[HN Gopher] The low, low cost of committing cybercrime
___________________________________________________________________
The low, low cost of committing cybercrime
Author : freedude
Score : 27 points
Date : 2023-08-31 19:34 UTC (3 hours ago)
(HTM) web link (isc.sans.edu)
(TXT) w3m dump (isc.sans.edu)
| badrabbit wrote:
| A handful of times, I was able to track down the guy distributing
| (not authoring) the malware via social media, youtube, discord,
| github and more (even opened a github issue respectfully asking
| them to stop distributing malware) and I was able to find the
| country they live in as well as their name (even a home address
| and cellphone in one case). I mention this because even with all
| that info there isn't much I can do that would be worth doing to
| take action against them. I have filed IC3 FBI complaints for far
| worse and they don't even so much as reply. I can get an
| "industry contact" to get me to relay that to an actual special
| agent but it would have to be something highly impactful like a
| ransomware, I can't do that for every small time crimeware I
| find.
|
| Jurisdictions like Russia have a policy of looking the other way
| as well so long as you look the other way and in some countries,
| just having actual cybercrime laws and then the diplomatic
| relation strong enough to cooperate with their cops can be rare
| to find.
|
| But focusing on the cost alone is a mistake; threat actor cost-
| benefit analysis is key here. In the 80s and early 90s for
| example, big cities were a crime horror show because cops
| couldn't catch up enough and the reward, relative to the potential
| reward of a law-abiding life, was dismal compared to today (well,
| that and lead babies!). I don't believe stop-and-frisk or "broken
| windows" policing made a difference anywhere near as much as
| better opportunities, entertainment, education and economy as
| well as "the internet" and tech making it harder to get away with
| crime did.
| sublimefire wrote:
| The title is misleading. It should be called "The low, low effort
| of ...". There is no dollar value expressed in conducting such a
| simple attack. One needs to buy emails, then set up DNS and host
| the files on some servers. How do you pay for those servers?
| There are a bunch of interesting parts of this that were just not
| covered in the article, nor was there any attempt to show the
| actual cost, nor did it prove it is actually cheap. The cost
| would be dictated by the amount of valuable emails you have and
| the ability to squeeze them into one campaign (minus the effort).
| CharlesW wrote:
| > _There is no dollar value expressed in conducting such a
| simple attack._
|
| "Cost" encompasses things like effort, loss, and sacrifice too.
| kwant_kiddo wrote:
| A bigger problem for me personally is the high cost of reducing
| developer productivity and increasing operational risk just for
| the sake of cyberponies trying to defend their job.
|
| Also I am not so sure the cost is that low. Well, for phishing
| attacks maybe, but what is the return here? Many skilled people
| have been caught doing 'cybercrime'. I just think if you compare
| this to e.g. tax-fraud then I would expect the risk/reward to be
| much higher than doing phishing attacks.
| gustavus wrote:
| And a bigger problem for me is the high cost of losing my job
| when some code cowboy leaks a bunch of people's data and
| passwords because "md5" was already in the standard library and
| easy to use.
|
| Or someone replaced all the pictures on the website with hentai
| because a developer found this "really cool GitHub project"
| that saved him the hassle of "having to learn regex" or decided
| to outsource a bunch of customer analytics to "this really cool
| startup I saw on ycombinator. No I just paid with the company
| pcard, no I didn't read the privacy and data documents those
| are boring."
|
| It's a funny world like that.
|
| EDIT Or the developer who put the CORS to '*' because that was
| the only way to make it work on my machine.
|
| Or "Why is this random Serbian guy currently admin in our AWS
| account?" "Oh that's gavrilo great guy he was one of the front
| end guys we brought in back a couple of months ago to finish a
| project. We couldn't figure out the permissions to the s3
| bucket though so we just gave him admin rights. Should probably
| get around to removing his access. Cool dude though although he
| had problems with the Austrians for some reason."
| pixl97 wrote:
| >A bigger problem for me personally is the high cost of
| reducing developer productivity and increasing operational risk
| just for the sake of cyberponies trying to defend their job.
|
| This is why programmers are not licensed engineers, and I have
| my doubts about it being a serious engineering profession.
|
| "Oh, the bridge fell down and killed 15 people, but it was
| worth it because I built a lot of bridges this week"
| cdchn wrote:
| Lower stakes having looser tolerances is an engineering
| trade-off.
| xmprt wrote:
| I think programmers should re-evaluate the stakes that
| they're playing with. Even seemingly inconsequential things
| can have pretty large impacts at the scale that programmers
| operate. For example, if a form that you write doesn't
| properly support unicode characters then you might have
| just locked out millions of people from non western
| countries from using your software.
|
| And even worse, if you're building a "tiny low stakes"
| piece of a much larger software then you might end up
| accepting money from those paying customers who can no
| longer use your software because your form doesn't work for
| them. (I've had this happen to me personally). And then
| people don't bother fixing it because it's only 0.01% of
| the userbase.
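As an added illustration of xmprt's point about a form silently locking out users with non-Latin names (example code written for this page, not from the thread; the sample names are constructed), the ASCII-only validator many forms ship with is compared against a Unicode-aware one:

```javascript
// Added example: a "name" field validator that only accepts ASCII letters
// rejects most of the world's names, versus one using Unicode property
// escapes. The sample names below are constructed for this example.

// The narrow pattern many forms ship with: Latin letters, space, hyphen, apostrophe.
const ASCII_NAME = /^[A-Za-z][A-Za-z '-]*$/;

// Unicode-aware pattern: any letter (\p{L}) or combining mark (\p{M}) in any
// script, plus the same separators. The `u` flag enables \p{...} escapes.
const UNICODE_NAME = /^[\p{L}\p{M}][\p{L}\p{M} '-]*$/u;

function validateName(name, pattern) {
  // Normalize so composed and decomposed forms ("é" vs "e\u0301") are judged
  // the same way; bound the length so the check stays cheap on hostile input.
  const n = name.normalize("NFC");
  return n.length > 0 && n.length <= 100 && pattern.test(n);
}

// Constructed sample inputs: ordinary names that are valid in their scripts.
const SAMPLE_NAMES = [
  "Zoë Müller",
  "张伟",
  "Nguyễn Văn An",
  "Øyvind Sørensen",
  "Алексей Иванов",
];

// Returns the samples a pattern rejects, to make the coverage gap visible.
function rejectedBy(pattern, names = SAMPLE_NAMES) {
  return names.filter((n) => !validateName(n, pattern));
}

function main() {
  console.log("ASCII-only rejects:", rejectedBy(ASCII_NAME));
  console.log("Unicode-aware rejects:", rejectedBy(UNICODE_NAME));
}
main();
```

The ASCII pattern rejects every one of the five sample names; the Unicode-aware pattern accepts all of them while still refusing empty and over-long input.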
___________________________________________________________________
(page generated 2023-08-31 23:00 UTC)