Sunday, March 21, 2010

Punishing Cybercrime

Is chasing cybercrooks worth it?

That's the headline to this article from CNN. I was a bit shocked to see it. The triggering event for that article was the arrest of three men who appear to have operated the "Mariposa" botnet, estimated at some 13 million infected computers. I would have expected that taking down such a significant* botnet would be followed by multiple rounds of self-congratulation, rather than by questions about the value of the whole enterprise. However, according to the article:

the whole get-the-bad-guys effort, while it makes for good drama, is a futile way to secure the Internet, some computer security experts say.

"The virus writers and the Trojan [horse] writers, they're still out there," said Tom Karygiannis, a computer scientist and senior researcher at the National Institute of Standards and Technology. "So I don't think they've deterred anyone by prosecuting these people."


It would be smarter, Karygiannis said, to develop new anti-virus technologies and to teach people how to protect themselves from Internet crime.

To my mind, the sentiment reflected in the above quote is simply wrong.

First, Karygiannis' proposed alternatives are, at best, highly imperfect solutions. With respect to user education, I suspect Karygiannis has underestimated how difficult user education actually is, though, given that it's common knowledge that people still fall for Nigerian email scams (see, e.g., here), I don't know why he would. Further, even if user education were perfect, it's not at all clear how it would protect against malware which spreads by exploiting vulnerabilities in legitimate software: a user who never opens a suspicious attachment can still be infected by a vulnerable browser rendering a booby-trapped page. Indeed, Mariposa itself has been observed to spread through vulnerabilities in Internet Explorer 6 (among other vectors, described here), so even the specific botnet addressed in the article provides a counterexample to the proposition that user education is some kind of panacea.
With respect to better anti-virus technologies, technical protection mechanisms are certainly helpful, but they aren't a panacea either. The people writing malware aren't dummies, and they constantly improve their products to keep pace with advances in security technology. A great example of how this works is Conficker, a malware program whose "unknown authors are ... believed to be tracking anti-malware efforts from network operators and law enforcement and have regularly released new variants to close the worm's own vulnerabilities" (via Wikipedia). A defense that the attacker can observe and adapt to is an arms race, not a solution.

Second, with respect to Karygiannis' comment that "I don't think they've deterred anyone by prosecuting these people," to the extent that comment is meant literally, i.e., that cybercriminals as a class are immune to the deterrent effect of criminal prosecution, it seems unbelievable. That's especially true since the arrests related to the Mariposa botnet are only part of a series of well publicized law enforcement actions against cybercriminals (for example, the recommended 25 year sentence for computer hacker Albert Gonzalez, described in this article). Further, even if it were true that prosecution of cybercriminals had no deterrent effect whatsoever, it would still have the effect of preventing the particular cybercriminals who had been prosecuted from committing further crimes. This effect, referred to as incapacitation, is something that has been well studied and documented with respect to other types of crimes (e.g., here), and there is no reason why it shouldn't apply to cybercrime as well. An operator who is in custody is not building the next variant of his botnet.

The bottom line is that punishment of cybercriminals is a necessary part of our collective defense against cybercrime. To simply focus on user education and technical protection mechanisms, while those are important tools, would do nothing to address the source of these crimes.

*Determining the actual size of botnets is, to put it mildly, an inexact science. Part of the problem is methodological: counting unique IP addresses seen over time overstates the number of infected machines (one machine can appear under many addresses as its DHCP lease changes), while counting addresses at a single instant understates it (many machines can sit behind one NAT address), and different observers use different methods. For example, this article about the size of the "Kraken" botnet pointed out that the controversy regarding Kraken's size was not limited to how many machines it controlled, but also reached more basic questions, such as whether Kraken was really separate from the older "Bobax" botnet. However, regardless of how botnet size is counted, Mariposa is undeniably huge (by comparison, Kraken was estimated at 400,000 machines, more than an order of magnitude, roughly thirty times, smaller than Mariposa's reported 13 million).


