Hacker News new | comments | show | ask | jobs | submit login
An ‘Iceberg’ of Unseen Crimes: Many Cyber Offenses Go Unreported (nytimes.com)
114 points by ganlad 8 months ago | hide | past | web | favorite | 49 comments



Skimming the article, it seems to me that what they need most right now is not systems for gathering more data, but systems for analyzing data they already have. Like, the iPhone thing - they didn't notice because they classified each event as one-off, so nobody looked for possible connection. I assume police stations don't exchange data with each other as much as they should either.

As for the crimes going unreported, a cost-effective way of solving that would be investing in solving the crimes they know about, or at least making it look like they're good at solving them. Make people believe the police works effectively, and they'll hesitate less before reporting.


>>a cost-effective way of solving that would be investing in solving the crimes they know about,

it also has to involve looking at what is classified as a crime. Today priorities are often tilted in the wrong direction and resources misapplied. This article has some of that in it... The Fentanyl epidemic. 30+ years of the war on drugs as proved that Drug Addiction can be be solved with the criminal system, even the most charitable understanding of the research points to laws have no effect on use or abuse, and if you look at it realistically you can find substantive arguments for criminal enforcement being directly leading to increase death not to mention other negative effects.

However there is a ocean of federal funding, external resources, Civil Forfeiture and political capital to be spent on the Drug War, Local police depts will have their budgets flush in cash to go hard on drugs.... However to go over iphone thefts, or ID Fraud, or Property Crimes, or even non-drug related violent crimes it is a cost to the local dept...

In order to police work effectively, they need incentives to redirect their resources off of drugs and on to the other crimes... We as society also need to accept that the criminal war on drugs is a failure and always will be, it needs to be a medical and social battle, not a criminal one.

The best thing we can do for crime and drug addiction, is to stop treating drugs as a crime


I wholeheartedly agree.


What you're saying was more or less the argument in favor of the Patriot Act's expanding of domestic intelligence gathering, fwiw.

And how'd it work out? Apparently not too well, if we're still seeing the same comments a decade later.


Gathering together phone theft data, and the patriot act don't seem to have much in common.


Looking at one of my servers that services an external address, I see about 100 IPs listed in the authlog file that are trying various passwords and such to break in. Its not even a main server (www, mail, dns, etc.). Of course, I use keys only for login, but it is a bit annoying. I guess I am getting quite a block list built.

So, does the author expect me to report all these IPs? Who would I send them to? Is there an easy reporting system? I suspect that any report will be treated like many police departments treat a stereo being robbed from a car, they'll give a incident number but not much else.

PS: what the heck uses "chef" as a username? That is really getting common.


Maybe a common user for chef automation and chef client runs ? https://www.chef.io/


Interesting, well I guess folks using it should be just as careful as the rest of us. Someone with a 116.90.81.14 ip was really interested in it. Username "bernard" is also a new one on me.


I think these attackers just use wordlists for the most part. I had an SSH server log tens of thousands of attempts with the username ‘initech’ before I got fail2ban running and turned off password auth. Not sure there many people out there actually naming user accounts after the company from Office Space.


Lets make a big database of the popular usernames and passwords as of this moment. Has no one done this?



Well, yeah...the people running the scripts at least.


Would be nice if cloud providers automatically had a fence around your subnet with an ssh proxy that did this stuff already. Seems crazy that typically you open up ssh directly to everyone.


In my most recent setup I created two VMs, one with just 80/443 -> HAProxy open and a second with only openvpn open. It should be more common practice, and offered by default from more providers, but unfortunately for now, you still have to set it all up yourself:

http://penguindreams.org/blog/bee2-creating-a-small-infrastr...


I haven't done that for years, prefering instead to change ports to an uncommon one and even then that port is only opened upon port knocking. My logs are so much easier to parse. (These days in nftables instead of iptables.)

There actually is some security through obscurity, despite everyone loving to bandwagon otherwise.


You put a wall around your property. It kept the dilettantes out, which means you have free time for something else.

If there’s a buffer overflow attack against SSH then you have security through obscurity. In the meantime you have security and obscurity. Assuming you’re using known rsa keys to login remotely...


not sure if that's obscurity. changing the port means you have to scan the whole port range. port knocking gives you another 2-4 bytes of entropy. (a determined attacker will try all the port knocking permutations)

Seems like putting bars on the windows. You're taking a couple of well known steps to make things a little harder for an attacker.


The complaint isn't that it is worthless, it is that it is worthless if that is your only security measure.


Or any other trade off you make on the assumption you have more defense than you really do, surprisingly common.


Many, if not most, crimes go unreported offline. Is it really a shock that the same might be true online? It’s not as though police are likely to find and return your stolen property from a mugging or burglary.

Above all, policing needs “better systems for gathering data,” the report said.

Oooooh. Well that was predictable. Stingrays and lobbying for cryptographic backdoors not enough to do the job hm?


