Normalized Crime

Interesting laundry list here of what’s wrong with IT security:
Individuals and most companies simply do not have the time, money, skill and resources required to effectively manage all of today’s risks and threats.

Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security. A long-overdue wake-up call for the information security community, by Noam Eppel, Vivica Information Security Inc.

And commentary on it in a blog:
He points out the various types of malware, then proceeds to work on the SANS Institute, Symantec and Panda virusometer as tools that are always reassuring because they rarely if ever go above green, seemingly meaning that the very tools we use to monitor the internet threat condition have adopted a process of procedurally incurred chaos as normal. That the threat levels of all the botnets, click bots, phishing scams have been normalized in our security communities.

Security Absurdity – Is information security “Broken”?, by Dan Morrill, 16 May 2006, ITtoolbox Blogs, Managing Intellectual Property & IT Security.

I’d go even beyond this.

We’ve lost the most widespread service on the Internet to an entire generation. Most people under about 25 don’t use electronic mail by choice, largely because it’s so infested with spam.

Dan Morrill goes ahead and proposes some potential solutions, which are all good. I don’t think they go far enough, because while many of them are about better training and better communications, they are mostly about actions within a single organization. To fight the aggregate damage miscreants cause by using the leverage of the Internet, we need collective action. The key word in that first quote above from Eppel is “individual”. Sure, there are some obvious steps that individuals can and should take: switch away from any web browser that is unsafe 98% of the time; run multiple operating systems, so that if one is attacked, another is likely to be up; and practice similar diversity in applications such as mail readers. Such steps can increase resilience and make individuals less susceptible. But individual people or companies will never be able to effectively stop the organized Internet world of exploit writers, bot herders, spammers, phishers, et al.

Only groups can fight spam and phishing and the rest. If the miscreants can buy cracking toolkits and whole botnets already cracked, all for cheap, the good guys (that’s the rest of us) need to be able to buy detection tools that tell us when a message is likely phishing, and even more tools or services that tell us who else is being phished the same way so everyone can react. And there need to be groups ready to act on such information: industry groups and law enforcement groups. A little liability for companies that knowingly sell bug-ridden software could go a long way, too. Even more liability for companies that deliberately distribute exploits such as rootkits along with their products is long overdue. And in some cases, such as mail, we may need new protocols, or at least new layers of authentication and authorization on top of them.

Risk management has long involved pooling resources; it was a few Names at Lloyd’s coffeeshop a few hundred years ago who underwrote long ocean voyages and opened the golden age of sea-trading on the ocean sea. To do that effectively, they had to pool reports from multiple ship captains and harbor pilots about hazards and threats and ways to counter them. The individual ship captains were very capable, or they wouldn’t have returned to tell their tales or to show their rudders (logs) to Lloyd’s. But neither the individual captains nor the individual merchants could have handled the risk of global trade without further pooling of resources. Internet security has started moving beyond individual actions, with SANS, the APWG, and other groups watching what’s going on. Yet spam is endemic, phishing is epidemic, and we find major companies distributing rootkits. It’s time to go beyond just watching and start taking more collective action, including everything from insurance to lawsuits to reputation systems and more.


2 thoughts on “Normalized Crime”

  1. wpn

    We’ve lost the most widespread service on the Internet to an entire generation. Most people under about 25 don’t use electronic mail by choice, largely because it’s so infested with spam.

    They seem to be supplanting it not only with IM, but with private messages sent through social sites (MySpace, or any other blogging site that is allowing user registration and private messaging). The latter has the advantage over regular email in that it’s easier to secure from spamming. Comment spam is still a problem, but PM spams aren’t because the ONLY way you can send a PM is to register by hand. Spammers still try to abuse one site or another, but they’re detected quickly and kicked off; they can’t automate the process enough to make it worth their while. Social sites’ software by and large doesn’t support bulk private messaging.
    When you get right down to it, the problem with email is that the relaying itself doesn’t require any central registration or verification of the sender, and you can hit the same target from ANY given point, so you just go where the security’s weakest.
    Of course, regular postal mail doesn’t have the huge abuse problems either, because it’s more centrally controlled AND it costs the senders to use it. If we took either one of these steps in the email realm, we could reduce the number of problems. But as long as nobody wants either option, we’ll still have a wild wild west for email.
    The question is whether the preference for social sites will end up altering the organization of the Internet. In other words, will people group themselves willingly in the absence of centralization, to gain the security benefits? It was a good argument for tribes at the beginning …

  2. Dan Morrill

    I liked your commentary; collective heads are better than one, as I know I tend to be conservative and attempt to socialize information security to the masses, maybe at times a bit too much.
    Regards, Dan Morrill

Comments are closed.