FBI Says Computer Crime Costs Billions Every Year
JamesAlfaro wrote to mention a C|Net article putting a price tag on computer crime. From the article: "The FBI calculated the price tag by extrapolating results from a survey of 2,066 organizations. The survey, released Thursday, found that 1,324 respondents, or 64 percent, suffered a financial loss from computer security incidents over a 12-month period. The average cost per company was more than $24,000, with the total cost reaching $32 million for those surveyed. Often survey results can be skewed, because poll respondents are more likely to answer when they have experienced a problem. So, when extrapolating the survey results to estimate the national cost, the FBI reduced the estimated number of affected organizations from 64 percent to a more conservative 20 percent."
Who responded to this survey? The accountants? The lawyers? The CFO? The CIO? I'm not saying that computer crime doesn't cost a whole lot of money. I'm just wary of reports like this, especially when the total is arrived at via simple straight-line extrapolation from their 1300 respondents. This is simply a report designed to paint a bad picture so that they can secure extra funding for things like "online surveillance."
This article doesn't even mention the Computer Security Institute (CSI), the organization which conducts and publishes these surveys. The FBI allows them use of crime databases and is just presented the end result. On top of that, they present you with one graph and label it as referenced from the "Computer Crime Survey" when, in fact, this survey also had to do with security and is entitled 2005 Computer Crime and Security Survey. I believe you'll find a wealth of information in that PDF as it contains many graphs that break down respondents of crimes, average security expenditures, types of attacks, etc. If you're interested in what constitutes a "computer crime," check out the policy and sample cases (some amusing) as we all know that what is and isn't illegal with computers can get very fuzzy very fast.
I think this is a case of CSI running a survey and doing a damn fine job on the support but the media (and Slashdot) feel that FBI is better news than CSI.
My work here is dung.
Perhaps the problem is that companies aren't putting enough money into their security and not enforcing strict enough protocol among their staff. How many viruses felt by businesses do you assume were caused by a stupid employee? This could take the form of lazy tech staff, or even the assistant downloading something to pass the time. Then there is also the fact that a lot of smaller businesses I have experience with do not have an employee that can properly set up and maintain the business's networks and desktops. How much money are these companies spending on techie staff to remove stuff that otherwise could be done by any teenager who has experience with computers?
The number is huge, however the issue behind it I feel is being avoided and unseen. Businesses need a better method of using computers, perhaps a more business friendly OS. From the article, "Some are very small businesses that should have that technology, but they don't," and this is the problem. We won't be able to stop people from trying to bring down software and networks, however businesses can become more competent on how to prevent and protect.
do.what.promptcmds
I believe the FBI is correct, but I also believe that one should lock the door to their houses, offer potential robbers the thought that the family might be armed, get a decent alarm and security company and insure their belongings for the maximum amount.
My IT business makes about 40% of its income dealing with security issues. We have to turn new business away usually, as most new customers that we go visit are so insecure it isn't even funny. With insecurity comes more than just data theft but spyware and viruses and the rest, as we all know. It amazes me how many companies leave their homes unlocked, the lights on, the alarm off, and a big sign on the front steps saying "Come and get it!"
The solution to computer crime isn't using the FBI -- I'd like to turn their offices off and throw out the key. The solution to computer crime is:
1. Developing a good infrastructure and upgrade cycle
2. Committing to teaching users proper ways to set up their data and desktops
3. Purchasing security software and services from companies that do the best job finding the holes and plugging them.
Is the law useful? Not one bit. Most companies aren't going to bother suing civilly for damages, and no one wants to bother calling the cops. The chalk line around your stolen data isn't very useful. Get a good consultant, pay them well, and make them back it up with guarantees. Problem solved.
I wonder how many of these billions is the cost of hunting script kiddies when the money would be better spent hiring someone who knows a thing or two about security and preventing an attack from happening in the first place.
Hexy - a strategy game for iPhone/iPod Touch
Word to the wise:
Next time someone says "XXX Trend is costing us YYY dollars every year", it's probably going to be followed up with "Therefore we should spend ZZZ dollars dealing with it."
XXX = overstated threat
YYY = some made up figure
ZZZ = profit
Now that even the FBI can put a quantifiable sum of money on this may we please begin dismembering the EULA which makes this such an enormous problem?
"We'll just create this broken product... and let everyone else deal with the billions of lost dollars which it causes."
fast as fast can be. you'll never catch me.
Why? Because that seemed like a good number? This inexplicable change causes me to question the validity of the whole study.
The world will not get better through technology. We must seek to be better people.
In other news, paper crimes have cost Trillions per year.
It is amazing how many crimes go unreported, and if we were to prosecute all crimes by every person alive today, it would cost Quadrillions!
He who knows best knows how little he knows. - Thomas Jefferson
Considering most of the vulnerabilities exploited in "computer crime" are Windows flaws, we could say that by switching to (insert your distro here) we could save the licensing costs, PLUS the computer crime related costs.
(Disclaimer: Yeah yeah, i know this is slashdot and I'm probably not the first in mentioning it yadda yadda)
In old school government thinking, you're not supposed to "get rich off the government" as an employee. The government would often rather spend $2B for a stealth bomber that carries nuclear bombs, but will pinch pennies on the salary of the pilot of the bomber. The reality is that it costs the taxpayers less to pay $80,000 starting out for a qualified security official, and let them retire making $200-$250K/year than it does to hire a less competent one at $45,000/year. The better qualified, better paid one will be more effective if not hampered by management and more crimes will get punished, reducing the reward for crimes of this nature, thus decreasing the amount of money that has to be spent on prison and other costs in the long run.
Ultimately, you get what you pay for is a fundamental law of life. If you're not willing to pay well, the people that have the skills won't sign up for the job unless the economy is dying and they're desperate.
"FBI Says MS-Windows Costs Billions Every Year due to negligence." That's what they *should* say, but nooo.
GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
More money is blown into similar activities under the cover of "fighting terror".
With the difference that in that crime people die.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
suffered a financial loss from computer security incidents
Whoa, whoa. Back the truck up here, pal. Define "loss." I'm betting the overwhelming majority of the reported un-cash is probably:
1) "Lost" sales -- which is money the company didn't have in the first place
2) Money paid to try and prevent computer crime (which was their choice, and obviously didn't work)
3) Money paid to chase criminals after the fact (which, though necessary, shouldn't be lumped together with what a robber stole)
That leaves a very small percentage of money that was actually subtracted from a bank account somewhere.
I am curious how this would compare to the costs incurred due to defects in software. Back in 2002, NIST reported "Software bugs, or errors, are so prevalent and so detrimental that they cost the U.S. economy an estimated $59.5 billion annually":
http://www.nist.gov/public_affairs/releases/n02-10.htm
Has anyone seen an update to this report?
With limited resources, organizations need to choose between fixing security problems or fixing other types of defects in their software.
Did they include the NSA's illegal wiretaps in that tally?
Just like anything else, data networks need to be protected. Where all the money and private information transits nowadays? Yeah, via public networks. If a company doesn't have a strong data security team in these days, they are falling behind times, and no one, individual or corporation, will want to make business with them.
Is that including rootkits and other crimes from industry or just the ordinary non-corporate (i.e. punishable) crimes?
Most, nearly all, of the "cost" of computer crime comes from running a full security audit of your systems and locking down the security procedures and controls you will use to keep it from happening again. If these companies had a competent computer security policy in the first place, they would find their "costs" much less.
It's like a thief crashing through your dry-rot, termite-infested walls and then blaming HIM that you have to rebuild your whole house now. This money is almost always money that *should* have been spent, but wasn't in the name of cost-cutting or just general laziness.
"Your superior intellect is no match for our puny weapons!"
Microsoft had two or three possibilities for fixing the security problems in Windows and we are still seeing security issues that are 10 years old...
--
This sig suck...
A portion of every IT worker's salary goes towards security. Security issues are certainly a daily concern for support technicians. The costs easily amount to billions.
"So, when extrapolating the survey results to estimate the national cost, the FBI reduced the estimated number of affected organizations from 64 percent to a more conservative 20 percent."
We realized the data was completely meaningless. So we pulled a number out of our arse and decided that made the results accurate and meaningful.
Be aware that there are significant intangible benefits to working for the government like job security and status.
Evaluating the amount of losses due to a security break where information might have been stolen (when the perpetrator was found, but no evidence of stolen data was found) was initially in vogue during the big "Hacker Crackdown". In some cases evidence of stolen credit card numbers was found, and in that case, evaluating the losses again is an elusive task depending on how these numbers were used. The RIAA and MPAA crack at uploaders, assuming they have the capability to assist an infinite number of downloaders and therefore evaluate the losses at some skyrocketing unearthly sum. There have already been debates about a ceiling for such losses particularly when a P2P crackdown is on. Recently there was someone who used an anonymous remailer to create a bomb scare in the Indian parliament. Anonymous remailers are possible due to the very RFC that allows email and most usually can't be traced back (not that easily unless the perpetrator was too careless to have used unencrypted remailers.) Obviously there is no easy "damage evaluation" except the cost of the bomb squad deployment, cost of halt of parliamentary business (this happens not just due to bomb scares too). But the perpetrator will be prosecuted under an "Anti-Terror" law, and therefore in most likelihood won't be just fined. I see the following in tandem
The second being dependent on the first. So FBI, CIA or name the agency, name the country, a proper crackdown is going to be very difficult until definition and procedures are established. Trouble is red tape or Ph.D, hire either group and you will have to wait for these procedures and definitions to come in. Until then, law firms will define things in whatever way they choose, the same way they handle other criminal investigations. SPAM perpetrators - should they be fined for the volume of network traffic they generated (and therefore choked others, infringing on others' rights) which can be mathematically calculated should you recover intact evidence? I believe anti-SPAM laws in some countries are slowly coming into play and they do have a proper definition and a procedure for evaluating losses and severity of the crime. These numbers are hardly indicative of malicious activity or of any potential threat. Warranted products (like Microsoft Windows) having known/unknown security holes in them that create problems for consumers should obviously be dealt with using consumer-friendly laws where the company is unable to provide timely solutions. This is a hornet's nest, and one has to clearly separate a lot of variables before attempting to define crimes, severity, liability and all responsible entities.
No Greater Friend, No Greater Enemy! (Lucius Cornelius Sulla)
But did they ask the RIAA for their costs on computer crime?
And no, I didn't RTFA
to three things
1, coders' inability to write code that is secure
2, admins' inability to secure their infrastructure.
3, admins not being knowledgeable enough to monitor and handle hacking attempts.
The idea of passing new laws to "prevent" such crime is stupid. Kill as many flies as you can, there will still be flies to bother you.
But get a good repellent, and the flies don't bother you any more.
I think the size of the loss will probably have a major effect as well. Somebody who's lost only twenty dollars is a lot less likely to respond than somebody who's lost fifty thousand.
There are also questionable cases. Consider something I hit about a year ago. Shortly after Cingular bought AT&T, I switched my cell phone to Verizon. Cingular continued to bill me for a few months after the switch. After a little arguing over it, they admitted they'd screwed up and cancelled the bill -- but then a month later (or so) sent the bill again, with a late fee added. I called them back up, argued about it, and they cancelled the bill again. After this happening for about three months, they turned it over to a bill collection agency, and I argued with them instead.
Eventually, I wimped out and paid them instead of continuing to put time and effort into straightening out their mess. Now, first of all, I'm not at all sure whether this falls within the scope of the survey in the first place. My guess is that it's also basically accidental rather than a result of fraud. OTOH, it's somewhat open to question how long accidents can continue to happen without any apparent attempt to fix the problem before you have to figure their ignoring the problem is really intentional.
Anyway, my guess is that the average loss is probably more like tens or perhaps hundreds of dollars, rather than the tens of thousands they've estimated -- but I'd also guess that the problem is much more widespread than they've implied as well.
The universe is a figment of its own imagination.
It sounds like a lot, but $24,000 is substantially less than the cost of 1 IT staff. Besides, it's not mentioned how large these companies are (on average). For a 1 person operation $24,000 is a lot, for a Fortune 500 company with hundreds/thousands of employees, it isn't.
SCO employee? Check out the bounty
Of the 2066 companies that responded to the survey, a huge number (like 70%+) were in Texas or NYC. What's up with that? FBI is national.
Another odd thing is that only 23% used IDS, and only 90% had a firewall of any kind. Wha? These things seem so fundamental to me. I suppose the large number of very small companies just don't pay any attention to security.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
was thiiiiiiiiiiiiiiiiiisssssss big.
and when they hacked our system, it cost us a trillion, billion dollars.
You raise a fair point, but I wanted to point out something.
>spend $2B for a stealth bomber
While the cost of a weapons program is staggering and of questionable value relative to other needs, it's not as simple as deciding to spend $2B for a bomber.
You start out with an appropriation to spend $XXB on a program, expecting to produce NNN planes which will result in a cost of $YYY million each (still a lot, obviously).
Then, years into the program, things change and funding is cut and they say, build just 18. Now, your overall $XXB program cost is divided by the small number of planes, and pundits get to go on cable news shows and complain about government waste because stealth bombers cost $2B each.
Did they spend too much on building stealth bombers? Arguably.
Did they start out approving a program that was going to cost $2B for each bomber?
There is much cruelty in the universe, John.
Yeah, we seem to have the tour map.
In a related note, the costs associated with train robberies are way down. And cattle rustling related costs have virtually disappeared.
As the world changes, so does the crime.
Accountants enjoy new freedom of book keeping with "theoretical losses" of arbitrary figures they pulled off the top of their head:
Accountant: So how much did you think we lost because of computer crime?
IT Guy: I dunno... Our web server went down for a while and I joked that it was because some guy was hitting F5 in China.
Accountant: Ah! Excellent... *writes something down* So how much do you think it cost us.
IT Guy: Oh I dunno... What's the cost of me getting up out of my seat to make a phone call to the guy down in the server room to boot it... Oh, $0.35 cents?
Accountant: Hrm... *scratches chin* No good. But if I multiply it by inflation and theoretical estimates and carry the zero. By golly! I think we've lost over $2,000,000.35 to computer crime! That's one hell of a tax break. Daddy's going to be rolling in the bonus this year!
IT Guy: But... I... Oh never mind...
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
I point to the 'point-and-click' culture as at least part of the problem. I was dealing with a major vendor of credit information, and they wanted to set up a VPN tunnel as part of their 'corporate' security (presumably SBO compliance). They wanted to use preshared keys. I offered to send them my public key so they could encrypt the keys. Or, failing that, my phone number so they could send the keys that way, if need be. They emailed the keys in the open. If they couldn't do it with a point-and-click, it seemed, they just couldn't do it at all.
There's just no substitute for independent thought.
"We are all geniuses when we dream"
- E.M. Cioran
The numbers are meaningless anyway, unless you have another set for comparison, say the loss from common white-collar crimes (embezzlement, theft, etc.). It's about the proportion of loss more than the actual loss. Sure, a worm or virus can bollix up the works, but such things are easily fixable. An accountant siphoning money from the company accounts is harder to trace and when found, is usually harder to recoup.
GetOuttaMySpace - The Anti-Social Network
I think it's funny that you think the "major vendor" was stupid for sending you the keys in plain text, but yet you think giving them your phone number is going to help things in some way?
Often survey results can be skewed, because poll respondents are more likely to answer when they have experienced a problem. So, when extrapolating the survey results to estimate the national cost, the FBI reduced the estimated number of affected organizations from 64 percent to a more conservative 20 percent.
So basically they think their method of obtaining information is flawed, they have no idea by how much, but since 64% "feels" too high they decide to create a whole new number out of the blue that was felt to be subjectively acceptable to the committee.
Wow who funded THAT?
Seven puppies were harmed during the making of this post.
The loss of online liberties to orwellian government costs society billions every year too.
Whether you agree on more security or less, it does actually cost something and it is quite expensive.
Somehow I think "it costs less to pay off the government" comes in there somewhere. Otherwise I would hope that the government would apply some kind of economic pressure to get the plugs sealed, thus making it cheaper to fix in the first place.
Having said that, I am quite glad that MS is such swiss cheese. I have had a nice little career helping people plug the holes, and if they were to fix all the problems, I'd be stuck having to do something else.
Don't use the Troll mod just because you disagree with me.
Does anyone else work in the public safety field? We've been attempting to submit NIBRS data to the state for the last oh, 3 years or so. NIBRS is the replacement for UCR crime stats. There are 3 optional fields that I've always thought were funny: were drugs used, was alcohol used, and was computer equipment used. I've always figured that was for some academics to query the FBI and find out how many crimes computer equipment was involved with. There is a tiny problem with that though... I've not seen any of our guys actually use those fields in the software, which, if others don't use them, makes the numbers off.
(We've been trying to submit to the state. The state is responsible for submitting to the FBI.) I didn't read the article just the summary, but it looked like the FBI was just surveying businesses and not using the data it already has.
What recourse does an individual have when they've exhausted all their options, and your guarantees don't satisfy them?
The law.
Your guarantee is worthless without legal remedy when it fails.
One other thing
This
"How is that untrustworthy?"
Where did I say ANYTHING about trustworthiness?
WHY ARE YOU CONSTANTLY MAKING SHIT UP? WHAT IS WRONG WITH YOU THAT YOU CAN'T READ AND RESPOND TO WHAT I SAID WITHOUT ARGUING A POINT I NEVER EVEN REFERENCED, MUCH LESS ATTEMPTED TO MAKE?
Are you just fucking stupid? Do you have some difficulty with the language that you saw the word "untrustworthy" and the argument related to it in a post consisting almost completely of "BWAHAHAHA....."?
Why do you constantly just make shit up?
How pathetic are you that you follow me from topic to topic and waste all your mod points at once modding me down?
There was a tale not too long back of one Jeremy Hammond (case pending), who was persecuted for breaking into a rival company's server and stealing over $3.5 million dollars' worth of credit card numbers (http://en.wikipedia.org/wiki/Jeremy_Hammond). Who knows how many Jeremy Hammonds there are in the world, who perpetrate similar crimes every year.
Reading this makes me rethink some privacy laws. I'm a privacy advocate, but if the hackers are costing me more money in my yearly tax I say go after them. It's only hindering the US economy.
This isn't really news. It seems like the numbers are just pretty much made up. They knew that the polling was completely inaccurate, so they just decided to change the number from 64 to 20. This number has no more meaning than one made up entirely randomly.
I'd guess that most companies are losing more money due to stolen office supplies than computer crime. I get annoyed at computer crime being treated as some magical force, as if it is some how different from every other sort of crime.
Politicians repeat after me: "Computers are not Magic!, Computers are not Magic!"
Big ones, small ones, some as big as yer 'ead!
Give 'em a twist, a flick o' the wrist...
But they're not crimes. Perhaps they should be.
IT security shops make billions each year.
So do body shops.
So do insurance companies.
Get over it.
Good judgement comes from experience, and experience comes from bad judgement.
- W. Wriston, former Citibank CEO
Are those actual billions, or are those RIAA-inflated numbers, where it actually only cost $10 million to fix it all but they want to say it's $2 billion so they can sue for that much?
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 SU CK IT MP AA
The cost is much higher than the 67bn that the FBI says. Their "more realistic" estimate of twenty percent is way below the mark. Also, every machine that I find infected with spyware costs at least two hours of repair time - these costs should realistically include the user's down time, my time, "overhead and burden" and the other costs associated with having a computer out of service. These costs could realistically be hundreds of dollars per incident. All of this comes before the cost of the crime associated with spyware (which can include identity theft and corporate espionage). You really also need to add to these costs the price of defense, the anti-virus software, the anti-spy software, proxies, firewalls and all the other security softwares out there. Plus the man-hours that it takes to coordinate and administer all of this stuff.
It will only get worse before it gets better. Currently it is simply way too difficult to prosecute these criminals and their structure makes it even harder to bust the higher-ups in the organization. Their ability to disappear and hide makes the mafia look like rank amateurs. The borderless society of the internet and the fact that everything operates at near-light-speed means that the crooks can be in Amsterdam, Moscow, New York or Cuba and function just as effectively. This makes capture and prosecution terribly difficult and very expensive. For these reasons, along with the relative ease of commission, cyber-crime is and will remain a growth industry.
Ultimately, you get what you pay for is a fundamental law of life.
It may be, but it carries a risk of its own. Companies can (and do) pay large sums of money for certain services and still get screwed. Money in and of itself isn't the answer...money helps, but competence is what gets the job done.
Of course the FBI says that computer crime is going to end the world. They want to snoop more so they need to create some panic. Don't listen to the Gov, they lie always.
Statistics like this support insinuations against people with computer skills. I wonder if stats were kept on the number of crimes where the perpetrators made use of the public roads and parking to aid their crime? Driving licenses contribute to X percent of national crime!
If last year music downloads had their best year ever and other computer based business models are also improving - I wonder what the size of computer aided or assisted business is? What percentage of the profit from that business went into security improvements and training?
In the blindingly vast percentage of cases people are honest but you never hear about that.
Does the tally include the Sony rootkit?
The RIAA/MPAA of course.
The 'Net is a waste of time, and that's exactly what's right about it. - William Gibson
Thus, US information about the prevalence of white collar crime is very poor. There are surveys, but not much hard data.
If this survey was about safety and the expense of keeping our roads safe and the vehicles driving, you know they would break down which vehicle cost most. Funny that there is no talk of the principal cost here being one software manufacturer and that alternatives don't represent such a cost to the country.
Virus protection and repair form the largest category of expenses. Doesn't it make sense to avoid the operating system with the largest expense in virus costs.
Why has protecting the nation's computers from viruses affecting one company's operating system been represented as an inevitable cost of 'computer crime' to business? Seems there is something that can be done...
America's favourite monopoly avoids any responsibility again.
Together with the new-year speeches, come the "I want to secure my budget for this year"-speeches everywhere.
The FBI is no exception in this case.
Bring in the money guys, bring in the money...
Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
As an online retailer other than eBay or Amazon, try calling them up and saying "We have some information on people that are attempting to use fraudulent credit cards through us." See how quickly you're told to buzz off.
Oh, you're not stuck, you're just unable to let go of the onion rings.
Sending the keys over a POTS ppp link is actually pretty far out-of-band, and provides reasonable levels of assurance that the sender and receiver are correct. Because of less time exposure for interception, it's probably just as good as using a flash drive sent parcel-post.
The vast majority of IT types with whom I work are completely, gloriously incompetent when it comes to security.
I'm not talking about patch management and implementing the SORBS list and having a firewall and so forth. I see the whole gamut when it comes those guys.
What I never see is any kind of inventory system in place so they can say, hey, we have three thousand known MAC addresses that should be allowed on our network--what's that NEW device?
Or, "I know the operating system, patch level, loadout, and purpose of every workstation and server in this IP range, with up-to-date maps." During 99 times out of the last 100 on-site mitigation efforts in the past year, when I asked the local IT guys "Ok, where is this hacked box?" They COULD NOT TELL ME. It took them DAYS to track that shit down. DAYS. Of course, because they are incompetent, they try to stab me in the back by slamming our 24-hour support: "It took them four days to clean up the incident." "Yeah, but three days was you trying to find the box in a building with less than 100 nodes..."
I would settle for guys who knew how to use grep, who knew where the firewall logs were stored, who bought all the expensive Cisco gear and then--GASP--actually took advantage of netflow, or who even knew the IP ranges their organization had allocated to them. I have yet to find any of these among the teeming millions of dickheads with MCSEs and CCNA certifications.
Until IT stops being something you do with a GED, there will always be security problems, and I will always have a well-paying job.
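An added example (not from any poster) of the inventory check this post asks for: a Go program that matches DHCP lease log lines against a known-device list, flags any MAC it has never seen, and answers "where is this box?" by IP. The log format, the MAC addresses and the inventory are constructed sample data, not real records.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed inventory (MAC -> what the box is), standing in for the
// "three thousand known MAC addresses" the post describes.
var knownDevices = map[string]string{
	"00:11:22:33:44:55": "ws-finance-01 (WinXP SP2, patched 2006-01)",
	"00:11:22:33:44:66": "srv-mail-01 (Linux, 10.1.2.20)",
	"00:11:22:33:44:77": "printer-3rd-floor",
}

// Constructed sample log in a dhcpd-style DHCPACK format (not from a real server).
const sampleLog = `Jan 12 09:01:13 dhcp dhcpd: DHCPACK on 10.1.2.41 to 00:11:22:33:44:55 via eth0
Jan 12 09:03:47 dhcp dhcpd: DHCPACK on 10.1.2.20 to 00:11:22:33:44:66 via eth0
Jan 12 09:05:02 dhcp dhcpd: DHCPACK on 10.1.2.99 to DE:AD:BE:EF:00:01 via eth0
Jan 12 09:07:30 dhcp dhcpd: DHCPACK on 10.1.2.77 to 00:11:22:33:44:77 via eth0
Jan 12 09:09:11 dhcp dhcpd: DHCPACK on 10.1.2.99 to de:ad:be:ef:00:01 via eth0`

var ackRe = regexp.MustCompile(`DHCPACK on (\d+\.\d+\.\d+\.\d+) to ([0-9a-fA-F:]{17})`)

// Lease is one observed (IP, MAC) pair taken from the log.
type Lease struct {
	IP  string
	MAC string
}

// ParseLeases extracts DHCPACK events; MACs are lower-cased so the
// inventory lookup is case-insensitive.
func ParseLeases(log string) []Lease {
	var out []Lease
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := ackRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		out = append(out, Lease{IP: m[1], MAC: strings.ToLower(m[2])})
	}
	return out
}

// UnknownDevices returns MAC -> last IP for every lease whose MAC is not in
// the inventory, de-duplicated so a renewing lease is reported once.
func UnknownDevices(leases []Lease, inventory map[string]string) map[string]string {
	unknown := map[string]string{}
	for _, l := range leases {
		if _, ok := inventory[l.MAC]; !ok {
			unknown[l.MAC] = l.IP
		}
	}
	return unknown
}

// LocateByIP answers "where is this hacked box?" for an IP seen in the log:
// the inventory description and true if the MAC is known, otherwise the
// bare MAC and false. An IP never seen in the log yields ("", false).
func LocateByIP(ip string, leases []Lease, inventory map[string]string) (string, bool) {
	for _, l := range leases {
		if l.IP != ip {
			continue
		}
		if desc, ok := inventory[l.MAC]; ok {
			return desc, true
		}
		return "unknown device " + l.MAC, false
	}
	return "", false
}

func main() {
	leases := ParseLeases(sampleLog)
	for mac, ip := range UnknownDevices(leases, knownDevices) {
		fmt.Printf("ALERT: unknown MAC %s seen at %s\n", mac, ip)
	}
	desc, known := LocateByIP("10.1.2.41", leases, knownDevices)
	fmt.Printf("10.1.2.41 -> %s (known=%v)\n", desc, known)
}
```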
This is a very interesting conclusion brought on from the FBI, particularly because it excludes INDIVIDUALS who may be victims of "computer crime", but only focuses on businesses who claim losses due to perceived computer crime.
When a person is a victim of identity theft, the loss is much more "real" in that there's a person who is "hurt" by this crime. There is attributable loss, usually in money taken out of bank accounts, money that may be racked up on credit cards, and the years spent trying to undo the damage done to your credit rating.
Conversely, the damage done to an organization doesn't harm any one person and therefore the wound isn't "felt" as deeply; furthermore, most of what businesses attribute as a loss is really a cost of simply doing business and isn't money lost out of a bank account or a ruined credit rating.
Seems to me that the government cares more about businesses than its citizens.
If I was a victim of identity theft, I couldn't walk into my ISP and demand records of who was using what IP address -- but the RIAA can if they think they've been wronged. Why is it that businesses - NON PEOPLE - have more rights than the people this country was founded to serve?
If telephones are outlawed, then only outlaws will have telephones.
If you send the keys/passphrase on a modem, and you send the host/user identification through e-mail, you have 2 distinct separate channels. The likelihood of a Bad Guy [TM] being able to intercept both is not significantly greater than the likelihood of said Bad Guy [TM] suborning your courier and reading your floppy, or blackmailing an insider at one or the other end of the communications path into supplying complete access information. I have been known to use 3 channels, myself, one for each of the three pieces of related information. This is information security 101 here.
If you are suggesting that your telco is out to get you, keep in mind that the phone companies have the political, economic, and physical power to crush you like a bug. They can do whatever they want as long as they put profit in front of the shareholders. If a major telco gets caught murdering pre-schoolers for their lunch money they will NOT go out of business, nor will the pre-schoolers magically come back to life again. So stop worrying about what the phone company, the NSA, or your mom can do to you, and instead make sure they have no reason to want to do anything bad to you. Again, security 101, don't piss off anyone you cannot realistically protect yourself from.
Obviously, using the same methods and channels every time degrades the efficacy of said methods. Equally obviously, both ends of the communications channel should implement IP address based restrictions (Wietse's TCP wrappers, for example) if possible, and failed attempts should be logged and monitored.
No shit, sending a floppy via courier is also retarded. The fact that other non-secure methods of transmitting keys exist does not mean that it's OK to use a non-secure method of transmitting keys.
"Read the posts again. The whole point is that you assume all your communications are being sniffed. That's why you use multiple distinct channels."
Right, it's all being sniffed, so splitting it up doesn't matter, since it's all being sniffed. Duh?
Welcome to 1991, you can use PGP to encrypt the keys and send them via email or whatever other electronic means you desire. Huzzah! Imagine all the amazing uses we might have for public key cryptography by the year 2006! Maybe we won't have to send sensitive information via plaintext over public networks like complete morons!
Riiiiiiight, we'll use secure keys to secure the keys. And then we'll make chickens without eggs!
Either you are determined to misinterpret whatever I say to make yourself appear clever, or you are a troll, or we are not speaking the same language. Further conversation seems pointless.
Which part of PUBLIC KEY CRYPTO is so difficult for you to grasp? It's perfectly OK for your public key to be intercepted. In fact, everyone on earth can have a copy, it's all good. That's the point of public key cryptography, dumbass.
Your comment relates to use of modems as out-of-band transfer mechanisms exactly how?
Are you on Ritalin by any chance? You don't seem to be able to track an entire conversation at once.
Are you retarded? As I said already, using a modem doesn't do anything for you. Transferring plain text data over the phone network is just as stupid as transferring it over the internet. There is no excuse to do this; simply encrypt the keys with PGP and you can transfer them over whichever insecure network you like.
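An added example, not from any poster, of the point argued in this exchange: once the pre-shared key is encrypted to the recipient's public key and signed by the sender, the channel it travels over no longer matters. It uses Go's standard-library RSA-OAEP and RSA-PSS as a stand-in for PGP; the key pairs, the PSK value and the OAEP label are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// OAEP label binding the ciphertext to its purpose (constructed value).
const pskLabel = "vpn-psk"

// Envelope is what travels over the open channel (e-mail, the modem, anything):
// the PSK encrypted to the recipient plus the sender's signature over that ciphertext.
type Envelope struct {
	Ciphertext []byte
	Signature  []byte
}

// SealPSK encrypts psk to the recipient's public key (RSA-OAEP) and signs the
// ciphertext with the sender's private key (RSA-PSS).
func SealPSK(psk []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, psk, []byte(pskLabel))
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, Signature: sig}, nil
}

// OpenPSK checks the signature against the expected sender's public key first
// (forged or altered mail is refused before any decryption), then decrypts.
func OpenPSK(env *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(env.Ciphertext)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("sender signature invalid: %w", err)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.Ciphertext, []byte(pskLabel))
}

// Outcome records the four checks RunScenario performs.
type Outcome struct {
	Recovered         bool // customer got exactly the PSK the vendor sent
	EavesdropperFails bool // a third party holding the mail cannot decrypt it
	TamperRejected    bool // a ciphertext altered in transit is refused
	ForgeryRejected   bool // an envelope signed by someone else is refused
}

// RunScenario plays the thread's situation: a vendor delivers a VPN PSK to a
// customer over a channel that an eavesdropper can read and modify.
func RunScenario() (Outcome, error) {
	var out Outcome
	keys := make([]*rsa.PrivateKey, 3) // vendor, customer, eavesdropper
	for i := range keys {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return out, err
		}
		keys[i] = k
	}
	vendor, customer, eve := keys[0], keys[1], keys[2]

	// Constructed sample PSK; a real one comes from a CSPRNG on the vendor side.
	psk := []byte("constructed-sample-psk-0123456789abcdef")
	env, err := SealPSK(psk, vendor, &customer.PublicKey)
	if err != nil {
		return out, err
	}

	got, err := OpenPSK(env, customer, &vendor.PublicKey)
	out.Recovered = err == nil && bytes.Equal(got, psk)

	_, err = OpenPSK(env, eve, &vendor.PublicKey) // same bytes, wrong private key
	out.EavesdropperFails = err != nil

	tampered := &Envelope{Ciphertext: append([]byte{}, env.Ciphertext...), Signature: env.Signature}
	tampered.Ciphertext[0] ^= 0x01 // one bit flipped in transit
	_, err = OpenPSK(tampered, customer, &vendor.PublicKey)
	out.TamperRejected = err != nil

	forged, err := SealPSK([]byte("attacker-chosen-psk"), eve, &customer.PublicKey)
	if err != nil {
		return out, err
	}
	_, err = OpenPSK(forged, customer, &vendor.PublicKey) // signed with eve's key, not the vendor's
	out.ForgeryRejected = err != nil
	return out, nil
}

func main() {
	out, err := RunScenario()
	fmt.Printf("%+v err=%v\n", out, err)
}
```

The signature is what the phone-number and modem suggestions in the thread were reaching for: it tells the customer who sent the key, while the encryption is what keeps the sniffed copy useless.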