What's the point of reporting? We had an issue with a sysadmin. Ended up firing him but didn't revoke all his credentials in time. He logged in and deleted all our Azure servers and rm -rf'd our GCP boxes. MS wouldn't help us at all, but Google's console log showed the login from the guy's town. What're we supposed to do? He was in England and we the US.

Had a similar issue with a hacker that found a way around our billing systems. Ran up $90k of charges. He was in Montreal and we even had his ID. What're we gonna do, waste time trying to go after someone that'll claim it was our bug and he didn't know anything was wrong?


The US has police relations with both the UK and Canada. When happened when your company tried to contact authorities in those States? It seems like prosecution should be possible, or at least civil liability.


Important lesson: when dealing with a problem sysadmin, revoke their credentials before telling them they're fired.


The only reason I'd report property crime to the cops is because my insurance company makes me do it as part of the claims process.

The cops don't work for us; they work for the Them with a capital 'T'. The only thing that reliably works is best-effort individual defense plus insurance for when that fails. Keep your doors locked and your backups offsite, because chances are good that if anyone breaks in, police investigators won't produce any useful results, ever.

The Warren vs. D.C. decision just confirmed what was already fact.

If you live in the U.S., it is likely that you have lived your entire life such that the number of police encounters you might rate as positive are vastly outweighed by those you saw as negative. That is certainly true for me. At least my encounters have ranged from "unhelpful" to "annoying", rather than from "useless" to "deadly".

What they need is better systems to ensure that they are actually acting in the public interest, instead of like a hostile occupying army.


An ounce of prevention is expensive enough in this space, and yet we expect local police forces to provide pounds of cure?


I wonder what share of those "unseen crimes" are victimless? Such as dealing drugs through darknet marketplaces. Decriminalizing such activities could lighten the workload, perhaps considerably.

More generally, unsolvable online crime is arguably an unavoidable cost of online privacy and freedom. Just as with encryption, having backdoors for some good guys (cops) puts other good guys (dissidents) at risk from bad guys (repressive regimes).


More generally, unsolvable online crime is arguably an unavoidable cost of online privacy and freedom.

No kidding. A world with zero crime can be nothing but an authoritarian dystopia.

Just as with encryption, having backdoors for some good guys (cops) puts other good guys (dissidents) at risk from bad guys (repressive regimes).

On the other hand, encryption can also be used by companies to oppress and control their users ("walled gardens", DRM, and the like.)

Maybe the underlying philosophy here is that absolutism is never good, regardless of intention...


For entire classes of online crime, from a purely data perspective I wonder if providing a way to anonymously report a crime would help? Things like extortion, cheating spouses, lewd photos, revenge porn tend to be quite embarrassing, and perhaps pursuing justice isn't worth getting exposed. But knowing names, emails, patterns, and other details might help at least paint a better picture of the true nature of online crime.


An informal and anonymous process to allow the public to arbitrarily submit people’s names to a criminal watchlist? What could go wrong?


Makes me think of the Swatting incident.


Incidents


Sounds like a channel that would be instantly DDOSed for a number of reasons. Criminals would want it down, and the usual people with issues around law enforcement would want to hurt it, while younger people would potentially do it for shits and giggles.


Work in a SOC as part of a well funded security org at a Fortune 50.

A company's SOC ideally isn't in the business of reporting crimes, unless they're dealing with a very serious threat actor. In that case, we may notify the feds, but we'll also notify others in our line of business, including direct competitors. Sharing intelligence will help you long term. Trying to get the feds to crack down on a criminal gang operating from eastern Europe won't do much.

Machines that are compromised are isolated, analyzed to pull out indicators of compromise and intel about the methods used, and then nuked and disposed off. There's nothing left to even turn over to a criminal investigation, let alone anyone who wants the machines to begin with.


Or in the cryptocurrency space, reported public but unsolved and unenforced.


tech crimes are so much easier to commit than to solve, prevent, or punish that they represent a huge threat to the rule of law. in the West, crime hasn't had this kind of advantage over law enforcement since the Middle Ages. in particular, C and C++ could literally become the downfall of Western civilization.


Actually, the situation is complete opposite. Code is formal, deterministically executable rules. That's a boon for the rule of law, as the vast majority of "crimes" can be prevented a priori, rather than chased down post facto.

Even C++ is miles ahead of the "legalese" that forms traditional laws. Being executable by the common person, it avoids one glaring violation of equal protection that modern legalese limps along in spite of - legalese is only interpretable by specialized lawyers, who still generally default to "ambiguous no".

The real problem driving this article is the legacy ambient authorities wanting to expand their role, insisting that the informal intentions behind the design of (and decision to run) the code should carry more weight than the code itself! One of the implications of the End to End principle is that messages on the network carry no "universal" denotational meaning, but are purely what the endpoints make of them. Ambient authority has little place in a connected post-jurisdictional world, and so we must resist its attempts to further invade where it is simply inappropriate.


> The real problem driving this article is the legacy ambient authorities wanting to expand their role, insisting that the informal intentions behind the design of (and decision to run) the code should carry more weight than the code itself!

Just because I accidentally left my door unlocked today doesn't mean that entering my house, and taking all my stuff isn't burglary. You don't have to be a telepath to know that is wrong.

