FBI Says Computer Crime Costs Billions Every Year
JamesAlfaro wrote to mention a C|Net article putting a pricetag on computer crime. From the article: "The FBI calculated the price tag by extrapolating results from a survey of 2,066 organizations. The survey, released Thursday, found that 1,324 respondents, or 64 percent, suffered a financial loss from computer security incidents over a 12-month period. The average cost per company was more than $24,000, with the total cost reaching $32 million for those surveyed. Often survey results can be skewed, because poll respondents are more likely to answer when they have experienced a problem. So, when extrapolating the survey results to estimate the national cost, the FBI reduced the estimated number of affected organizations from 64 percent to a more conservative 20 percent. "
Who responded to this survey? The accountants? The lawyers? The CFO? The CIO? I'm not saying that computer crime doesn't cost a whole lot of money. I'm just wary of reports like this, especially when the total is arrived at via simple straight-line extrapolation from their 1300 respondents. This is simply a report designed to paint a bad picture so that they can secure extra funding for things like "online surveillance."
This article doesn't even mention the Computer Security Institute (CSI), the organization which conducts and publishes these surveys. The FBI allows them use of crime databases and is just presented the end result. On top of that, they present you with one graph and label it as referenced from the "Computer Crime Survey" when, in fact, this survey also had to do with security and is entitled 2005 Computer Crime and Security Survey. I believe you'll find a wealth of information in that PDF as it contains many graphs that break down respondents of crimes, average security expenditures, types of attacks, etc. If you're interested in what constitutes a "computer crime," check out the policy and sample cases (some amusing) as we all know that what is and isn't illegal with computers can get very fuzzy very fast.
I think this is a case of CSI running a survey and doing a damn fine job on the support but the media (and Slashdot) feel that FBI is better news than CSI.
In other news, the FBI says Osama Bin Laden is a bad guy.
Perhaps the problem is that companies aren't putting enough money into their security and not enforcing strict enough protocol among their staff. How many viruses felt by businesses do you assume were caused by a stupid employee? This could take the form of lazy tech staff, or even the assistant downloading something to pass the time. Then there is also the fact that a lot of smaller businesses I have experience with do not have an employee that can properly set up and maintain the business's networks and desktops. How much money are these companies spending on techie staff to remove stuff that otherwise could be done by any teenager who has experience with computers?
The number is huge, however the issue behind it I feel is being avoided and unseen. Businesses need a better method of using computers, perhaps a more business friendly OS. From the article, "Some are very small businesses that should have that technology, but they don't," and this is the problem. We won't be able to stop people from trying to bring down software and networks, however businesses can become more competent on how to prevent and protect.
I believe the FBI is correct, but I also believe that one should lock the door to their houses, offer potential robbers the thought that the family might be armed, get a decent alarm and security company and insure their belongings for the maximum amount.
My IT business makes about 40% of its income dealing with security issues. We have to turn new business away usually, as most new customers that we go visit are so insecure it isn't even funny. With insecurity comes more than just data theft but spyware and viruses and the rest, as we all know. It amazes me how many companies leave their homes unlocked, the lights on, the alarm off, and a big sign on the front steps saying "Come and get it!"
The solution to computer crime isn't using the FBI -- I'd like to turn their offices off and throw out the key. The solution to computer crime is:
1. Developing a good infrastructure and upgrade cycle
2. Committing to teaching users proper ways to set up their data and desktops
3. Purchasing security software and services from companies that do the best job finding the holes and plugging them.
Is the law useful? Not one bit. Most companies aren't going to bother suing civilly for damages, and no one wants to bother calling the cops. The chalk line around your stolen data isn't very useful. Get a good consultant, pay them well, and make them back it up with guarantees. Problem solved.
I wonder how many of these billions is the cost of hunting script kiddies when the money would be better spent hiring someone who knows a thing or two about security and preventing an attack from happening in the first place.
Word to the wise:
Next time someone says "XXX Trend is costing us YYY dollars every year", it's probably going to be followed up with "Therefore we should spend ZZZ dollars dealing with it."
XXX = overstated threat
YYY = some made up figure
ZZZ = profit
Now that even the FBI can put a quantifiable sum of money on this may we please begin dismembering the EULA which makes this such an enormous problem?
"We'll just create this broken product... and let everyone else deal with the billions of lost dollars which it causes."
Why? Because that seemed like a good number? This inexplicable change causes me to question the validity of the whole study.
The world will not get better through technology. We must seek to be better people.
In other news, paper crimes have cost Trillions per year.
It is amazing how many crimes go unreported, and if we were to prosecute all crimes by every person alive today, it would cost Quadrillions!
He who knows best knows how little he knows. - Thomas Jefferson
Considering most of the vulnerabilities exploited in "computer crime" are Windows flaws, we could say that by switching to (insert your distro here) we could save the licensing costs, PLUS the computer crime related costs.
(Disclaimer: Yeah yeah, i know this is slashdot and I'm probably not the first in mentioning it yadda yadda)
In old school government thinking, you're not supposed to "get rich off the government" as an employee. The government would often rather spend $2B for a stealth bomber that carries nuclear bombs, but will pinch pennies on the salary of the pilot of the bomber. The reality is that it costs the tax payers less to pay $80,000 starting out for a qualified security official, and let them retire making $200-$250K/year than it does to hire a less competent one at $45,000/year. The better qualified, better paid one will be more effective if not hampered by management and more crimes will get punished, reducing the reward for crimes of this nature, thus decreasing the amount of money that has to be spent on prison and other costs in the long run.
Ultimately, you get what you pay for is a fundamental law of life. If you're not willing to pay well, the people that have the skills won't sign up for the job unless the economy is dying and they're desperate.
In other news, the director of the Suffolk County Water Authority has released a study concluding that, "Water is wet."
He who fights with monsters should see to it that he does not thereby become a monster. --Nietzsche
"FBI Says MS-Windows Costs Billions Every Year due to negligence." That's what they *should* say, but nooo.
More money is blown into similar activities under the cover of "fighting terror".
With the difference that in that crime people die.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
suffered a financial loss from computer security incidents
Whoa, whoa. Back the truck up here, pal. Define "loss." I'm betting the overwhelming majority of the reported un-cash is probably:
1) "Lost" sales -- which is money the company didn't have in the first place
2) Money paid to try and prevent computer crime (which was their choice, and obviously didn't work)
3) Money paid to chase criminals after the fact (which, though necessary, shouldn't be lumped together with what a robber stole)
That leaves a very small percentage of money that was actually subtracted from a bank account somewhere.
I am curious how this would compare to the costs incurred due to defects in software. Back in 2002, NIST reported "Software bugs, or errors, are so prevalent and so detrimental that they cost the U.S. economy an estimated $59.5 billion annually":
http://www.nist.gov/public_affairs/releases/n02-10.htm
Has anyone seen an update to this report?
With limited resources, organizations need to choose between fixing security problems or fixing others types of defects in their software.
Did they include the NSA's illegal wiretaps in that tally?
Just like anything else, data networks need to be protected. Where does all the money and private information transit nowadays? Yeah, via public networks. If a company doesn't have a strong data security team these days, they are falling behind the times, and no one, individual or corporation, will want to do business with them.
Is that including rootkits and other crimes from industry or just the ordinary non-corporate (i.e. punishable) crimes?
Most, nearly all, of the "cost" of computer crime comes from running a full security audit of your systems and locking down the security procedures and controls you will use to keep it from happening again. If these companies had a competent computer security policy in the first place, they would find their "costs" much less.
It's like a thief crashing through your dry-rot, termite-infested walls and then blaming HIM that you have to rebuild your whole house now. This money is almost always money that *should* have been spent, but wasn't in the name of cost-cutting or just general laziness.
"Your superior intellect is no match for our puny weapons!"
This is the price tag not for crime, but for insecure software. All that lost money is money that companies refuse to pay developers to make software more secure.
The entire antivirus industry is more like a hoax: it takes 10 minutes for a student to compile a new clone of an existing virus or exploit. Take a look at your daily update log and find hundreds of new viruses developed!
P.S. All those losses are meaningless. Most of the time, recovery after the damage is done by staff who are already on your payroll. There is no increase in costs in this situation.
Microsoft had two or three possibilities for fixing the security problems in Windows and we are still seeing security issues that are 10 years old...
A portion of every IT worker's salary goes towards security. Security issues are certainly a daily concern for support technicians. The costs easily amount to billions.
"So, when extrapolating the survey results to estimate the national cost, the FBI reduced the estimated number of affected organizations from 64 percent to a more conservative 20 percent."
We realized the data was completely meaningless. So we pulled a number out of our arse and decided that made the results accurate and meaningful.
How do the feds know how much it costs? Do public or private companies report these to the feds?
Be aware that there are significant intangible benefits to working for the government like job security and status.
Evaluating the amount of losses due to a security break where information might have been stolen (when the perpetrator was found, but no evidence of stolen data was found) was initially in vogue during the big "Hacker Crackdown". In some cases evidence of stolen credit card numbers was found, and in that case, evaluating the losses again is an elusive task depending on how these numbers were used. The RIAA and MPAA crack down on uploaders, assuming they have the capability to assist an infinite number of downloaders, and therefore evaluate the losses at some skyrocketing unearthly sum. There have already been debates about a ceiling for such losses, particularly when a P2P crackdown is on. Recently there was someone who used an anonymous remailer to create a bomb scare in the Indian parliament. Anonymous remailers are possible due to the very RFC that allows email and most usually can't be traced back (not that easily, unless the perpetrator was too careless to have used unencrypted remailers.) Obviously there is no easy "damage evaluation" except the cost of the bomb squad deployment and the cost of the halt of parliamentary business (this happens not just due to bomb scares either). But the perpetrator will be prosecuted under an "Anti-Terror" law, and therefore in all likelihood won't be just fined. I see the following in tandem
The second being dependent on the first. So FBI, CIA or name the agency, name the country, a proper crackdown is going to be very difficult until definitions and procedures are established. Trouble is red tape or Ph.D.; hire either group and you will have to wait for these procedures and definitions to come in. Until then, law firms will define things in whatever way they choose, the same way they handle other criminal investigations. SPAM perpetrators: should they be fined for the volume of network traffic they generated (and therefore choked others, infringing on others' rights), which can be mathematically calculated should you recover intact evidence? I believe anti-SPAM laws in some countries are slowly coming into play and they do have a proper definition and a procedure for evaluating losses and the severity of the crime. These numbers are hardly indicative of malicious activity or of any potential threat. Warranted products (like Microsoft Windows) having known/unknown security holes in them that create problems for consumers should obviously be dealt with using consumer-friendly laws where the company is unable to provide timely solutions. This is a hornet's nest, and one has to clearly separate a lot of variables before attempting to define crimes, severity, liability and all responsible entities.
No Greater Friend, No Greater Enemy! (Lucius Cornelius Sulla)
But did they ask the RIAA for their costs on computer crime?
And no, I didn't RTFA
to three things
1, coders' inability to write code that is secure
2, admins' inability to secure their infrastructure.
3, admins not being knowledgeable enough to monitor and handle hacking attempts.
The idea of passing new laws to "prevent" such crime is stupid. Kill as many flies as you can, there will still be flies to bother you.
But get a good repellent, and the flies don't bother you any more.
I think the size of the loss will probably have a major effect as well. Somebody who's lost only twenty dollars is a lot less likely to respond than somebody who's lost fifty thousand.
There are also questionable cases. Consider something I hit about a year ago. Shortly after Cingular bought AT&T, I switched my cell phone to Verizon. Cingular continued to bill me for a few months after the switch. After a little arguing over it, they admitted they'd screwed up and cancelled the bill -- but then a month later (or so) sent the bill again, with a late fee added. I called them back up, argued about it, and they cancelled the bill again. After this happening for about three months, they turned it over to a bill collection agency, and I argued with them instead.
Eventually, I wimped out and paid them instead of continuing to put time and effort into straightening out their mess. Now, first of all, I'm not at all sure whether this falls within the scope of the survey in the first place. My guess is that it's also basically accidental rather than a result of fraud. OTOH, it's somewhat open to question how long accidents can continue to happen without any apparent attempt to fix the problem before you have to figure their ignoring the problem is really intentional.
Anyway, my guess is that the average loss is probably more like tens or perhaps hundreds of dollars, rather than the tens of thousands they've estimated -- but I'd also guess that the problem is much more widespread than they've implied as well.
The universe is a figment of its own imagination.
It sounds like a lot, but $24,000 is substantially less than the cost of 1 IT staff. Besides, it's not mentioned how large these companies are (on average). For a 1 person operation $24,000 is a lot, for a Fortune 500 company with hundreds/thousands of employees, it isn't.
Of the 2066 companies that responded to the survey, a huge number (like 70%+) were in Texas or NYC. What's up with that? The FBI is national.
Another odd thing is that only 23% used IDS, and only 90% had a firewall of any kind. Wha? These things seem so fundamental to me. I suppose the large number of very small companies just don't pay any attention to security.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
was thiiiiiiiiiiiiiiiiiisssssss big.
and when they hacked our system, it cost us a trillion, billion dollars.
You raise a fair point, but I wanted to point out something.
>spend $2B for a stealth bomber
While the cost of a weapons program is staggering and of questionable value relative to other needs, it's not as simple as deciding to spend $2B for a bomber.
You start out with an appropriation to spend $XXB on a program, expecting to produce NNN planes which will result in a cost of $YYY million each (still a lot, obviously).
Then, years into the program, things change and funding is cut and they say, build just 18. Now, your overall $XXB program cost is divided by the small number of planes, and pundits get to go on cable news shows and complain about government waste because stealth bombers cost $2B each.
Did they spend too much on building stealth bombers? Arguably.
Did they start out approving a program that was going to cost $2B for each bomber?
There is much cruelty in the universe, John.
Yeah, we seem to have the tour map.
On a related note, the costs associated with train robberies are way down. And cattle rustling related costs have virtually disappeared.
As the world changes, so does the crime.
Wow, I just did the calculations and I came up with trillions (plus or minus 80%).
Accountants enjoy new freedom of bookkeeping with "theoretical losses" of arbitrary figures they pulled off the top of their head:
Accountant: So how much did you think we lost because of computer crime?
IT Guy: I dunno... Our server web server went down for a while and I joked that it was because some guy was hitting F5 in China.
Accountant: Ah! Excellent... *writes something down* So how much do you think it cost us.
IT Guy: Oh I dunno... Whats the cost of me getting up out of my seat to make a phone call to the guy down in the server room to boot it... Oh $0.35 cents?
Accountant: Hrm... *scratches chin* No good. But if I multiply it by inflation and theoretical estimates and carry the zero. By golly! I think we've lost over $2,000,000.35 to computer crime! That's one hell of a tax break. Daddy's going to be rolling in the bonus this year!
IT Guy: But... I... Oh never mind...
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
I point to the 'point-and-click' culture as at least part of the problem. I was dealing with a major vendor of credit information, and they wanted to set up a VPN tunnel as part of their 'corporate' security (presumably SBO compliance). They wanted to use preshared keys. I offered to send them my public key so they could encrypt the keys. Or, failing that, my phone number so they could send the keys that way, if need be. They emailed the keys in the open. If they couldn't do it with a point-and-click, it seemed, they just couldn't do it at all.
There's just no substitute for independent thought.
"We are all geniuses when we dream"
- E.M. Cioran
The numbers are meaningless anyway, unless you have another set for comparison, say the loss from common white-collar crimes (embezzlement, theft, etc.). It's about the proportion of loss more than the actual loss. Sure, a worm or virus can bollix up the works, but such things are easily fixable. An accountant siphoning money from the company accounts is harder to trace and when found, is usually harder to recoup.
Does anyone actually have the survey? The link on the FBI's website doesn't even work.
http://www.fbi.gov/publications/ccs2005.pdf
I think its funny that you think the "major vendor" was stupid for sending you the keys in plain text, but yet you think giving them your phone number is going to help things in some way?
Often survey results can be skewed, because poll respondents are more likely to answer when they have experienced a problem. So, when extrapolating the survey results to estimate the national cost, the FBI reduced the estimated number of affected organizations from 64 percent to a more conservative 20 percent.
So basically they think their method of obtaining information is flawed, they have no idea by how much, but since 64% "feels" too high the decide to create a whole new number out of the blue that was felt to be subjectively acceptable to the committee.
Wow who funded THAT?
Seven puppies were harmed during the making of this post.
The loss of online liberties to orwellian government costs society billions every year too.
Whether you agree on more security or less, it does actually cost something and it is quite expensive.
Somehow I think "it costs less to pay off the government" comes in there somewhere. Otherwise I would hope that the government would apply some kind of economic pressure to get the plugs sealed, thus making it cheaper to fix in the first place.
Having said that, I am quite glad that MS is such swiss cheese. I have had a nice little career helping people plug the holes, and if they were to fix all the problems, I'd be stuck having to do something else.
Don't use the Troll mod just because you disagree with me.
Does anyone else work in the public safety field? We've been attempting to submit NIBRS data to the state for the last oh, 3 years or so. NIBRS is the replacement for UCR crime stats. There are 3 optional fields that I've always thought were funny: were drugs used, was alcohol used, and was computer equipment used. I've always figured that was for some academics to query the FBI and find out how many crimes computer equipment was involved with. There is a tiny problem with that though... I've not seen any of our guys actually use those fields in the software, which, if others don't use them, makes the numbers off.
(We've been trying to submit to the state. The state is responsible for submitting to the FBI.) I didn't read the article just the summary, but it looked like the FBI was just surveying businesses and not using the data it already has.
This really means nothing, this kind of suggests that if you get rid of computer crime, you save all this money. That's not the case, if you get rid of this computer crime that's costing say 5 billion dollars, then the criminals just do some other crime that makes up for 5 billion dollars. You don't blame the technologies or the methods, you blame the people of poor moral character who do these things. Getting rid of a method won't get rid of them...
What recourse does an individual have when they've exhausted all their options, and your guarantees don't satisfy them?
The law.
Your guarantee is worthless without legal remedy when it fails.
One other thing
This
"How is that untrustworthy?"
Where did I say ANYTHING about trustworthiness?
WHY ARE YOU CONSTANTLY MAKING SHIT UP? WHAT IS WRONG WITH YOU THAT YOU CAN'T READ AND RESPOND TO WHAT I SAID WITHOUT ARGUING A POINT I NEVER EVEN REFERENCED, MUCH LESS ATTEMPTED TO MAKE?
Are you just fucking stupid? Do you have some difficulty with the language that you saw the word "untrustworthy" and the argument related to it in a post consisting almost completely of "BWAHAHAHA....."?
Why do you constantly just make shit up?
How pathetic are you that you follow me from topic to topic and waste all your mod points at once modding me down?
[insert favorite linux site here] reports that Linux-Based Networks were un-affected by any critical security threats in 2005, again, for the 10th year in a row, thus saving businesses over $24,000 each, and saving the country over $32m/year.
the only permanence in existence, is the impermanence of existence.
There was a tale not too long back of one Jeremy Hammond (case pending), who was prosecuted for breaking into a rival company's server and stealing over $3.5 million dollars' worth of credit card numbers (http://en.wikipedia.org/wiki/Jeremy_Hammond). Who knows how many Jeremy Hammonds there are in the world, who perpetrate similar crimes every year.
Reading this makes me rethink some privacy laws. I'm a privacy advocate, but if the hackers are costing me more money in my yearly tax I say go after them. It's only hindering the US economy.
FBI, meet US Deficit. US Deficit? FBI.
It's never just a game when you're winning. - George Carlin
This isn't really news. It seems like the numbers are just pretty much made up. They knew that the polling was completely inaccurate, so they just decided to change the number from 64 to 20. This number has no more meaning than one made up entirely randomly.
I'd guess that most companies are losing more money due to stolen office supplies than computer crime. I get annoyed at computer crime being treated as some magical force, as if it is some how different from every other sort of crime.
Politicians repeat after me: "Computers are not Magic!, Computers are not Magic!"
Big ones, small ones, some as big as yer 'ead!
Give 'em a twist, a flick o' the wrist...
By that logic, a $2,000 Armani suit can be construed as preventing the crime of peeping-toms and voyeurs. Heck, we can continue on this line of reasoning and claim the $5,000 ring I bought my fiancee can be the cost of preventing the (moral) crime of adultery. And that 1 month of research I spent cost-comparing cars and doing due diligence in researching what's a safe car for my family is the cost of preventing getting ripped off. I suppose I could bill those 'wasted hours' at $150/hr or more like the CIO does and come up with a nice figure like wasting $11,200 on researching buying a car. Oh my, quick, I need FBI help, someone *stole* $11,200 from me!
Ultimately, you get what you pay for is a fundamental law of life.
No, it isn't. It's just that the tired old cliche has been repeated often enough that you BELIEVE it's true. If you believe that "you get what you pay for" you're an easy mark. The fact is you DON'T always get what you pay for, in goods or salaries.
Did Enron get what it paid for when it paid Lay and Skilling's salaries? I think not!
You usually pay for what you get. But not always. Last night's sunset was magnificent, and nobody charged me admission. And I haven't bought any air in a while.
But they're not crimes. Perhaps they should be.
IT security shops make billions each year.
So do body shops.
So do insurance companies.
Get over it.
Good judgement comes from experience, and experience comes from bad judgement.
- W. Wriston, former Citibank CEO
Are those actual billions, or are those RIAA-inflated numbers, where it actually only cost $10 million to fix it all but they want to say it's $2 billion so they can sue for that much?
The cost is much higher than the 67bn that the FBI says. Their "more realistic" estimate of twenty percent is way below the mark. Also, every machine that I find infected with spyware costs at least two hours of repair time; these costs should realistically include the user's down time, my time, "overhead and burden" and the other costs associated with having a computer out of service. These costs could realistically be hundreds of dollars per incident. All of this comes before the cost of the crime associated with spyware (which can include identity theft and corporate espionage). You really also need to add to these costs the price of defense: the anti-virus software, the anti-spyware software, proxies, firewalls and all the other security software out there. Plus the man-hours that it takes to coordinate and administer all of this stuff.
It will only get worse before it gets better. Currently it is simply way too difficult to prosecute these criminals, and their structure makes it even harder to bust the higher-ups in the organization. Their ability to disappear and hide makes the mafia look like rank amateurs. The borderless society of the internet and the fact that everything operates at near-light-speed means that the crooks can be in Amsterdam, Moscow, New York or Cuba and function just as effectively. This makes capture and prosecution terribly difficult and very expensive. For these reasons, along with the relative ease of commission, cyber-crime is and will remain a growth industry.
Ultimately, you get what you pay for is a fundamental law of life.
It may be, but it carries a risk of its own. Companies can (and do) pay large sums of money for certain services and still get screwed. Money in and of itself isn't the answer... money helps, but competence is what gets the job done.
Of course the FBI says that computer crime is going to end the world. They want to snoop more so they need to create some panic. Don't listen to the Gov, they always lie.
Statistics like this support insinuations against people with computer skills. I wonder if stats were kept on the number of crimes where the perpetrators made use of the public roads and parking to aid their crime? Driving licenses contribute to X percent of national crime!
If last year music downloads had their best year ever and other computer based business models are also improving - I wonder what the size of computer aided or assisted business is? What percentage of the profit from that business went into security improvements and training?
In the blindingly vast percentage of cases people are honest but you never hear about that.
Does the tally include the Sony rootkit?
The RIAA/MPAA of course.
The 'Net is a waste of time, and that's exactly what's right about it. - William Gibson
Thus, US information about the prevalence of white collar crime is very poor. There are surveys, but not much hard data.
If this survey were about safety and the expense of keeping our roads safe and the vehicles driving, you know they would break down which vehicle costs most. Funny that there is no talk of the principal cost here being one software manufacturer and that alternatives don't represent such a cost to the country.
Virus protection and repair form the largest category of expenses. Doesn't it make sense to avoid the operating system with the largest expense in virus costs?
Why has protecting the nation's computers from viruses affecting one company's operating system been represented as an inevitable cost of 'computer crime' to business? Seems there is something that can be done...
America's favourite monopoly avoids any responsibility again.
Together with the new-year speeches, come the "I want to secure my budget for this year"-speeches everywhere.
The FBI is no exception in this case.
Bring in the money guys, bring in the money...
Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
As an online retailer other than eBay or Amazon, try calling them up and saying "We have some information on people that are attempting to use fraudulent credit cards through us." See how quickly you're told to buzz off.
Oh, you're not stuck, you're just unable to let go of the onion rings.
Sending the keys over a POTS ppp link is actually pretty far out-of-band, and provides reasonable levels of assurance that the sender and receiver are correct. Because of less time exposure for interception, it's probably just as good as using a flash drive sent parcel-post.
The vast majority of IT types with whom I work are completely, gloriously incompetent when it comes to security.
I'm not talking about patch management and implementing the SORBS list and having a firewall and so forth. I see the whole gamut when it comes to those guys.
What I never see is any kind of inventory system in place so they can say, hey, we have three thousand known MAC addresses that should be allowed on our network--what's that NEW device?
Or, "I know the operating system, patch level, loadout, and purpose of every workstation and server in this IP range, with up-to-date maps." During 99 times out of the last 100 on-site mitigation efforts in the past year, when I asked the local IT guys "Ok, where is this hacked box?" They COULD NOT TELL ME. It took them DAYS to track that shit down. DAYS. Of course, because they are incompetent, they try to stab me in the back by slamming our 24-hour support: "It took them four days to clean up the incident." "Yeah, but three days was you trying to find the box in a building with less than 100 nodes..."
I would settle for guys who knew how to use grep, who knew where the firewall logs were stored, who bought all the expensive Cisco gear and then--GASP--actually took advantage of netflow, or who even knew the IP ranges their organization had allocated to them. I have yet to find any of these among the teeming millions of dickheads with MCSEs and CCNA certifications.
Until IT stops being something you do with a GED, there will always be security problems, and I will always have a well-paying job.
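An added example (not code from the thread or from any poster) of the inventory check the post above asks for: it compares DHCP lease lines against a known-MAC list and the organization's allocated prefixes, so an unknown device or a known device appearing outside the allocated ranges stands out immediately. The syslog format follows ISC dhcpd's DHCPACK line; the inventory, prefixes and log lines are constructed sample data.

```go
package main

import (
	"fmt"
	"net/netip"
	"regexp"
	"strings"
)

// Finding is one lease the inventory cannot account for.
type Finding struct {
	MAC    string
	IP     string
	Reason string // "unknown-mac" or "ip-outside-allocation"
}

// dhcpAck matches the DHCPACK line shape of ISC dhcpd syslog output; the
// sample lines below are constructed to follow it.
var dhcpAck = regexp.MustCompile(`DHCPACK on (\S+) to ([0-9A-Fa-f:.-]{12,17})`)

// normalizeMAC folds case and separators so "00-1A-2B-3C-4D-5E" and
// "001a.2b3c.4d5e" compare equal; returns "" for anything malformed.
func normalizeMAC(m string) string {
	hexOnly := strings.ToLower(strings.NewReplacer(":", "", "-", "", ".", "").Replace(m))
	if len(hexOnly) != 12 {
		return ""
	}
	var sb strings.Builder
	for i := 0; i < 12; i += 2 {
		if i > 0 {
			sb.WriteByte(':')
		}
		sb.WriteString(hexOnly[i : i+2])
	}
	return sb.String()
}

// AuditLeases checks every DHCPACK line against the known-MAC inventory and
// the allocated prefixes and reports each way a lease falls outside them.
func AuditLeases(inventory []string, allocated []string, logLines []string) []Finding {
	known := make(map[string]bool, len(inventory))
	for _, m := range inventory {
		known[normalizeMAC(m)] = true
	}
	var prefixes []netip.Prefix
	for _, p := range allocated {
		prefixes = append(prefixes, netip.MustParsePrefix(p))
	}
	var out []Finding
	for _, line := range logLines {
		m := dhcpAck.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		ip, mac := m[1], normalizeMAC(m[2])
		if !known[mac] {
			out = append(out, Finding{mac, ip, "unknown-mac"})
		}
		inRange := false
		if addr, err := netip.ParseAddr(ip); err == nil {
			for _, p := range prefixes {
				if p.Contains(addr) {
					inRange = true
					break
				}
			}
		}
		if !inRange {
			out = append(out, Finding{mac, ip, "ip-outside-allocation"})
		}
	}
	return out
}

// Constructed sample data: a three-host inventory, two allocated ranges and
// four lease lines, two of which should be flagged.
var SampleInventory = []string{"00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5f", "001a.2b3c.4d60"}
var SampleAllocated = []string{"10.0.3.0/24", "10.0.4.0/24"}
var SampleLog = []string{
	"Jan 10 08:00:01 dhcp1 dhcpd: DHCPACK on 10.0.3.17 to 00:1a:2b:3c:4d:5e (ws-017) via eth0",
	"Jan 10 08:00:05 dhcp1 dhcpd: DHCPACK on 10.0.3.18 to 00:1a:2b:3c:4d:5f via eth0",
	"Jan 10 08:00:09 dhcp1 dhcpd: DHCPACK on 10.0.3.99 to 00:de:ad:be:ef:01 (unknown) via eth0",
	"Jan 10 08:00:12 dhcp1 dhcpd: DHCPACK on 192.168.7.5 to 00:1a:2b:3c:4d:60 via eth1",
}

func main() {
	for _, f := range AuditLeases(SampleInventory, SampleAllocated, SampleLog) {
		fmt.Printf("%-22s %-15s %s\n", f.Reason, f.IP, f.MAC)
	}
}
```

Feeding the real dhcpd log and the real inventory export in place of the sample slices is the whole change needed; the MAC normalization matters because switch, DHCP and asset-management exports rarely agree on a separator.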
As the character Colonel Potter of M.A.S.H used to say, bullpuckey!
A. Pass a law that says anyone breathing oxygen is depleting the resource and endangering public safety (this is what speeding tickets are based on... nobody is hurt in this victimless crime, but supposedly the public good is done "harm". Chyeah). Easy to pass this law because these things are done behind closed doors not by the public, but by "representatives of the public" who had a choice of idiot one or idiot two, the slimmest possibility of choice and still being able to call it a choice. What a load of rot.
B. Estimate that every year, with millions of Americans flagrantly violating the law, millions are lost in the theft of oxygen. Compute the price by using hospital oxygen bottled in tanks, which is not cheap.
C. Villainize, criminalize, and start cracking down on these people. Put them in front of a jury, and confront them: did they or did they not breathe oxygen on such and such a date. Well, yes, most people would say they did. Admission right there. If they say they didn't, the jury pegs them as a liar. It's a no-win situation. But then they had their fair jury trial. More often than not, most people going before a court are scared senseless like a deer in the headlights; they have no experience with the justice system, and they are about to be painted a criminal in words and slammed away from life. It's an abattoir, where sheep are led to be slaughtered. It happens every day in America.
You think this is bs? It happened to me. I spent 2 years in prison on such bs. I won my appeal, but it took 2 years just to process it, and the only reason I am out and alive today is because I FOUGHT BACK.
To hell with the law. For real. To hell with the law. I've seen it from the inside, they don't even follow their laws, only when it's convenient for them. When nobody's looking forget it. They are thugs with radios, which is why people are terrified of the police and breaking the law.
I don't want your stinking vote. I don't need you to protect my rights. I take my rights. The only right I need is the right I give myself to riot and wage war upon your police state.
You know, the world can not fight the US militarily. The whole world is waiting on the US citizens to fix it from within. But it's not happening. Because these last generations are spineless couch potato geek consumers who have never come face to face with the police state where it was they who have been hunted down like a witch and tortured.
But it will happen
It will happen
And when you're spread-eagled against a black and white or at the end of a gun, or being stripped naked and hosed down on a floor or chained to it, or being punched with a baton behind closed concrete walls all for saying you have a constitutional right to speak... well... you'll change your tune
To serve and protect
What a lie
Let's get this clear. Businesses get whacked with costs the moment they put out a shingle.
Insurance (Fire, Burglary, theft)
Local Taxes (Too long to mention)
Complaints, product liability insurance
Employer worker compo (Whoops, slipped, hurt back etc).
Cost of advertising
Hiring and Medical insurance plans
Payroll expenses
Rent, depreciation
Keeping books/accounts straight
Way down the list of concerns is IT security, which is mixed in with vandalism and storm/ water damage.
Ask execs, which one did you lose more money on - Insurance and Legal, or Computer matters?
Are electricity interruptions costing you more than computer crime?
Are Taxation and regulation requirements costing you more time and money than IT?
As you can see, IT is being blamed, and used as a distraction to rising and crippling non IT costs, and a drop in the puddle compared to staff insurance claims.
All the whinging and bitching about gas prices has cost way more than the occasional computer glitch, and the ones that do get through come down to 'risk management', because sometimes it is cheaper to pretend or not have decent IT security, and use the money saved on something else (like insurance).
This is a very interesting conclusion brought on from the FBI, particularly because it excludes INDIVIDUALS who may be victims of "computer crime", but only focuses on businesses who claim losses due to perceived computer crime.
When a person is a victim of identity theft, the loss is much more "real" in that there's a person who is "hurt" by this crime. There is attributable loss, usually in money taken out of bank accounts, money that may be racked up on credit cards, and the years spent trying to undo the damage done to your credit rating.
Conversely, the damage done to an organization doesn't harm any one person and therefore the wound isn't "felt" as deeply; furthermore, most of what businesses attribute as a loss is really a cost of simply doing business and isn't money lost out of a bank account or a ruined credit rating.
Seems to me that the government cares more about businesses than its citizens.
If I was a victim of identity theft, I couldn't walk into my ISP and demand records of who was using what IP address -- but the RIAA can if they think they've been wronged. Why is it that businesses - NON PEOPLE - have more rights than the people this country was founded to serve?
If telephones are outlawed, then only outlaws will have telephones.
It boils down to a real simple question, on whose side are you going to be on...
Who do you want to rule the world?
Do you want it to be computer geeks? Are you a computer geek? Aren't we all computer geeks here. Has the world been massively changed and power usurped by the free access to information?
Or do you want it to be ruled by lawyers? Lawyers you don't know, who are shysters and liars and slick sleazy salesmen and probably the lowest of the low.
Slashdot readers need to stop dickering like little hens and provide a unanimous front against any pigs getting on the internet or even on a computer. We should have done so from the get go. How many pigs let you drive cop cars around for free, or play on their walkie talkie channels? None. I thought so.
If there's any law to be made, it's that all law agencies and police forces and military are to be prohibited from using computers and kept off the global network. Period.
Their intent is to make anyone and everyone who uses a computer a criminal, and fundamentally stigmatize and criminalize the use of computers.
Everyone here is guilty of computer crime in the eyes of the law, period. Every single one of you reading and posting this forum, I don't care who you are, I can look at anything you've done with computers in the past and single out something that violated a law. Whether you looked up the wikipedia webpage on lolicon, or downloaded a file that you didn't know contained a virus, or browsed a webpage at work, or sent someone you didn't know mail they didn't ask you for (thereby becoming unsolicited email), or downloading a song or game or software or who knows what.
Slashdot readers need to stop dickering like hens, this or that, pro or con, and be like the Indians should have been towards the white men, unified, and kick them the heck back into the sea instead of dickering well maybe maybe not, maybe they are on our side, maybe they are friends, this that and the other.
Your government does not want you to have a computer.
Most of you are too young or stupid to remember, but it was hackers, who like Prometheus stealing fire, stole computers out from behind the glass datacenter walls of IBM and kin. Do the words "8 bit revolution" have any meaning to anybody at all? There was a reason it was called a revolution. It took computing away from the government and its big corporations, and put access to it in the hands of the people.
Theft should be glorified. This keyboard you're typing on now, this video screen you're looking at now, is all courtesy of hackers who fought the good fight long ago.
So you want to call them thieves. So be it. There is honor amongst thieves. There is no honor amongst bureaucrats or lawyers.
Support thievery. Do not criminalize it. Sanctify it. Pay homage to it.
If you send the keys/passphrase on a modem, and you send the host/user identification through e-mail, you have 2 distinct separate channels. The likelihood of a Bad Guy [TM] being able to intercept both is not significantly greater than the likelihood of said Bad Guy [TM] suborning your courier and reading your floppy, or blackmailing an insider at one or the other end of the communications path into supplying complete access information. I have been known to use 3 channels, myself, one for each of the three pieces of related information. This is information security 101 here.
If you are suggesting that your telco is out to get you, keep in mind that the phone companies have the political, economic, and physical power to crush you like a bug. They can do whatever they want as long as they put profit in front of the shareholders. If a major telco gets caught murdering pre-schoolers for their lunch money they will NOT go out of business, nor will the pre-schoolers magically come back to life again. So stop worrying about what the phone company, the NSA, or your mom can do to you, and instead make sure they have no reason to want to do anything bad to you. Again, security 101, don't piss off anyone you cannot realistically protect yourself from.
Obviously, using the same methods and channels every time degrades the efficacy of said methods. Equally obviously, both ends of the communications channel should implement IP address based restrictions (Wietse's TCP wrappers, for example) if possible, and failed attempts should be logged and monitored.
No shit, sending a floppy via courier is also retarded. The fact that other non-secure methods of transmitting keys exist does not mean that it's OK to use a non-secure method of transmitting keys.
"Read the posts again. The whole point is that you assume all your communications are being sniffed. That's why you use multiple distinct channels."
Right, it's all being sniffed so splitting it up doesn't matter, since it's all being sniffed. Duh?
Welcome to 1991, you can use PGP to encrypt the keys and send them via email or whatever other electronic means you desire. Huzzah! Imagine all the amazing uses we might have for public key cryptography by the year 2006! Maybe we won't have to send sensitive information via plaintext over public networks like complete morons!
Riiiiiiight, we'll use secure keys to secure the keys. And then we'll make chickens without eggs!
Either you are determined to misinterpret whatever I say to make yourself appear clever, or you are a troll, or we are not speaking the same language. Further conversation seems pointless.
Which part of PUBLIC KEY CRYPTO is so difficult for you to grasp? It's perfectly OK for your public key to be intercepted. In fact, everyone on earth can have a copy, it's all good. That's the point of public key cryptography, dumbass.
Your comment relates to use of modems as out-of-band transfer mechanisms exactly how?
Are you on Ritalin by any chance? You don't seem to be able to track an entire conversation at once.
Are you retarded? As I said already, using a modem doesn't do anything for you. Transferring plain text data over the phone network is just as stupid as transferring it over the internet. There is no excuse to do this; simply encrypt the keys with PGP and you can transfer them over whichever insecure network you like.
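An added illustration of the public-key point argued in the exchange above (this is not code from any poster; it uses Go's standard library rather than PGP, which works the same way underneath): a fresh session key is wrapped under the recipient's public key with RSA-OAEP, so the envelope can cross any sniffed channel, while the one thing a second channel such as the modem link is genuinely useful for is confirming the public key's fingerprint, since a public key swapped in transit would have the sender encrypting to the wrong party. The 2048-bit key size, the OAEP label and the 8-byte fingerprint truncation are choices made for this example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"io"
)

// Envelope is what crosses the untrusted channel: the session key wrapped
// under the recipient's public key. Sniffing it yields nothing without the
// matching private key.
type Envelope struct {
	WrappedKey []byte
}

// oaepLabel binds the ciphertext to this purpose; any fixed value works as
// long as both sides use the same one (an assumption of this example).
var oaepLabel = []byte("session-key-v1")

// Fingerprint hashes the DER-encoded public key. Reading this short string
// over a second channel (phone, modem) is the check that catches a public
// key swapped in transit; the truncation to 8 bytes is an example choice.
func Fingerprint(pub *rsa.PublicKey) string {
	sum := sha256.Sum256(x509.MarshalPKCS1PublicKey(pub))
	return hex.EncodeToString(sum[:8])
}

// WrapKey encrypts a symmetric session key to the recipient with RSA-OAEP.
func WrapKey(recipient *rsa.PublicKey, sessionKey []byte) (Envelope, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, oaepLabel)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: ct}, nil
}

// UnwrapKey recovers the session key; only the private-key holder can.
func UnwrapKey(priv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, oaepLabel)
}

// Exchange runs one key transfer and reports whether the intended recipient
// recovered the session key and whether a sniffer holding its own key pair
// could. It also returns the fingerprint the two parties would read aloud.
func Exchange() (recipientOK, snifferOK bool, fp string, err error) {
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	sniffer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	sessionKey := make([]byte, 32) // 256-bit symmetric key, freshly generated
	if _, err = io.ReadFull(rand.Reader, sessionKey); err != nil {
		return
	}
	env, err := WrapKey(&recipient.PublicKey, sessionKey)
	if err != nil {
		return
	}
	got, err := UnwrapKey(recipient, env)
	if err != nil {
		return
	}
	recipientOK = bytes.Equal(got, sessionKey)
	_, snifferErr := UnwrapKey(sniffer, env) // wrong private key: OAEP check fails
	snifferOK = snifferErr == nil
	fp = Fingerprint(&recipient.PublicKey)
	return
}

func main() {
	rOK, sOK, fp, err := Exchange()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("recipient recovered key: %v\nsniffer recovered key: %v\n", rOK, sOK)
	fmt.Printf("fingerprint to confirm over a second channel: %s\n", fp)
}
```

The design point is that the two sides of the argument are not really in conflict: the envelope can travel over e-mail or anything else, and the out-of-band channel is reserved for the one value that has to be authentic rather than secret, the fingerprint of the key you are encrypting to.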