
Career Choice Tip: Cybercrime Is Mostly Boring - todsacerdoti
https://krebsonsecurity.com/2020/05/career-choice-tip-cybercrime-is-mostly-boring/
======
paulpauper
the biggest and most profitable criminals are not breaking into banks,
stealing passwords, or stuff like that. they rather just abuse the features
that already exist on sites, such as posting thousands of spam pill or porn
links to Facebook or twitter using thousands of accounts or using paid shills
on amazon,. very repetitious but it scales well and profitable and very hard
to stop because it is not exploiting or hacking anything. You cannot really
patch features in the same way you can patch bugs.

------
bowmessage
All of the "cybercrime" stock photos now just look like regular white-hats
working in a post-COVID environment :)

~~~
FillardMillmore
I've noticed it before but never thought too deeply about it. Where did this
'stereotypical hacker' image stem from anyway? Computer 'nerds' are often cast
with pressed button-up shirts, pocket protectors, and thick glasses. But if
they are a 'bad nerd', they suddenly don a mysterious hoodie that covers their
face as they work in a cave-like room like some kind of new-age techno-
troglodyte?

~~~
bitwize
I think it comes from recent popular media, like the _Watch_Dogs_ games and
the TV show _Mr. Robot_. Hoodies are a way to prevent people from seeing or
identifying you, so media people use it as a visual shorthand for "this person
wishes to conceal their identity". Back in the 90s, hackers were all cybergoth
ravers; this image is more in line with the $CURRENT_YEAR zeitgeist in which
pervasive surveillance is a top issue.

~~~
andrewflnr
It's definitely a lot older than Mr. Robot. They were only playing into the
established trope.

------
anonymouswacker
Yes, cybercrime is boring, just like security is boring, or app development.
The article is focusing on the mundane parts of the business side of certain
enterprises (cybercrime-as-a-service), not the individual thrill of
discovering something new & exploiting it or selling it to be exploited.
Obviously being an article literally written by the opposition would mean it
is going to paint their adversaries' life choice as one of a bored drone...

------
olliej
Isn’t the vast majority of “cyber crime” just normal white collar crime (eg
fraud) done over the internet?

Do people really think it’s exciting?

~~~
Judgmentality
You don't think crime is more exciting than a desk job?

~~~
freehunter
Cyber crime is a desk job, that’s the point of the comment.

------
HelloFellowDevs
I am really glad that I took the cyber security 101 course in college and the
professor beat the idea of it being interesting or exciting right out of me.
Steered me clear of a less engaging path (for me at least).

~~~
Nextgrid
Most corporate security is about compliance, audits, regulation and balancing
the need for security with the needs of the (often stupid) users. Very little
of it is actually tech. There is pentesting and malware analysis for the
actual "tech" stuff but it is quite a small market to be honest.

~~~
ackbar03
>but it is quite a small market to be honest.

I get that impression too. I do some cybersecurity type stuff as a hobby and
was hoping to make a business out of it somehow but it doesn't seem to be a
easy market to crack.

~~~
throwaway9482
What’s military cyber security like and how does it compare with consumer or
enterprise security? I‘d wager the appeal of cyber security is mostly in the
domain of military. Think stuxnet or NSA

~~~
thatfunkymunki
Nah, having been on active duty being involved in cyber warfare and later
joining the corporate world, the latter is so much more advanced and
interesting, with generally a lot better people.

~~~
throwaway9482
Hm interesting

------
diablo1
Like anything, it's usually the payoff that is exciting and glamorous. I know
the old hacker mantra: 'boredom and drudgery are evil' hence why we automate
everything, but I don't think the mantra holds true for most hackers. The best
hackers know that programming essentially works _against_ you when you do it,
because there's no instant gratification. You have to constantly bang your
head against the wall (even because of simple syntax mistakes that make you
feel like a n00b all over again).

The payoff is always fantastic though. Whitehat or blackhat, knowing that all
that hard work and grunt pays off is a wonderful feeling. I tend to veer
towards whitehat stuff though because of the old saying: 'If you can't do the
time, don't do the crime'.

