Slashdot Mirror


Cybercrime Is a Franchise Model That Scales

Presto Vivace notes a report from the RSA conference on the cybercrime economy, and it's not an optimistic one. Part of the problem is that in many places cybercrime pays much better than legitimate work, including security research. "As the panelists explained, a single spam message might be tied to as many as 10 separate organizations and perhaps five suppliers. Every task in the criminal economy has become a separate specialty. Some people sell e-mail lists, others sell lists of compromised IP addresses, there are sellers of credit card numbers, and those who sell access to bot nets. Then there are those who handle product fulfillment for spammers, and those who specialize in laundering money."

  1. Office Space clearly had an impact by Anonymous Coward · · Score: 5, Funny

    One of the big problems the guys in Office Space faced was how to launder their money. They were computer programmers who had no knowledge of the intricacies of money laundering. It's good to see someone recognized the problem and is now providing solutions for those of us who don't know how to launder money ourselves.

    1. Re:Office Space clearly had an impact by CogDissident · · Score: 4, Insightful

      It's not as hard as you think. If you can get the money off-shore (such as an offshore account in the Pacific), and then throw it to a numbered account in a Swiss bank, it's basically done.

      The hard part is getting it out of the country of origin, without it being linked to you as having "left" from you.

    2. Re:Office Space clearly had an impact by Anonymous Coward · · Score: 3, Funny

      So what you're saying is that it's easy, except for the hard part.

  2. Cut of the source by pembo13 · · Score: 3, Insightful

    Kill all bot nets. Seriously. And have companies who sell operating system take some financial responsibility for future security.

    --
    "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
    1. Re:Cut of the source by moderatorrater · · Score: 5, Insightful

      Kill all bot nets. Seriously.

      Agreed, although botnets are a tool, not necessarily a source. They make computing power cheap for the underworld, but everyone here should know that computing power is already cheap. The diversified IP addresses are harder for them to mimic, but not impossible.

      And have companies who sell operating system take some financial responsibility for future security.

      Absolutely ridiculous. I've heard this before, and I think it makes as much sense as holding the door manufacturer responsible for home break-ins. Microsoft has never claimed to be completely secure and they haven't made any contracts specifying that they should be. They allow other products to work on their platform, and these other products have threatened legal action if Microsoft makes their OS secure (although not in those exact words). It also patches on a regular cycle and it's ultimately a decently secure OS (when you take the patches into consideration).

      The ultimate responsibility for what happens on someone's computer is theirs. There's a lot of hatred for Microsoft floating around here, and for good reason, but holding them responsible because people can't protect their computers in the most rudimentary ways is wrong. It also opens the doors for holding any software responsible for any hacking that occurs on them, even if the user could have prevented it with negligible effort. Considering the state of security in the software industry, that would destroy pretty much every company in existence and set us back 10-20 years.
    2. Re:Cut of the source by Dada+Vinci · · Score: 3, Interesting

      Not all botnets are the fault of insecure operating systems. People who exclaim "Oh, look, somebody I don't know emailed me a file called CutePuppies.exe! I think I'll click on it!" pretty well destroy any sort of security scheme. Vista tried to solve that by preventing users from running programs (under the guise of User Account Control) but that just led to rebellion because people don't want to have to explicitly grant access to every program that wants to read to disk or connect to the Internet. When I install the new Firefox I don't want to have to authorize each and every operation it performs (write to disk, read from disk, connect to Internet, etc).

    3. Re:Cut of the source by Spy+der+Mann · · Score: 2, Interesting

      Not all botnets are the fault of insecure operating systems.


      Not all, but most definitely are:

      - Unpatched Windows XP (and below) PCs
      - patched but already infected Windows PCs
      - patched but rootkitted Windows PCs
      - patched Windows PCs just infected this week with a zero-day exploit.

      So the rest of the botnets would be shared webservers running insecure PHP bulletin boards, and servers running unpatched MS SQL, but these are a tiny fraction.

      As you can see, Microsoft's greed is largely responsible for most of the world's botnets. This has to stop. The US government could as well take these steps:

      a) Force Microsoft to release a new version of XP but with Vista's security features (but please replace the cancel/allow with administrator password dialogue), so that all processes run in userspace and no changes can be done to the registry/configuration without user authorization.

      b) Force Microsoft to release the patches and upgrades *FOR FREE*, even for pirate copies

      c) Make a "Disinfect your PC" campaign, making a census of all computers, and running antivirus/antirootkit software (or possibly formatting, with previous backup of course) on such machines, at the same time upgrading the PCs to the newest Windows version (FOR FREE). When the campaign is over, we could as well declare the US virus-free (for now :-/ ) Unfortunately, for the measure to be effective, this should have to be done in all countries (so here comes international politics), so I'm afraid we'd have to stick with a) and b). But what use is upgrading a PC which has a rootkit on it?

