As for the crimes going unreported, a cost-effective way of solving that would be investing in solving the crimes they know about, or at least making it look like they're good at solving them. Make people believe the police works effectively, and they'll hesitate less before reporting.
It also has to involve looking at what is classified as a crime. Today priorities are often tilted in the wrong direction and resources misapplied. This article has some of that in it... The Fentanyl epidemic. 30+ years of the war on drugs has proved that Drug Addiction can be solved with the criminal system, even the most charitable understanding of the research points to laws having no effect on use or abuse, and if you look at it realistically you can find substantive arguments for criminal enforcement directly leading to increased death, not to mention other negative effects.
However there is an ocean of federal funding, external resources, Civil Forfeiture and political capital to be spent on the Drug War, Local police depts will have their budgets flush in cash to go hard on drugs.... However to go over iPhone thefts, or ID Fraud, or Property Crimes, or even non-drug related violent crimes it is a cost to the local dept...
In order for police to work effectively, they need incentives to redirect their resources off of drugs and on to the other crimes... We as society also need to accept that the criminal war on drugs is a failure and always will be, it needs to be a medical and social battle, not a criminal one.
The best thing we can do for crime and drug addiction, is to stop treating drugs as a crime.
And how'd it work out? Apparently not too well, if we're still seeing the same comments a decade later.
So, does the author expect me to report all these IPs? Who would I send them to? Is there an easy reporting system? I suspect that any report will be treated like many police departments treat a stereo being robbed from a car, they'll give an incident number but not much else.
PS: what the heck uses "chef" as a username? That is really getting common.
There actually is some security through obscurity, despite everyone loving to bandwagon otherwise.
If there’s a buffer overflow attack against SSH then you have security through obscurity. In the meantime you have security and obscurity. Assuming you’re using known rsa keys to login remotely...
Seems like putting bars on the windows. You're taking a couple of well known steps to make things a little harder for an attacker.
> Above all, policing needs “better systems for gathering data,” the report said.
Oooooh. Well that was predictable. Stingrays and lobbying for cryptographic backdoors not enough to do the job hm?
Had a similar issue with a hacker that found a way around our billing systems. Ran up $90k of charges. He was in Montreal and we even had his ID. What're we gonna do, waste time trying to go after someone that'll claim it was our bug and he didn't know anything was wrong?
The cops don't work for us; they work for the Them with a capital 'T'. The only thing that reliably works is best-effort individual defense plus insurance for when that fails. Keep your doors locked and your backups offsite, because chances are good that if anyone breaks in, police investigators won't produce any useful results, ever.
The Warren vs. D.C. decision just confirmed what was already fact.
If you live in the U.S., it is likely that you have lived your entire life such that the number of police encounters you might rate as positive are vastly outweighed by those you saw as negative. That is certainly true for me. At least my encounters have ranged from "unhelpful" to "annoying", rather than from "useless" to "deadly".
What they need is better systems to ensure that they are actually acting in the public interest, instead of like a hostile occupying army.
More generally, unsolvable online crime is arguably an unavoidable cost of online privacy and freedom. Just as with encryption, having backdoors for some good guys (cops) puts other good guys (dissidents) at risk from bad guys (repressive regimes).
No kidding. A world with zero crime can be nothing but an authoritarian dystopia.
> Just as with encryption, having backdoors for some good guys (cops) puts other good guys (dissidents) at risk from bad guys (repressive regimes).
On the other hand, encryption can also be used by companies to oppress and control their users ("walled gardens", DRM, and the like.)
Maybe the underlying philosophy here is that absolutism is never good, regardless of intention...
A company's SOC ideally isn't in the business of reporting crimes, unless they're dealing with a very serious threat actor. In that case, we may notify the feds, but we'll also notify others in our line of business, including direct competitors. Sharing intelligence will help you long term. Trying to get the feds to crack down on a criminal gang operating from eastern Europe won't do much.
Machines that are compromised are isolated, analyzed to pull out indicators of compromise and intel about the methods used, and then nuked and disposed of. There's nothing left to even turn over to a criminal investigation, let alone anyone who wants the machines to begin with.
Even C++ is miles ahead of the "legalese" that forms traditional laws. Being executable by the common person, it avoids one glaring violation of equal protection that modern legalese limps along in spite of - legalese is only interpretable by specialized lawyers, who still generally default to "ambiguous no".
