We continue to blame users for not avoiding clicking on every phishing link
Perhaps they could add that these users should install Avast software.
(Mine's the one with the Jumpshot pay cheque in the pocket)
A plague of ignorance and misplaced priorities in government and law enforcement, from neighborhood cops all the way up to international bodies, is allowing cyber-crime to run rampant. So says Mieke Eoyang, long-time US government policy adviser and veep of the national security program at Washington DC think tank Third Way. …
You are concentrating on the goal, not how it could be implemented. To make it work you would need total cooperation between nations (I probably don't need to add anything else). Next you need an end to state sponsored cyber crime, but given the prerequisite of all nations being cooperatively friendly this shouldn't be a problem. Finally you need the raw data for investigating the crime which works best with total surveillance of both ends of the connection i.e. everything.
Trump is not only one. The problem is most politicians are technical illiterates and do not understand how cyber-crime works and that are techniques to fight it. Instead of Trump, fill your local leader and you have the same problem. About the only leader who might actually understand cyber-crime is Putin because his intelligence background.
The problem is these days we don't have politicians thinking long term, they can't see past the next election so long term strategy is out of the window on pretty much every area of governance.
If it's not going to be a good news story during the next campaign then they see no benefit in it.
At least for the very common drive by infections via the browser (and that includes much ransomware), I largely blame the web developers who force us to browse insecurely in order to use their creations. Not only with scripting enabled by default, but, as in one recent case I examined, drawing scripts and other fragments from around 20 third party servers.
It's impossible to be secure if you download untrusted and untested code and run it blindly on your systems, but what alternative have we been given in the age of the web app?
It wouldn't be a bad idea that when you start your browser, you are actually starting a virtual machine that keeps itself, well and truly to itself.
And so on a single pc, several icons on your desktop can be different configurations of VM Firefox, each one configured for a specific purpose, with optional white lists, NoScript, firewalls, etc.
eg. VM F1 is for serious stuff, like banking, and has all your personal details. VM F2 is for work stuff with your work credentials VM F3 is for surfing and is laden with the details of the neighbour you don't get on with VM F4 is for getting up to no good and spoofs everything.
Take one out, another springs up, fills the void and maybe adds a little extra?
This type of philosophy doesn't address the root cause of crime in general. It is way wide of the mark. But that is not what the law enforcement want either, they just want their job to be easy, not non existent.
Yes, there's a bit of that. And given the difficulty of identifying and prosecuting these criminals, we might also ask if we should start working on how to turn wishes into horses, too.
But while there's blame to go round, and while resources are limited and obstacles often prohibitive, I can see some justification for the force of Eoyang's argument. We shouldn't just throw our hands up at the simple possibility of investigating and prosecuting computer-based crime. There have been successful investigations and prosecutions (Paras Jha, for example), and perhaps we can shift more resources into those areas before we hit the point of diminishing returns.
I have had 3 phone calls this week for the National Grid Agency who want to change my meter. Sadly they have the details of the previous user of the landline number. Why cannot we have a bank account number of email address to give the scammers that can activate an alert. Why can we not have a reverse 1471 system that you can dial to alert the phone company that the previous call was from fraudsters and track the number back to source?
My only ray of comfort is that the last one was on the phone 32 minutes, and even 4 minutes after I gave my email address as scam @ googlemail.com
Retired of Tunbridge Wells
First of all, it's extremely easy to do something and pin the blame on someone else. Want the Russians to be the culprit, buy a Russian PC to develop your code on and leave Russian language clues. Attribution is basically impossible, unless you are dealing with stupid people.
Then there's the whole area of side effects of doing this. If you want to make attribution easier you have to make sure that things like anonymous communication disappear. This endangers large groups of the population, from whistleblowers to homosexuals. Probably even people like security analysts.
Third it doesn't fix anything. The security holes are still there. If they are not used by criminals they probably are used by "Lawfull" organisations.
