Comments

Natanael LOctober 17, 2011 8:18 AM

Not much new to me, but it's a good read.

For TLDNR'ers, some of the things to avoid is "quick money schemes" and sharing personal and financial details. As always. And don't just blindly agree to do tasks that seems strange.

(The CAPTCHA thing is quite interesting. How could you defend against that in a way that can be beaten with automation?)

paulOctober 17, 2011 9:00 AM

Is this article moving toward a new synthesis, or is it slapping a bunch of unrelated things under a fancy new buzzword? Black markets for stolen goods and criminal networks have been around for centuries if not millennia, and the whole "flash rob" thing sounds suspiciously like the "wilding" hype of the late 80s and early 90s.

The one newish bit would seem to the Mechanical Turk crowdsourcing of CAPTCHA information, which relies crucially on the ability to stitch data from many sources together in real time to make a web page. (Along those lines, convincing people to download software that attaches their computer to a botnet is arguably another form of crowdsourcing -- it's almost certainly the biggest application of distributed computing currently in operation.)

askme233October 17, 2011 9:33 AM

I'd love to see one of the Botnet runners try to make money "legally" by finding a way to sell the processing power of their net for real business or scientific purposes. I will bet they could make a lot more money analyzing data than they can pumping spam.

They would have to hide behind a front of some sort, but that doesn't seem hard.

Captain ObviousOctober 17, 2011 12:17 PM

I've seen a number of TV shows use the craigslist approach for surveilance DOS: "$20 to wear a t-shirt and mill around X"

Have this been observed in real life?

KazOctober 17, 2011 12:59 PM

@askme233

I really don't think so, with the latency of the Internet as well dedicated hardware vs the average outdated, I'm skeptical that would be plausible to successfully build a botnet for less effort(/cost) per computation achieved than investing in the hardware to rent out. That is ignoring the ethics completely. Could you really fool someone that is in the business of purchasing computations that they were not being sold time on a botnet?

I do I agree that it would be better for the world to use bots for good than evil, no institution would want to be the one known for stealing your CPU cycles.

Captain ObviousOctober 17, 2011 1:38 PM

@kaz, askme

Could McAfee AV be the $600 toilet seat?

When my CPU pegs for 3 days (of each week) it can't really be just scanning my puny HD...what better front to hide an 'authorized' botnet?

RHOctober 17, 2011 4:08 PM

A legitimate user of computer time expects to see uptime guarantees not applicable to botnets.

I actually had a business plan for farming out idle CPUs to corporations until I realized Intel had no desire to hand a PSpice model of its upcomming chip to some random person's computer to do simulations.

pfoggOctober 17, 2011 6:32 PM

The crowdsourcing of crime predates the coinage of the jargon term 'crowdsourcing', and the internet as well, doesn't it? Using Islamic fatwas to induce remote, third-party assassination attempts, for example.

MWOctober 17, 2011 8:01 PM

I remember the 'crowd of identically dressed individuals recruited from internet' trick being used in a movie or TV show ("Castle"?) to cover for a ransom pick up.

For the 'flash rob' method, there is a clear possibility for Police to use this to set up ambushes. I wonder if there is a way to do this without it counting as entrapment.

ThomasOctober 17, 2011 8:25 PM

re: FB-tagging 10,000 people in a single pic.

Today it's rioters, tomorrow it may be demonstrators in a legitimate peaceful protest, next week it's everyone, all the time.

The scariest part? It may not even be a government doing it.

Quis custodiet ipsos custodes?

Natanael LOctober 19, 2011 4:32 AM

There was this TV show were the bad guy hid among a group of employees. They were all locked into a large room to make sure the bad guy didn't get away.
They didn't know who he was or how to figure out who he was.
Then one of them referenced *another* TV show were they asked the people to gather with their closest friends in small groups - the bad guy were an outsider and would instantly stand out.
And so he did!

I think that counts as crowdsourcing. (I'd call it crowdsourced whitelists :)

R2D3October 19, 2011 1:54 PM

@ MW, Natanael L
This 'hiding in a crowd of identical looking people' was used in a 1970s/80 episode of M*A*S*H when, I think it was, Radar got an unauthorized nose-job and everyone in camp had their nose bandaged.

Sam PedsOctober 19, 2011 11:25 PM

As atrimpi observed On the Perception of the Valuation of Fungible Transactions,
published on MIT's delphi forums'elphic Thoughts Forum,
the intersections of any perceptual discontinuities can overcome security
as much as any criminal act.

Crowdsourcing for a crime may seek to gather as many discontiuous perceivers as are needed
in order to stitch together a whole arc of intent, of parti-tasks needed in order to accomplish the whole crime.
(Just like booking air fare and hotel rooms, together. "Wow factor.")
(http://forums.delphiforums.com/DelphicThoughts/messages/?msg=3.1)

Natanael LOctober 20, 2011 3:48 AM

I think that what Sam Peds writes won't make any sense to most of you, but here's how I'm interpreting what he said:

If you see something you think is impossible, you're likely to dismiss it without substantial evidence that it's true.

Also, if each observer only see one tiny part of a crime, they are unlikely to understand that a crime happened.

So the idea is that crimes are made somewhat complex (to prevent easy analysis, like steganography) and are split up in thousands of tiny tasks that each and every one blends in among the normal ones such that nobody who sees it will know what's going on even if they see it all, and if crime ever would be suspected it would be quickly dismissed because nobody understands it and thus they can not prove it.

Sam PedsOctober 20, 2011 9:12 PM

@ Nataniel L
Thank you for making it so clear.

I only want to add that the article said:
If they don't believe in it,
they won't see it.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..