9 posts • joined 22 Jan 2010
Sex, Lies and Cybercrime surveys
- Missing methodology section? Check!
- Unverified user input? Check!
- Report the average but not the median? Check!
- Sponsored by security vendor? Check!
"It is ironic then that our cyber-crime survey estimates rely almost exclusively on unverified user input. A practice that is regarded as unacceptable in writing code is ubiquitous in forming the estimates that drive policy."
More junk surveys
Security vendor produces survey showing that everything is very scary.
Sex, lies and cybercrime surveys: http://www.theregister.co.uk/2011/06/09/cybercrime_surveys_are_tosh_says_ms/
So, one virus 10 years ago cost the company you worked for 2 days' worth of work. How do we get from that to trillion dollar estimates exactly?
I've always wondered where these estimates come from. What's going on is even worse than I imagined. One exaggerated response is all it takes to make the numbers rubbish.
The fact that estimates are usually put out by vendors and fudsters should have been a clue I guess.
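The two posts above ("Sex, Lies and Cybercrime surveys" and "More junk surveys") make a statistical point: when a survey extrapolates a mean of unverified, self-reported losses to a whole population, one exaggerated respondent can dominate the total, whereas the median barely moves. The following script is an added illustration, not part of either post; the survey sample, the outlier value and the population size are all constructed numbers.

```python
"""Illustrate why mean-based extrapolation of self-reported losses is fragile.

Constructed example: 1,000 survey respondents report their cybercrime losses.
999 give plausible answers; one gives a wildly exaggerated (or mistyped) figure.
The survey then scales the per-respondent figure up to a population of
100 million users, as such reports typically do.
"""


def constructed_responses():
    """Return a constructed sample of 1,000 self-reported loss figures."""
    typical = [0] * 400 + [50] * 400 + [500] * 199   # 999 ordinary respondents
    outlier = [2_000_000]                            # one unverified, exaggerated entry
    return typical + outlier


def median(values):
    """Plain median so the arithmetic is visible (no statistics module)."""
    s = sorted(values)
    n = len(s)
    mid = n // 2
    return s[mid] if n % 2 else (s[mid - 1] + s[mid]) / 2


def extrapolate(responses, population):
    """Scale per-respondent figures up to a population, three different ways.

    mean_based:          what the typical survey headline does
    median_based:        robust to a single extreme response
    mean_without_max:    mean after dropping the single largest response
    outlier_share:       fraction of the sample's total loss contributed by one respondent
    """
    total = sum(responses)
    n = len(responses)
    largest = max(responses)
    return {
        "mean_based": total / n * population,
        "median_based": median(responses) * population,
        "mean_without_max": (total - largest) / (n - 1) * population,
        "outlier_share": largest / total,
    }


if __name__ == "__main__":
    est = extrapolate(constructed_responses(), population=100_000_000)
    for k, v in est.items():
        print(f"{k:>18}: {v:,.2f}")
```

With these constructed numbers the mean-based headline figure is about 42 times the median-based one, and roughly 94% of the sample's reported losses come from a single respondent. Dropping that one entry cuts the headline estimate by more than an order of magnitude, which is exactly why a methodology section (and the median) matter.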
6 chars is enough
> Your entry for Paypal, 8 chars, says you're wrong! Paypal may not think 12 chars is needed, but they obviously think that more than six is.
Not obvious. Everyone likes some margin for error. That serious sites like Facebook, Hotmail, Fidelity manage with 6 chars suggests online brute-forcing can be resisted at that level.
> Anyway, many of those sites will not admit to intrusions even when they are aware of them, so your suggestion that "the people who run real sites know..." is spurious
> I suppose the people who run real banks know how to run, err, real banks? Experience of the past few years says they don't!
They knew how to run real banks for their own profit while shareholders got torched. Worked out rather well for them.
Threat to your password is not brute-forcing
The Georgia Tech analysis makes sense only if the attacker has the hashed passwords. The threat to your password is keylogging, phishing, SQL injection etc. Online brute-forcing isn't very feasible against well protected sites.
Schneier's recent Cryptogram has a section about password policies at various sites:
Policies at some well-known sites:
Amazon: 6 chars unrestricted
Fidelity Investments: 6 chars unrestricted
facebook: 6 chars unrestricted
Hotmail: 6 chars unrestricted
Yahoo: 6 chars unrestricted
Paypal: 8 chars unrestricted
The people who run real sites serving 100s of millions of users know that 6 chars is enough to protect against online attacks, and make sure that there's no offline attack. People who tell us that 12 chars are necessary have no idea what is actually going on.
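The "6 chars is enough" and "Threat to your password is not brute-forcing" posts above rest on one distinction: an online attacker is throttled by the site's login endpoint, while an offline attacker with the hash database is limited only by hardware. The following script is an added illustration and is not part of either post; the lockout policy (5 failures, 15-minute lock), the 62-character alphabet, and the guess rates for offline cracking are assumed, constructed values chosen for the demonstration.

```python
"""Compare the guessing budget of an online attacker against a throttled
login endpoint with that of an offline attacker holding the password hashes.

All policy parameters and rates below are constructed assumptions.
"""


class AccountThrottle:
    """Toy per-account lockout: after max_failures wrong passwords, reject
    every attempt on that account until lockout_seconds have elapsed."""

    def __init__(self, max_failures=5, lockout_seconds=900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = {}      # account -> consecutive failures
        self.locked_until = {}  # account -> time when the lock expires

    def attempt(self, account, now, password_correct):
        """Return True if the attempt was evaluated (i.e. the attacker got a
        guess in), False if it was rejected by the lockout."""
        if now < self.locked_until.get(account, 0):
            return False
        if password_correct:
            self.failures[account] = 0
            return True
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_failures:
            self.failures[account] = 0
            self.locked_until[account] = now + self.lockout_seconds
        return True


def simulate_online_guesses(seconds=86_400, max_failures=5, lockout_seconds=900):
    """Attacker fires one wrong password per second at a single account for
    `seconds`; count how many guesses the endpoint actually evaluates."""
    throttle = AccountThrottle(max_failures, lockout_seconds)
    return sum(1 for t in range(seconds) if throttle.attempt("victim", t, False))


def keyspace(alphabet_size, length):
    """Number of passwords of exactly `length` over an alphabet of that size."""
    return alphabet_size ** length


def seconds_to_exhaust(space, guesses_per_second):
    """Time to try every password in `space` at a given guess rate."""
    return space / guesses_per_second


def compare(alphabet_size=62, length=6):
    """Years needed to cover a 6-char keyspace online vs offline (constructed rates)."""
    space = keyspace(alphabet_size, length)
    online_per_year = simulate_online_guesses() * 365
    year = 365 * 86_400
    return {
        "keyspace": space,
        "online_guesses_per_year": online_per_year,
        "online_years": space / online_per_year,
        # assumed offline rates: fast unsalted hash vs. a deliberately slow hash
        "offline_fast_hash_years": seconds_to_exhaust(space, 1e9) / year,
        "offline_slow_hash_years": seconds_to_exhaust(space, 1e4) / year,
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:>24}: {v:,.6g}")
```

Under this policy the online attacker gets 480 evaluated guesses per account per day, so exhausting the 62^6 keyspace (about 5.7e10 passwords) would take on the order of 3e5 years; the same keyspace falls in under a minute to an offline attacker with a fast hash, and in roughly two months even with a slow password hash. That is the asymmetry behind "6 chars is enough against online attacks, and make sure that there's no offline attack": the defensive work is rate limiting, lockout and keeping the hash database out of attackers' hands, not a longer minimum length.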
Not a single verifiable fact
"Trend Micro researchers cite underground sources in speculation that ZeuS programmers earn more than $800,000 per year. The potential earnings of botnet herders may be even higher than this"
They might be earning more than $800k, or only $80k, or $8k or nothing. The only good FUD is more FUD.
Password advice does more harm than good
Users ignore it, because they understand that the cost is greater than the benefit.
Here we go again...........
The message here isn't the users who choose weak passwords. The message is the (32 million - N) users who wasted their time choosing and remembering strong passwords and had them compromised anyway.
Users show a better understanding of the risk than most security people: