Criminals Target Tech Students With Job Offers
An anonymous reader writes "BBC News is running a story on criminal gangs targeting tech students. Some of these outfits offer to pay for an education in exchange for the student's employment on graduation in criminal hacking activities." From the article: "As the number of criminal gangs looking to move into cyber crime expanded, it got harder to recruit skilled hackers, said Mr Day. This has led criminals to target university students all around the world. 'Some students are being sponsored through their IT degree,' said Mr Day. Once qualified, the graduates go to work for the criminal gangs. As well as the direct route of targeting students, some organised crime gangs were trading on the glamour surrounding the 'hacker' label to help them recruit impressionable youngsters..."
Does this mean that legitimate companies, to keep up, will have to do the same thing?
Maybe they could even get into bidding wars over potential students/employees! This could only be a good thing...right?
Everything I need to know about copyrights I learned from Slashdot.
how do i sign up?
Wal-Mart. Big huge massive retail company. How much do you think it would be worth to K-Mart, or Target, or various other retailers, for Wal-Mart to just be down for a few days? Easily into tens of millions, if not hundreds of millions of dollars.
Sad part is, the person at the top doesn't even have to know what's going on. They just say "Hey write a program that will do this, and propagate. We'll give you a cool 100Gs." Kid says hells yea, takes a few hours, whatever, writes it, and gives it to them, collects.
Two weeks later, Wal-Mart plant sticks the little nasty into the Wal-Mart mainframe, and it gets disseminated to every single store in the company. The plant is nice and safe (removed by organization, or perhaps just left to fend for themselves, whatever), many of the people involved will never be caught, and the person that wrote it may not even know they were responsible!
Perhaps I should take off my tin-foil hat, but still, it's a helluva "What-If".
Can anyone here honestly tell me that they can get me access to a given business's clients database in the next 48 hours? Didn't think so. So what are the gangs getting out of this? Are they getting on a hype bandwagon?
Getting access to a company's database is so 1990's. These days, you need smart computer science types to design better malware to create botnets so that you can practice good old fashioned extortion against Costa Rican casino web sites. Simple as that.
Don't disappoint your bird dog. Go to the range.
The people who get caught by the RIAA are the "low hanging fruit" most of the time. They're either hitting ten year olds or they're hitting the superseeders (or the guys who run the sites). People with IT degrees who pirate would use safer, and harder to trace, methods. Even just using PeerGuardian or pirating via proxy (or stealing wireless) is going to help you a great deal in terms of not getting caught. Additionally, they "stay in the middle" in terms of threat level.
Same for these hackers. They're semi-safe because they're smarter than the average script-kiddie, and they're not quite as dangerous as the guys who hack the Pentagon or whatever. Law enforcement will feel two pressures: Go after the major crimes and close a lot of cases. They close the easy cases quickly, and catch the high-profile cases for the headlines. These guys probably feel safe since they're neither.
That said, the reason crime doesn't pay is that a cop only needs to get lucky once, but the criminal needs to be lucky every time.
>In order for this to work, you'd have to credibly threaten or capture a loved one.
The old recipe for recruiting a spy was MICE: Money, Ideology, Compromise, Ego. If organized crime really is trolling computer students, they could use at least three of those, and maybe even ideology ("stick it to the greedy corporate exploiters and their fascist tools in government", or something like that).
The other problem is, what's a CS degree going to do for a blackhat?
Put them through drama school and psychology if you want to raise a crop of social engineers, use an apprenticeship system if you need vulnerability finders, but CS? There are only a few problems in the criminal world (robust scalable botnet control, untraceable communications) that are computer science problems. And there can't be room for many people to work on those.
The article was way too light on any of the specifics that would have inclined me to trust it.
Funny that you mention ethics. I remember a class a few years ago, we tried to determine what set a 'Profession' different from a 'job'. Eventually we settled on something along the lines 'that a professional has a code of ethics', e.g. doctors, engineers, lawyers (ok, yeah ok I know - stick with me)...
I don't recall IT professionals having a code of ethics. If BSC/SE graduates swore to uphold a code of ethics, it may weed out a few of the more 'innocent' people that would take up this offer. Of course it may always be too late by the time they graduate too....
