Full Disclosure mailing list archives
Re: Security Industry Under Scrutiny #4
From: "yossarian" <yossarian () planet nl>
Date: Wed, 22 Jan 2003 02:20:47 +0100
But what differentiates me from Perry? Perry held no personal vendetta against those three victims. He killed for money. Using the information contained in the archives of full-disclosure and bugtraq, and those sources alone, I could learn how to commit criminal acts with my computer. I could treat these criminal activities with as much detachment as Perry. The only thing that holds me back from doing this is self-control.
Interesting point - the motives of the criminal. The motives are part of the key to this problem, the other part is effectiveness. The essence - for a criminal - is making crime pay, like Perry managed, and get away with it, where Perry flunked. Fame is a form of payment, but criminals looking for fame are rare. Some call them maniacs, sociopaths, etc. Fame is risky - you might get caught. Most criminals want cash, for dope, nice cars, escape to a tropical island, or just to pay the bills.

Ask yourself, why don't regular criminals falsify the record on the networks of the Justice department? Computers stolen from the police are sold like any other stolen system - unchecked for interesting data. Why? Because other types of crime are more appealing to the criminal mind.

To be a criminal you need criminal intent, step over the social boundaries of society. Why do that? Because you want something you don't have. You will take risks to get it. If you are smart, you calculate the risks - chances of getting caught, amount of time spent, punishment, etcetera. Less smart people might spend half a year full-time in preparing a crime with a $4000 loot. Bit silly, working at the grocery pays better, but it does happen. I have met people stealing cars, taking out the wheels, engine, etc, selling the parts, for a net profit of a few thousand per car. Buy the car with a technical problem, fix it, sell it: More profit with the same skills. No risk. If you can hack a computer, chances are you can make a good living being commercial with these skills - like setting up p0rn sites or just being an admin. No risk there.

Crime is related to poverty, try paying your bills - even gangsters have mortgages - by the profits of a virus or taking down the entire internet. Crime is related to social status, or the lack thereof. Many criminals get caught because the money made is spent in a flashy way - drive a Porsche when you're on welfare - someone might check on you. Flashy to raise the social status. If you are good enough with computers - the company provides you with a car. Probably not a Porsche, but it will be newish and with no risk. You will have some status, and the commercial system tells you, it can get better, and you might get that Porsche, if you wear a tie, do your exams, show up on time. You see other people, much like yourself, get it. These are the social boundaries of society. So exit all scenarios involving crime. People with a career plan rarely commit crimes, unless it is part of their jobs or the profits will be huge and the risks downplayed by a huge self-esteem - see Enron and the like. But the normal criminal is on the other side of society, looking up.

If you are smart enough to hack computers, even if just by doing what doctor Nomad prescribes, you are probably more or less smart. Smarter than most computer users, anyway, who just switch the thing on and call the helpdesk if the printer jams. If you are smart there are easier crimes, with direct access to the cash. Say you hack the bank payment system - how do you get the money in your hands, so you can pay the landlord? If you have stolen credit card numbers, you can order stuff at someone else's expense. You still have to receive the goodies, preferably not on your home address, and convert them to money. Sell it to real criminals at a fraction of the price. But these are dangerous people - better not. Smart people are usually less brave - they think about the risks - and the more steps to a crime, the more points of failure, the bigger the risks. Perfect crimes, if they exist, are single step crimes. If a crime is perfect, you can't get caught, usually because the crime is not noticed.

In my country, there is a saying - opportunity makes the thief. Part of opportunity is no risk. That's why many IT people steal computer parts and software in the workplace. They are the only ones that count the stuff, so there is no risk. It is not considered crime, it is just an alternative way of getting paid for the overtime and senseless stress. Being a criminal often involves seeing yourself as such, as a mean gangster with a grudge to society. If you steal what you work with, it is called fraud, especially if you work in a bank. In society, fraud is considered less criminal than stealing cars or dealing dope. Think about it, the IT security industry is targeting viruses and hackers, rarely stealing employees.

The same goes for cyberterrorism. Why attack the network of an oil company, if dropping a few ancient 1910 sea mines near major oil ports will have the same effect, with a lot less risk and preparation time? That is why law enforcement and intelligence agencies look at traditional crime and terrorism - because they are usually much more effective. The security industry clearly must overstate the risks, but the business is just providing defence against vandalism. Of course, vandalism is a costly form of crime, like hooligans, but it is rarely clever or really dangerous. IT security government agencies are part of the industry, making it all seem really bad is securing their jobs. Cybercrime might be bad, it will never be terrible, unless all other forms of crime or fraud are made impossible.

Bottom line: if crime doesn't pay, most people just won't bother. So not using the information available at this list or in advisories has little to do with self-control. We just have other ways to get the cash. So black hat or white hat, the form of disclosure will not have much effect on crime. We are just making ourselves more important than we really are.

yossarian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html