[ISN] The Internet security business is a big fat con

From: InfoSec News (alerts@private)
Date: Wed May 30 2007 - 22:08:47 PDT


http://www.theinquirer.net/default.aspx?article=39948

By Paul Hales in Luton
30 May 2007

Comment Ever catch a phisherman?

WHAT MIGHT HAPPEN, we wonder, if the MPAA was put in charge of seeking 
out spammers?

Would, perchance, these 21st century wide boys awaken to find demands 
for $20,000 in their in-boxes. "Pay-up or go to court, charged with 
clogging up the Interweb," the missive might read. "We are the virtual 
cops. Cough up or face disgrace. Resistance is futile."

What might happen if the real Plod were interested in catching malware 
writers? Would doors be battered down at dawn? Would armed officers 
pursue suspected crackers through the London Tube?

"He looks like a hacker, Sarge!"

"Yeah, that openly-sourced T-shirt's a dead give-away. Shoot to kill."

Bang.

Bang, bang, bang, bang, bang.

"Well, we were close Sarge. A lot of phishermen are South American, 
apparently. Some must be Brazillian."

A little while ago I wrote a bit of a daft piece about Microsoft. Sat 
down with a couple of Volish security experts I asked them what the 
worse was that could happen if your corporate network was hacked into. 
And I wanted to know how many hackers, crackers or malware writers the 
firm had helped apprehend.

Spookily enough, within half an hour of that piece appearing on the 
pages of the INQ a further Micromissive appeared in my mailbox.

"Through a combination of teamwork, training, and technology, Microsoft 
works to identify, prosecute, and ultimately stop the developers and 
distributors of malicious code," it read.

The firm, it acknowledged, is "well situated" to fight threats like 
spyware "which undercuts trust in the online environment and can cause 
harm to individual users."

So what does Microsoft do about Spyware and the like?

"Microsoft has experienced attorneys, investigators, technical and 
forensic experts, technologies, and other resources to help fight 
cybercrime and bring those who use it to perpetrate crimes to justice," 
it says.

So how many spyware authors, malware writers, virus builders has 
Microsoft helped to apprehend in the thirty-odd years of its existence.

Well, directly? One, it seems.

Some bloke in India sent a death threat to the president. Microsoft 
helped out, it said proudly, by tracking the bloke down through the 
Hotmail account he used to send the message.

Cool, huh?

Microsoft says it has been involed (sic) in various initiatives to fight 
cybercrime. It has organised International Botnet Conferences. It got 
involved in the Child Exploitation and Online Protection (CEOP) thingy 
which seems to have helped tracked down Gary Glitter, and it has helped 
sponsor training courses for online coppers.

Details of the arrests all these efforts have spawned is not 
forthcoming. Not many seems to be the answer. While the Vole may 
certainly have helped catch our irate Indian who threatened a 
politician, its role in the arrest of Gary Glitter is rather more 
circumspect. It joined the organisation before the arrest was made, so 
obviously shares in the collective glory.

Of course, it's not really Microsoft's job to police the Interweb. It's 
not really the MPAA's or the RIAA's either. But these organisations 
represent the interests of their members and if they don't get a couple 
of bob every time someone plays a song in their home, their executives 
may run out of champagne and coke.

Whose interests are really threatened by cybercrime? Well, certainly not 
the software makers, the chip makers, the hard disk makers, the mouse 
makers, and least of all the virus busters and security firms which 
daily release news of the latest "vulnerabilities" plaguing the web.

No, the victims are the poor users. Not that they're likely to have 
their identity stolen or their bank account plundered or their data 
erased by some malicious bot or other. The chances of that happening are 
millions to one.

No, what they are forced to do is continually fork out for spam-busting 
protection, for "secure" operating systems, for funky firewalls, malware 
detectors or phish-sniffing software. All this junk clogs up their 
spanking new PC so that they continually have to upgrade to newer 
chippery clever enough to have a processing core dedicated to each of 
the bloatsome security routines keeping them safe while they surf.

It's a con, gentlemen. A big fat con.

No one has a business interest in catching identity thieves or malware 
writers. There's no money in it, so no-one's bothered.

Ponder this when your machine takes half an hour to download the latest 
virus patch or it takes hour to switch off since the Vole has plugged a 
bunch of its holes. Or you find yourself in PC World forking out a grand 
to replace your aging PC with a new one which will probably be as slow 
as our old one within a week or two.


_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com



This archive was generated by hypermail 2.1.3 : Wed May 30 2007 - 22:19:40 PDT