One could always join the military to get their training. It even has a similar rank structure to the Mob.
While it may not qualify as a mandatory code of ethics, I'd encourage you to read the SAGE System Administrator's Code of Ethics:
We as professional System Administrators do hereby commit ourselves to the highest standards of ethical and professional conduct, and agree to be guided by this code of ethics, and encourage every System Administrator to do the same.
Professionalism
* I will maintain professional conduct in the workplace and will not allow personal feelings or beliefs to cause me to treat people unfairly or unprofessionally.
Personal Integrity
* I will be honest in my professional dealings and forthcoming about my competence and the impact of my mistakes. I will seek assistance from others when required.
* I will avoid conflicts of interest and biases whenever possible. When my advice is sought, if I have a conflict of interest or bias, I will declare it if appropriate, and recuse myself if necessary.
Privacy
* I will access private information on computer systems only when it is necessary in the course of my technical duties. I will maintain and protect the confidentiality of any information to which I may have access, regardless of the method by which I came into knowledge of it.
Laws and Policies
* I will educate myself and others on relevant laws, regulations, and policies regarding the performance of my duties.
Communication
* I will communicate with management, users, and colleagues about computer matters of mutual interest. I will strive to listen to and understand the needs of all parties.
System Integrity
* I will strive to ensure the necessary integrity, reliability, and availability of the systems for which I am responsible.
* I will design and maintain each system in a manner to support the purpose of the system to the organization.
Education
* I will continue to update and enhance my technical knowledge and other work-related skills. I will share my knowledge and experience with others.
Responsibility to Computing Community
* I will cooperate with the larger computing community to maintain the integrity of network and computing resources.
Social Responsibility
* As an informed professional, I will encourage the writing and adoption of relevant policies and laws consistent with these ethical principles.
Ethical Responsibility
* I will strive to build and maintain a safe, healthy, and productive workplace.
* I will do my best to make decisions consistent with the safety, privacy, and well-being of my community and the public, and to disclose promptly factors that might pose unexamined risks or dangers.
* I will accept and offer honest criticism of technical work as appropriate and will credit properly the contributions of others.
* I will lead by example, maintaining a high ethical standard and degree of professionalism in the performance of all my duties. I will support colleagues and co-workers in following this code of ethics.
Draft of September 12, 2003, approved September 18, 2003, by the SAGE Executive Committee and September 30, 2003, by the Ethics Working Group.
Co-signed by LOPSA, USENIX, and SAGE 2006.
USENIX grants permission to reproduce this Code in any format, provided that the wording is not changed in any way, that signatories LOPSA, USENIX, and SAGE are included, and that no other signatory or logo is added without explicit permission from the copyright holders.
http://www.sage.org/ethics/
I will not give in to the terrorists. I will not become fearful.
Three years ago, Wired had an article written by a guy who does tech support for the Mafia.
Can anyone tell me how to set my sig on Slashdot?
What we *had* here was a failure to communicate.
:-P"
1 237124/ref=ase_mitnicksecuri-20/103-6052457-813506 9?v=glance&s=books
...
That seems to be clearing up, somewhat.
If you remember just a few, scant years ago, this discussion would be full of:
* "Your a moran"
"How about that tin foil hat"
"You watch too much TV"
"I guess you are a leet hacker dude"
and so on.
Perhaps Kevin (TM) has helped us understand what has been perpetrated on us for years (witting or unwitting social engineering).
The Art of Deception: Controlling the Human Element of Security
http://www.amazon.com/exec/obidos/tg/detail/-/047
So the internet does make us smarter, eh?
For example:
The Kennedy assassination made the word "conspiracy" a knee jerk, almost unconscientious reaction to discount whatever followed as ludicrous.
As an exercise let me roll this past you.
If the Japanese in WWII could have attacked every home in the US by way of their radio set top box (a "brown note" for electronics), to start fires in every home
http://www.schmarder.com/radios/crystal/
http://en.wikipedia.org/wiki/Brown_note
do you think they would have conspired with College (engineering) students to help them?
Criminals are now MBAs, Engineers and Rocket Scientists.
Your desktop could be mocking you.
* [yes, it's misspelled]
~hylas