2005 a Bad Year For Security

CowboyNeal posted more than 8 years ago | from the feels-good-to-be-gangsta dept.

Security 91

Greyfox writes "According to CNN, 2005 was a record year for security breaches, with cybercrime netting an estimated $105 billion and the Department of Homeland Security getting its cybersecurity budget cut 7%, to $16 Million. Apparently the government, just like private industry, doesn't pay attention to security until something bad happens to it."

91 comments

Whats the point.... (5, Insightful)

majjj (644070) | more than 8 years ago | (#14363417)

2005 also saw the largest use of computers on the network... so as a result the crime rate on the internet too goes up.

Re:Whats the point.... (2, Insightful)

oztiks (921504) | more than 8 years ago | (#14363811)

This is true, but this also breeds two things which are apparent these days: cybercrime is now a profitable business, and the kids these days are getting smarter at a much younger age (contact with PCs is just so prominent).

I don't know whether or not cybercrime has become worse or better, and I'm satisfied believing it could be directly proportional to the increase in use of the internet in '05, but one thing I do know is that we aren't teaching safe programming methods to freshly trained developers, and as a direct result compromising a system has stayed pretty much the same for the last decade.

The bar in system compromise hasn't really been lifted as much as it should, and getting people to develop stricter programming practices is definitely an important issue that needs to be raised, but again this all comes down to cost.

2005 a bad year for ... (1)

SgtChaireBourne (457691) | more than 8 years ago | (#14364233)

It may still go without saying, but the problems are still to be found with one particular vendor's defects at the epicenter.

Exactly, drive more cars, have more wrecks. (1)

Ruger (237212) | more than 8 years ago | (#14364609)

Stats...50% of the time they are bogus, 50% of the time they are made up.

DHS Cybersecurity? (0, Interesting)

Anonymous Coward | more than 8 years ago | (#14363424)

So what do these guys actually do? Hunt eOsama bin Laden on the intarwebs, along with other famous cyberterrorists?

Well really.. It's not their job to secure our computers, is it?

Re:DHS Cybersecurity? (1)

moro_666 (414422) | more than 8 years ago | (#14363699)


Department of Homeland Security getting its cybersecurity budget cut 7%, to $16 Million.


  With such a lousy budget on such a big content as internet, they don't do anything.

over & out

Repost (2, Interesting)

NBarnes (586109) | more than 8 years ago | (#14363430)

Governments, Not paying attention to things until something bad happens; See also September 11, 2001

Alternatively... (0, Interesting)

Anonymous Coward | more than 8 years ago | (#14363486)

Agents acting on behalf of the very highest level of the United States Government creating such problems to distract citizens from other problems, and to soften them up for fear-induced manipulation.

Such As - (0)

Anonymous Coward | more than 8 years ago | (#14363548)

1. Enron: investigations into Bush admin involvement looming.

2. Image: Puppet-Prez viewed as embarrassment and liability by own nation.

3. Oil: 'nuff said about that.

4. "New Pearl Harbor": Military-Industrial-Security complex losing ground, needs new bogeyman.

Re:Alternatively... (1)

DigitalReality (903767) | more than 8 years ago | (#14363605)

Good to know someone else feels the same. I thought I was the only one insane (or is it really SANE!?) enough to believe that.

Re:Alternatively... (0, Offtopic)

grumpygrodyguy (603716) | more than 8 years ago | (#14363630)

Good to know someone else feels the same. I thought I was the only one insane (or is it really SANE!?) enough to believe that.

I agree with you guys. Even if there was no 'conspiracy', they shamelessly capitalized on 9/11 and continue to do the things mentioned by the grandparent poster. Bush getting reelected was the most heartbreaking political event of my life (so far).

Re:Repost (3, Insightful)

jc42 (318812) | more than 8 years ago | (#14364284)

Not paying attention to things until something bad happens; See also September 11, 2001

Then taking fast, effective action, e.g. banning nail clippers on airplanes.

Then, when it turns out that you had lots of information beforehand, but didn't have enough translators to handle it, you respond by harassing the competent translators and forcing them out of government service. See also Sibel Edmonds.

Uhuh. Sure. That was it. (0)

Anonymous Coward | more than 8 years ago | (#14367377)

The Bushies and NSA/CIA et al really would love to have prevented 9/11 but you know, they lacked resources.

All these sweeping new powers and the dismemberment of the Constitution is unfortunate but necessary to protect the chiiiiiiiildren.

Right.

Re:Repost (2, Insightful)

Thuktun (221615) | more than 8 years ago | (#14365499)

Governments, Not paying attention to things until something bad happens; See also September 11, 2001

This is not just security, this is everything. People tend to ignore possibilities that reason tells them can happen, but don't seem real because they haven't happened yet. Once something happens, then they react to it and take it seriously, at least until the urgency fades.

This is basic human nature and shouldn't surprise anyone.

Re:Repost (0)

Anonymous Coward | more than 8 years ago | (#14366809)

The "terrorist" events of September 11th make no sense at all if we accept the stories being forced upon us by the authorities.

In fact those events only make sense when viewed from the perspective being offered by conspiracy theorists. The "It wasn't Osama!" conspiracy theorists I mean, not the "It was Osama!" conspiracy theorists.

If we are to accept Bin Laden to be the man as portrayed by our government, there's no reason to believe he would do the things they claim he did: 911 could never benefit himself, his causes, Islam, or terrorists. The only people it benefits are those within the Bush administration.

All of the sheep with their fingers in the ears and eyes shut who chant the "Don't attribute to malice what can be attributed to incompetence", or "Apply Occam's Razor!" mantra should heed their own words: if they did they'd see 911 for what it was: a Bush administration plot.

Smells like opportunity (0, Redundant)

The Clockwork Troll (655321) | more than 8 years ago | (#14363438)

Smells like opportunity, either in consulting for security-related services, or training in security-related certifications.

And of course, for developers with proven records in secure systems design and implementation.

I'm interested in how they calculated this number (4, Interesting)

antifoidulus (807088) | more than 8 years ago | (#14363450)

$105 billion is more than the trade deficit between the US and Japan, in other words a VERY significant chunk of change. How much of this damage was "real" as opposed to existing in name only? How did they manage to calculate such a number, and what is the overall effect on the economy? Who are the real winners and losers in this battle?

Re:I'm interested in how they calculated this numb (4, Interesting)

gbobeck (926553) | more than 8 years ago | (#14363668)

"How did they manage to calculate such a number"

It's actually fairly easy to calculate this number.

First, pick a LARGE random number. This number should be roughly equivalent to the biggest number you can think of. Next, multiply this number by 4. Finally, divide by a suitable power of 10 so that the number doesn't seem too impossible.

More seriously...

I recommend people check out attrition.org's Statistics section ( http://attrition.org/errata/statistics/introduction.html [attrition.org] )

One section I feel obligated to quote is:

"One of the largest things media outlets use to back their claims are statistics. It is absolutely incredible how many times a media outlet will quote a statistic and not credit where it came from. Further, they are fond of taking creative liberty with how they quote the article to suit their needs.

These stats cover damage to systems, percentage of intrusions, and everything else. There are simply too many instances of suspect statistics as they relate to the computer security industry to read, match and provide analysis of them all." (from http://attrition.org/errata/stats.html [attrition.org] )

Re:I'm interested in how they calculated this numb (1)

jesser (77961) | more than 8 years ago | (#14363732)

Funny that you compare it to a "trade deficit", an even more meaningless number.

Re:I'm interested in how they calculated this numb (1)

Comatose51 (687974) | more than 8 years ago | (#14364047)

Why do you say that? Just curious. I'm not an economist or anything like that.

Re:I'm interested in how they calculated this numb (1)

jesser (77961) | more than 8 years ago | (#14369428)

When the US has a "trade deficit" with Japan, Japanese companies or individuals have to be doing something with the extra money -- either investing in US companies (creating a "capital surplus") or allowing another country to import from the US (creating a "trade surplus" with a country other than Japan). The latter is sometimes called a trade triangle.

I'm not an economist either, but that's the explanation I remember from an econ class I took a few years ago.

Re:I'm interested in how they calculated this numb (0)

Anonymous Coward | more than 8 years ago | (#14363875)

>> "How did they manage to calculate such a number"

They did it in the same way that the press calculates any other number. Take the actual number, and then multiply by four to six orders of magnitude.

Re:I'm interested in how they calculated this numb (1)

boingo82 (932244) | more than 8 years ago | (#14364476)

That number is derived from a study in which they wrote down figures until one of them looked about right.

Re:I'm interested in how they calculated this numb (0)

Anonymous Coward | more than 8 years ago | (#14367236)

How did they manage to calculate such a number, and what is the overall effect on the economy? Who are the real winners and losers in this battle?


Simple. They ask insurance companies. If you thought insurance companies only controlled access to the law, healthcare and retirement income, you'd be much mistaken. Their marketing departments don't just churn out statistics to scare folk - they're an essential part of any developed country's economic planning.
The winners are people who run insurance companies. You can guess who the losers are.

my prediction (0)

Anonymous Coward | more than 8 years ago | (#14363451)

2006 - record year for security
2007 - record year for security
2008 - record year for security
2009 - record year for security
2010 - record year for security ...

Do you get the point?

When will programmers start writing secure code? When will we stop hearing "security is hard" or even worse "security is impossible"? When will people start demanding that programmers write secure code?

Re:my prediction (2, Insightful)

TallMatthew (919136) | more than 8 years ago | (#14363619)

When will programmers start writing secure code? When will we stop hearing "security is hard" or even worse "security is impossible"? When will people start demanding that programmers write secure code?

Phishing, fraudulent Ebay auctions and Nigerian lottery scams have nothing to do with poorly-written code. They have to do with poorly-thinking brains. The Internet makes a great place for fraud because you don't know who you're communicating with. Some people haven't grasped that concept yet. I guess they don't give sermons about that stuff.

In a related story, cybersex has increased as well.

Re:my prediction (2, Insightful)

jesser (77961) | more than 8 years ago | (#14363767)

Phishing, fraudulent Ebay auctions and Nigerian lottery scams have nothing to do with poorly-written code. They have to do with poorly-thinking brains.

Phishing may not have anything to do with poorly-written code, but it does have a lot to do with poorly-designed protocols and user interfaces. Phishing is as successful as it is because

(1) Most email systems do not authenticate senders (even by hostname), so it's trivial to spoof email messages.

(2) Most web browsers expect users to parse URLs in their heads in order to determine what site they're on, and then parse hostnames (which happen to be written "backwards" compared to the rest of the URL) to determine whether to trust the site.

If protocols and software were better designed, phishing would only work on extremely gullible people.
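An added illustration of point (2) above, not part of the comment and not any browser's own code: software can do the "backwards" hostname parsing and surface only the part that identifies the site. The suffix table is a constructed stand-in for the real Public Suffix List, and `mybank.example` and the sample URLs are made-up names.

```javascript
// Added example: reduce a URL to the one part that identifies the site.
// SUFFIXES is a constructed, tiny stand-in for the real Public Suffix List.
const SUFFIXES = new Set(["com", "org", "co.uk", "example", "test"]);

// Return the registrable domain ("site") for a hostname, or null when the
// hostname is itself a public suffix or matches no suffix in the table.
function registrableDomain(hostname) {
  const host = hostname.replace(/\.$/, "").toLowerCase();
  // IP literals have no label hierarchy; the whole address is the identity.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) return host;
  const labels = host.split(".");
  // The most significant label comes last, so try the longest tail first
  // and keep exactly one label to the left of the matching public suffix.
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Parse with the WHATWG URL parser (global in Node and browsers) rather
// than by eye: anything before "@" is userinfo, not the host.
function describeUrl(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol.replace(/:$/, ""),
    host: u.hostname,
    site: registrableDomain(u.hostname),
    hasUserinfo: u.username !== "" || u.password !== "",
  };
}

// Accept a link only if it is https, carries no userinfo, and its
// registrable domain equals the site the user expects to be on.
function isExpectedSite(urlString, expectedSite) {
  let d;
  try {
    d = describeUrl(urlString);
  } catch {
    return false; // unparseable input is never trusted
  }
  return d.scheme === "https" && !d.hasUserinfo && d.site === expectedSite;
}

// Constructed sample links, checked against the expected site.
const SAMPLES = [
  "https://login.mybank.example/account",
  "https://mybank.example.verify-login.test/account",
  "http://www.mybank.example@203.0.113.7/login",
  "https://shop.mybank.co.uk/",
];

function report(expectedSite) {
  return SAMPLES.map((url) => ({
    url,
    site: describeUrl(url).site,
    trusted: isExpectedSite(url, expectedSite),
  }));
}

for (const row of report("mybank.example")) {
  console.log(`${row.trusted ? "OK    " : "REJECT"} site=${row.site}  ${row.url}`);
}
```

Only the first sample is accepted; the second has the expected name at the wrong end of the hostname, and the third has it in the userinfo position.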

Re:my prediction (0)

Anonymous Coward | more than 8 years ago | (#14363928)

If protocols and software were better designed, phishing would only work on extremely gullible people.

And if extremely gullible people weren't so commonplace, phishing wouldn't work at all. It's not like phishing is a "big secret" .. there's craploads of information, warnings and the like about it.

If some retards are still falling for it after months and months of being told by their banks, paypal, ebay and every other service involving money, then big deal. Hopefully they'll get phish-phucked all the way off the internet because they're too stupid to look after themselves and their financial details.

Re:my prediction (0)

Anonymous Coward | more than 8 years ago | (#14365882)

So we shouldn't do anything about sloppy programming? We shouldn't even *try*? This is exactly the attitude that's creating the problems!

Re:my prediction (2, Insightful)

dc29A (636871) | more than 8 years ago | (#14364154)

When will programmers start writing secure code? When will we stop hearing "security is hard" or even worse "security is impossible"? When will people start demanding that programmers write secure code?

- When software makers will be held liable for security holes in their products. Managers and marketing will wake up then and stop demanding ridiculously tight schedules that pretty much eliminate the time a programmer could take for code review and security measures. Until there is no $$ involved in punishing the culprit (corporation), there won't be any security improvements.

tangibles and intangibles (1)

zogger (617870) | more than 8 years ago | (#14364837)

Commercial software sellers/leasers are in a very unique position in industry where they can call their IP a "product", treat it like that in terms of profit, yet be treated differently from a legal perspective from tangible product manufacturers. They can get patents, etc, yet are under no obligation to provide any normal consumer warranty.

I think a rather interesting case could be made by some class action involving tangible manufacturers against some software company if they have been affected because of a software exploit, etc, and had to eat the "get out of any responsibility" free card that the software manufacturers enjoy and foist upon the other companies with their protected "product". I am amazed it hasn't happened yet actually. Equal protection under the law might be an avenue to explore there. If not that then perhaps an actual change to the law might be in order to force the issue. If that becomes too scary for the intangible IP peddlers, maybe they might rethink gathering up patents and calling their offerings products. Perhaps anyway. It would be interesting to watch. ACME hardware widgets vs ACME software widgets in other words. Paraphrased and slangified - "Judge, I have to provide a warranty for my widgets, why doesn't this guy? He calls it a product, it's got patents connected to it, money changed hands, we got pwned because of this patented product, so WTF is up with that "no warranty" action?"

Because that's the way business works. (1)

Escogido (884359) | more than 8 years ago | (#14367519)

It has been noted more than once that should the software companies writing code become obliged to pay for the damages caused, the price of such software would skyrocket, as the development times will. And this won't be implemented in any one single country, since the developers there would be put at a great disadvantage. The chances of such an idea becoming law universally, of course, are infinitesimal.

On a somewhat unrelated note, free software seems to be naturally exempted from this, and is thus allowed to be all buggy and exploitable, thus losing somewhat of an edge against commercial software... so I'm not all that sure it's the direction where the wind blows right now :)

Re:Because that's the way business works. (1)

zogger (617870) | more than 8 years ago | (#14368104)

For the first year or so, sure, some big problems, all profound changes always have a difficult transition period. I certainly wouldn't dispute that. Then they would get the message after a few suits got suited back down to size and lost a bit of their pompous egofied arrogance and unreal expectations about things, and write and release better code. Society would adapt, we've certainly adapted to larger changes than that. There is and would still be a huge demand for code, that wouldn't go away, so the ones who really wanted to succeed would get to business and just do it. Yes, the marginal players and wannabes and those just coasting along would probably fail. So what?? Who cares in the long run? 100 years from now do you want to still be in a state of perpetual buggy beta ware?? Hasn't this gotten just a tad old? Isn't a half century hand holding and using legal training wheels like the no warranties-FU joe consumer perpetual whine-ware enough for this so called "industry" to be treated like a real industry? How much more time do you need to lose the diapers anyway? Got any hints? Never? Really? If so, then why exactly should consumers pay much of anything for these "products", if they are by the creators' own default admission, crapware, not even good enough for the most basic of warranties? Why is this worth serious money again then?

  You just have an ingrained mindset over two generations now that you can't write 'good enough' code. That's become a self fulfilling prophecy. I actually think much higher of coders and the industry than they do of themselves, I think it's more than possible for them to write good enough code for simple basic warranties, given an incentive and some encouragement.

    Tangible products aren't all perfect, not by a long shot, they fail, but industry has adapted to mandatory minimum warranties (there was a time that *didn't* apply, BTW, and "industry" said they couldn't do it then either, it was "too hard" and "impossible"), the failure rate is now low enough and acceptable enough that even with warranties they manage to "do business" and society has adjusted and adapted.. funny, huh, how that works?

    Becoming "responsible" for your actions has a profound effect on behavior. Or do you dispute this? You give an entire industry a perpetual excuse carved into stony law that they will never be required to produce "good enough" stuff for a warranty, why SHAZZAM, they probably won't ever do that!

    Every other business that sells a product can have a warranty, typed up bits could too, they just don't want to. IMO, if they can't/won't, then take away their patent toys, as they aren't deserved, nor do they fit the original criteria for something to be patentable either, and treat it like an artistic endeavor instead, like a typed up novel for instance, copyrights only.

As to FOSS, etc, sure, why not, if they charge money for it. Big difference between a totally free freebie and some expensive sold "product". If someone down the street hands me some widget they built and says "here, play with this, see what ya think", I know I am getting a prototype, not something sold from the store, and chances are high it could be a total piece of crap, so I treat it like that, and no hard feelings to the creator if it IS crap. On the other hand, I walk into bigmart and buy something and it don't work, then I am annoyed, and they need to make it right. That's the difference. You don't walk into bigmart and buy something with two wheels and handlebars and a seat and take it home and find out it ain't a bicycle without taking it back and getting your money back. If you ride it one day and it gets 10 flats and the spokes pop out and the frame bends this is called crapware and we as consumers can see it, and take it back under warranty. But typed up bits from this oh so important "industry" we are just supposed to both accept the ten flats and bent frames, pay money for it, then get told to shove it when it's that defective? Huh?

HAHAHAHA! Step to the other side of the transaction to see how *ludicrous* that is. Ya'all have had a half century, this way -> to the adult section of life.

I beg to differ. (1)

Escogido (884359) | more than 8 years ago | (#14368219)

Personally I am far from defending the poor programming practices and irresponsible coding; in fact, when I actually worked as a programmer, way back in the early '90s (and there weren't many of us in post-Soviet Russia then), I used to be very keen on the code quality and beta-testing. In fact, the hardest thing I get to do in my projects is persuading people to actually use some beta-testing in them. (You don't really want to know how the money is earned in IT business here these days...)

The problem that I am referring to has nothing to do with defending the bad coders and incompetent designers. It is about the inertia that the first-to-market and vendor lock-in concepts developed in the IT world. You cannot just stop a car by pressing a button, no matter how good your brakes are. And with the whole sector's business models built around models faulty in this way, I'd say it's not going to happen.

The instant the law that makes corporations liable for damages caused by malfunctioning of their software, everybody just plain stops selling software -- or get sued to bankruptcy. And that means lots of people lose jobs, nasdaq crashes, economies get another kick in the head they need so much right now etc.. Nobody in their right mind would want to do that.

That's why I don't expect a revolution anytime soon, and there doesn't seem much to be done about it.

Re:my prediction (1)

Greyfox (87712) | more than 8 years ago | (#14365448)

I worked at Data General for a while before IBM bought them out. They were working on getting a B2 certification for their UNIX and as such they had a team of programmers whose sole job was to audit every function in the OS. I was one of those. We'd get assigned a function (Printf was fun. So was awk.) and would document potential side effects of using the function, then write tests proving that the function operated exactly as documented. If there were any side effects that could be used to compromise the integrity of the system, these were documented and sent to the developers for fixing. Eventually all the documentation and test output was bundled up and sent off to the NSA for review. To give you an idea of how effective this was, I found the environment variable handling hole in telnetd 3 years before anyone realized it was there in Linux.

I've never worked at another company that I've known to hire an entire team just to do code auditing like that. Certainly the quality of most of the commercial code we see on a day to day basis doesn't seem to indicate that anything of the sort would be going on. I believe that our efforts did make the entire system overall much more secure, but most companies won't invest that level of effort unless there is some financial or legal incentive for them to do so. And most programmers won't either because they have deadlines and auditing is not viewed as a very glamorous thing to be doing. I had a lot of fun with it though, and learned more about C at that position than any college professor ever managed to get across.

Sorry Guys (1, Funny)

Anonymous Coward | more than 8 years ago | (#14363455)

Local mathematician here to update. We're still working on it. Sorry about the delay! We'll have security soon.

2005 a Bad Year For Security (0)

Anonymous Coward | more than 8 years ago | (#14363482)

Who said "SONY ROOTKIT" ?

Define "outgrown." (3, Insightful)

Phariom (941580) | more than 8 years ago | (#14363509)

"The Treasury Department says that cyber crime has now outgrown illegal drug sales in annual proceeds, netting an estimated $105 billion in 2004, the report said."

Perhaps dollarwise, yes. Dangerwise, no. I don't think any Federal agents ever had to face off with any Colombian coderunners in some remote jungle on the ass end of the world. Illegal drugs aren't going to fall off the top of the charts anytime soon just because some douche in the Treasury Department says so.

Furthermore, nine times out of ten, companies and individuals who fall for scams or suffer identity theft had it coming for total lack of judgement in how they used their personal information online or how high of a priority properly implementing security measures were for them.

Re:Define "outgrown." (2, Insightful)

hankdmoose (760291) | more than 8 years ago | (#14363521)

Or, they could just be a bit more specific. For example, they could say something like, "... in annual proceeds..." to make it more clear what they mean.

And he was modded "insightful" to boot. (nm) (0)

Anonymous Coward | more than 8 years ago | (#14364075)

nm

Re:Define "outgrown." (0)

Anonymous Coward | more than 8 years ago | (#14363719)

What the hell are Federal agents doing in some jungle anyway?

Re:Define "outgrown." (1)

Tsagadai (922574) | more than 8 years ago | (#14363772)

"The Treasury Department says that cyber crime has now outgrown illegal drug sales in annual proceeds, netting an estimated $105 billion in 2004, the report said." That sure is some big cybercrime! I wonder what fertilizer and hydro system they used?

Re:Define "outgrown." (1)

DogDude (805747) | more than 8 years ago | (#14364094)

Dangerwise, no. I don't think any Federal agents ever had to face off with any Colombian coderunners in some remote jungle on the ass end of the world

Those same Federal Agents created the danger themselves by making 100% safe drugs like pot illegal. The Drug War is completely bogus and immoral.

Drug laws make drugs dangerous. (1)

FatSean (18753) | more than 8 years ago | (#14364239)

If cybercrime got the money and attention some pot did, geeks would be in Abu Ghraib getting tortured by mannish-looking women.

They forgot the biggest cyberthreat of all! (2, Funny)

Anonymous Coward | more than 8 years ago | (#14363519)

The SLASHDOT effect!

what are you expecting (2, Insightful)

User 956 (568564) | more than 8 years ago | (#14363531)

Apparently the government, just like private industry, doesn't pay attention to security until something bad happens to it.

What do you expect? The way Congress works, nobody gets credit for *preventing* a problem. They only get attention for a fast response after everything all goes to hell.

the way Congress works, nobody gets credit (1)

dpilot (134227) | more than 8 years ago | (#14364044)

Why do you blame this one on Congress?

From what I see, just about everyone works that way, especially corporations. I wouldn't single out Congress on this one.

Re:the way Congress works, nobody gets credit (1)

User 956 (568564) | more than 8 years ago | (#14364138)

Why do you blame this one on Congress?

Well, pretty much because they're the ones setting the budget for Homeland Security, as discussed in the article. I know it sounds like wild-assed scapegoating, but there you have it.

If your point was that it's the corporations/individuals fault for not preventing the crime, well, that's like blaming your neighbor when his car gets broken into, isn't it?

"Cybercrime" is a problem because the level of the enforcement of the law makes it profitable. (People speed for the same reason, and litter, and lots of other things that aren't really enforced)

Re:the way Congress works, nobody gets credit (1)

dpilot (134227) | more than 8 years ago | (#14364599)

I wasn't talking specifically about Homeland Security, I was talking about the behavior. Neglecting prevention is Congress' fault in this situation, but they are by no means the only ones guilty of it. IMHO, businesses are even more guilty of neglecting prevention, because it frequently fails cost analysis, and because we're so bad at doing a good job at factoring risk. If we were good at cost/risk analysis, prevention would get much better play.

Re:what are you expecting (1)

Trolling4Columbine (679367) | more than 8 years ago | (#14364108)

Not only that, but I'm tired of knee-jerk know-nothings who always spout off "Budget cuts in <insert bloated spending program> means that government doesn't care about <insert contentious issue>".

Equating the spending of taxpayer dollars with a personal sense of caring and responsibility is how this country is trillions of dollars in debt.

Re:what are you expecting (1)

hankdmoose (760291) | more than 8 years ago | (#14366293)

Equating the spending of taxpayer dollars with a personal sense of caring and responsibility is how this country is trillions of dollars in debt.

No, I think the cost of "defense" is the reason the country is trillions of dollars in debt. Bombs and missiles and tanks and planes and nuclear warheads and biological and chemical weapons are expensive. Storing them all... also expensive. Expensive enough that it caused the USSR to collapse.

An extra $1.2 million here and there does not $10 trillion make. Unless there have been 100,000 such here's and there's over the last 100 years...

Frustrating but not surprising, really. (3, Interesting)

Parallax Blue (836836) | more than 8 years ago | (#14363532)

I'm not surprised. From what I hear, viruses/trojans/cyber attacks are increasingly done for profit only and not fame. And boy, money does talk... in this case, it's 105 billion doing the talking. And t3h h4x0rz are listening.

Meanwhile, a 7% drop in budget for cybersecurity under the dept. of Homeland Security! To how much? A billion, you say? Nope... 16 million. Ouch. I don't think that's nearly enough money... not by a longshot. And what about terrorist attacks on our nation's internet infrastructure? I'm sure that's been considered by the terrorists.

Doesn't sound like a good situation to me, not at all..

-PlxBlu

Horse judges or conventional law enforcement? (1)

dbIII (701233) | more than 8 years ago | (#14363674)

cybersecurity under the dept. of Homeland Security! To how much? A billion, you say? Nope... 16 million. Ouch. I don't think that's nearly enough money
I don't know - that will pay for quite a few horse judges in the uber department and is a huge budget for "cyberterrorism", but if you are going to consider actual computer crime like fraud and various attacks then a group that actually takes it seriously (and doesn't give it a name that sounds like a robot with a bomb) is probably far better suited to handling it. This is a job for conventional national law enforcement - with newer skills and money to hire people to bring in those skills.

Crime involving computers has been a combination of hype and low budgets for many years - "The Hacker Crackdown" by Bruce Sterling (free online and dead tree versions available) shows what it was like some time ago and little has changed. Back then one of the high profile computer law enforcement people really wanted the budget to buy an Amiga - but I don't think that was ever approved.

Re:Frustrating but not surprising, really. (0)

Anonymous Coward | more than 8 years ago | (#14363749)

During the Iraq war, the US military tried to cut off the Iraqis' communication infrastructure. Despite their major attempts, packets were still managing to route themselves out of the country due to the nature of the TCP/IP and routing protocols. I'd like to see 'the terrorists' doing better, and I don't say so out of national pride, seeing as I hold a British passport.

Re:Frustrating but not surprising, really. (0)

Anonymous Coward | more than 8 years ago | (#14366008)

Meanwhile, a 7% drop in budget for cybersecurity under the dept. of Homeland Security! To how much? A billion, you say? Nope... 16 million. Ouch. I don't think that's nearly enough money... not by a longshot.

So they have $16 million instead of $17 million - so what. This is not a government issue that requires millions of dollars. Every vendor the government *pays* for AV & Spyware protection is making BIG money on this alleged horrible tragedy (that hasn't happened yet and probably will fizzle out).

Tell me why Antivirus companies never get hit from viruses??

This is BS in a major way - thx /.

wolf... wolf...wolf...wolf...wolf...wolf...

The Twelfth Step in TrustABLE IT (2, Interesting)

NZheretic (23872) | more than 8 years ago | (#14363539)

From Twelve Step TrustABLE IT : VLSBs in VDNZs From TBAs [blogspot.com]
[12] Governments, organizations and individuals are becoming increasingly concerned about software compatibility, conflicts and the possible existence of spyware in the software applications they use. If you have access to the source code, then you can check it and compile it for yourself. This is not an option for closed source proprietary applications, and not everyone has the resources to check each line of source code. One solution for these issues is to employ a trusted third party, separate from the application developer, who is tasked with maintaining a trusted build environment, to build the binaries from source code. The Trusted Build Agent (TBA) would hold the source to each build in escrow, releasing the source code for only open source licensed code. Competing businesses providing a TBA service in a free market would compete with each other in not only price and level of certification, but also on the ability to detect hostile, vulnerable, incompatible or just plain buggy source code. You could request a trusted build from multiple TBAs to test the ability to detect defects. Defects would be reported back to the application developers, along with any patches and suggestions that provide a fix. To a lesser extent, most Linux distributions and other operating system vendors that build and redistribute open source licensed code already provide this role.

Re:The Twelfth Step in TrustABLE IT (0)

Anonymous Coward | more than 8 years ago | (#14366083)

The word "trust" makes me want to vomit.

Lol eh what (4, Insightful)

SmallFurryCreature (593017) | more than 8 years ago | (#14363597)

Even for a CNN article this is kinda, ehm, short? They quote figures but with absolutely no basis. 105 billion? WOW that is a huge wad of cash. But globally? Restricted to the US? 55 million Americans affected that is what like 1 in 5? Again WOW.

As for the department of Homeland Security getting a budget cut. Well is it even its task? Isn't credit card fraud something for the FBI to tackle? And social security number fraud would probably fall under either your social security agency or the IRS.

The securing of military IT would be a task for the military and I think the NSA does something with it as well. The US seems to have so many agencies to keep it secure that I cannot remember them all.

So is that 16 million perhaps the budget for the Department of Homeland Security's OWN security? Do they really have to keep the entire US of A safe with that money or just their own network?

I like a panic story as much as the next guy but at least give me some basis and do not just throw some random numbers around.

What exactly is lumped into that 105 billion dollar figure? Every bad check? Counterfeit credit cards? Stolen Half-Life keys? And whose job is it to keep us safe? Army? NSA? CIA? FBI? Local police? Department of Homeland Security? Or more likely, all of them for different parts of it?

Re:Lol eh what (0)

Anonymous Coward | more than 8 years ago | (#14363873)

The securing of military IT would be a task for the military and I think the NSA does something with it as well.

I read something that confirms that in a Dan Brown book once, so that is almost certainly not the case...

Re:Lol eh what (2, Insightful)

kesuki (321456) | more than 8 years ago | (#14363879)

clearly to come to that number they're calculating $1 for every mp3 traded over kazaa, emule etc... and $20 for every movie over said p2p services...

i can't imagine a better way to 'inflate' the dollar value of 'cybercrime' than to include the 'data sharing' crimes, which steal only 'potential' earnings, mostly from people who would have sacrificed on other manufactured goods etc if they had bought said material.

you might as well take netflix profit, inflate it by 20, and say that's what netflix has cost the movie studios by making it super easy to watch dvds at home.

Answer (1)

tacokill (531275) | more than 8 years ago | (#14364747)

"And whose job is it to keep us safe? Army? NSA? CIA? FBI? Local police? Department of Homeland Security?"

It's YOUR job. Not the government's.

No incentive (0)

Anonymous Coward | more than 8 years ago | (#14364916)

There is no incentive for any government policing agency to lobby and work towards total secure code for "the public". They are just as much in the rooting business as any other black hatter out there. Having well secured code in the general public's hands is counterproductive for the total information surveillance society from their POV. For themselves, yes, for everyone else, nope. And the different agencies spy on each other as well, so there ya go, a situation that enforces the status quo of insecure software in general terms.

This is not likely to change soon (2, Insightful)

steinnes (774991) | more than 8 years ago | (#14363608)

We've still got overall internet usage increasing quite a bit every year, so just like everyone else, more criminals are getting online. There are so many aspects of the internet which have yet to be discovered by organized crime factions that find flaws in social systems to make money all the time, and it would be natural to assume that they will be discovering new criminal ways to make money on the internet over the next 5-6 years at least.

Not until we reach some sort of plateau in internet usage growth can we even start expecting cybercrime figures to start going down, but at the moment it's a growing market, and one which is largely untouched by organized crime and thus probably still rather ripe.

My information got compromised twice (2, Interesting)

cyberkahn (398201) | more than 8 years ago | (#14363690)

My information got compromised twice. The first incident was with eCheck (used at the time by Scottrade), which got hacked into. The other incident was with Colorado Technical University, in which an employee inadvertently mailed out an attachment with a roster of students. This roster included my whole life basically. Perhaps until there is some general law of accountability e.g. SOX, GLBA, or HIPAA companies and institutions will take protecting information more seriously? Perhaps when the cost of security is less than the legal suits that will follow the incident, they will be more proactive? The hacking incident might have been more difficult to guard against, but the email incident could have easily been prevented with something like Entrust [entrust.com].

Re:My information got compromised twice (1)

stonecold_phb (894554) | more than 8 years ago | (#14365289)

Did you sue Colorado TU for gross negligence?

I don't believe in frivolous lawsuits, but this was a good opportunity to highlight the situation with the media, as well as hurt them where it counts (the pocket).

While... (1)

ddx Christ (907967) | more than 8 years ago | (#14363714)

While I'm not sure how they are able to come up with such numbers, it's fairly obvious that internet-related crime has increased. After all, with each year more people sign on, more options are available, new technology, and new ways to trick others pop up.

I've seen first hand an increase in phishing attempts this year because I've had to fix - mostly clean - more relatives' computers. More spyware too. I'd say that most of us would agree. It's a shame, really. But I'll also be the first to admit that I've earned some cash on the side because of it. It's not something I'm proud of, but it was offered. It shouldn't have to come to that. Ah well. We'll manage. More threats arise with each year. I think that has something to do with the passage of time though, no?

This explains a lot (2, Insightful)

Anonymous Coward | more than 8 years ago | (#14363717)

For Christ's sake, this kind of bitching is the exact reason you guys have ended up with that Patriot Act mess. For a start, rejoice that they've scaled Homeland Security back. It means that they're actually admitting that there's less terrorist threat than before, and that they're not trying to maintain the police state indefinitely.

As for the government not taking security seriously until something bad happens to it... all I can say to that is a big loud fart, since for the last five years of my life, which is a good 25%, not to mention the most recent 25%, all I've known is government obsession with security. It leaks down too. Businesses stop you taking photos of their buildings by means of scary guards, "because of terrorism".

The real reasons it was a bad year for security are things like the first collisions found for heavily-relied-on encryption methods. You won't find that kind of stuff on CNN though.

Re:This explains a lot (1)

Arcady13 (656165) | more than 8 years ago | (#14363770)

They probably cut the homeland security budget because most of Bush's buddies have been removed from that office. Whatever section they now inhabit probably saw an increase. Let's see what part of government his old drinking buddies can screw up next!

Re:This explains a lot (0)

Anonymous Coward | more than 8 years ago | (#14363868)

I agree that the Patriot Act is an abomination to our civil liberties, but I don't agree HSI should be scaled back. I work conducting research at Purdue HSI and find that the funds are needed to conduct better research especially within economics of information security. We need to really know how much it costs first before the government will invest into computer security.

Re:This explains a lot (1)

stonecold_phb (894554) | more than 8 years ago | (#14365343)

Could it be that the government has always been obsessed with security? Only recently (past 5 years) has instant communication really taken hold for the common person.

Technology has grown so fast that we have had to throw out the book on traditional security models and reinvent the wheel behind the technology curve.

Add in that we do not really know what is going on behind the government curtain and the Dept. of Homeland Security is quite possibly just a PR stunt to make the sheeple feel comfortable. If it's not terrorism, it's the commies/cartels/nazis/etc... A common enemy is the best way to herd the sheeple.

WebTrends spying on whitehouse? (1)

davidsyes (765062) | more than 8 years ago | (#14363818)

http://news.yahoo.com/s/ap/20051230/ap_on_hi_te/white_house_bug [yahoo.com]:

"Cookies from the White House site are not generated simply by visiting it, according to analyses by the AP and by Richard M. Smith, a security consultant in Cambridge, Mass., who first noticed the Web bug this week.

Rather, WebTrends cookies are sometimes created when visiting other WebTrends clients. Smith said his analysis of network traffic shows such preexisting cookies have then been used when visiting the White House site."

Hmmm... Seems they were using web bugs, cookies/etc to track "something". Now, THEY'RE being investigated.

Just the other day, in my:

http://slashdot.org/comments.pl?sid=172431&cid=14359599 [slashdot.org]

I commented that it's not just the CIA and other spook shops that track and do things, but I hadn't considered a rogue contractor doing things on its own. Then again, this could be yet another smokescreen to make "contractors" look worse than the government and deflect public attention.

Wow! Just under 45 hours 'til the end of the year; I wonder what OTHER stories we'll see before the fireworks light up...

image word: abrade

Tick tick tick (0)

Anonymous Coward | more than 8 years ago | (#14363882)

These are your leaders, folks. This is how they protect ya. Broadly spying on the communications of American citizens without constitutional authority? Sure! Securing the national computing infrastructure, or at least funding the incident response guys? Nahhhh, why bother.

Imaginary figures, real problem (2, Insightful)

FishandChips (695645) | more than 8 years ago | (#14363902)

It's hard to think of any other industry that costs society $105 billion a year but which goes unscathed, largely unregulated, the darling of the stock market and haven for some of the finest minds around, etc., etc. Not the least of the difficulties with cybersecurity is that it's a world of smoke and mirrors in which nearly all the statistics are bogus and all the players claim it's the next guy's problem, not theirs.

A good example of this is the British guy who recently won a court case against a spammer, thereby setting a legal precedent (as reported on Slashdot yesterday). He managed what platoons of highly paid IT experts and IT lawyers totally failed to do. No one seemed to have asked why the finest minds of our time, blah blah, were unable to find $20 to fund a suit in the UK small claims court.

Even if the true cost is a fraction of that quoted, this is still a serious matter since it is replicated in every country where there is a worthwhile IT presence. Since the IT industry seems unwilling or unable to reform itself, perhaps governments should step in with a special tax on large IT outfits in order to fund the fighting of computer crime and a severe crackdown on ISPs who happily tolerate bot farms or software houses who knock out software full of holes. Bot/zombie farms, in particular, are the oxygen of online criminals since without them their job is a lot harder. It is almost incredible that so little has been done to choke them off.

Re:Imaginary figures, real problem (1)

WhiteWolf666 (145211) | more than 8 years ago | (#14363986)

A good example of this is the British guy who recently won a court case against a spammer, thereby setting a legal precedent (as reported on Slashdot yesterday). He managed what platoons of highly paid IT experts and IT lawyers totally failed to do. No one seemed to have asked why the finest minds of our time, blah blah, were unable to find $20 to fund a suit in the UK small claims court.

This may work for domestic spammers. The only effect it will have is to drive spamming overseas.

Even if you can sue someone internationally, it's really, really expensive.



Even if the true cost is a fraction of that quoted, this is still a serious matter since it is replicated in every country where there is a worthwhile IT presence. Since the IT industry seems unwilling or unable to reform itself, perhaps governments should step in with a special tax on large IT outfits in order to fund the fighting of computer crime and a severe crackdown on ISPs who happily tolerate bot farms or software houses who knock out software full of holes. Bot/zombie farms, in particular, are the oxygen of online criminals since without them their job is a lot harder. It is almost incredible that so little has been done to choke them off.

The IT industry does reform itself. We've got competition in the industry.

Companies that do not want to be vulnerable to infection do not select Microsoft as a vendor. It's really that simple.

Companies that have migrated to Linux, or OS X, or Solaris, or whatever do not experience these security problems, or experience them on a much, much smaller scale.

Don Henley's latest Hit (1)

thaerin (937575) | more than 8 years ago | (#14364073)

The Garden of Ahhah (hahahahahahahaha) "It was a pretty big year for crashin' A lousy year for Cisco and vole The people gave their paychecks to crimes of phishin' It was a dark, dark night for the collection bowl."

Honest question... (1)

ErichTheRed (39327) | more than 8 years ago | (#14364185)

I'm an admin-type who has to deal with the aftermath of these security problems, but I've always wondered who actually has the time on their hands to discover them. This is especially true for some of the incredibly obscure holes that have popped up in Windows recently.

Half-jokingly, do malevolent organizations pay a legion of nerds full-time salaries and all the Jolt they can drink to hack on code all day? Or is it lone crackers who just want to be first with a new exploit?

Even if I wasn't married or had a house to help take care of, I don't think I could invest the time required to find some of the crazy exploits that are coming to light now.

Re:Honest question... (0)

Anonymous Coward | more than 8 years ago | (#14368331)

some do it because they like to learn about computers in general.
i sat on efnet for a few years gathering up advice, info, and etc..
until i realized 90% of the users are leeches of others work in infosec.

sooo i sat on redhat 7.2 until i found a bug for a local root.
it was in sudo.

then i quit using efnet when i found a job with a CLEC. i don't have
time for scouring source code for a bug anymore.

and i will not use my vacation time either.. that is for family and friends.

soo it is the young kids mostly in my opinion. 15-23 yrs.

Actually, they do pay attention (1)

jc42 (318812) | more than 8 years ago | (#14364230)

Apparently the government, just like private industry, doesn't pay attention to security until something bad happens to it.

Sure, they pay attention. They make sure they've got plenty of meaningless but showy actions and PR releases in place to convince the public that they're doing something. Just like private industry, if you think about it.

Then, when something bad happens, it's more of the same.

Meanwhile, if someone points out a real, specific problem that could be fixed, the usual response of both public and private organizations is to attack the messenger rather than the problem. And to increase secrecy, so that other problems can't be found easily and we can pretend that they don't exist.

It Is NOT Just The Net (2, Interesting)

camperslo (704715) | more than 8 years ago | (#14364343)

They're talking about tech (data) security overall, not just the net. The losses result from a variety of problems. Identity theft is high on the list I'm sure. While the online side of this is the first thing we tend to think of, it is also occurring at the retail/mailbox/trashcan/employee level. I read a recent article which pointed out that law enforcement was only fairly recently catching on to the motivation behind one large segment of identity theft. An increasing number of meth addicts are turning to identity theft in addition to more traditional crime to finance drug purchases. A deep understanding of what is happening is essential to dealing with our problems. While efforts to go after criminals after the fact are very important, we need to go beyond that and work at many types of prevention. Education of the public, data handlers, and other areas of law enforcement are essential. Some businesses need some major changes to improve security, and they have been too slow in coming. When companies focus on profits while neglecting the public good, regulation has failed. It's partly the fault of laws limiting liability that Windows continues to be so insecure. Credit card companies seem to be too busy ripping off their customers through obscenely high interest rates and fees generated through unethical behaviours including unethical promotions, contract terms, and business practices. If the credit industry were properly regulated and having to function on more reasonable rates, they'd have more incentive to protect those profits by improving the security of the system. As it is, as long as we're healthy enough for them to feed on, they're happy. (Sounds like the Wraith??)

It is very misleading to measure what's going on here by the amount of funding to one agency. The roots of our problems go far deeper than that. What we're needing is increased insight, reform, caring, and honesty in all levels of government and throughout society. Much of what government has done through improper regulation, especially at the federal level, has permitted us to be ripped off from all directions.
The banking deregulation act of 1980 let banks profit while the public was ripped off. It cost us over $1300 PER HOUSEHOLD. The picture grows larger. Some of the bad regulation and enforcement is from political corruption. Still other regulations encourage that. The F.C.C., who has left us ripe for feeding the cable/ISP/cellular/phone companies, has also undermined a core part of our society by changing regulations in a way where commercial broadcasters have strayed far from being responsible trustees of the public interest. We ought to have locally owned licensees (living in the coverage area of stations they own). Instead we've got the broadcast counterpart of Wal-Mart. They're masking much news that matters, and pushing many bad products and behaviours. As a start, if broadcasters had to provide fair and equal political information for free (NO PAID POLITICAL ADS), we'd have far less trouble with politicians needing to sell their souls to fund their campaigns. The media is also more directly connected to some of the lower-tech scams. Has anyone else noticed all of the scammers on info-mercials? Most are not high-tech, although some hide behind satellite phones.
Changing the rules relating to advertising brought us infomercials, drug ads, and attorney ads. If station ownership was far more diverse, we'd have fewer bad regulations sneaking through while the media acts like one giant eye focusing on one thing excessively while something much worse is happening.
I think many of our problems, including financial security, are more effectively tackled through good policy than brute-force spending.

"Good God Katie! This is supposed to be a news show!" - Jim Carrey on the Today Show, as Katie goes into the usual fluff in spite of the people of New York struggling with freezing temperatures outside while having no public transportation.

RIAA/MPAA agitprop (1)

gelfling (6534) | more than 8 years ago | (#14365352)

I'm sure most of that figure is made up by the **AA in terms of 'pirated intellectual property' and has nothing directly to do with security at all.

Ok, ok... (1)

ovit (246181) | more than 8 years ago | (#14366041)

I call shenanigans on this article.

Those numbers appear to be made of PURE foo foo dust.

      td

How do they know? (1)

NetRAVEN5000 (905777) | more than 8 years ago | (#14366693)

"cyber crime has now outgrown illegal drug sales in annual proceeds, netting an estimated $105 billion in 2004, the report said."


. . . how do they know how much money drug lords make? Are they somehow monitoring ALL the drug deals and not making a move to stop drug deals that they KNOW ABOUT?


How do they know how many drugs are sold - surely not every drug user or dealer gets busted. . .

Re:How do they know? (1)

TallMatthew (919136) | more than 8 years ago | (#14368410)

. . . how do they know how much money drug lords make? Are they somehow monitoring ALL the drug deals and not making a move to stop drug deals that they KNOW ABOUT?

That's a really good question. In terms of volume (the measurement, not the quantity), the amount of cocaine alone flowing across the borders to the streets defies lack of detection. Something on the order of a skyscraper on a daily basis, I suspect. A big one. How does one accomplish that? Hmmm....

Re:How do they know? (1)

TallMatthew (919136) | more than 8 years ago | (#14368451)

It's pretty lame to reply to your own post, I know, but it's worth noting that all the cocaine in the world is grown in a region of Central America roughly the size of Iraq. With the same troop deployment and budget currently being spent in the Middle East, we could have eradicated cocaine crops from the face of the earth, saved countless lives and families, reduced the crime rate in this country by 50% immediately, kept kids alive and out of jail and destroyed the business of the most powerful criminals alive. Nope. Not interested.

The same goes with Afghanistan. 90% of the world's opium is grown there. We have an occupying force there, why not have them torch the crops? Nope. Not interested. Heroin remains as available on American streets as it ever has been.

Regardless of what you think of drug addicts, ridding the world of the dope that gets them high does society a world of good. Crime and drugs go hand in hand. We could absolutely do something about it. The reasons we're not are pretty frightening.

complexity (1)

MikeURL (890801) | more than 8 years ago | (#14367666)

This isn't going to get better, it is going to get worse. Look at human beings...extremely complex and complete with an operating system that is CONSCIOUS. Man it can actually tell you when something is wrong. But even a conscious operating system sometimes misses low level hacks until it is too late. Then you have to call in the network admins to try to do some selective reboots which are not always successful.

Computer systems are very complex, not as complex as humans yet but pretty complex. Their operating systems are not conscious but their admins' operating systems are, usually. As the complexity of computer systems goes up and up and up you're going to reach a point where the network will become conscious itself. Up until that point the number of hacks, breakdowns, etc is going to increase. Right after consciousness is achieved by the network these attacks will decline greatly as the system becomes able to point to where it hurts and either fix itself or call in network admins.

If you're wondering, no, I am NOT currently on LSD.

Companies are required to disclose breaches now (0)

Anonymous Coward | more than 8 years ago | (#14368268)

I don't know about all states, but California requires companies to admit any case where personal information may have been leaked, as opposed to being somewhat optional before. And since large companies tend to do business in California (along with the other states), we've had more disclosures.

And of course, there are the other common sense reasons too -- more computers, etc..