------
vijucat
This article missed a great opportunity to post that hacking scene from
Swordfish as a counterexample of what hacking does NOT look like:
[https://www.youtube.com/watch?v=u1Ds9CeG-
VY](https://www.youtube.com/watch?v=u1Ds9CeG-VY)

~~~
rbobby
The day to day is one thing but the hiring interviews are another:
[https://www.youtube.com/watch?v=MRkvEJqsagU](https://www.youtube.com/watch?v=MRkvEJqsagU)

------
jl2718
The thing that sealed the deal for me to never go back was meeting all the old
mafia dumbasses that actually went to jail for so-called ‘cybercrime’. These
guys could hardly read. Before computers they were shaking down hot dog
vendors and smuggling drug money through hair salons. They drove expensive
cars, wore lots of jewelry, and had a bunch of drug addict women falling all
over them.

No thanks. I met a girl from Harvard and discovered that I actually liked
talking to a smart human about real things. There was no comparison.

------
amelius
> But new research suggests that as cybercrime has become dominated by pay-
> for-service offerings, the vast majority of day-to-day activity needed to
> support these enterprises is in fact mind-numbingly boring and tedious

 _Fighting_ cybercrime must also be mostly boring then, as it is also done
through pay-for-service offerings.

------
ozim
Earning money is doing boring stuff that other people don't want to do.
Nothing really special about it then?

~~~
janci
Or are not able to. That's where you find money AND fun.

------
sheikheddy
Uh, funnily enough, the "boring" stuff they've mentioned in the article
doesn't seem THAT bad to me. But maybe that's because I haven't been forced to
do that sort of administrative work often enough for the novelty to wear off.

~~~
ashtonkem
Customer service work is unquestionably boring. The burnout rates for that
kind of work is pretty high.

------
bitwize
"You'll do shit work -- scan, crack copyrights, whatever I want."

------
christiansakai
Just wondering, is cyber crime career and pentester the same thing?

~~~
seisvelas
No. By cybercrime he means a literal career as a criminal. Pentesting is done
with permission from the target.

~~~
0xdeadbeefbabe
Pencil testers consider it a crime though.

~~~
HeWhoLurksLate
*otherwise?

------
vertak
I cannot find the original paper anywhere, if anyone finds it please post a
link here. Thank you!

~~~
wmf
Keep reading; the link is there.

~~~
susan_segfault
[https://www.cl.cam.ac.uk/~bjc63/Crime_is_boring.pdf](https://www.cl.cam.ac.uk/~bjc63/Crime_is_boring.pdf)

------
notokay
It's not, if you on the other side.

~~~
saagarjha
On the defending side? I hear it's pretty boring there, too.

~~~
galacticaactual
Hey you’re the guy that figured out how to toggle the private data flag on
MacOS logs. Rad work.

------
trade_unionist
The main problem with cyber crime for profit is you have to get the money at
some point. So no matter what at some point you have to either trust someone
(bad idea) or have the cahones to walk into a bank and withdraw the cash. Even
then you to explain how you got the money if it's over like $10,000 or people
start asking questions.

Yeah dumb people will focus on hacking but once you think it through you see
there isn't a good exit strategy.

~~~
RandomBacon
If your bank questions you for withdrawing $10,000 or more, I would use a
different bank.

I withdrew about $13,000 a few months ago, and my (national) credit union
didn't hesitate or ask me anything (except for an additional piece of
identification).

~~~
raincom
Yes, they don't ask you any thing. However, banks/car dealerships/etc have to
file CTRs(Currency Transaction reports). It is good that you withdrew $13K in
one shot. Structured withdrawals (4k, one day, 5k three days later, another 4k
ten days later) will be flagged by AML software of any financial institution.
And folks in the compliance team will file SAR(Suspicious activity report).

Lesson: when you legitimately need $30K cash, just withdraw it in one
transaction. Never ever withdraw $5K every week for six weeks. For every SAR,
there are 100 CTRs filed.

~~~
RandomBacon
Thank you, it sounds like you have some insight about the process.

I'm aware of structuring, but I don't think most people are. I've heard about
it only once in the news where a store owner had his money seized because he
was trying to avoid depositing more than $10,000 at a time, over a long time
period.

IIRC, this was the case:
[https://www.forbes.com/sites/instituteforjustice/2015/05/05/...](https://www.forbes.com/sites/instituteforjustice/2015/05/05/irs-
seizes-over-100000-from-innocent-small-business-owner-despite-promise-to-end-
raids/)

~~~
thephyber
Re: structuring, the most famous example I know of is Dennis Hastert[1].

[1]
[https://en.wikipedia.org/wiki/Dennis_Hastert#Indictment](https://en.wikipedia.org/wiki/Dennis_Hastert#Indictment)