In short it's an insane idea, not well thought out and based on assumptions which have been proven wrong many times.
She was talking about putting more plod resources into fighting cyber-crime at all levels. Too many local and state plods over here are more interested in shaking down the citizenry with various tickets than in addressing cyber-crime. Cyber-crime fighting is hard work and takes real skill to do well. Writing a parking ticket for an expired meter, not so much.
Yes, if we put any additional resources into investigating and prosecuting computer crime, we can't possibly put any into finding and fixing vulnerabilities. All those resources are atomic so it's all or nothing.
And if we can't feasibly investigate and prosecute some computer crimes, then we can't investigate or prosecute any. Those are all-or-nothing too. And there's never been a single successful investigation or prosecution of computer crime, so we can safely assume it's impossible.
Or perhaps - just perhaps - your argument is bullshit.
The existence of North Korea, Iran, Russia, and mainland China could be one reason we think that focusing on actually making our computer systems secure, rather than expecting deterrence through criminal law enforcement, is more likely to actually solve the problem. This is quite reasonable, and the real problem is why the computer industry is doing such a poor job of making our computers secure.
I tried to engage with the police over cyber crime, it turned out to be a data gathering excise - fill out this 9 page form then hey presto: nothing happens.
I've been to conferences where govt representatives have told us it's our problem.
I've identified cyber criminals spear fishing company employees - no-one is interested prosecution, you gotta do that yourself.
I've told google about criminally used gmail accounts, but it appears the criminals privacy is more important than the crime.
The uk police force was established in response to crime, when they going to go after the cyber miscreants robbing small businesses and individuals?
No, no, no, no, no!! You haven't been listening to the fine Home Secretaries from the party that cares only for the welfare of the people. The only crimes are paedo-porno-terrorism and being rude to people on social media. There is exactly the right number of police officers, all perfectly.trained to deal with these crimes. To suggest that there are other crimes calls your loyalty into doubt - are you adequately British? A private flight has been arranged for you - - - >
(Do I need a sarcasm warning?)
Are we supposed to pay off the ransomware perps or send in the swat team to chase the packets back to the source?
Seriously, as another has mentioned, this is like saying that banks should not train their personnel in anti-fraud procedures, but we should just have cops everywhere so no criminal will try anything.
Hard pass.
Also in the US the number of jurisdictions can make it difficult . Every county has their own police and courts, most of the time cases are not consolidated. Which could result in a large number of court cases. Here is an example. Years ago someone made off with my checkbook and used it to commit fraud. Our friendly law enforcement expected me to pay the checks (or cheques if you prefer) or take 3 days a month off work for about a year to sit in the various county courtrooms. I paid them off to remain employed. They don't care about the many low level problems. They only care if someone can get them headlines(free publicity) or if a large business(taxes/campaign donations) is involved.
I'm not hopeful for any changes.
You can't win.
You can't break even.
You can't quit the game.
Eoyang made the case for allocating more time and money to finding and snaring internet crooks, hauling them into court, and shutting down this criminality.
The crimes are often fraud or extortion or blackmail or theft. The fact that they've been committed using 'the Internet' is almost irrelevant - apart from the fact that it seems to make it easier for the criminal to avoid being prosecuted.
It appears that Mieke Eoyang is advocating teaching cops how to catch more of these criminals (somehow) and applying deterrents to prevent (re-)offending. Great. Good idea... Scumbags who steal old folks' pensions (for example) deserve to be locked up.
The trouble is the computer and organisational systems will still be vulnerable to attack. I don't believe we can find, prosecute and lock up enough criminals to make a significant difference in the crime rate. That doesn't mean I don't think we should try to prosecute more crims - but that won't fix the systems.
Ransomware hit the news many times in 2019. Are systems any more secure now? Are CIOs really trying to secure their systems? They're more likely making sure their insurance is up to date.