    4. Re:Cut of the source by ratboy666 · · Score: 2, Funny

      The solution? CutePuppies.exe is not executable. End of discussion.

      If you want to actually execute it, you have to:

      1 - save it to disk
      2 - change its permissions
      3 - then (and only then) execute it.

      It is preferable to force a command line session (terminal window) for step 2, with a "difficult" sequence. Say.. chmod +x CutePuppies.exe. And it should show up on the desktop either...

      No "is this allowed?" dialog. No "please enter your password" dialog. Just.. don't.. execute.. it.

      I would even go so far as to force a manual base64 or uu decode in there.

      Get off my lawn, you damn kids!

      --
      Just another "Cubible(sic) Joe" 2 17 3061
  3. And my mother always said that by name*censored* · · Score: 4, Funny

    Crime doesn't pay. Pfft.

    BRB, watching to see if the kettle boils.

    --
    Commodore64_love: I don't comprehend people who're so frightened of death that they'll bankrupt themselves to stay alive
  4. Is pay really the reason? by mrroot · · Score: 4, Insightful

    Part of the problem is that in many places cybercrime pays much better than legitimate work, including security research.

    Crime almost always "pays better" than so-called legitimate work (is crime really considered a profession?) Well I guess you could say it is a part of the problem, but the OTHER part of the problem is the risk of getting caught is too low. It is a risk/reward model. There are other factors in play here too, for example people's morality. Even if there were little risk and great reward, some people have a moral system that would still prohibit them from undertaking a life of crime.

    --
    I Heart Sorting Networks
    1. Re:Is pay really the reason? by iamacat · · Score: 3, Insightful

      Even if there were little risk and great reward, some people have a moral system that would still prohibit them from undertaking a life of crime.

      But if you think about it, the highest moral system would actually push people into life of crime. There are lots of evil entities that need stealing from (nuclear weapons manufacturing, Bin Laden family in Saudi Arabia, Dick Cheney, Microsoft, RIAA, ...) and lots of hungry children in Africa. It's not immoral to steal from crooks!
    2. Re:Is pay really the reason? by mrroot · · Score: 4, Insightful

      But if you think about it, the highest moral system would actually push people into life of crime. There are lots of evil entities that need stealing from (nuclear weapons manufacturing, Bin Laden family in Saudi Arabia, Dick Cheney, Microsoft, RIAA, ...) and lots of hungry children in Africa. It's not immoral to steal from crooks!
      So who decides who is a crook and who is not? I guess you feel like you have a pretty good handle on that, or at least you just rattled off all the names you have been told are crooks. Congratulations, you have conformed.
      --
      I Heart Sorting Networks
  5. Re:Product Fulfillment? by sco08y · · Score: 2, Informative

    I've actually tried, out of curiosity, to order something. I rarely get to a working web page, let alone an order form. Sometimes you'll see a 1800 number. Many times you'll just be redirected to a page full of ads.

  6. Economies of scale by Facetious · · Score: 2, Informative

    The risk/reward concept of crime is complicated by economies of scale. Prior to the Series-Of-Tubes(TM), it was fairly difficult to con more than one person at a time. Now, many high school students have the power to con millions of people across international borders. The potential reward has gone up. The perceived potential of risk has gone down. Thus, cybercrime rises.

    --
    Let us not become the evil that we deplore.
  7. The problem: FBI Baltimore by Animats · · Score: 3, Interesting

    We need the FBI Baltimore office taken out of the business of distributing child porn and put on this problem. After ten years of work, they've arrested over 6,000 people.

    How many computer criminals have they arrested? The Department of Justice doesn't seem to provide useful statistics, but it looks like the number per year is in the 10-100 range.

    This is backwards, given the relative size of the problems.

    Part of the problem is that the FBI has a measurement bias against white-collar crime. See the FBI Crime Statistics page. Violent crimes are counted if they are reported; white collar crimes are only counted if there's an arrest.

  8. Not just cyber by sm62704 · · Score: 2, Interesting

    They keep parroting that "crime doesn't pay" but it obviously DOES pay, and it pays well. Most crimes are not solved. Most criminals are not caught - only the stupid ones and the unlucky ones get caught.

    In fact, society should be damned glad that most slashdotters are honest and have conscienses (no that's not spelled right, so jail me) because if most of us were dishonest we could do one hell of a lot of damage!

    Sometimes I wish I could be dishonest, I'd be a rich man. But it's just not in my nature.

