Up at @enigmaconf: "Cybercrime: Getting beyond Analog Cops and Digital Robbers" by Mieke Eoyang
#enigma2020
#enigma2020
@enigmaconf In May 2019 the city of Baltimore was hit by a cyberattack for the second time. Emergency services were shut down for 17 hours and the hackers demanded 13 bitcoin. They decided not to pay and instead fix the problem themselves. Cost: millions, and everyone yelled at each other.
But media and government weren't blaming the hacker, they were blaming operators, developers, etc.
When a breach becomes public, they blame the victim. It's the equivalent of "that was a mighty short firewall you were wearing"
[ 🔥🔥🔥 ]
When a breach becomes public, they blame the victim. It's the equivalent of "that was a mighty short firewall you were wearing"
[ 🔥🔥🔥 ]
Most of our talk about security is in system/defense rather than thinking about the human and offensive elements.
Should we hack back? I went to law school: the lawyer in me says that I could never recommend that because the liability risk is too great. But some people do...
Should we hack back? I went to law school: the lawyer in me says that I could never recommend that because the liability risk is too great. But some people do...
But even if you take down their domain names, etc, the hacker is still free to come up with new ideas and come back. What are we doing to find and hold that human accountable?
Zero-days don't matter unless a human being exploits them for nefarious purposes.
Wanting to hack back takes you to some pretty extreme places. Setting up a fake Twitter account or using a stolen credit card doesn't merit a drone strike!
The vast majority of attacks aren't these huge things which show up in the news: little bits of money stolen, accounts taken over, etc.
Why not? One check-kiting [?] scam netted a *huge* amount.
Why not? One check-kiting [?] scam netted a *huge* amount.
Police have the authority to investigate and bring indictments. But if people bring in a crime, they're told that it didn't happen in the juristiction, so can't report it there.
Well, if I could report to the internet police, then I would.
Well, if I could report to the internet police, then I would.
There's a massive undercount problem for the crimes, but also least-enforced crime in America.
[ animated pilgrim hats ]
[ animated pilgrim hats ]
Government security folks get hired away by private sector for 3x the money.
Not enough resources for attribution -- law enforcement agencies don't know how to handle this.
There are a few successes. Some criminals are stupid. But we need to be better at investigating.
Not enough resources for attribution -- law enforcement agencies don't know how to handle this.
There are a few successes. Some criminals are stupid. But we need to be better at investigating.
Third Way is trying to understand this gap and how to close it. Report: "To Catch a Hacker"
Where to focus:
1. Strengthen law enforcement
2. Expanding diplomacy and international cooperation
3. Strategy and political leadership
Where to focus:
1. Strengthen law enforcement
2. Expanding diplomacy and international cooperation
3. Strategy and political leadership
The law enforcement agencies can't just keep asking for exceptional access. They don't know what data to ask for and how to process it already -- don't ask for exceptional access until they know how to handle what is available.
Offer $$ rewards for the capture of cybercriminals.
The biggest obstacle to making progress is a sense of hopelessness -- we are just going to have to live with this because we can't do anything.
We can't solve all of it, but there are many things we can do which will make small improvements which will add up to big changes.
We can't solve all of it, but there are many things we can do which will make small improvements which will add up to big changes.
Q @JoeBeOne: I'm worried about the brain drain problem, but I don't think we can just solve it through contractors who get paid more.
A: Maybe we don't need to find people who can run and shoot and gun and know computers. Why not train them?
Retention bonuses, or pay for school
A: Maybe we don't need to find people who can run and shoot and gun and know computers. Why not train them?
Retention bonuses, or pay for school
@JoeBeOne Q: scammers keep finding holes and cracks for decades. I worry that focusing on the attackers is missing the problem.
A: the idea that you can't take crime down to zero is not a reason not to try.
A: the idea that you can't take crime down to zero is not a reason not to try.
A: Part of the problem in Nigeria is that they have a ton of technically trained people but not a tech industry.
They're committing fraud, we should go after them.
They're committing fraud, we should go after them.
A: But part of the problem is that we tell Nigeria that it's more important to track Boku Haram. But if you look at the volume of harm this isn't aligned.
Q: a lot of the things you're talking about already exist.
A: a lot of the law enforcement people can't ask for it competently -- like they ask for more data than they can handle. They need better training on what tools are available and how to use them.
A: a lot of the law enforcement people can't ask for it competently -- like they ask for more data than they can handle. They need better training on what tools are available and how to use them.
[ I didn't have a chance to ask my question, so putting it in this livetweet thread: why do FBI agents need to run? Is there room for a different kind of agent? If you're interested, @MiekeEoyang , please feel free to answer here. ]
