How to Punish Cybercriminals

Interesting policy paper by Third Way: "To Catch a Hacker: Toward a comprehensive strategy to identify, pursue, and punish malicious cyber actors":

In this paper, we argue that the United States currently lacks a comprehensive overarching strategic approach to identify, stop and punish cyberattackers. We show that:

  • There is a burgeoning cybercrime wave: A rising and often unseen crime wave is mushrooming in America. There are approximately 300,000 reported malicious cyber incidents per year, including up to 194,000 that could credibly be called individual or system-wide breaches or attempted breaches. This is likely a vast undercount since many victims don't report break-ins to begin with. Attacks cost the US economy anywhere from $57 billion to $109 billion annually and these costs are increasing.

  • There is a stunning cyber enforcement gap: Our analysis of publicly available data shows that cybercriminals can operate with near impunity compared to their real-world counterparts. We estimate that cyber enforcement efforts are so scattered that less than 1% of malicious cyber incidents see an enforcement action taken against the attackers.

  • There is no comprehensive US cyber enforcement strategy aimed at the human attacker: Despite the recent release of a National Cyber Strategy, the United States still lacks a comprehensive strategic approach to how it identifies, pursues, and punishes malicious human cyberattackers and the organizations and countries often behind them. We believe that the United States is as far from this human attacker strategy as the nation was toward a strategic approach to countering terrorism in the weeks and months before 9/11.

In order to close the cyber enforcement gap, we argue for a comprehensive enforcement strategy that makes a fundamental rebalance in US cybersecurity policies: from a heavy focus on building better cyber defenses against intrusion to also waging a more robust effort at going after human attackers. We call for ten US policy actions that could form the contours of a comprehensive enforcement strategy to better identify, pursue and bring to justice malicious cyber actors that include building up law enforcement, enhancing diplomatic efforts, and developing a measurable strategic plan to do so.

Posted on November 2, 2018 at 6:01 AM • 39 Comments

Comments

Mike Acker • November 2, 2018 6:29 AM

I think those who slam out products that are weak on security bear just as much responsibility as the "hackers" who leverage weak software/firmware, and, perhaps, "backdoors" that bypass logons and encryption.

Addressing product liability won't be easy. To start we should take care to observe that "solutions" are built using many tool sets: the O/S, the compilers and libraries, the product itself, as well as the various network services.

The solution then ought to focus on assigning responsibility for quality in a limited manner: everyone in the chain plays a part and is responsible for that part of the work over which he has control.

I.e. I check the SHA256 value for my O/S as well as the signatures for those values. I do the same for the compiler and library that I will use. I'm responsible for doing these checks.

And finally I'm responsible for the code I develop and test.

Use PGP signatures.
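
The checksum step in the comment above, as an added example that is not part of the original post or comment: it parses a `sha256sum`-format manifest (SHA256SUMS) and checks every listed file in a directory, reporting OK, MISMATCH or MISSING. The file names and contents in `demo()` are constructed; verifying the PGP signature over the manifest itself (the "signatures for those values") is a separate `gpg --verify` step that is deliberately not reimplemented here. Tolerating `#` comment lines in the manifest is an assumption of this example, not part of the `sha256sum` format.

```python
"""Check downloaded build inputs against a SHA256SUMS-style manifest.

Added example, not code from the original post. It performs the SHA256
check described above; verifying the PGP signature on the manifest
(e.g. `gpg --verify SHA256SUMS.sig SHA256SUMS`) is a separate step that is
not reimplemented here. Comment lines starting with '#' are tolerated as an
assumption of this example; plain `sha256sum` output does not contain them.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # stream files in 1 MiB pieces so a large ISO is never loaded whole
HEXDIGITS = set("0123456789abcdefABCDEF")


def sha256_file(path):
    """Hex SHA-256 of a file, computed in a streaming fashion."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse `sha256sum` output: '<hex>  <name>' (text) or '<hex> *<name>' (binary).

    Returns {name: lowercase_hex}. Malformed or duplicate lines raise instead of
    being skipped: a manifest that only mostly parses should not be trusted.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        digest, name = parts
        if name.startswith("*"):          # '*' is sha256sum's binary-mode marker
            name = name[1:]
        if len(digest) != 64 or not set(digest) <= HEXDIGITS:
            raise ValueError(f"line {lineno}: not a SHA-256 hex digest {digest!r}")
        if name in entries:
            raise ValueError(f"line {lineno}: duplicate entry for {name!r}")
        entries[name] = digest.lower()
    return entries


def verify_manifest(manifest_text, directory):
    """Return {name: 'OK' | 'MISMATCH' | 'MISSING'} for every manifest entry.

    Files on disk that the manifest does not mention are not reported: the
    manifest is the source of truth for what you intended to download.
    """
    results = {}
    for name, expected in parse_sha256sums(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = sha256_file(path)
        # Digests of public files are not secret, but using compare_digest
        # everywhere means never having to decide which comparison is sensitive.
        results[name] = "OK" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results


def demo():
    """Constructed sample: two intact files, one tampered file, one missing file."""
    with tempfile.TemporaryDirectory() as d:
        intact = {"compiler.tar.xz": b"stand-in for a compiler tarball",
                  "libfoo.so": b"stand-in for a shared library"}
        for name, data in intact.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        with open(os.path.join(d, "os.iso"), "wb") as f:   # altered after signing
            f.write(b"contents that differ from what the manifest was computed over")
        manifest = "\n".join([
            f"{hashlib.sha256(intact['compiler.tar.xz']).hexdigest()}  compiler.tar.xz",
            f"{hashlib.sha256(intact['libfoo.so']).hexdigest()} *libfoo.so",
            f"{hashlib.sha256(b'original iso contents').hexdigest()}  os.iso",
            f"{'0' * 64}  missing.bin",
        ])
        return verify_manifest(manifest, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9s} {name}")
```

The point of failing hard on malformed lines, rather than skipping them the way a lenient parser would, is that an attacker who can edit the manifest but not forge its signature gains nothing from a line the verifier quietly ignores; everything listed either matches or the build stops.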

TheInformedOne • November 2, 2018 7:18 AM

Inside America's secret spy agencies I think this type of comprehensive strategy has existed and been practiced for many decades. However for the regular government police and enforcement agencies (and the rest of us) I believe this article is spot-on. Why is it that you always hear about Russian and Chinese sponsored bad actors hacking U.S. entities and never the other way around? Because the U.S. spy agency hackers are so good that they conduct attacks "through" the bad actors (like an invisible proxy) without their knowledge or consent. Think about it. If it quacks like a duck.......

wiredog • November 2, 2018 7:49 AM

@TheInformedOne
"Inside America's secret spy agencies I think this type of comprehensive strategy has existed and been practiced for many decades."

Yeah, that's why Edward Snowden was shut down before he could do any damage, and is currently serving 10 consecutive life terms in solitary in Marion.

Faustus • November 2, 2018 8:59 AM

It's hard not to notice that "Third Way" is just repackaging the same old Democrats and friends (Clinton and Tony Blair) as some sort of change. They offend me by presuming me an idiot. I see you in there, same old corrupt democrats! Now the fake traditionalist and fake moralist Republicans can start a "Fourth Way" and all of politics will have new branding. Progress!!

We have worldwide surveillance. I assume it could find the hackers if they gave a crap. But, of those that aren't state sanctioned, 99% of them are probably 15 year olds in their parents' basements. They are teaching themselves to dismantle 1984 and I'm happy they are there.

As it is, I suggest that if we were seriously concerned about hacking we would lock the front door. This is just another trojan horse for more control and surveillance of the general populace and not letting you do dangerous things like burning DVDs and fixing your broken iPhone. https://en.wikipedia.org/wiki/Electronics_right_to_repair

If we really want to punish the criminals, they are easily found sitting in Congress, White House, and state and local governments. Oh, and Joe Arpaio, let's arrest him first and put him in a pink jumpsuit in a tent in the middle of a sewer.

Has anybody on this list ever been seriously hacked?

I don't mean data theft. Our data has already been stolen under color of law by our equivalent to the Chinese Social Credit System, the Credit Reporting Agencies. I find it hilarious that we tut tut the Chinese when we are doing exactly the same thing.

Attacks on security companies? Security companies with worse security practices than my grandmother are not really security companies are they? They are frauds. I think that is the point.

Boy, did I wake up grumpy this morning! Sorry Sheriff Joe! But I am not leaving you alone with my children.

de la Boetie • November 2, 2018 9:09 AM

A lot of problems with this:-

a) stop blaming the victims? while the ultimate victims may be blameless, the corporations/departments involved are negligent in my opinion (e.g. Wannacry). Until CEOs and politicians are personally meaningfully sanctioned, there is no proper incentive to do even basic security and privacy hygiene. So I do blame the organisations involved, yes indeed.

b) perhaps giving up on the assaults on encryption and privacy and intentionally weakening systems would be a really good idea.

c) LE want MORE budget? How about giving up the unproductive and undemocratic mass surveillance and concentrate on the essentials, within the budget you have.

d) There is no good basis for lawful LE across national borders, and the US has done a lot to peeve both its allies and enemies into not cooperating. It will be very dangerous to abandon the rule of law at this point.

Faustus • November 2, 2018 9:19 AM

P.S.

Boy, this looks like a consulting sales presentation. Somebody is on the way to a big payday out of our pockets.

If we just required routers and other devices not to be shipped with identical default passwords, and to not continue to operate if the passwords were not updated to something reasonable, and for administration always to go over https or some other encrypted channel with a real certificate from a recognized authority, and for default security settings to be conservative, we would successfully fight much more hacking, which relies on using such devices as proxies to hide their trails and store their malware.

But what's that point? Who'd make money? Who'd pay the politicians?

echo • November 2, 2018 9:49 AM

In order to close the cyber enforcement gap, we argue for a comprehensive enforcement strategy that makes a fundamental rebalance in US cybersecurity policies: from a heavy focus on building better cyber defenses against intrusion to also waging a more robust effort at going after human attackers.


Secure systems leave any attacker flailing away at a keyboard and acquiring a vitamin D deficiency. I don't see the need to divert resources to "sending a posse". Has anyone actually thought of picking up the phone and asking the other side what is going on? You never know, they may be more surprised than you.

Ganzel • November 2, 2018 10:03 AM

yes, this referenced paper is full of empty rhetoric and cliches. it is of no value to readers

Winter • November 2, 2018 10:11 AM

In order to close the cyber enforcement gap, we argue for a comprehensive enforcement strategy that makes a fundamental rebalance in US cybersecurity policies: from a heavy focus on building better cyber defenses against intrusion to also waging a more robust effort at going after human attackers.

The intentional imbalance between defense and offense which is sustained by most of the powerful players in the field, e.g., the TLAs of all countries, is the prime cause of these problems.

Until this imbalance is corrected, i.e., serious efforts for defensive capabilities are developed, nothing will help.

Doc • November 2, 2018 10:33 AM

"...the United States currently lacks a comprehensive overarching strategic approach to identify, stop and punish cyberattackers." One can substitute nearly any criminal activity for "cyberattackers" and the statement still rings true. There are a whole range of violent crimes the perpetrators of which largely go unprosecuted and unpunished. Sending these criminals to the US prison system is sending them to a fraternity (or sorority) of their peers and friends. Instead, they should be anesthetized, carved up into recyclable donor organs and allowed to become useful parts of society again. If it's OK for Planned Parenthood to do this with innocent unborn children, why can't the Govt do it with convicted criminals? The crime would cease in days. After all, post death penalty recidivism is precisely -zero-.

Faustus • November 2, 2018 10:50 AM

@Doc

I hope you are not really a doctor. I really hope you are not MY doctor.

Crime rates have been dropping for 20 years. https://en.wikipedia.org/wiki/Crime_in_the_United_States
All these scare tactics are not in the interest of people in general, but policing for money and authoritarianism and racism in general.

Beyond that: Why don't we kill criminals? Because we have a horrible record of convicting innocent people and focusing our policing based on our racism, that's why. https://www.washingtonpost.com/opinions/the-cost-of-convicting-the-innocent/2015/07/24/260fc3a2-1aae-11e5-93b7-5eddc056ad8a_story.html
Assuming criminals are killing innocent people, we don't need the government doing it too.

Doc, please move to the Philippines. I'll say good bye now.

Wilkerson Walkerson • November 2, 2018 11:05 AM

> comprehensive enforcement strategy

It is not possible to make the enforcement strategy to work before the rest of the world is subjugated under the American law.

One Imperium. One law.

Petre Peter • November 2, 2018 11:09 AM

I am glad they are mentioning a Digital Geneva Convention. International collaboration is coming.

Timothy • November 2, 2018 11:19 AM

Third Way published their “Third Way Cyber Enforcement Initiative” in a three part series:

  • Report “To Catch a Hacker” 1 hour, 3 minute read
  • Memo “Announcing the Third Way Cyber Enforcement Initiative” 9 minute read
  • Advisory Board “Third Way Cyber Enforcement Initiative Advisory Board” 3 minute read

There are PDFs available:

The Memo outlines a 3-part strategy:

‘Change the Mindset’… Like this pre-9/11 state, the government agencies that work on prosecuting and sanctioning cyberattacker(s) have largely worked within the bureaucratic status quo, not thinking strategically about how to improve the government’s ability to bring multiple agencies together in cooperation to identify, stop, and punish attackers…

‘Assess Our Capabilities’ … Not only do we need to measure the rate of enforcement, but also to assess the training, workforce management, organization, international cooperation and capacity building, and regulatory incentives and disincentives to effective enforcement.…

‘Develop and Promote Policies’ … Through these policy changes, we aim to rebalance America’s approach to cybersecurity to one that puts America’s law enforcement and diplomats at the forefront not just the military…

There are 14 people listed on the “Third Way Cyber Enforcement Initiative Advisory Board” including: Rajesh De, Orin Kerr, Christopher Painter, Ari Schwartz, and Benjamin Wittes

albert • November 2, 2018 11:30 AM

Unfortunately, the suggestions by the authors have little or no chance of being implemented. The US gov't has had many years to work on these problems. Where are the solutions? Where is the regulation? Where are the laws forcing manufacturers, businesses, and users to follow good security procedures?

They're nowhere, man.

It'll be interesting to see the upper limit of financial losses required to do something about the situation.

. .. . .. --- ....

Genie • November 2, 2018 11:37 AM

You need to take things in context. People do not live an honest upstanding law-abiding life and suddenly become criminals when they get in front of a computer.

Some guy gets arrested on some vague criminal charge. Oh, by the way, just throw in a count or two of possession of child pornography on his computer or something like that.

It's a guy charge. Either the guy's innocent or he's been molesting children in real life all along. They have no hope of proving the latter in court, so they just file a "possession" charge of some kind or another with an automatic statutory presumption of male guilt because of the guy's DNA. Might even be possession of a firearm or something like that in real life, because controlled substances are fully legal to possess and put in others' food and drink nowadays.

Of course it's usually a substitute charge for some sort of perceived copyright violation which for some reason or another cannot be proven on its own merits in court, but it's definitely a felony and the guy's definitely guilty of it no matter what.

Faustus • November 2, 2018 12:36 PM

@Timothy

It appears you are in the industry. At least you provide a nice concise summary and backup for what you say. And at least you provided support to my side once! );-)

Seriously, I realize a lot of the members make their living flogging lost horse posses that would be seriously less in demand if the barn door were closed, but this is serious. It's the same security theater with 10 times the Orwellian edge.

Fighting what? Who on this list has actually been hacked? If so, did you do something really stupid that allowed it?

It is like installing SWAT teams on every corner to fight a rash of bank robberies that could be much more easily foiled if the banks didn't leave bags of cash outside their doors.

Corporations and individuals egregiously ignore security and we all need to pay in dollars and less rights? What an absolute scam!!

Timothy • November 2, 2018 1:28 PM

@Faustus

Fighting what? Who on this list has actually been hacked? If so, did you do something really stupid that allowed it?

My response preempts a thorough reading of the report, but a few statistics from the report seem relevant:

page 3: Only 3 in 1,000 cyber incidents see an arrest. By comparison, the clearance rate for property crimes was approximately 18% and for violent crimes 46%, according to the Federal Bureau of Investigation’s (FBI) Uniform Crime Report (UCR) for 2016.
page 4: There’s a rising and often unseen crime wave happening in America. The FBI received 298,728 self-reported cybercrime complaints in the United States in the year 2016 alone through its Internet Crime Complaint Center (IC3).
page 7: Third Way’s analysis estimates that the enforcement rate for reported incidents of the IC3 database is 0.3%. Taking into account that cybercrime victims often do not report cases, the effective enforcement rate estimate may be closer to 0.05%.

During a March 2018 hearing titled “After the Breach: The Monetization and Illicit Use of Stolen Data” Dr. James Lewis testified that a healthy society can manage a certain amount of crime, around 0.5% to 1.5% of national income, without being dramatically burdened. However, the exact costs can be difficult to determine as many losses aren’t reported or are difficult to quantify. He suggests that it may be important for government to intervene to help set the standards for effectively calculating these costs.

Maybe you can help me better understand where you agree and/or disagree with the policy recommendations from the report?

Impossibly Stupid • November 2, 2018 1:38 PM

@Wilkerson Walkerson

It is not possible to make the enforcement strategy to work before the rest of the world is subjugated under the American law.

That's simply not true. When it comes to a secure Internet, everyone already controls their own borders; the problem is that they don't care about the criminal elements that don't affect them.

China is the prime example of this. They supposedly have their "Great Firewall", but every day I see attacks coming from Chinese IPs on my servers. Nobody inside China cares about those kinds of criminals, or they'd block that kind of outgoing traffic. Nobody in my country cares, either, or they'd null route the abusive networks. Nobody who does IP allocations cares, despite there being a shortage of IPv4 addresses, because there's never any talk of taking ranges away from people who weaponize the Internet.

So it's not an issue of "American law", or any individual country's sovereignty. It's completely subsumed under the umbrella of a general disinterest in policing cybercriminals, likely because (as we see with so many issues) those with the power to make changes are often also engaging in those same activities.

Genie • November 2, 2018 1:52 PM

The cause of an economic great depression is always the same.

An overwhelming wave of organized crime that attracts the support and cooperation of the general population in exchange for a certain measure of "protection" against an endemic hyper-aggressive, self-serving, careless, and wanton law enforcement culture.

Impossibly Stupid • November 2, 2018 1:58 PM

@Faustus

Seriously, I realize a lot of the members make their living flogging lost horse posses that would be seriously less in demand if the barn door were closed

I got my fill of this when I was heavily involved in the anti-spam community 15 years ago. Absolutely nobody was willing to do anything that actually solved the problem, and so most people are still stuck with a system that is both resource intensive and yet ineffective.

Fighting what? Who on this list has actually been hacked? If so, did you do something really stupid that allowed it?

There's no need to wait until you're compromised before you begin to address the problem. Anyone who has an Internet-facing computer can look through their logs and find that they're under constant attack. That is the root issue that needs to be addressed first. You don't blame the victim when criminals are allowed to freely roam the neighborhood.
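
The log review and null-routing the two Impossibly Stupid comments above describe, as an added example (not code from the commenter): it counts failed SSH logins per source address in sshd log lines, aggregates them by /24 (or /64), and prints `ip route add blackhole` commands for the sources that cross a threshold. The log lines are constructed (documentation address ranges), the thresholds and the aggregation prefixes are this example's own choices, and the script prints commands for a human to review rather than changing the routing table itself.

```python
"""Count failed SSH logins per source and propose null routes for abusers.

Added example, not from the original comment. The log lines are constructed
(OpenSSH's "Failed password" format, RFC 5737/3849 documentation addresses)
and the thresholds are this example's own. It prints commands to review; it
does not touch the routing table.
"""
import ipaddress
import re
from collections import Counter

# OpenSSH: "sshd[pid]: Failed password for [invalid user] NAME from IP port N ssh2".
# The user part is greedy and the tail is anchored to end of line, so an
# attacker-chosen username containing " from 9.9.9.9 port 1 ssh2" cannot make
# the parser attribute the attempt to a forged address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey|none) for (?:invalid user )?"
    r"(?P<user>.+) from (?P<ip>[0-9a-fA-F.:]+) port \d+ ssh2(?::.*)?$"
)

SAMPLE_LOG = """\
Nov  2 06:01:12 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Nov  2 06:01:14 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Nov  2 06:01:15 host sshd[1205]: Failed password for root from 203.0.113.9 port 40210 ssh2
Nov  2 06:01:16 host sshd[1207]: Failed password for invalid user oracle from 203.0.113.9 port 40212 ssh2
Nov  2 06:01:20 host sshd[1209]: Failed password for invalid user test from 203.0.113.40 port 33000 ssh2
Nov  2 06:02:01 host sshd[1211]: Accepted publickey for alice from 198.51.100.5 port 50000 ssh2: ED25519 SHA256:abc
Nov  2 06:02:05 host sshd[1213]: Failed password for alice from 198.51.100.5 port 50002 ssh2
Nov  2 06:03:33 host sshd[1215]: Failed password for invalid user pi from 2001:db8::1 port 42000 ssh2
Nov  2 06:03:34 host sshd[1216]: Failed password for invalid user pi from 2001:db8::1 port 42001 ssh2
Nov  2 06:03:35 host sshd[1217]: Failed password for invalid user pi from 2001:db8::1 port 42002 ssh2
"""


def _enclosing(ip, v4_prefix=24, v6_prefix=64):
    """The aggregation prefix a source address belongs to (/24 or /64 assumed)."""
    plen = v4_prefix if ip.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def failures_by_source(log_text):
    """Counter of failed logins keyed by source address object."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[ipaddress.ip_address(m.group("ip"))] += 1
    return counts


def blackhole_candidates(log_text, host_threshold=3, net_threshold=5,
                         allowlist=("198.51.100.0/24",)):
    """Return `ip route add blackhole ...` commands for sources worth null routing.

    Rules (this example's, not a standard):
      * a /24 (or /64) with >= net_threshold failures from >= 2 hosts is
        blackholed whole and covers the hosts inside it;
      * otherwise a single host with >= host_threshold failures is blackholed;
      * anything inside the allowlist (your own ranges) is never proposed.
    """
    allow = [ipaddress.ip_network(a) for a in allowlist]

    def allowed(net):
        return any(net.version == a.version and net.subnet_of(a) for a in allow)

    by_ip = failures_by_source(log_text)
    net_failures, net_hosts = Counter(), Counter()
    for ip, n in by_ip.items():
        net = _enclosing(ip)
        net_failures[net] += n
        net_hosts[net] += 1

    proposed = [net for net, n in net_failures.items()
                if n >= net_threshold and net_hosts[net] >= 2 and not allowed(net)]
    covered = set(proposed)
    for ip, n in by_ip.items():
        host = ipaddress.ip_network(str(ip))   # /32 or /128
        if n >= host_threshold and _enclosing(ip) not in covered and not allowed(host):
            proposed.append(host)

    # Sort v4 before v6, then by address; mixed-version networks do not compare directly.
    proposed.sort(key=lambda p: (p.version, p.network_address.packed, p.prefixlen))
    return [f"ip {'-6 ' if p.version == 6 else ''}route add blackhole {p.with_prefixlen}"
            for p in proposed]


if __name__ == "__main__":
    for ip, n in failures_by_source(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {ip}")
    print("\n".join(blackhole_candidates(SAMPLE_LOG)))
```

On the constructed input this proposes a blackhole for the whole 203.0.113.0/24 (five failures spread over three hosts) and for the single IPv6 host, while the one failed attempt from the allowlisted 198.51.100.0/24 is ignored. In practice the allowlist should contain every range you administer from, since a typo in your own password is otherwise enough to lock yourself out.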

Faustus • November 2, 2018 2:46 PM

@Timothy

I disagree that we need to further grow the security state. Nothing significant is happening. Almost every system has multiple levels of security. Who cares who is knocking on my firewall if they can't get in? Inside my firewall there are more firewalls. Every byte on my networks is tracked. Nothing penetrates. The loss of data comes from applications I allow in that are legally allowed to steal as much information as they can get. I watch it leave. A disturbing amount of information leaves unencrypted.

But nobody is seriously looking at this. Bad for business. No we must search for Communists, no I mean terrorists, no I mean hackers, whatever the scare of the day is. Successful infiltration is state sponsored, and not something the police can address. Putting police in my underwear is not going to make any difference except to make a lot of money and affect my privacy and maybe put a ton of young people in jail for simply screwing around.

You yourself admit that you have little real support for the idea that there are burgeoning security threats. Sure I watch my internet facing router and watch scans bounce harmlessly off it. Sure I get about a hundred phishing emails a day that are totally safe because I don't open them except to put them in a sandbox and watch their shenanigans. If I counted them all as attacks I'd get a very big number that means nothing.

In 25 years of working with internet based computers en masse I have never once been successfully attacked in any way that had enough effect that I could notice. And I am looking.

We have learned that many companies in the DDOS protection business were also running DDOS services. The best malware is written by security industry contractors. It is silly to feed this ouroboros indefinitely.

I provide security services. I support the industry. But I don't support giving the industry and authoritarians perverse incentives to make the problem worse.

We see through security theater really well when it comes to x-ray machines at airports. When it comes to our services, not so much I guess.

I don't feel well today and I am particularly strident. I am an innocuous wealthy person who is never going to end up on the wrong side of a gun or a jail sentence. I am just discouraged to read this here.

I am also older. I won't see the worst fruits of our authoritarian leanings. But, to take a page from the security theater handbook:

"Think about THE CHILDREN"....

Faustus • November 2, 2018 3:03 PM

@Impossibly Stupid

I really don't like that I have to insult you to address you.

I've answered some of your points above. In summary, I don't believe that we should blanket the streets with police because people don't bother to close their front door.

How many of these "attacks" you observed actually caused you any harm?

Are people afraid to admit they've been had or has nobody actually been successfully hacked here?

If everyone left their wallet in the streets there would be an increase in crime. Do you really think that the ROOT of that occurrence is lack of policing?

Clive Robinson • November 2, 2018 5:54 PM

@ Faustus,

Are people afraid to admit they've been had or has nobody actually been successfully hacked here?

Yes where I've had control I've been hacked, but only in the tar pit I'd set up, to test bits of instrumentation kit I was developing.

All of my personal machines are not connected to the Internet, and I have a number of self designed data diodes, sluices, pumps, protocol converters, and instrumentation via microcontrollers and *nix boxes to get untrusted data into a trusted state prior to then getting it into a DMZ network where it can be prepped for "energy gap" crossing.

However in the past where I've not had control I've had problems with work computers... Where I took steps to harden those I used I sometimes got told it did not fit in "organisational policy"...

Policies that were set up for ease of admin and internal software developers who had "Must have holes punched through for the latest tech nonsense to look good on a C.V.". In such places security came a very long way down the priority list about the same place as getting stickers that said "Numbnuts Inside".

One of the things I ask for when acting in a consultant role is "The business case for each computer connected to the Internet" most places don't have one, and even when pushed they usually can not make one that has any real business validity...

And that's one of the primary reasons we have computer crime, because computers that are not sufficiently "locked down" are visible on the Internet like pigeon holes on a dove-cot.

Faustus • November 2, 2018 6:18 PM

@ Clive

It doesn't sound like you suffered any real loss in your "attack".

You did all you could do re the Work Computers. People abuse them.

Now that it is set up, is your secure network convenient or inconvenient to use day by day?

Impossibly Stupid • November 2, 2018 10:21 PM

@Faustus

I really don't like that I have to insult you to address you.

I won't bother going in to the origin story here, but my moniker is not intended to insult anyone.

How many of these "attacks" you observed actually caused you any harm?

All of them would have harmed me if I had not used my resources to secure myself (the cost of which represents a type of theft in its own right). Again, you need to stop blaming the wrong parties. The problem remains the intent of the attacker, not the actions of their victims. If someone runs at you with a knife screaming "I'm going to kill you!", everything's not cool if they trip and fall just before they were able to harm you at that instant.

If everyone left their wallet in the streets there would be an increase in crime. Do you really think that the ROOT of that occurrence is lack of policing?

Yes. The problem isn't the wallets, it's the elements in society that would rather take them than return them to their owners. I might argue in that case that maybe a better approach is a civics class, but the fact remains that the availability of the wallet is not the crime. An unlocked house doesn't entitle you to everything inside. A short skirt and high heels don't mean a woman is "asking for it". That is an inherently flawed way of thinking.

echo • November 2, 2018 11:26 PM

@albert

It'll be interesting to see the upper limit of financial losses required to do something about the situation.

Foreign companies can be sued in UK courts. The EU is beginning to develop a taste for getting ahead of the problem because the EU within reason can set how much it wants to collect as a fief. All of this highlights the weakness of "exceptionalism". Exceptionalists forget it takes two to tango.

@faustus

I provide security services. I support the industry. But I don't support giving the industry and authoritarians perverse incentives to make the problem worse.

We see through security theater really well when it comes to x-ray machines at airports. When it comes to our services, no so much I guess.

I don't feel well today and I am particularly strident. I am an innocuous wealthy person who is never going to end up on the wrong side of a gun or a jail sentence. I am just discouraged to read this here.

I am also older. I won't see the worst fruits of our authoritarian leanings. But, to take a page from the security theater handbook:

My specialities and skillsets and life situation are altogether different. I have now obtained hardcopy evidence off the "managing partner" of a lawyers where he fired off like a self-entitled blowhard, ignored every law governing corporate conduct, and was extremely unprofessional. At the back of my mind before I contacted this lawyers I had suspicions. The trick is to obtain confirmation without tipping someone off they are being "verified".

In the past five years I have taken out a cabinet minister and a whole layer of management in a state organisation. Unfortunately for this "managing partner" he is now at the top of my target list. More to follow...

"Think about THE CHILDREN"....

I may be returning to this in the squid topic.

@Clive

My security is Swiss cheese. I may be lucky I haven't been hacked in a noticeable way. I'm personally more concerned with my narrative being hacked by officials when within a bureaucratic regime. There is nothing more dangerous than a thin skinned petty minded inadequate with a pen. I believe cyberwar and kinetic action are merely symptoms of this.

Timothy • November 3, 2018 12:58 AM

@Faustus

Am I understanding you correctly to say that you believe setting up the system to ‘catch the hackers’ would grant excessive permissioned access to personal data and that it would still not address more institutionalized forms of data abuse?

What are your thoughts on Third Way's recommendations #5 thru #7 with their focus on international cooperation? Do you feel that those initiatives have the potential to add any net-positive value with fewer of the risks you addressed?

As a quick summary, policy recommendation #5 advocates for an ambassador-level cyber coordinator at the State Department, and strengthened alliances with international organizations like the UN, G7, and NATO. Recommendation #6 proposes expanding and streamlining diplomacy mechanisms with other countries with tools like mutual legal assistance treaties (MLATs) and mutual legal assistance agreements (MLAAs) that formalize criminal justice cooperation. Finally, recommendation #7 suggests supporting efforts to “build the capacity of other countries on cybercrime investigations, while ensuring cybercrime and cybersecurity efforts are not used to suppress civil liberties and human rights.”

Was the balance point raised in recommendation #7 similar to one of the concerns you mentioned, specifically that advanced attribution and investigative arrangements may not be appropriately implemented under all regimes?

Faustus • November 3, 2018 8:29 AM

@Timothy

I don't buy the whole narrative. Isn't that clear? Some international cooperation window dressing doesn't mean anything. Provisions like "consistent with human rights" and "not involving egregious violators of human rights" have little to no impact in actual implementation.

We have an enormous amount of people in jail already. We have militarized police already. We have tons of international cooperation in extreme rendition, black sites, torture, and getting our partners to violate the civil liberties of our own people for us.

The people who are your answer to the problem, the police and intelligence services and security contractors, are the source of the most dangerous aspects of the problem, not the solution. Not that they are bad intentioned, but they are on a juggernaut of creating problems and then executing extreme reactions to the problems they created, creating new problems to address.

I, personally, say "Enough!"

Faustus • November 3, 2018 9:54 AM

@Impossibly

It sounds like you might be in law enforcement. When I was in consulting I never saw a problem that didn't need my services. I'm sure other professions see the world in a parallel manner. It's adaptive.

I don't hate anyone. Although I wouldn't let the worst criminals roam free, and I particularly dislike gangs of bullies, I don't think anybody deserves the hell we make of prisons. I don't buy the bad guy narrative. Some people have mental deficits that don't allow them to feel for others. Other people have been traumatized or grew up in environments with bad models. They may be criminal, but they remain human, and do not lie outside the circle of my concern.

We all enjoy watching movies with criminal heroes as long as we detect some sort of heart of gold. Part of us clearly appreciates the vitality they show in their almost always self-destructive confrontation with ordered society.

I think an overly ordered society saps vitality. I think people not having to watch their own backs makes them weak and subject to predators in sheep's clothing.

If we had been able to fully enforce laws in the past we would have exterminated all LGBTQ people before we realized that they were ok, as one example. Free speech was once illegal. Helping escaped slaves was. Being Protestant. Being Catholic. Being Jewish.
Anti-hacking laws are right now being used to silence activists like Barrett Brown.

Some level of crime is the entropy that drives our evolutionary society.

Clive Robinson • November 3, 2018 11:43 AM

@ Faustus,

It doesn't sound like you suffered any real loss in your "attack".

Only the "scrap value" of already second hand equipment. The purpose was similar but not the same as a Honeynet. I was developing instrumentation to detect certain types of normally ignored hacking.

One of the problems the Honeynet people had was using VMs to fake a network on an individual machine. The problem with that is they all use a common clock, so there is no drift between them. This lack of drift can be detected remotely by what looks like the simplest and most brain dead "script kiddy wannabe". Which is why the Honeynet people were --and still may be-- ignoring it.

From a skilled attacker's perspective zero network timestamp drift due to all "hosts" using the same clock is indicative of a faux network hosted on a single hardware instance. Thus most likely a trap. So from a skilled attacker's perspective why waste a precious zero-day on such a network?

Since then I've discovered other ways to detect such VM Honeynet networks, with what look like useless brain dead attacks. And let's be honest, if I can do it so can others, a point that appears lost on quite a few people.

Thus for sophisticated attackers you have to develop different tactics. As I've pointed out a few times "air-gaps" are insufficient these days, you need "energy gapping" if you have things you really want to protect.

However a "full gap" has disadvantages such that it in effect becomes a "static generator". That is you don't upgrade the software or hardware and you only ever export not import data, often in the form of a print out or fully disposable media.

The reality of life is you have to "upgrade and import" (U&I) otherwise what you "export" becomes quickly "stale" in a number of ways. Thus you need to accept certain levels of U&I risk and hopefully nullify them by various mitigation techniques.

One such way is to have a bridge that is a highly instrumented choke point. Most people are aware of what a proper hardware data diode can do for them in terms of stopping ingress, but not as many are really aware of just how much data can pass out through the diode unless you jog them into actually thinking about it. That is if you have malware or similar in your protected node that got there via any one of a number of "air-gap crossing" methods then the diode alone is of little use. You need other mitigations as well. The first of which is to convert all egress data into a simple and well defined protocol that is easy to check in many ways. You then design your instrumentation to work with that protocol and ensure it complies.

Yes you lose quite a bit of the mainly cosmetic "richness" but in most cases that can be put back with ease.

To see why, there is little to stop you typing up the raw text of a document in "note pad"; it won't get spell checked and it won't have bells and whistles formatting.

However there is nothing to stop you signifying a paragraph break with a double CR_LF or a page break with a triple CR_LF or similar. A look at the history of the "WordStar" file format[1] will tell you just how rich that can get. Alternatively you can use a stripped down version of RTF to do formatting, or a stripped down early version of HTML (a subset of v3 gives sufficient formatting but can give rise to covert channels[2]).

The point is you can export this to an insecure machine where you can pull it into any modern Word Pro to convert it to the formats people want. You can also use CSV format for spreadsheet, database and other structured record programs. The point being they are all 7bit printing ASCII without any control chars other than for EOL and EOF. Which makes checking them a lot easier, not just at the low level but higher levels. Whilst it does not stop all potential covert channels it can make life extremely difficult for an attacker.

Also if you have to import data, if it's in one of the base 7bit ASCII formats such as CSV there are ways you can modify them such that trying to put malware in is at best difficult for an attacker.

Even images can be converted into other safer formats.

Developing ways to do this, as well as instrumenting the various stages, helps ensure that even if nasties do get in, unless specifically tailored for your bespoke environment, they will get flagged up fairly rapidly.

Like many things "security" you can put in a large amount of effort, knowing that no matter how hard you try you are always going to miss some form of covert channel. However if what you do has sufficient "bespoke" elements to it, the chances of an attacker not getting detected reduce very quickly.

[1] Up until WS 5.0 the file format, whilst 8bit, was really 7bit for all but the last alpha-char in a word, which had bit 8 set. Whilst clearing it is a doddle to convert to pure 7bit ASCII, setting it again is a bit harder.

[2] One thing you have to be careful with in formatting languages is their implicit redundancy that can allow covert channels to be built. Take the HTML "I" and "B" etc tags; they are often used in pairs for a block of text and HTML cares not a jot which order they are in, that is [I][B] is as valid as [B][I] and does not in any way affect what is displayed. However the redundancy gives you one bit of covert channel, with [/I][/B] versus [/B][/I] giving a second bit of covert channel. There are ways to stop this but you have to be aware of the possibility to start with.
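The egress choke point described in this comment (7-bit printing ASCII with only EOL control characters, plus a formatting subset whose tag-order redundancy from footnote [2] is squeezed out) can be illustrated with a small canonicaliser. This is an added example, not the commenter's code or any particular product: the two-tag subset, the tag names, the function names and the sample payloads are assumptions chosen for illustration.

```python
"""Egress canonicaliser for a data-diode "bridge" choke point.

Added example, not the commenter's code. Two stages:
  1. check_seven_bit: the payload must be 7-bit printing ASCII; the only
     control characters allowed are CR and LF (paragraph/page breaks are
     expressed as repeated CR LF, as the comment describes).
  2. canonicalise_markup: a tiny, assumed two-tag formatting subset (<b>, <i>)
     is re-emitted in one fixed form, so that tag order, tag case, empty
     tag pairs and split runs of identically styled text can no longer carry
     covert bits (footnote [2]).
"""
import re

ALLOWED_TAGS = ("b", "i")          # assumption: the only formatting allowed out
TAG_RE = re.compile(r"</?([A-Za-z]+)>")


class EgressViolation(ValueError):
    """Raised when the payload does not fit the well-defined egress protocol."""


def check_seven_bit(data: bytes) -> str:
    """Accept only 0x20-0x7E plus CR/LF; report the first offending byte."""
    for offset, byte in enumerate(data):
        if byte in (0x0D, 0x0A) or 0x20 <= byte <= 0x7E:
            continue
        raise EgressViolation(f"byte 0x{byte:02x} at offset {offset} is not printing 7-bit ASCII")
    return data.decode("ascii")


def canonicalise_markup(text: str) -> str:
    """Re-emit text so every run of styled characters has exactly one encoding.

    Each run is bracketed by the active tags in ALLOWED_TAGS order and closed
    in reverse; adjacent runs with identical styling are merged; tag names are
    lower-cased; empty tag pairs vanish. Anything outside the subset is rejected.
    """
    active: set[str] = set()
    runs: list[tuple[tuple[str, ...], str]] = []

    def add_run(run: str) -> None:
        if not run:
            return
        if "<" in run or ">" in run:
            raise EgressViolation("stray angle bracket outside the tag subset")
        styles = tuple(t for t in ALLOWED_TAGS if t in active)
        if runs and runs[-1][0] == styles:      # merge split runs of the same style
            runs[-1] = (styles, runs[-1][1] + run)
        else:
            runs.append((styles, run))

    pos = 0
    for m in TAG_RE.finditer(text):
        add_run(text[pos:m.start()])
        pos = m.end()
        name = m.group(1).lower()
        if name not in ALLOWED_TAGS:
            raise EgressViolation(f"tag <{m.group(1)}> is not in the allowed subset")
        if m.group(0).startswith("</"):
            if name not in active:
                raise EgressViolation(f"closing </{name}> without an open tag")
            active.discard(name)
        else:
            if name in active:
                raise EgressViolation(f"<{name}> opened twice")
            active.add(name)
    if active:
        raise EgressViolation(f"unclosed tags: {sorted(active)}")
    add_run(text[pos:])

    return "".join(
        "".join(f"<{t}>" for t in styles) + run + "".join(f"</{t}>" for t in reversed(styles))
        for styles, run in runs
    )


def canonicalise_egress(data: bytes) -> bytes:
    """Full check: 7-bit ASCII gate, then canonical formatting."""
    return canonicalise_markup(check_seven_bit(data)).encode("ascii")


def is_rejected(data: bytes) -> bool:
    """True if the choke point would refuse to pass this payload."""
    try:
        canonicalise_egress(data)
    except EgressViolation:
        return True
    return False


if __name__ == "__main__":
    # Constructed samples: the first two render identically in a browser but
    # differ on the wire, which is exactly the one-bit channel in footnote [2].
    for sample in (b"<i><b>urgent</b></i>", b"<B><I>urgent</I></B>", b"<b>a</b><b>b</b>",
                   b"plain\r\n\r\ntext", b"caf\xc3\xa9", b"<script>x</script>"):
        try:
            print(sample, "->", canonicalise_egress(sample))
        except EgressViolation as e:
            print(sample, "REJECTED:", e)
```

The design choice worth noting is that the canonicaliser never tries to enumerate the ways a sender might vary the markup; it throws away the sender's encoding entirely and regenerates one from the styled runs, so any redundancy the parser does not model (tag case, empty pairs, split runs, nesting order) collapses to the same output. Real documents would need a larger subset, but each added construct should be re-emitted the same way rather than passed through.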

Clive Robinson • November 3, 2018 6:18 PM

@ echo,

My security is Swiss cheese. I may be lucky I haven't been hacked in a noticeable way.

For most individuals who want some level of privacy more than security I usually recommend a variation on the "two computer" approach. One you do all your private stuff on, that you don't connect up to the Internet or even WiFi. The second being a stripped down machine you use for the Internet. By stripped down I mean it lacks a hard drive or other easily mutable persistent memory in which malware etc can be put by a run of the mill cyber crook, and it runs off a "Boot CD OS" such as one of the linux distros aimed at older, less powerful hardware.

However, you are not only concerned about the average cyber criminal that's just looking for low hanging fruit to make a quick buck out of. You are also concerned about being targeted in one way or another. As you note,

I'm personally more concerned with my narrative being hacked by officials when within a bureaucratic regime.

Which brings up the old CIA triad question: what are your levels of concern with "Confidentiality" and "Integrity" of your data? I'm guessing that as a "sole user" your only interest in "Authentication" is letting you in but keeping everyone else out.

For some organisations in similar positions I've indicated that actually they are better off with their information on a more physical form than a computer hard drive especially if it's not entirely under their control or not at all in the case of "cloud" storage.

Again I reiterate that humans can only do three things with information,

1, Communicate it,
2, Store it,
3, Process it.

Whilst the first two are amenable to privacy via quite high/strong levels of encryption because the data is not being changed, the processing of data generally requires information to be unencrypted, and this means it is vulnerable in various ways both for confidentiality (a read process) and integrity (a write process).

Again a minimum of a two machine approach is recommended but with extras such as both full disk encryption and application/file level encryption and the use of "write once" media like CDs/DVDs. Along with both volume and file checksums similar to those used to protect forensic file copy integrity.

Then there is "physical security" which involves the use of safes which are not just fire retardant but also tamper evident. The easiest being a fire proof safe with "audit counter" into which a laptop can be put and a similar "off site" safe for storing encrypted backups etc.

There then arises the question of what type of backup to store. That is copies of volumes, folders, and files, or the forensically more useful images of disks. And how far back in time you want to keep them.

All of which needs a certain degree of capital input as well as OpSec both of which many would find difficult.

Which brings us onto your observation of,

There is nothing more dangerous than a thin skinned petty minded inadequate with a pen. I believe Cyberwar and kinetic action are merely symptoms of this.

Whilst the inadequate are frequently venal, they generally only become dangerous when they have access to either more competent individuals or the fruits of the labours of more competent individuals. Which is one of the problems with the UK's National Crime Agency (NCA) and its seven sub-directorates, one of which is Intelligence.

The NCA was a "Mrs May" project that basically is "Policing done on the cheap". It is the result of supposedly combining various independent organisations over several steps. Each time the workload goes up but the funds get halved... The result is at best under qualified, over worked staff who are at best mismanaged and thus have little or no oversight. In their first year a judge had cause to rebuke them over attempted over reach of their powers. In essence there are insufficient checks and balances in the system, poor or no auditing and oversight...

Which means it would not be that difficult for a venal but incompetent pen pusher to "work the system" and get others to do what they can not... This includes getting access to the product of state level SigInt entity technology...
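The "volume and file checksums similar to those used to protect forensic file copy integrity" that the comment above recommends for backups can be implemented as a hash manifest: one digest per file plus one digest over the manifest itself, written alongside the backup on write-once media and re-checked later. This is an added example, not the commenter's code; the file names and contents in demo() are constructed, and the manifest layout is an assumption.

```python
"""Hash manifest for backup integrity checks.

Added example, not the commenter's code. Mirrors the forensic-copy idea in
the comment: one digest per file plus a digest over the whole manifest, so
a backup written to write-once media can later be checked for modified,
missing and added files. Paths and contents in demo() are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, algo: str = "sha256", chunk: int = 1 << 20) -> str:
    """Stream the file through the hash so large disk images need not fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Per-file digests plus a volume digest over the sorted manifest itself."""
    root = Path(root)
    files = {p.relative_to(root).as_posix(): hash_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    # The volume digest covers the manifest contents, so a tampered manifest
    # (not just a tampered file) is also detectable when it is kept separately.
    volume = hashlib.sha256(json.dumps(files, sort_keys=True).encode()).hexdigest()
    return {"algo": "sha256", "files": files, "volume": volume}


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the tree under root with a stored manifest; classify every difference."""
    current = build_manifest(root)
    expected, actual = manifest["files"], current["files"]
    return {
        "volume_ok": current["volume"] == manifest["volume"],
        "modified": sorted(p for p in expected if p in actual and expected[p] != actual[p]),
        "missing": sorted(p for p in expected if p not in actual),
        "added": sorted(p for p in actual if p not in expected),
    }


def demo() -> tuple:
    """Constructed scenario: a clean check, then the same tree after tampering."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "notes.txt").write_text("private notes\n")
        (root / "ledger.csv").write_text("date,amount\n2018-11-03,10\n")
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)
        (root / "ledger.csv").write_text("date,amount\n2018-11-03,1000\n")   # edited
        (root / "notes.txt").unlink()                                       # deleted
        (root / "extra.bin").write_bytes(b"\x00")                           # planted
        tampered = verify_manifest(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean:", clean)
    print("tampered:", tampered)
```

In use, the manifest from build_manifest() would be written to the same write-once disc as the backup (and a copy kept off site, as the comment suggests for the backups themselves); verify_manifest() on a restored or re-read copy then tells you not only that something changed but which files were altered, removed or planted.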

Faustus • November 4, 2018 5:52 AM

@ Clive

Do you really have a threat model that necessitates such heavy precautions?

I am just not that interesting outside my software, and that is either client software, which is safer with me than the client in any case, or my R&D software, which I think would be hard to use without my participation.

I have several layers of protection around my banking, and any significant transaction requires verbal communication.

Besides that, I have some infrequently used encrypted drives. If I really want something to be secret, I don't put it on a computer, I don't write it down, and I don't tell anybody about it.

Clive Robinson • November 4, 2018 7:46 PM

@ Faustus,

Do you really have a threat model that necessitates such heavy precautions?

Are they really "heavy precautions"?

I tend to view some as being the only "practical" way to ensure a degree of privacy, but more on that later.

How do you work out what the threat model really is these days?

I have developed systems that are of critical importance for projects that are over the $1billion mark on several occasions. Likewise I've been involved in other activities where the knowledge involved is worth up past the $100billion mark. And that's just the Petro-Chem industry, where it's rumoured certain nations use their SigInt and IC entities to gain a "competitive advantage".

Thus that would necessitate precautions against a "state level" or "level three" attacker.

I've also worked on the less reputable side of the fence as it were and I have developed all sorts of covert surveillance devices and their counter measures.

And I know from practical experience just how easy it is to deploy such devices. So what some might consider "state level" are almost "younger brother level" or a "level one" attacker.

So I've an idea of what lengths people will go to when they think it is warranted, and how easy technology has made it for them to do so.

But it's not just Intellectual Property we need worry about there is also the human side. Technology has made stalking, doxing, trolling, and other similar crimes almost trivial. Which is why they are very much on the rise.

Thus I get reminded of a saying that used to get drummed into you when wearing the green, and how it applies in a broader sense,

    Don't leave ammunition for the enemy!

Also the falseness of that old nursery saying of,

    Whilst sticks and stones may break my bones, words will never harm me.

I've seen people totally destroyed by words and driven to self destruction.

Many people this has happened to in no way thought they were of any importance. Almost like being in a car smashup, you don't think it's going to happen to you, then it does, and only then do you question why. It's just the flip side of "the luck of the draw": in a zero sum game every win is balanced by a loss of equal magnitude.

In the physical world we are familiar with, however, the magnitude of the loss is almost always greater than that of the win, it just tends to get spread over greater numbers.

But when it comes to the information world the rules are different because those who win do so by theft in one form or another. But there are so many ill prepared people that there are so many potential targets that the thieves can not keep up. Thus it appears the odds of being a losing target are random...

But the reality is slightly different. Whilst you might get selected at random to be attacked, whether you lose or not is far from random. Even a small amount of self defence quickly makes you a target not worth pursuing when the attacker can exploit many more who are not defending themselves in the same period of time.

We glibly talk about it as the "low hanging fruit" effect and forget there are a couple of catches. The first is what might be an adequate defence today may well not be tomorrow or the day after. Secondly people are building "informational time machines" and it's not just National SigInt and IC entities doing it. It's also all those transnational corporates down to even "mom and pop enterprises" practicing "Collect it all" or just "collect what you can". Even teenagers who can barely understand an SDK are pulling code snippets from all manner of Internet sites and building apps to go in those "Walled Gardens" the phone OS and smart device OS companies run, so they can steal any data you put on the device.

I'm of a mind that they only "collect what they can" because it's so easy to do and there is a market for it even though it might only pay pennies. But it's actually worse than that, people throw information on the Internet one way or another without a care or thought. That is they put information blindly into cloud storage and social media that they would not share with other people that live in the same street they do, or the same building they work in.

Quite a few years ago in fact back last century I realised the dangers of both cookies and javascript and similar internet technologies like Flash, Java, etc. I chose to stop using them, and got told by many I was being paranoid. Well more and more people are following in my footsteps these days even if they don't go all the way and just install add blockers etc.

Thus I could argue I'm not paranoid, just being between a decade and a quarter century in front of most people. Whilst others might argue that I don't need to be that far in advance, they are kind of forgetting those "information time machines" and how they can come back and haunt you. Thus I actually think that maybe I should be a little more forward looking or, as some might think, "a little more paranoid".

The point is I have more than a third of a century of, as our host @Bruce puts it, "thinking hinky" professionally. I am in fact cursed with a mind that is not just eternally curious, but as far as systems are concerned downright malicious. Just about everywhere I see a system my first thoughts are "how can this break or fail", followed shortly thereafter by how to "subvert it" so that in effect "I make it work for me, not for the people who designed it". The problem is not only is it almost subconscious, it's just way too easy to succeed in most cases, and there's no fun in that. Especially when you know there is no easy way to fix it due to the way modern technology has been designed.

Which brings me back to "practical", as you've noted the easy way to protect your information is,

If I really want something to be secret, I don't put it on a computer, I don't write it down, and I don't tell anybody about it.

But it's actually not that practical a solution, due to the failing of the average human mind, that apparently these days can not remember its own phone number; many can not remember a four digit PIN without writing it down or changing it to something obvious. As for trying to remember five words in a random order, most can not, so will rearrange them to make remembering easier, thus throwing security margins down the drain.

But though you and I might be better than quite a few, even the best of us can not remember a 128bit crypto key. Worse, we have trouble remembering a poem or similar sufficiently accurately that we might get the maybe thirty to forty bits of realistic entropy in them after the predictability has been removed.

In the main modern "technical measures" are way beyond what most can do safely, and the required underlying OpSec just gets in the way. Thus practical security has to be better than "fool proof", it has to be "ordinary user proof" to have a snowball in hell's chance of working.

Faustus • November 5, 2018 12:56 PM

@ Clive

It isn't clear to me whether you can get work done easily with your system. It doesn't sound too user friendly. But you are protecting more desirable assets than I am and you are more likely to be targeted for an attack.

I have to admit that I put up insecure wifi routers at times just to exercise the network security system I wrote. There is not that much to take and all of it is behind several more layers of security.

Physical security is more of an issue for me, but I choose to live in places where that is the case, the modern equivalents of old west frontier towns. I don't want to live a life I can sleepwalk through, texting and playing "CandyCorn" or whatever. You might as well be in a pod in the Matrix world. I don't understand where people get the time when we all have such short lives.

I met a girl in Colombia, and we hung out for a while. This was in the early 2000s, with bombs going off in Bogota. On my last night there she drove me out of the city to go dancing in the sticks. As we drove through the countryside she turned to me and said: "How do you know that I am not kidnapping you?" And I responded: "If you are, it's going to be a hell of an adventure!"

Or, as surrealist (and eventual suicide) Jacques Rigaut wrote: "Try, if you will, to arrest a man who wears suicide in his buttonhole."

I'm not advocating suicide. Far from it. But I do strive to maintain a fearlessness towards life, and the perspective that every disaster is the beginning of a new adventure. I don't want too much security.

It sounds like YOU have a very interesting life. Like you, I eschew a lot of things that are security exposures and life wasters. Believe me, I have serious security. But if somebody really wants to attack me I am also excited to use my software and skills and smarts to try to detect them and defeat them.

You talk of life as a zero sum game. I don't really think that way. I think we can play a game that all reasonable actors can win. And I think winning, and the corresponding judgments of good and bad, have a quantum wave/particle type duality. Look at an event from one perspective it's a bad thing. From another, it's a good thing. The ok is the enemy of the better. I've often lost something only to find the loss opened space for something "better".

fred • November 5, 2018 1:43 PM

I've been in government cybercrime control, and teach.

For a long time, I've thought the cheapest AND highest returns would come from absolutely eliminating all immunities for those who sell code with holes -- including both click-thru and real contracts.

Second is enormous civil penalties for possessors of personally identifiable data who have it hacked away; when the data is not essential to collect a debt, the penalties should be high enough to put even Google, Apple, Amazon, etc. out of business and require the claw back of officers' salaries above minimum wage.

I.e. as Schneier has said, make such data a "toxic asset" that companies get rid of not grab however they can and then hoard and sell it.

GREAT BLOG!

Faustus • November 5, 2018 3:24 PM

@ fred

Everything is connected. You can't just whack the biggest companies in the world over the head and not expect it to have all sorts of consequences. The chances of somebody being seriously harmed by cybercrime are small. The chances of somebody becoming unemployed by governments rushing in and punishing thriving employers and consumers of goods are much larger. The chance of such an initiative being used by large corporations to throttle competition is also great.

You say returns? I really doubt you have run the numbers.

"When it is not necessary to collect a debt?" That is your major concern? It speaks volumes.

Almost nobody practices good security. Our own governments create vulnerabilities and hide ones they find. How just is it to find a few scapegoats for a situation that is created by all of us? And who will really end up paying?

bttb • November 5, 2018 3:39 PM

@fred

Regarding Privacy, but why not for Cybercrime, too: How does twenty years sound?

Regarding a Bill proposed by Senator Wyden, from https://arstechnica.com/tech-policy/2018/11/proposed-data-privacy-law-could-send-company-execs-to-prison-for-20-years/ :

"MAKING PRIVACY NON-NEGOTIABLE —
Proposed data privacy law could send company execs to prison for 20 years
Privacy law would let consumers opt out of data sharing..."

also
https://boingboing.net/2018/11/02/20-years-for-lying.html
http://fortune.com/2018/11/03/privacy-law-tech-ceo-wyden/

Clive Robinson • November 5, 2018 3:55 PM

@ Faustus,

It isn't clear to me whether you can get work done easily with your system. It doesn't sound too user friendly.

It depends I guess on what you do by way of work. If you need a lot of access to "other sources" then it would be a pain without connectivity. However the stuff I do does not need direct connectivity to the internet; in fact as I don't "cut-n-paste" from stack exchange etc, documentation can run on an entirely different machine.

I'm old enough to have built up my own extensive code library over a third of a century or so. So "cut-n-paste" is from my own well tested work, not some anonymous source's half baked minimal example code where handling errors and exceptions is "left as an exercise for the reader".

With regards,

You talk of life as a zero sum game. I don't really think that way. I think we can play a game that all reasonable actors can win.

I think you misunderstand me. At any moment in time the world we live in is a zero sum game in which the winners and losers balance out. What that does not affect is the "rising tide floats all boats" effect, likewise a falling tide. Those are mostly very gradual effects and only have a very tiny effect at any given point in time. Hence the zero sum is dominant at any given point in time; over a much longer time the tide effects dominate, one of which is population size, but even then in the much longer term we are "resource bound", thus it's still a zero sum game and all that really changes is our ability to utilise the resources and what the average share is.

Can we change the zero sum game? Well yes, we have a couple of basic options. The first is find ways to reduce the population, but the reality is it has really disastrous consequences due to longevity. That is "retirement" is fairly soon going to become a luxury very few can afford; worse, they will be the ones who hold the majority of assets that they "rent seek off". To the very few that is, as far as they are concerned, the ideal state of existence, as it brings immense "status" which is more important to them than wealth could ever be. No matter what those few think, it's unstable and will at some point collapse, as history shows it always does, often very violently.

Now we have sufficiently advanced science and engineering which has in the last sixty years given us an alternative. That is the ability to invest resources into getting out of our gravity well, which was in effect our prison, and use them to drop new resources in. However we have to remember that the ultimate form of pollution is heat, and that puts a very real limit on just how far we can go on this rock we call home. Thus at some point, like all children, we will have to fly the nest or die out as a species until we reach some kind of equilibrium. But a salient fact to consider is that since 1970 mankind has wiped around two thirds of the non human flora and fauna off the face of the planet and the problem is getting worse at an increasing pace. Oh and some of those now threatened species are actually essential to the food chain...

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.