Under the 'code is law' doctrine, just because you could do something, you can do something. This is incompatible with anything resembling civilized society.

Society only functions because we respect the informal intentions of other people.


> Society only functions because we respect the informal intentions of other people.

I agree wholeheartedly, in the local scale person-to-person sense.

But your argument is knocking down a straw man, by coming at it from the other direction. I'm not advocating for being an asshole via finding loopholes, but against the ridiculousness of creating a second set of half-formal rules to repair deficiencies in the fully formal ones.

> Under the 'code is law' doctrine, just because you could do something, you can do something. This is incompatible with anything resembling civilized society.

Yet this is exactly how the legal system does work. If an action is "wrong" but not illegal you can't actually be sanctioned for it. See: pretty much any large company in the news over some kind of outrage that will ultimately go unpunished.


> If an action is "wrong" but not illegal you can't actually be sanctioned for it. See: pretty much any large company in the news over some kind of outrage that will ultimately go unpunished.

Law is subject to human interpretation, evaluation of intent, and error correction. Every case has a number of unknowns that judges and juries are supposed to clarify. This is a feature, not a bug.

Code does not. The source for any non-trivial program encodes an uncountable number of unknowns that frequently lead us to absurd conclusions, with no ability to sanity check or correct them.


This flexibility is a feature for human-scale situations (eg it's really nice to distinguish between involuntary manslaughter and premeditated murder), but it doesn't scale - either to larger organizations, or across different cultures.


Law is interpreted by the courts, which creates jurisprudence. The letter of the law is subject to the interpretation of the courts to a very great extent.

Edit: I misread the comment I responded to, and as the poster rightly pointed out, my comment is just stating the obvious. Sorry about that.


How is that aspect not already incorporated in what I've said?


You’re absolutely right, I misread your comment.


    just because you could do something, you can do something. 
There is no more perfect state of Anarchy in the world than code.

What we are missing is good forensics. A number of people in this thread have hinted at this.



This remark is barely even related to my argument, so I don't get why you made it a reply. I'm just going to rephrase the argument you ignored. If you address it, at all, I'll try to return the favor and address the points you raised too.

To secure a computer system, you have to find and patch all of its vulnerabilities, as well as distribute your patch to every node in the network. It's like what Maggie Thatcher said about terrorism. If the defender messes up even one time, the attacker wins. So the amount of effort that the attacker needs is much, much smaller than what the defender needs.

Compare that to a European country without America's easy access to guns. Crime is always cheaper than law enforcement, but in a country without ubiquitous guns, crime is somewhat cheaper than law enforcement. Online, crime is massively cheaper than law enforcement. That means that crime has a systemic advantage.

Who even hires for cybersecurity, in government? Who has the resources for it? Do local police departments compete with startups for top tech talent? Of course not.

Say you're a small town in Pennsylvania. A woman who lives in your town is being harassed by a loosely affiliated global network of anonymous misogynistic trolls. Is your police department qualified to protect her? This is a major flaw in the police department's ability to fulfill its responsibilities towards its citizenry and taxpayers, and we haven't even added black hat hackers to the equation yet.

In a hacking situation, the defender needs to coordinate an entire network, to make sure everybody's using the latest patches, while the attacker can operate solo, which eliminates organizational overhead. Yet attackers can and do share information about attack vectors. The decentralization that network technology makes possible is very favorable for attackers. Meanwhile, most of our infrastructure runs on languages that are extremely difficult to secure, even without questions of coordination.

This is a fundamental threat to the rule of law. Some of these problems can be addressed by modifying which agencies are responsible for which types of problems. But the economic aspects are fundamental. Crime is cheaper than enforcement and security by orders of magnitude. Few people are qualified to secure these systems, and many of them can make more money by penetrating them. For every brilliant hacker who moves to the US and starts another Google, there are a hundred who are stuck in Estonia, where their best bet is stealing credit card numbers or breaking into Bitcoin exchanges. The profit potential there is literally in the billions; even Silicon Valley has a hard time competing with that.

These incentives are inherently dangerous, and that is unlikely to change.


My comment is directly related to the foundation of your argument - it's patently absurd to refer to a medium that is built entirely out of formal rules as being lawless.

The short of it is that if you take "the rule of law" to mean the ability for puppetmasters to make top-down dictats like "can't talk about Barbara Streisand", then sure, any distributed activity undermines that. Your comment is steeped in the idea of there being a singular godlike perspective, and implies having a single world jurisdiction. Aside from the impracticality, this would be a truly sorry day for humanity.


> C and C++ could literally become the downfall of Western civilization.

Rust coming to the rescue!

Seriously, I think peak insecure C/C++ has already passed, so if civilization hasn't fallen yet, it's not likely to fall for this reason.


Technology is threatening the steady supply of petty crime committed in person on which law enforcement's current business model is built. Woe is them. /s

Based on their history of respecting people's rights and their privacy I'm 100% ok with the FBI not having efficient cooperation with local law enforcement.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: