Sex, Lies and Cyber-crime Surveys
April 16, 2012 7:46 AM   Subscribe

I've been preparing an e-mail security presentation for the firm today and I was noticing one of the things pointed out. Whenever the scale of cybercrime was being reported, they would always list the cost to businesses but then treat that like it was income for the criminals. But the cost to businesses mostly consisted of lost time, which is useless to a criminal (unless they happen to be a Weeping Angel).
posted by charred husk at 8:03 AM on April 16, 2012 [10 favorites]

What? Who wrote this? A short newspaper article that take s a moment to explain why numerical statistics are intrinsically flawed? Pffft. These people have a thing or two to learn about "Journalism".

Let me propose new headlines:

- Negative Losses Skew Cybercrime Stats

- Cybercrime: Are You Next?

- Experts Question Safety of Children in Cyberspace


...that's better.
posted by Xoebe at 8:05 AM on April 16, 2012 [4 favorites]

Oh come on! I've been working on this pitch for Law & Order: Grand Download Auto for months!
posted by griphus at 8:08 AM on April 16, 2012 [2 favorites]

Yeah? Well I'm hacking your gibson right now! (Dear MI5... no I'm not)
posted by fearfulsymmetry at 8:10 AM on April 16, 2012

Is there a correlation between the arrival of Hologram Tupac, and a reduction in cybercrime?
posted by nickrussell at 8:21 AM on April 16, 2012 [1 favorite]

charred husk: "(unless they happen to be a Weeping Angel)."

And this marks the precise moment in time at which I become absolutely fucking terrified of "cybercrime."
posted by stet at 8:39 AM on April 16, 2012 [5 favorites]

There isn't a firm definition of crime in the article. It pays minor lip service to ID theft, but otherwise stealing passwords and bankaccounts ?

If you follow Krebs, a more educated on-line-crime reporter (former washpost), he details the actual dollar amounts the various spammers make and what an intriguing ring they are. Virus/trojan writers, kit/payload distributors, rogue credit card processors, rogue hosting services that host the command/control servers for botnets formed via the virus/trojan, affiliate programs, cost to rent out botnets to send spam etc etc.

It's a thriving black market.

Are they necessarily hacking your bank account etc ? No, but they do make money from people that buy the online pharma ads that are spammed out via the entire network/supply-chain.

And the "low barrier to entry" comment shows a lot of ignorance. You've got two ways to do it - cast a huge, wide net and hope someone bites, or a very narrow, targeted phishing strike. Both take time, effort and usually money.
posted by k5.user at 8:40 AM on April 16, 2012 [3 favorites]

It's irrelevant how much cyber crime there is, or how much money people are making from it, or how many people are doing it. What matters is if your information is secure. And it should be, it has to be, no matter what percentage of Belarusians are nmapping their way across the internet.

His point about these statistics, that their publication may increase the amount of cybercriminals, is bullshit. Cybercrime is not "as simple as downloading and running software", as he characterises it. It's very complex and takes a lot of knowledge. Take a botnet, one of the biggest elements of cybercrime. Creating a botnet is a complex process that requires a very long period of education and practice. At the very least, you'll have to know how to code the botnet, and how to avoid antivirus heuristics, and how to source and properly configure a command node for it (and this involves finding a computer somewhere that can't be traced back to you). That's not even getting into the difficulty of setting up something for the botnet to actually do that makes you money. Don't forget the actual exploit you use to put your botnet client on peoples' computers - I hope you have connections in the scene and the capital to buy an exploit, because if not you're going to be humping over thousands of lines of disassembled code to write some godawful Assembly payload monstrosity. Hope you're proficient enough to not get caught too. There's a reason a very high amount of cybercrime comes from Eastern Europe and Asia - those countries either don't give a shit about cybercrime or have no laws regarding it, whereas some dumbshit in Illinois is going to wind up in jail faster than he can pay for a command node with his real credit card.

Cybercrime is a hugely complex and detailed process far beyond the reach of even the majority of computer programmers, let alone regular people. Characterising it as something that's done because it's an easy way to make lots of money is complete crap.
posted by a debt owed at 8:49 AM on April 16, 2012

Naah, most cybercrime is script kiddies and low level criminal punks doing the online euqivalent of checking if your back door is locked.

Most of the rest of the scare stories is just the pentagon looking for new funding excuses.
posted by MartinWisse at 8:56 AM on April 16, 2012

Characterising it as something that's done because it's an easy way to make lots of money is complete crap.

Um...you do realize his whole argument is that there's much less of it than people are claiming and that it's not, in fact, an easy way to make money. Right?
posted by yoink at 8:59 AM on April 16, 2012 [4 favorites]

A Microsoft study claiming that cybercrime is greatly exaggerated?

They couldn't have ulterior motives to claim that, could they?
posted by Skeptic at 9:03 AM on April 16, 2012 [1 favorite]

Microsoft research is among the most respected industrial research institutions in the world, Skeptic. Yes, bias is always possible, but they aren't PR flacks, climate change denialists, etc.

Bruce Schneier disliked "our reliance on self-reported statistics for cyber-crime" as well.
posted by jeffburdges at 9:13 AM on April 16, 2012 [2 favorites]

What about Michael Hayden and the rest of the cyberwar alarmists? Are they full of shit too?
posted by eugenen at 9:21 AM on April 16, 2012

I guess they don't call Facebook buying Instagram fro a BILLION FREAKING DOLLARS a cybercrime, eh?
posted by The 10th Regiment of Foot at 9:23 AM on April 16, 2012 [3 favorites]

Self-reported statistics are always going to be misleading, especially when that data is extrapolated to cover those who don't report the crime at all. The conclusion of the PDF says it best:

The importance of input validation has long been recognized in security. Code injection and buffer overflow attacks account for an enormous range of vulnerabilities. "You should never trust user input" says one standard text on writing secure code. It is ironic then that our cyber-crime survey estimates rely almost exclusively on unverified user input.

posted by antonymous at 9:28 AM on April 16, 2012 [2 favorites]

jeffburdges: I don't dispute the study in itself. I don't have the time (nor, probably, the statistical nous) for studying it in depth, but at first sight it seems solid, and well-researched. Also, its conclusion is less than surprising: yes, we should take such statistics with a grain of salt, especially when they play into the media's doom-mongering ways. This is particularly true for statistics on any form of crime, since criminals don't generally like to make it easy to gather data on their activities.

