is eye watering.

If personal accounting can have a “personal liability threshold” of just a few dollars then small businesses likewise.

Most small businesses don’t have large or very variable payrolls, nor lists of suppliers, it should easily be possible to detect unusuall payments and get them “checked off” via an out of band channel prior to payment.

Many of these problems are caused by the banks selling as “ease and convenience” less secure methods than existing methods to cut the banks bottom line.

And that is the problem, cutting the bottom line is a race to the bottom where security is concerned.

Which ever way you do it security has a cost, and the best place for that cost is where economies of scale can be made and that is with the banks. Alowing the banks to “externalise the risk” is a sure fire way to nitro charge the race.

I’m not saying the banks should “not be alowed to externalise the cost” just the loss risk. Thus a bank could decide to (1) internalise the losses, (2) get insurance to cover the losses, (3) or take increased preventative measures via technical or other means. Which ever route they chose the bank will pass on the cost over the customer base creating a level playing field where customers can make rational choices of the features they want and at what cost over and above the minimum cost to mitigate the security risk.

One reason I’m against legislating against the ISP’s is it is like legislating against the Post Office or Telephone company or highways agencies for illegal business carried out by mail, phone or vehicle. It only takes a little thought to realise just what the cost is going to be to implement such a system, and how little it would actually return on the investment and importantly the compleate loss of privacy for individuals that would result.

For a concrete example look at the drugs trade and the cost of trying to stop drugs crossing the US border and how ineffective it is. Then look at the loss of privacy that has followed with the TSA.

Now imagine the direct cost of a DHS checkpoint on every 10,000 homes/business? Now try and figure the indirect costs…

It’s a non starter because we know from experiance the criminals would adapt faster than the technology can be realised. Most certainly faster than the ISP’s could deploy if, and without the slightest doubt faster the glacial speed of legislation. All it would do would be to create an arms race which would be won by the most agile side (the criminals) and would end by bankrupting the other side (the ISP’s), just as we are seeing with the DHS.

Clive Robinson • July 25, 2011 5:09 AM

@ Richard Steven Hack,

Thanks for the lengthy reply (we need a place for “off topic chats”).

With regards taking the profit out of crime there are a number of ways to do it. One of which is to destroy the target of crime either during the crime or shortly there after.

For instance cash truck theft has been reduced to quite managable levels in many places simply because the cash is kept in small boxes with ink cartridges in them that soak the notes befor the commiters of crime can stop it happening.

In times past governments frequently changed the design of bank notes forcing the old ones to be changed at banks, this stopped criminals hording large quantities of notes (this is something the US has always resisted doing because it gains significant economic advantage by not doing so).

Similarly in Northern Ireland a few yeas ago criminals related to a terrorist organisation pulled of a very very large raid that netted them millions. The government response was to make the notes worthless in a short time.

And this is the point “money is an exchangable token” and asside from coinage it all carries serial numbers, it has in of itself no real intrinsic value as most tokens of exchange don’t.

Thus money is intrinsicaly worthless and all traceable if people wanted it to be, it’s just that the cost of doing it with paper money untill fairly recently has been very high.

But that is rapidly changing and the cost is dropping very rapidly. For instance these newish unmaned checkouts and ticket machines that check notes for forgery can quickly and easily check the serial numbers on notes and save them against serial numbers of goods purchased (yes super markets in the UK have got to the point of putting serial numbers on packs of vegetables etc as it’s just as easy as putting the date and batch number on).

Thus within a few years paper money is going to be as traceable and revokeable as creditcard transactions and proceads of almost any form of transaction criminal or otherwise will be traceable back to a purchase and a traceable financial history.

And the governments are going to get this almost for free because the relentless quest of the marketing industry and stock control industry will do it for them and happily sell them the data.

Certainly within my lifetime and I suspect yours as well I expect everything to have a serial number including each egg in a box and each biscuit in a packet. Currently we can and do put serial numbers on other high value items such as diamonds and many luxury car parts so tracability just keeps getting easier by the day as a conciquence of “efficiency” and “liability”.

I’ve said in the past that RFID’s in our clothing will be used to link us back to the place of purchase and purchase record details including credit card numbers and will over time become a matter of targeted advertising as we are already begining to see with mobile phones.

We already know that there is software out there that can analyse telephone records to establish contact lists and thus identify people and groups (families, employers, clubs and associations even political leaning)

Doing the same for credit card and paper money transactions is not going to be that hard, and it will be done if people think they can sell product with it, and belive me they certainly will go there to see if they can.

Thus being able to revoke a ten dollar bill will become very very easy in a few years if the politico’s decide to do so. And the risk of that may well drive people into electronic transactions…

This means that crime will have to move up the chain and find some other method of moving the proceads of crime. Because as I’ve said above with diamonds other high value items will get serial numbers and thus tracability and thus effectivly worthless for crime.

This means money laundering in some way will become the only way that serious crime will pay.And some (if not all) Governments will allow money laundering to continue.

Why? well because at the end of the day governments like crime it’s good for the economy, and it can get them out of trouble. There is anecdotal evidence that when the banking crissis hit in the US it was only the drugs money being laundered that stopped the whole system going down the tubes prior to the government getting of it’s butt.

However even in normal times money laundering like off book public spending is usefull to governments because it enables them to apparently spend money they have not got (see what lies behind the Euro crisis)

And lets be honest about this crime is a major factor in any economy, and many governments turn a blind eye to it (tax evasion etc) provided they get some piece of the action in one form or another.