The long arm of the law doesn't reach that far
The UK's cyber-cops can't raid crims in the Ukraine, Nigeria, or China; so defence remains a better option than attack.
The UK government should be spending more on catching cybercriminals instead of splurging taxpayers' money on antivirus software, tech boffins have said. Blighty goes through around £639m a year trying to clean up after attacks or prevent threats – including £108m it spends on antivirus – but the country is only spending £9.6m …
Yet the local government should spend some time making sure that the attacks aren't local, or from a place that will prosecute the attackers. To not investigate criminals because they could be in another country will teach the local scurvy rats that they can mask the source of their attacks out of state and have little fear of reprisal.
The "scurvy rats" already know that. They target their attack by country to avoid hitting someone who can hit them back, or even outsource to another country like the fake AV call centres in India.
Or are you going to call in a drone strike?
Sure there are some locals you can go after but that's just the dumb ones and never going to have a significant effect.
They wouldn't need to spend so much buying all these AV / Firewalls if they actually installed them right in the first place.
I can't help but think they're buying this stuff, and then setting it up in such a way that it isn't effective. I mean I only have a free AV and no firewall, I visit some fairly dodgy sites on occasion, and yet I have 0 viruses and some tracking cookies.
Meanwhile my stepdad who has a paid-for AV, a firewall, doesn't visit dodgy sites (apparently) seems to get a new virus every couple months. It's a bit silly when you think about it.
The current reactive, tactical approach is NEVER going to actually address the problems. Especially anti-virus is a good example of a tourniquet after the leg has been ripped off - it would be better to improve the fundamentals that cause the problem.
Maybe I'm just too old for IT - I can remember when you installed an OS that was in itself stable, and patches were an *exception*. Nowadays you install a code base that doesn't even fit on a single DVD anymore, and over the life of the product you basically install enough patches to replace the OS several times over - try missing a day's worth of Internet connectivity and see just how many alert flags show up. Not that such eternal patching does any good at all - you still need a plaster called "anti-virus" over it all to be sure.
The good news is, of course, that a tactical-only, process based approach provides *perfect* CYA for the people involved. Directors have approved spend, managers have imposed process and technical people get to play with standard toys, effectively turning qualified security people into administrators with a better salary. That a more strategic approach would lead to less of a need to have CYA in place seems to be an issue that is gladly overlooked - let's not disturb a thriving market, after all. Sure, you need the tactical level, but if you restrict security work to that you will always fight at the bad end of an arms race - one mistake away from disaster.
I've been involved in turning the tables - not vigilante nonsense, but understanding the motive of assailants and acting on that. Not only is this more interesting (but less technical), it is also FAR more capital efficient. But it needs intelligent people with lateral thinking skills and more than just technical knowledge, and for that there is as yet no valid qualification (translated: the people you need will get filtered out by HR, which is also not a novel observation).
Just like cars need to have seatbelts and buildings need to be structurally safe, we should have minimal standards for computer security. Companies with a bad security track record should for example be banned from getting public orders.
Or we could try to enforce that certain aspects are proven in the code. For example that array boundaries are checked. This is trivial in many programming languages, but solves a lot of the current security problems.
Today we let every idiot program security critical software. If we had security standards which are easy to fulfill unless you are an idiot, we'd finally have a "not made by total idiots" stamp for software.
At the moment many systems are so badly designed they break by accident. If people would move forward and ditch the worst systems, criminals would have to be a lot smarter than they can possibly be.
Eventually opening a bank will be simpler than writing a banking trojan.
You don't need to outrun the wolves, you only need to outrun your peers.
Patches and security would be nothing more than an inconvenience if commercial operations weren't gradually pushing everyone to do everything online. Requiring people to input sensitive information on their computers is the root of the problem.
I'm actually OK with that. What I'm not OK with is the fact 'they' promised us using online services would make everything less expensive. The reality is that doing the bulk of my business online has pushed up the cost of everything (to pay for their shiny electronics and IT staff) and has put my very existence, or at least credit rating, at risk. What's the point? Why not just use my computer to create some databases, do some email, examine products, and surf some porn. I'm beginning to doubt the long term validity of online. I certainly doubt the security.
That's my little rant. Sorry...
I would not be happy buying new locks every year because the police / locksmiths kept letting the crims find the pass key...
It's not just the money I object to, my m/c runs like a slug which I'm blaming (on no real evidence) on all the AV checking that goes on. As for the McAfee crap on my work PC, I don't have time to list all the woes it has caused me.
It would be interesting to do a carbon footprint on the energy expended on AV processes, h/w upgrades required, ...
suitable punishments for the crims caught here instead of 200 hr community service because he had a difficult childhood.
Since cyber crime is super national now, how about 5 yrs in a Nigerian prison? Or just handing him over to the yanks for that special Cuban holiday.
Either sounds better than what I'd do to the little virus writing scumbags though..
They wouldn't be able to use a keyboard afterwards... or pick their nose
Boris
101 uses of a 3/4" ring spanner ...
You can only arrest a cyber criminal if he is operating from a country where:
Cybercrime is illegal, and in some places it isn't
The local criminal justice organisations are willing to help you
You have appropriate legal agreements in place
The criminals haven't corrupted local law enforcement or come to a tacit agreement with law enforcement and the state in return for 'services rendered' to help the state from time to time.
It's no coincidence that much cybercrime originates from places where the criminals are pretty much immune from arrest and prosecution. Bullet-proof web hosting is one such example.
Nice idea, but only 6 out of 10 for grasp of the facts.
WTF????
I'm sorry, but good code isn't more expensive than bad code, and even if it was, programmers are dirt cheap. Why don't they just simply try to avoid the largest pitfalls. For example if a company avoids using PHP and C(++) a lot of the security problems they would otherwise have simply disappear. At no extra cost.
Security, at least up to a point, doesn't cost anything. And even beyond that it's so little that the cost of those people travelling to Berlin could have made a serious difference. Security research is not like cancer research. You don't need expensive lab equipment and mass tests, all you need is some scientists, a room and a computer.