Cybercrime is what the Mafia, Triads & co. are now investing in. The book 'Future Crimes' is a shocking eye-opener to the scale of it. They set up businesses in large office blocks and pull huge, global scams, netting millions before they're eventually closed down. These are just like 'respectable' businesses, with a CEO and hierarchy, often with some poor sod at the bottom who they use for their bank account to temporarilly stash the money ('Earn $$$ working from home!'), who is oblivious.
With cash looking like it's slowly being phased out, these crimes are only going to get bigger. Bank robberies can now be committed thousands of miles from the physical bank building. Banks underreport the frequency of their losses for fear of scaring their customers. It's definitely a good idea to put more money into combatting this type of crime (a LOT more money).
Thank you for the TED talk on how things should be, but back in the real world, how do you propose any of this actually happens? Where will all of the cyber-savvy officers come from? What budget will pay for the equipment, software, training, and salary for each department's new task force? Who will make hostile nations cooperate with our investigations? Without an action plan, a goal will never be more than a goal and a feel-good TED talk.
How about the networks that are willing to host criminals? CloudFlare, DigitalOcean, Amazon, OVH, Alibaba, Leaseweb, Google, and the entire country of China. Reports of criminal activity are routinely ignored, or the reporting address isn't even real. Another dozen could be accused of creating services where criminals can activate services hundreds of times faster than they can be shut down; intentionally fabricating a whack-a-mole environment.
It is an established fact, ever so easily spun as a fiction, that the smarter one becomes in anything, the more vulnerabilities one can identify worthy of destructive/disruptive/creative exploitation.
Do you really want the likes of a PC Plod understanding the corrupted white collar systems administrations they have been fooled into protecting/aiding and abetting?
Surely not, for such would be ideally catastrophic and self-defeating?
And ..... can such a state of exciting affairs be avoided ie can the masses be kept ignorant of their arrogant capture in a rigged enterprise/failed New World Order Program?
A Service of Prayer for Truth As We All Know It
Introit
Dearly Beloved, we are gathered here to express aspects various known to us on the universal www mess.
As Is to Date:
1: The world of IT (aka The World of Smoke & Mirors) is made for them's who want to idle, sell crap*, fiddle proper and be generally naughty.
2: A Universal Precept of Justice:
Naughty boys should be caught + punished proper
+
The Solution
The Prayer - A Universal Call for Justice:
Just shoot the first 6 caught and proved naughty - the rest will be very cautious after that and naughty activity global will be much reduced
(universally applicable to naughtiness in all spheres of pre-planned naughty activity).
+
The Reality
BUT
Who are The Naughty Boys?
Hint:
Put other (in me best Latin) Qui Custard Custardio? - etc
+
Dismissal
Good Luck with making any improvements
(And that writ more in hope than expectation).
Saturday 01-02-20 - aka Brave New UK World Day 1
*NB. NOT an MS comment or sentiment.
The hard sell for police agencies will be in changing the framework of their agencies to include and staff units or divisions that are not revenue-generating. Most police divisions, with the exception of Homicide, generate revenue for their departments. So the inclusion of a Cybercrime fighting division that bears no prospect of generating revenue for an agency is doomed from the starting gate. . .ergo, why do it? It is certainly needed, but convincing the bean counters to staff, fund, train and promote a division that is non-revenue generating will be an uphill task. As a retired police commander in two states - Pennsylvania and Maryland, the weekly command staff meetings always address the “progress or lack thereof” in the revenue streams. Police commanders are scorned in open session for any drop in revenue. In Pennsylvania, state court records show fines, fees and court costs for traffic tickets issued by all police agencies in the state amounted to nearly $173 million in 2013, the last year for which a complete dataset was available. The money is then distributed between the state, counties and local municipalities. Creating cybercrime fighting units will face the “revenue generating” question. It is not an issue of ignorance, but yes - an issue of misplaced priorities. Reframing the structure of these agencies will be the most difficult task.