Not our fault!
""But [NSA whistleblower Edward] Snowden has made it more difficult for law enforcement to hunt down the wolves,"
And of course, the cyber-plods were soooooooo successful up until that point.
Europe's top cyber-cop has called for a shift in focus from the prosecution of online crims to the disruption of their activities. This comes as crooks increasingly make use of the darknet – private peer-to-peer networks such as Tor – to stay hidden and anonymous; cops find it difficult to work out suspects' true identities …
"But [NSA whistleblower Edward] Snowden has made it more difficult for law enforcement to hunt down the wolves"
Or rather, law enforcement has made it more difficult for law enforcement. If they had limited their work to recording the activities of known or suspected criminals (with a court order) instead of a blanket dragnet recording the minutest activity of millions of law-abiding people around the world, then perhaps there would be less of a rush to keep private activities private.
They have only themselves to blame.
Let us not forget the inherent security flaws that were built-in to the said protocols to facilitate access for the g-men, like the NSA "random number generator" - Dual_EC_DRBG.
Nor the fact that compromised encryption has been the only sort allowed for many years, and it is only a matter of time before the exploits become known first to the crims, then to the public cryptology community. (look at SAT solvers..)
~The fundamental issue centres around what citizens are permitted to do, and thus the effort needed to police them, and thus the degree of compromise built into their privacy.
We are not allowed to interfere with the governments and corporations through any sort of meaningful protest, instead we must watch the globalisation of, for instance, medicine (astra-zeneca-smithkline-beecham-etc-etc), the unbelievable abuse that is PFI, and too much more.
Legitimate contempt and protest must be suppressed or big money gets upset.
But [NSA whistleblower Edward] Snowden has made it more difficult for law enforcement to hunt down the wolves," he added
Yes because they were so good at getting them before this....so c'mon, out of the several thousand banking Trojans that have been created, the 10's of thousands of victims,and the millions of pounds been stolen, how many have you crim's have you caught and prosecuted BEFORE Snowden?
"But [NSA whistleblower Edward] Snowden has made it more difficult for law enforcement to hunt down the wolves," he added – implying, we assume, that crims have switched up their security to avoid the authorities following leaks on how Western intelligence operates.
It would seem the Guardian has more information on this and reports the main problem post Snowden being that Companies are now less willing to share data, even if it clearly relates to criminal activity
Let's assume for a minute that all this "cybercrime" is actual crime: taking stuff that doesn't belong to them. Whacking law-abiding citizens with a large stick (or whatever the "cyber" equivalent is: tweeting that their mothers smell of cabbage, maybe?). Possibly even persuading online sellers to give them stuff in return for no money?
Rather than going through a public wringing of hands and gnashing of teeth as they bewail the fact that these criminals are doing the online equivalent of wearing a mask with two eye-holes, aren't there other ways to use their time and budget to better effect? Such as stopping crimes from occurring rather than running around - Keystone Cops style - trying to catch them afterwards: once they have their swag, or have tweeted vaguely insulting things about someones mother.
Obviously it's not as sexy: going from online business to online business and saying "did you know, that there are lots of bad people who can persuade you to give them your money, unless you do X, Y and Z". Given the lack of any visible deterrent on t'net, placing the onus on the e-tailers (e.g. refusing to insure them unless security holes were fixed) and using the existing cyber-cops to uncover those weaknesses, might get "cybercrime" down in a more efficient way than their current activities.
"Rather than going through a public wringing of hands and gnashing of teeth as they bewail the fact that these criminals are doing the online equivalent of wearing a mask with two eye-holes, aren't there other ways to use their time and budget to better effect? Such as stopping crimes from occurring rather than running around - Keystone Cops style - trying to catch them afterwards: once they have their swag, or have tweeted vaguely insulting things about someones mother."
Because you run into the "eternal vigilance" problem. YOU have to be lucky all the time. THEY only have to be lucky ONCE. Meaning, by the Law of Averages, they're gonna get through at some point. Look at Stuxnet, that crossed a blankin' AIR GAP! So given that inevitability, the next step is to try to limit the damage, which is also easier said than done.
> the "eternal vigilance" problem
You're quite right. However the goal should be to design intrinsically secure systems. Not ones that require people to be vigilant, as we know they simply can't be trusted with secure information. No, the security has to designed in as the default option - and designed properly to not impact usability, so that users/owners have neither the need nor the ability to disable it.
