By Paul Hales in Luton
30 May 2007
Comment Ever catch a phisherman?
WHAT MIGHT HAPPEN, we wonder, if the MPAA was put in charge of seeking
Would, perchance, these 21st century wide boys awaken to find demands
for $20,000 in their in-boxes. "Pay-up or go to court, charged with
clogging up the Interweb," the missive might read. "We are the virtual
cops. Cough up or face disgrace. Resistance is futile."
What might happen if the real Plod were interested in catching malware
writers? Would doors be battered down at dawn? Would armed officers
pursue suspected crackers through the London Tube?
"He looks like a hacker, Sarge!"
"Yeah, that openly-sourced T-shirt's a dead give-away. Shoot to kill."
Bang, bang, bang, bang, bang.
"Well, we were close Sarge. A lot of phishermen are South American,
apparently. Some must be Brazillian."
A little while ago I wrote a bit of a daft piece about Microsoft. Sat
down with a couple of Volish security experts I asked them what the
worse was that could happen if your corporate network was hacked into.
And I wanted to know how many hackers, crackers or malware writers the
firm had helped apprehend.
Spookily enough, within half an hour of that piece appearing on the
pages of the INQ a further Micromissive appeared in my mailbox.
"Through a combination of teamwork, training, and technology, Microsoft
works to identify, prosecute, and ultimately stop the developers and
distributors of malicious code," it read.
The firm, it acknowledged, is "well situated" to fight threats like
spyware "which undercuts trust in the online environment and can cause
harm to individual users."
So what does Microsoft do about Spyware and the like?
"Microsoft has experienced attorneys, investigators, technical and
forensic experts, technologies, and other resources to help fight
cybercrime and bring those who use it to perpetrate crimes to justice,"
So how many spyware authors, malware writers, virus builders has
Microsoft helped to apprehend in the thirty-odd years of its existence.
Well, directly? One, it seems.
Some bloke in India sent a death threat to the president. Microsoft
helped out, it said proudly, by tracking the bloke down through the
Hotmail account he used to send the message.
Microsoft says it has been involed (sic) in various initiatives to fight
cybercrime. It has organised International Botnet Conferences. It got
involved in the Child Exploitation and Online Protection (CEOP) thingy
which seems to have helped tracked down Gary Glitter, and it has helped
sponsor training courses for online coppers.
Details of the arrests all these efforts have spawned is not
forthcoming. Not many seems to be the answer. While the Vole may
certainly have helped catch our irate Indian who threatened a
politician, its role in the arrest of Gary Glitter is rather more
circumspect. It joined the organisation before the arrest was made, so
obviously shares in the collective glory.
Of course, it's not really Microsoft's job to police the Interweb. It's
not really the MPAA's or the RIAA's either. But these organisations
represent the interests of their members and if they don't get a couple
of bob every time someone plays a song in their home, their executives
may run out of champagne and coke.
Whose interests are really threatened by cybercrime? Well, certainly not
the software makers, the chip makers, the hard disk makers, the mouse
makers, and least of all the virus busters and security firms which
daily release news of the latest "vulnerabilities" plaguing the web.
No, the victims are the poor users. Not that they're likely to have
their identity stolen or their bank account plundered or their data
erased by some malicious bot or other. The chances of that happening are
millions to one.
No, what they are forced to do is continually fork out for spam-busting
protection, for "secure" operating systems, for funky firewalls, malware
detectors or phish-sniffing software. All this junk clogs up their
spanking new PC so that they continually have to upgrade to newer
chippery clever enough to have a processing core dedicated to each of
the bloatsome security routines keeping them safe while they surf.
It's a con, gentlemen. A big fat con.
No one has a business interest in catching identity thieves or malware
writers. There's no money in it, so no-one's bothered.
Ponder this when your machine takes half an hour to download the latest
virus patch or it takes hour to switch off since the Vole has plugged a
bunch of its holes. Or you find yourself in PC World forking out a grand
to replace your aging PC with a new one which will probably be as slow
as our old one within a week or two.
Attend Black Hat USA, July 28-August 2 in Las Vegas,
the world's premier technical event for ICT security
experts. Featuring 30 hands-on training courses and
90 Briefings presentations with lots of new content
and new tools. Network with 4,000 delegates from
70 nations. Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on
June 1 so register today. http://www.blackhat.com