2005 a Bad Year For Security
Greyfox writes "According to CNN, 2005 was a record year for security breaches, with cybercrime netting an estimated $105 billion and the Department of Homeland Security getting its cybersecurity budget cut 7%, to $16 Million. Apparently the government, just like private industry, doesn't pay attention to security until something bad happens to it."
What's the point.... (Score:5, Insightful)
Define "outgrown." (Score:2, Insightful)
Perhaps dollarwise, yes. Dangerwise, no. I don't think any Federal agents ever had to face off with any Colombian coderunners in some remote jungle on the ass end of the world. Illegal drugs aren't going to fall off the top of the charts anytime soon just because some douche in the Treasury Department says so.
Furthermore, nine times out of ten, companies and individuals who fall for scams or suffer identity theft had it coming for total lack of judgement in how they used their personal information online or how high a priority properly implementing security measures was for them.
Re:Define "outgrown." (Score:2, Insightful)
what are you expecting (Score:3, Insightful)
Lol eh what (Score:5, Insightful)
As for the Department of Homeland Security getting a budget cut. Well, is it even its task? Isn't credit card fraud something for the FBI to tackle? And social security number fraud would probably fall under either your social security agency or the IRS.
The securing of military IT would be a task for the military, and I think the NSA does something with it as well. The US seems to have so many agencies to keep it secure that I cannot remember them all.
So is that 16 million perhaps the budget for the Department of Homeland Security's OWN security? Do they really have to keep the entire US of A safe with that money, or just their own network?
I like a panic story as much as the next guy, but at least give me some basis and do not just throw some random numbers around.
What exactly is lumped into that 105 billion dollar figure? Every bad check? Counterfeit credit cards? Stolen Half-Life keys? And whose job is it to keep us safe? Army? NSA? CIA? FBI? Local police? Department of Homeland Security? Or, more likely, all of them for different parts of it?
This is not likely to change soon (Score:2, Insightful)
Not until we reach some sort of plateau in internet usage growth can we even start expecting cybercrime figures to start going down, but at the moment it's a growing market, and one which is largely untouched by organized crime and thus probably still rather ripe.
Re:my prediction (Score:3, Insightful)
Phishing, fraudulent Ebay auctions and Nigerian lottery scams have nothing to do with poorly-written code. They have to do with poorly-thinking brains. The Internet makes a great place for fraud because you don't know who you're communicating with. Some people haven't grasped that concept yet. I guess they don't give sermons about that stuff.
In a related story, cybersex has increased as well.
This explains a lot (Score:2, Insightful)
As for the government not taking security seriously until something bad happens to it... all I can say to that is a big loud fart, since for the last five years of my life, which is a good 25%, not to mention the most recent 25%, all I've known is government obsession with security. It leaks down too. Businesses stop you taking photos of their buildings by means of scary guards, "because of terrorism".
The real reasons it was a bad year for security are things like the first collisions found for heavily-relied-on encryption methods. You won't find that kind of stuff on CNN though.
Re:my prediction (Score:3, Insightful)
Phishing may not have anything to do with poorly-written code, but it does have a lot to do with poorly-designed protocols and user interfaces. Phishing is as successful as it is because
(1) Most email systems do not authenticate senders (even by hostname), so it's trivial to spoof email messages.
(2) Most web browsers expect users to parse URLs in their heads in order to determine what site they're on, and then parse hostnames (which happen to be written "backwards" compared to the rest of the URL) to determine whether to trust the site.
If protocols and software were better designed, phishing would only work on extremely gullible people.
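Point (2) above is easy to see in code. The following is an added example, not part of the comment or of anything on the original page: it uses Python's standard urllib to show which host a browser actually connects to for a handful of constructed phishing-style URLs, and why only the rightmost labels of the hostname say whose site it is. The brand name `example-bank.com` and the attacker name `attacker.example` are made up for illustration; treating a single public suffix label (e.g. `.com`) as the boundary is a simplification, and real code should consult the Public Suffix List so that names like `example.co.uk` are handled correctly.

```python
from urllib.parse import urlsplit

# Constructed sample URLs of the kind that show up in phishing mail (not from the page).
# Key: URL as a victim might read it; value: host the browser really talks to.
SAMPLES = {
    "https://www.example-bank.com/login": "www.example-bank.com",
    # Brand name as a leftmost subdomain of an attacker-controlled zone.
    "http://www.example-bank.com.attacker.example/login": "www.example-bank.com.attacker.example",
    # Brand name hidden in the userinfo part before '@'; the browser ignores it when connecting.
    "http://www.example-bank.com@attacker.example/login": "attacker.example",
    # Brand name only appears in the path.
    "http://attacker.example/www.example-bank.com/login": "attacker.example",
    # Userinfo with a fake port, plus a real port on the attacker's host.
    "http://www.example-bank.com:80@attacker.example:8080/": "attacker.example",
}


def effective_host(url):
    """Return the lowercase host a browser would actually connect to for `url`.

    urlsplit().hostname drops the userinfo ("user:pass@") and the port, which is
    exactly what makes the '@' trick deceptive to a human reading left to right.
    """
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("URL has no host: %r" % url)
    return host


def registrable_domain(host, suffix_labels=1):
    """Rightmost `suffix_labels + 1` labels of `host`: the part that identifies the owner.

    Hostnames are read right to left, the opposite of the rest of the URL. With
    suffix_labels=1 (assumption: a single-label public suffix such as .com),
    'www.example-bank.com.attacker.example' -> 'attacker.example'.
    """
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-(suffix_labels + 1):])


def is_trusted(url, trusted_domains):
    """True only if the registrable domain of the real host is one we trust."""
    return registrable_domain(effective_host(url)) in trusted_domains


def looks_like_brand_spoof(url, brand_domain):
    """Flag a URL that mentions `brand_domain` anywhere but is not actually served by it."""
    return brand_domain in url and registrable_domain(effective_host(url)) != brand_domain


def check_samples():
    """Return {url: (real host, trusted?, spoof?)} for the constructed samples."""
    trusted = {"example-bank.com"}
    return {
        url: (effective_host(url), is_trusted(url, trusted), looks_like_brand_spoof(url, "example-bank.com"))
        for url in SAMPLES
    }


if __name__ == "__main__":
    for url, (host, ok, spoof) in check_samples().items():
        print("%-60s host=%-40s trusted=%-5s spoof=%s" % (url, host, ok, spoof))
```

Only the first sample comes out as trusted; every other one mentions the brand somewhere a reader's eye lands on, yet resolves to the attacker's zone. This is the gap the comment describes: the browser does the right thing, but the user is expected to do the same parsing by eye.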
Re:What's the point.... (Score:2, Insightful)
I don't know whether or not cybercrime has become worse or better, and I'm satisfied believing it could be directly proportional to the increase in use of the internet in '05, but one thing I do know is that we aren't teaching safe programming methods to freshly trained developers and, as a direct result, compromising a system has stayed pretty much the same for the last decade.
The bar for system compromise hasn't really been lifted as much as it should, and getting people to develop stricter programming practices is definitely an important issue that needs to be raised, but again this all comes down to cost.
Re:Lol eh what (Score:3, Insightful)
I can't imagine a better way to 'inflate' the dollar value of 'cybercrime' than to include the 'data sharing' crimes, which steal only 'potential' earnings, mostly from people who would have sacrificed on other manufactured goods etc. if they had bought said material.
You might as well take Netflix profit, inflate it by 20, and say that's what Netflix has cost the movie studios by making it super easy to watch DVDs at home.
Imaginary figures, real problem (Score:3, Insightful)
A good example of this is the British guy who recently won a court case against a spammer, thereby setting a legal precedent (as reported on Slashdot yesterday). He managed what platoons of highly paid IT experts and IT lawyers totally failed to do. No one seemed to have asked why the finest minds of our time, blah blah, were unable to find $20 to fund a suit in the UK small claims court.
Even if the true cost is a fraction of that quoted, this is still a serious matter since it is replicated in every country where there is a worthwhile IT presence. Since the IT industry seems unwilling or unable to reform itself, perhaps governments should step in with a special tax on large IT outfits in order to fund the fighting of computer crime and a severe crackdown on ISPs who happily tolerate bot farms or software houses who knock out software full of holes. Bot/zombie farms, in particular, are the oxygen of online criminals since without them their job is a lot harder. It is almost incredible that so little has been done to choke them off.
Re:my prediction (Score:2, Insightful)
- When software makers are held liable for security holes in their products. Managers and marketing will wake up then and stop demanding ridiculously tight schedules that pretty much eliminate the time a programmer could take for code review and security measures. Until there is $$ involved in punishing the culprit (corporation), there won't be any security improvements.
Re:Repost (Score:4, Insightful)
Then taking fast, effective action, e.g. banning nail clippers on airplanes.
Then, when it turns out that you had lots of information beforehand, but didn't have enough translators to handle it, you respond by harassing the competent translators and forcing them out of government service. See also Sibel Edmonds.
Re:Repost (Score:3, Insightful)
This is not just security, this is everything. People tend to ignore possibilities that reason tells them can happen, but don't seem real because they haven't happened yet. Once something happens, then they react to it and take it seriously, at least until the urgency fades.
This is basic human nature and shouldn't surprise anyone.