
An ‘Iceberg’ of Unseen Crimes: Many Cyber Offenses Go Unreported - ganlad
https://www.nytimes.com/2018/02/05/nyregion/cyber-crimes-unreported.html?hp
======
TeMPOraL
Skimming the article, it seems to me that what they need most right now is not
systems for _gathering more_ data, but systems for _analyzing data they
already have_. Like, the iPhone thing - they didn't notice because they
classified each event as one-off, so nobody looked for possible connection. I
assume police stations don't exchange data with each other as much as they
should either.

As for the crimes going unreported, a cost-effective way of solving that would
be investing in _solving the crimes they know about_ , or at least _making it
look like_ they're good at solving them. Make people believe the police works
effectively, and they'll hesitate less before reporting.

~~~
syshum
>>a cost-effective way of solving that would be investing in solving the
crimes they know about,

it also has to involve looking at what is classified as a crime. Today
priorities are often tilted in the wrong direction and resources misapplied.
This article has some of that in it... The Fentanyl epidemic. 30+ years of the
war on drugs as proved that Drug Addiction can be be solved with the criminal
system, even the most charitable understanding of the research points to laws
have no effect on use or abuse, and if you look at it realistically you can
find substantive arguments for criminal enforcement being directly leading to
increase death not to mention other negative effects.

However there is a ocean of federal funding, external resources, Civil
Forfeiture and political capital to be spent on the Drug War, Local police
depts will have their budgets flush in cash to go hard on drugs.... However to
go over iphone thefts, or ID Fraud, or Property Crimes, or even non-drug
related violent crimes it is a cost to the local dept...

In order to police work effectively, they need incentives to redirect their
resources off of drugs and on to the other crimes... We as society also need
to accept that the criminal war on drugs is a failure and always will be, it
needs to be a medical and social battle, not a criminal one.

The best thing we can do for crime and drug addiction, is to stop treating
drugs as a crime

~~~
TeMPOraL
I wholeheartedly agree.

------
protomyth
Looking at one of my servers that services an external address, I see about
100 IPs listed in the authlog file that are trying various passwords and such
to break in. Its not even a main server (www, mail, dns, etc.). Of course, I
use keys only for login, but it is a bit annoying. I guess I am getting quite
a block list built.

So, does the author expect me to report all these IPs? Who would I send them
to? Is there an easy reporting system? I suspect that any report will be
treated like many police departments treat a stereo being robbed from a car,
they'll give a incident number but not much else.

PS: what the heck uses "chef" as a username? That is really getting common.

~~~
rb808
Would be nice if cloud providers automatically had a fence around your subnet
with an ssh proxy that did this stuff already. Seems crazy that typically you
open up ssh directly to everyone.

~~~
arca_vorago
I haven't done that for years, prefering instead to change ports to an
uncommon one and even then that port is only opened upon port knocking. My
logs are so much easier to parse. (These days in nftables instead of
iptables.)

There actually is some security through obscurity, despite everyone loving to
bandwagon otherwise.

~~~
Larrikin
The complaint isn't that it is worthless, it is that it is worthless if that
is your only security measure.

~~~
wepple
Or any other trade off you make on the assumption you have more defense than
you really do, surprisingly common.

------
IntronExon
Many, if not most, crimes go unreported offline. Is it really a shock that the
same might be true online? It’s not as though police are likely to find and
return your stolen property from a mugging or burglary.

 _Above all, policing needs “better systems for gathering data,” the report
said._

Oooooh. Well that was predictable. Stingrays and lobbying for cryptographic
backdoors not enough to do the job hm?

~~~
MichaelGG
What's the point of reporting? We had an issue with a sysadmin. Ended up
firing him but didn't revoke all his credentials in time. He logged in and
deleted all our Azure servers and rm -rf'd our GCP boxes. MS wouldn't help us
at all, but Google's console log showed the login from the guy's town. What're
we supposed to do? He was in England and we the US.

Had a similar issue with a hacker that found a way around our billing systems.
Ran up $90k of charges. He was in Montreal and we even had his ID. What're we
gonna do, waste time trying to go after someone that'll claim it was our bug
and he didn't know anything was wrong?

~~~
djsumdog
The US has police relations with both the UK and Canada. When happened when
your company tried to contact authorities in those States? It seems like
prosecution should be possible, or at least civil liability.

------
ocschwar
An ounce of prevention is expensive enough in this space, and yet we expect
local police forces to provide pounds of cure?

------
mirimir
I wonder what share of those "unseen crimes" are victimless? Such as dealing
drugs through darknet marketplaces. Decriminalizing such activities could
lighten the workload, perhaps considerably.