The real problem driving this article is the legacy ambient authorities wanting to expand their role, insisting that the informal intentions behind the design of (and decision to run) the code should carry more weight than the code itself! One of the implications of the End to End principle is that messages on the network carry no "universal" denotational meaning, but are purely what the endpoints make of them. Ambient authority has little place in a connected post-jurisdictional world, and so we must resist its attempts to further invade where it is simply inappropriate.
Just because I accidentally left my door unlocked today doesn't mean that entering my house, and taking all my stuff isn't burglary. You don't have to be a telepath to know that is wrong.
Under the 'code is law' doctrine, just because you could do something, you can do something. This is incompatible with anything resembling civilized society.
Society only functions because we respect the informal intentions of other people.
I agree wholeheartedly, in the local scale person-to-person sense.
But your argument is knocking down a straw man, by coming at it from the other direction. I'm not advocating for being an asshole via finding loopholes, but against the ridiculousness of creating a second set of half-formal rules to repair deficiencies in the fully formal ones.
> Under the 'code is law' doctrine, just because you could do something, you can do something. This is incompatible with anything resembling civilized society.
Yet this is exactly how the legal system does work. If an action is "wrong" but not illegal you can't actually be sanctioned for it. See: pretty much any large company in the news over some kind of outrage that will ultimately go unpunished.
Law is subject to human interpretation, evaluation of intent, and error correction. Every case has a number of unknowns that judges and juries are supposed to clarify. This is a feature, not a bug.
Code does not. The source for any non-trivial program encodes an uncountable number of unknowns that frequently lead us to absurd conclusions, with no ability to sanity check or correct them.
Edit: I misread the comment I responded to, and as the poster rightly pointed out, my comment is just stating the obvious. Sorry about that.
> just because you could do something, you can do something.
What we are missing is good forensics. A number of people in this thread have hinted at this.
To secure a computer system, you have to find and patch all of its vulnerabilities, as well as distribute your patch to every node in the network. It's like what Maggie Thatcher said about terrorism. If the defender messes up even one time, the attacker wins. So the amount of effort that the attacker needs is much, much smaller than what the defender needs.
Compare that to a European country without America's easy access to guns. Crime is always cheaper than law enforcement, but in a country without ubiquitous guns, crime is somewhat cheaper than law enforcement. Online, crime is massively cheaper than law enforcement. That means that crime has a systemic advantage.
Who even hires for cybersecurity, in government? Who has the resources for it? Do local police departments compete with startups for top tech talent? Of course not.
Say you're a small town in Pennsylvania. A woman who lives in your town is being harassed by a loosely affiliated global network of anonymous misogynistic trolls. Is your police department qualified to protect her? This is a major flaw in the police department's ability to fulfill its responsibilities towards its citizenry and taxpayers, and we haven't even added black hat hackers to the equation yet.
In a hacking situation, the defender needs to coordinate an entire network, to make sure everybody's using the latest patches, while the attacker can operate solo, which eliminates organizational overhead. Yet attackers can and do share information about attack vectors. The decentralization that network technology makes possible is very favorable for attackers. Meanwhile, most of our infrastructure runs on languages that are extremely difficult to secure, even without questions of coordination.
This is a fundamental threat to the rule of law. Some of these problems can be addressed by modifying which agencies are responsible for which types of problems. But the economic aspects are fundamental. Crime is cheaper than enforcement and security by orders of magnitude. Few people are qualified to secure these systems, and many of them can make more money by penetrating them. For every brilliant hacker who moves to the US and starts another Google, there are a hundred who are stuck in Estonia, where their best bet is stealing credit card numbers or breaking into Bitcoin exchanges. The profit potential there is literally in the billions; even Silicon Valley has a hard time competing with that.
These incentives are inherently dangerous, and that is unlikely to change.
The short of it is that if you take "the rule of law" to mean the ability for puppetmasters to make top-down diktats like "can't talk about Barbra Streisand", then sure, any distributed activity undermines that. Your comment is steeped in the idea of there being a singular godlike perspective, and implies having a single world jurisdiction. Aside from the impracticality, this would be a truly sorry day for humanity.
Rust coming to the rescue!
Seriously, I think peak insecure C/C++ has already passed, so if civilization hasn't fallen yet, it's not likely to fall for this reason.
Based on their history of respecting people's rights and their privacy I'm 100% ok with the FBI not having efficient cooperation with local law enforcement.