I should add: I have absolutely no clue how someone would either design, or enforce the use of, such systems. Though I'd hope that the big internet players: the ones like Google, and FB who have the biggest investment in internet use - would be working on this problem as a "giving back" for all the wealth the internet has thrust upon them.
Impossible. The ability to access it is ALSO the ability to break it. Because of this, there's no way to create a system that is BOTH intrinsically secure AND easy to use: they work at cross-purposes. The only real way to improve security is to make it harder for EVERYONE to get in, but once you do that, you make it more onerous for the user, and it is usually the intractable PEBKAC problem that is going to do you in in.
".....it is usually the intractable PEBKAC problem that is going to do you in in." Maybe it's about time we started limiting access to the Internet to the PEBKAC lusers. A license for Internet users only after they pass a test (and a psychiatric review), that would keep a lot of the anonymity-seekers away! It would also limit the number of pro-Anon posters here too - win-win!
Or we could just block all Internet access from Russia and tell Putin he can go build his own Neo-Soviet 'Glorious Patriotic Network Of The International Proletariat' (100Mbits for senior Party members, back to 2kbps modems for everyone else). The Anonytwitz can go play there.
Keep up the good work, Matt Bryant. Sabu clones are an education and such fine entertainment too whenever the mainstream is just so pedestrian and blinkered/feeble minded and pathetic and apathetic.
And don't worry at all, unless of course you be into serial abuse of ignorance for exclusive personalised profit and fools' enrichment with arrogant misuse of zeroday vulnerability exploitation, about the PEBKAC, for smarter users discover/will uncover/have discovered Stealthy Sublime Internetworking Node Solutions to Former Persistent Perennial Problems ........ Abiding Systemic Corrupt Installations/Perverted Master Apps.
And coming soon in a clear explanation to you, in simple to understand papers and media programs, in any browser of your choice, via any internetworking communications device of your choice, for that is what can be effortlessly and seamlessly done with and within ICT Circles and SMARTR Quantum Communication Control Systems these days.
And if not a Western Confection and Concoction, then obviously an Eastern Attraction and Delight if not Foreign and Alien whenever Irregular and Unconventional. In any and all cases though, would it be a mistake to not always realise that its intellectual property is proprietary information and is protected and armed with suitably destructive explosive defensive devices .......akin to Astute Active Atomic and Advanced Autonomous Booby Traps.
This post has been deleted by a moderator
OK. How about ANY encrypted traffic will be inspected and anything the plod can't decrypt (= trusted and vetted site) will bring the Men in Black. Then make every site I allow require image mangling and other anti-stego techniques such that anything that would get through would be extremely low on bandwidth: impractical for large applications.
Going to make business on the internet a bit tricky.
Of course the Eu could ask the Russian government to force all it's citizens and businesses to hand over all their SSL private keys, all their VOIP and VPN sessions etc to the Eu - and so the Americans.
And naturally this agreement would be reciprocal.
"But [NSA whistleblower Edward] Snowden has made it more difficult for law enforcement to hunt down the wolves," he added – implying, we assume, that crims have switched up their security to avoid the authorities following leaks on how Western intelligence operates. …. John Leyden/El Reg
Well, I suppose that could be the case, John L, although it would be much more likely in certain circles [and there is no need to be more specific and informative than that, to safeguard the natives] of vital interest to interested and interesting parties/agencies/organisation/governments/cabals/round tables etc. etc., that the establishment and authorities are a’fighting a losing battle long ago lost against considerably smarter forces and ever more resourceful programmers/project managers/creative directors because of the way that Western intelligence doesn’t operate.
Stuck in a rut pushing the same old failed agendas and methodologies is always gonna deliver increasingly decrepit failed agendas and methodologies stuck in a rut. Ever Bigger Boom Busts and Systems Collapses.
Since governments have become obsessed with (bogus) metrics, it seems to me that too often people think the police's purpose is to prosecute villains; they get metrics about "must get so many prosecutions for this crime or that crime".
It's to prevent the crime in the first place. If that fails, and OK, it inevitably must for some people, some crimes, *then* they must prosecute. But the world is a better place, and the population happier, if the crimes didn't occur in the first place.
That's why we bother to lock our doors and cars.
So it seems entirely sensible to do what this article says they will; prevention is better than retroactive punishment. The punishment part is only useful beforehand if it actually deters; its effect of preventing recurrence is secondary, surely? We'd all rather not have been burgled/hit/whatever in the first place.
But the world is a better place, and the population happier, if the crimes didn't occur in the first place.
If only all this snooping had any benficial effect in that respect, instead of just alienating everyone to the extent that they no longer volunteer information to the Authorities...
@Hugo Tyson. I agree with your first parapraph; the role of the police is the uphold the law; it is the role of the judiciary to enforce the law, via the Court system, and the role of the CPS to bring prosecutions - and incidentally, in the UK we don't prosecute villians, we prosecute defendants who are alleged to have committed a crime, they are only villians once found guilty, otherwise they are ordinary honest innocent members of the public. Benefit of the judicial system. Thankfully.
And there isn't anything to disagree with in your second paragraph, its logical.
But the last paragraph, woaaa neddy! Are you suggesting we punish individuals before they have committed a crime? How do you decide which individuals to 'proactively punish', and whether they would have committed a crime had they not been so punished? Sorry, you show a lack of understanding of the law. A given crime carries a given penalty. The deterrent is the risk of being caught, prosecuted and punished for committing the crime. The deterrent is already built into the law. Does it deter everyone. No, and never will do.
Police have a habit of using the phrase "known villains", eg they will say "we know he's a bad'un, we've just never caught him". So perhaps these are the people who should be proactively punished? Greta - except the Police also have a habit of getting it wrong, arresting and charging innocent people, and in several cases fatally shooting them. Still so keen on 'proactive punishment'? Will you be so keen when they knock on your door, arrest you, and say "given you have a history of using a computer to access the Internet, we are going to jail you for 5 years, just to deter you from carrying out any hacking-related crime".
In regards to the article, the concept of allowing police to "disrupt" criminals is disturbing. Partially because there is no mention of judicial oversight; partially because it is by definition a criminal act in and of itself - unless with an authority that ought to remain with the judiciary and not politicians; and partially because there would appear to be little definition of what "disruption" is. As an example, do they intend to disrupt the personal lives of suspected criminals, perhaps by sending a txt message apparently from Mr Hugo, to Mrs Hugo's phone, saying "cant wait until Mrs Hugo has gone to work, then I can see you again"... instant thermonuclear detonation on the part of Mrs Hugo. Sounds good? It is, unless its a perfectly innocent party involved, who ended on the radar simply because they and a.n.other party were chatting other Google Talk about their intense dislike of Tony Blair or the current PM, and joking swapped details of the slow, painful deaths they would inflict on them and other politicians. Think it could never happen? Think how 'intelligence' is already collected.
But on the other hand, some things are irreversible once committed (murder, for example, or destruction of a unique object), so the only satisfactory solution in that case is prevention; anything else is too late for the victim(s). So in that sense, we won't settle for less than prevention because the only way the victim is happy is if they don't get victimized.
So how do you reconcile the justice system with such a desire?
".....So how do you reconcile the justice system with such a desire?" In English law you have the additional class of intention to commit a crime. This can be shown in court by either statement ("I'm going to kill that muthafudger!") and/or preparation (going to the intended victim's house with a machete, a shovel, a bag of lime and plenty of bin liners in the boot of your car, for which no other reason for their carriage can be suggested). It would be relatively simple to extend the laws on Internet crime to include an intent to commit such crimes, demonstrated by chat room logs, IMs, emails, preparation of zombie nets, port scanning, etc. That and licensing security workers so that those found in possession of virii and other hacking tools that are not so licensed can be prosecuted (which would cut down the skiddie population nicely). Simples!
The police have persistently treated self confessed cyber criminals as victims.
People who lose money to to well known scams like:
I am the chief cashier of (insert name of African Bank) and I control 200 millions of dollars in the account af a late white businessman and need an accomplice to claim the money etc.
By sending money to the fraudsters the victim has become a willing conspirator to obtain the funds, the fact that the account is non existent is irrelevant so, when they present themselves to the police why are thay not prosecuted?
Could it be that they are too stupid to recognise a criminal when he is standing right in their faces?
A prosecution would make a great tabloid story and the resulting publicity could actually encourage these gullible fools to take care of their own affairs.
Biting the hand that feeds IT © 1998–2020