More generally, unsolvable online crime is arguably an unavoidable cost of
online privacy and freedom. Just as with encryption, having backdoors for some
good guys (cops) puts other good guys (dissidents) at risk from bad guys
(repressive regimes).

~~~
userbinator
_More generally, unsolvable online crime is arguably an unavoidable cost of
online privacy and freedom._

No kidding. A world with zero crime can be nothing but an authoritarian
dystopia.

 _Just as with encryption, having backdoors for some good guys (cops) puts
other good guys (dissidents) at risk from bad guys (repressive regimes)._

On the other hand, encryption can also be used by companies to oppress and
control their users ("walled gardens", DRM, and the like.)

Maybe the underlying philosophy here is that absolutism is never good,
regardless of intention...

------
UseStrict
For entire classes of online crime, from a purely data perspective I wonder if
providing a way to anonymously report a crime would help? Things like
extortion, cheating spouses, lewd photos, revenge porn tend to be quite
embarrassing, and perhaps pursuing justice isn't worth getting exposed. But
knowing names, emails, patterns, and other details might help at least paint a
better picture of the true nature of online crime.

~~~
chatmasta
An informal and anonymous process to allow the public to arbitrarily submit
people’s names to a criminal watchlist? What could go wrong?

~~~
djsumdog
Makes me think of the Swatting incident.

~~~
emiliobumachar
Incident _s_

------
strictnein
Work in a SOC as part of a well funded security org at a Fortune 50.

A company's SOC ideally isn't in the business of reporting crimes, unless
they're dealing with a very serious threat actor. In that case, we may notify
the feds, but we'll also notify others in our line of business, including
direct competitors. Sharing intelligence will help you long term. Trying to
get the feds to crack down on a criminal gang operating from eastern Europe
won't do much.

Machines that are compromised are isolated, analyzed to pull out indicators of
compromise and intel about the methods used, and then nuked and disposed off.
There's nothing left to even turn over to a criminal investigation, let alone
anyone who wants the machines to begin with.

------
everdev
Or in the cryptocurrency space, reported public but unsolved and unenforced.

------
tessierashpool
tech crimes are so much easier to commit than to solve, prevent, or punish
that they represent a huge threat to the rule of law. in the West, crime
hasn't had this kind of advantage over law enforcement since the Middle Ages.
in particular, C and C++ could literally become the downfall of Western
civilization.

~~~
mindslight
Actually, the situation is complete opposite. Code _is_ formal,
deterministically executable rules. That's a _boon_ for the rule of law, as
the vast majority of "crimes" can be prevented _a priori_ , rather than chased
down post facto.

Even C++ is miles ahead of the "legalese" that forms traditional laws. Being
_executable_ by the common person, it avoids one glaring violation of _equal
protection_ that modern legalese limps along in spite of - legalese is only
interpretable by specialized _lawyers_ , who still generally default to
"ambiguous no".

The real problem driving this article is the legacy ambient authorities
wanting to expand their role, insisting that the informal intentions behind
the design of (and decision to run) the code should carry more weight than the
code itself! One of the implications of the End to End principle is that
messages on the network carry no "universal" denotational meaning, but are
purely what the endpoints make of them. Ambient authority has little place in
a connected post-jurisdictional world, and so we must resist its attempts to
further invade where it is simply inappropriate.

~~~
vkou
> The real problem driving this article is the legacy ambient authorities
> wanting to expand their role, insisting that the informal intentions behind
> the design of (and decision to run) the code should carry more weight than
> the code itself!

Just because I accidentally left my door unlocked today doesn't mean that
entering my house, and taking all my stuff isn't burglary. You don't have to
be a telepath to know that is wrong.

Under the 'code is law' doctrine, just because you _could_ do something, you
_can_ do something. This is incompatible with anything resembling civilized
society.

Society only functions because we respect the informal intentions of other
people.

~~~
mindslight
> _Society only functions because we respect the informal intentions of other
> people._

I agree wholeheartedly, in the local scale person-to-person sense.

But your argument is knocking down a straw man, by coming at it from the other
direction. I'm not advocating for being an asshole via finding loopholes, but
against the ridiculousness of creating a second set of half-formal rules to
repair deficiencies in the fully formal ones.

> _Under the 'code is law' doctrine, just because you could do something, you
> can do something. This is incompatible with anything resembling civilized
> society._

Yet this is _exactly_ how the legal system does work. If an action is "wrong"
but not illegal you can't actually be sanctioned for it. See: pretty much any
large company in the news over some kind of outrage that will ultimately go
unpunished.

~~~
vkou
> If an action is "wrong" but not illegal you can't actually be sanctioned for
> it. See: pretty much any large company in the news over some kind of outrage
> that will ultimately go unpunished.

Law is subject to human interpretation, evaluation of intent, and error
correction. Every case has a number of unknowns that judges and juries are
supposed to clarify. This is a feature, not a bug.

Code does not. The source for any non-trivial program encodes an uncountable
number of unknowns that frequently lead us to absurd conclusions, with no
ability to sanity check or correct them.

~~~
mindslight
This flexibility is a feature for human-scale situations (eg it's really nice
to distinguish between involuntary manslaughter and premeditated murder), but
it doesn't scale - either to larger organizations, or across different
cultures.

------
dsfyu404ed
Technology is threatening the steady supply of petty crime committed in person
on which law enforcement's current business model is built. Woe is them. /s

Based on their history of respecting people's rights and their privacy I'm
100% ok with the FBI not having efficient cooperation with local law
enforcement.