What does raise my eyebrows is the interest, not just of making this study, but above all of publicising it. Any successful PR flack will tell you that it is far easier to convince people with a honest truth than with a damn lie. A honest truth not being, of course, the same as the whole truth.

In this case, I think it is just as true to say that cybercrime statistics are little more than guesswork and media coverage of the same far too alarmist, as that cybercrime is a problem and most computer users (including even large corporations) ridiculously negligent in their security.
posted by Skeptic at 9:32 AM on April 16, 2012 [1 favorite]

Most of the rest of the scare stories is just the pentagon looking for new funding excuses antivirus software industry marketing their products.

FTFY, MartinWisse.

AV protection is needed. AV vendors profit from fearful consumers. Therefore, AV vendor claims are inflated.
posted by IAmBroom at 9:44 AM on April 16, 2012 [3 favorites]

charred husk: "... But the cost to businesses mostly consisted of lost time, which is useless to a criminal (unless they happen to be a Weeping Angel)."

Unless you're out to do specifically that through social media and waste mefi user smoke's time.
posted by wcfields at 10:44 AM on April 16, 2012

Most of the rest of the scare stories is just the pentagon looking for new funding excuses antivirus software industry marketing their products.

It's actually more troubling then that, many of the stories coincide with periods where the NSA is attempting to gather more power.

This most recent battle between the NSA and Homeland Security has been going on for a while, and I've noticed everytime there's a rash of new cybersecurity scare articles, there are usually hearings or articles related to the fiefdom battle, or other information security legislation is on the legislative agenda.
posted by formless at 11:03 AM on April 16, 2012 [2 favorites]

OK, to be fair: both the Pentagon and the antivirus software industry have vested interests in this scare tactic "information".
posted by IAmBroom at 11:20 AM on April 16, 2012 [1 favorite]

I guess they don't call Facebook buying Instagram fro a BILLION FREAKING DOLLARS a cybercrime, eh?

The real crime was the IPO - the wall street banks strike again.
posted by rough ashlar at 11:26 AM on April 16, 2012

Well, considering the Pentagon seems to be unable to secure their own machines or networks..
posted by k5.user at 11:28 AM on April 16, 2012

Wired, 31 Jan 2011: "How a remote town in Romania has become Cybercrime Central":
"And just as in Silicon Valley, the clustering of operations in one place made it that much easier for more to get started. “There’s a high concentration of people offering the kinds of services you need to build a criminal scheme,” says Gary Dickson, an FBI agent who worked in Bucharest from 2005 to 2010. “If your specialty is auction frauds, you can find a money pick-up guy. If you’re a money pick-up guy, you can find a buyer for your services.”"
posted by iviken at 12:16 PM on April 16, 2012

IAmBroom is right on the money on this one.
posted by 3mendo at 1:24 PM on April 16, 2012

DHS requests $57 billion to fight cybercrime in 2012

No, it doesn't. If you are going to complain about alarmism, maybe you should start taking heed yourself.

I've read misleading headlines in my time, but that one takes the cake: if you read the actual article you've linked to, you'll see that $57 billion is the total budget request for the whole fucking Department of Homeland Security, including FEMA, Customs and Immigration, the Coast Guard, etc., etc.

The actual anti-cybercrime efforts mentioned in the article are:

Napolitano’s 2012 budget proposal includes significant funding for cyber-security initiatives, including:

$233.6 million for development of the Einstein 3 program designed to prevent infiltration of government information systems;
$40.9 million for network assessments in federal agencies;
$24.5 million for cyber-security education and training;
$1.3 million to help DHS work with the Department of Defense and National Security Agency; and
$18 million for research and development in the Comprehensive National Cybersecurity Initiative.

Frankly, none of this seems particularly outlandish or Big Brotherish.
posted by Skeptic at 12:53 AM on April 17, 2012

Oops, yes I got suckered by that headline, my own fault for not actually reading past the headline and not thinking about the number. It appears they're asking for a $700M increase of which $300M is cybercrime.
posted by jeffburdges at 1:06 AM on April 17, 2012

jeffburdges, presumably, the DHS had already a significant cybersecurity budget in previous years, so it is also misleading to claim that out of the $700M increase, $300M is about cybercrime. For all we know, the DHS may even have cut its cybersecurity budget for 2012.

The only reliable information that the article offers is that, out of the requested $57 billion budget of DHS for 2012, at least some $300 million are somewhat related to cybersecurity. Which is, let me see...slightly over 0.5%.

Coming to your original point: yes, it is reckless to jump to conclusions from incomplete datasets. The original GIGO paradigm remains alive and well.
posted by Skeptic at 2:46 AM on April 17, 2012

Yup, the Einstein 3 program was being discussed back in 2009 with predecessors existing since 2002, albeit under the NSA, which doesn't exactly publish their real budget.
posted by jeffburdges at 3:57 AM on April 17, 2012

Why You Really Shouldn't Worry About Cyber War

The whole aim of practical politics is to keep the populace alarmed (and hence clamorous to be led to safety) by menacing it with an endless series of hobgoblins, all of them imaginary.
posted by jeffburdges at 5:14 AM on May 1, 2012