    --
    mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
  9. Another Part of The Problem by Bob9113 · · Score: 2, Insightful

    Part of the problem is that in many places cybercrime pays much better than legitimate work, including security research.

    Another part of the problem is that our cyber enforcement budget leans heavily toward pornography, gambling, and copyright.

    Yet another part is that corporations and politicians are unwilling to kill their fatted calf that is "legitimate" UCE.

  10. Re:I don't get it... by CodeBuster · · Score: 2, Interesting

    It probably has less to do with actually selling a particular product than it does with saturation advertising which is designed to bypass the natural mental defenses that people have built up to advertising in general by so completely saturating the mind with brand image, logo, slogan, etc... that when the decision to make a purchase finally does come it is made on an almost subconscious level (i.e. you drop the item in your shopping cart without even thinking about it really). That is the angle that most spammers are working for their clients these days. They know you hate it, they know that you would never buy anything directly from them, but they and their clients don't care because they do not require your active cooperation in any way for their strategy to work because they are attempting to manipulate your subconscious through information overload to short circuit the rational decision making part of your brain the next time you have to make a purchase so that you will buy their brand without remembering specifically where you heard of it or even if you have seen it before. That explains the client of the spammer, but the spammer is simply a mercenary who cares about getting paid and he doesn't give a crap either way as long as he gets paid (by his clients) to run the spam campaigns on their behalf.

  11. Not in your nature? Sure it is, but... by RexDevious · · Score: 2, Insightful

    it never developed because you happen to be naturally better at things which didn't require it.

    CASE STUDY: Matt Dillon

    My brother owns a bar frequented by Matt Dillon, the multi-millionaire, super-naturally gorgeous, very famous actor. And he's never seen anyone so utterly terrible at picking up girls. Why? Because he's never *had* to be good at chatting up girls, he's been a movie star since he hit puberty. If he'd needed to learn how to chat up girls, he'd have learned.

    You're bad at being dishonest for the same reason Matt Dillon is bad at picking up women.

    But, if you'd lacked any natural ability to achieve goals honestly, you would have had no other option but to develop the talent to lie, cheat and steal your way to success.

    This is the same reason why beautiful girls seem dumb, and powerful people rarely have any other talent than gaining power.

    To me, this last bit is the most troubling. We've created a world in which utterly worthless people have no other choice than to figure out how to exploit the worth of others in order to get anywhere in life.

    Personally, I blame our "won't someone think of the children" policies. They keep dumb people alive long enough to develop the skill to exploit the intelligent people - who are completely unprepared to deal with dishonesty, cheating, and theft because they never needed to do the things that would have given them experience in those areas.

    It's like that sig which floats around slashdot a lot:

    "Never argue with a fool. They'll drag you down to their level, and then beat you with experience."
  12. Re:Robin Hood Rich/Poor Dichotomy by pbhj · · Score: 2, Interesting

    According to the UK government my family live well below the poverty line (about two-thirds of a poverty level income), so I feel I can offer some insight!

    >>> Can they save any for a rainy day, or would that make them no longer poor and ineligible for the next payout to the poor from Robin Hood?

    If you're a medieval peasant (probably a serf) given enough money to buy a sack of flour you won't go hungry for a few weeks. You'll still be in need, with more money you could buy vegetables, more still you could have meat, more than that land that you could use to feed yourselves from (assuming you're not debarred from owning land by not being a part of a noble family).

    >>> If poor people constantly spend every cent they receive, whether from assistance or earned to remain poor, is that moral behavior?

    We spend every penny we earn on housing, food, utilities, clothing (if we're lucky, though mostly we get clothes as gifts). We work and are raising a child (both considered moral goods for the community by most). I can't see how it's immoral to spend all you earn - with more money we could afford to eat a little more healthily and maintain our property better which in turn would reduce economic strains in the long-term. We have a national health service and someone will have to conduct repairs in the future which wouldn't have been necessary could we afford to maintain our property.

    I'd love to hear how you think this could be immoral living?

    To some extent it's the system - capitalism is a predatory system in which those who have money make more by exploiting those who don't. And to some extent it's personal choice: we believe our business is a worthwhile part of the community even if as a whole the community don't value it as much as we do.

    >>> Robin Hood would steal from the rich to give to the poor. Was this a moral act?

    In his circumstances (assuming the tales to be true) then I think it is moral to steal from those with excess to prevent those with nothing from dying of starvation. It's not capitalist morality but it works for me! Moreover Robin Hood probably does the landowners a service by stopping them (the landowners) from killing off the people who are growing their food and keeping them in their luxury.