On the Matter of Brian Krebs.
The WWW of Brian Krebs, perhaps the second-most-worshiped[1] patron saint to all English-speaking "computer security" charlatans -- is sitting sadly offline today on account of a ~TB/sec DDOS flood.[2]
His titanic bandwidth, it turns out, was provided gratis by Akamai - spamatronicists par excellence and industrial-scale enablers of everything that makes the modern-day WWW a rancid sewer. Until it wasn't. As soon as Krebs began to cost them serious coin, he was dropped like a discarded candy wrapper.
And I'm expected, apparently, to see the misadventures of Krebs as a lamentable thing. But I do not -- and am quite ready to explain why not to the patient and curious reader.
Krebs is renowned for his investigations of "cybercrime", which in his eyes consists of Russian (for some... reason - almost exclusively Russian) spammers, malware artists, and "carders".
Now, spam as we know it exists largely for two purposes: to mooch, by various means, from the great gas giants of advertising-crapolade, e.g., Google; and to spread malware. The latter exists mainly to facilitate "carding."[3]
And if we listen to Krebs and his ilk, we might believe that these problems are problems because there is a faraway country, full of evil untermenschen, who like nothing more than to steal the last penny from every honest American Joe, and to pollute his Precious Bodily Fluids. And who decided that the best way to do this is to write virii and send spam.
And Krebs would also have us believe that the pill against such headaches is to make a pompous WWW site, with many flow charts, containing some names of especially-uppity untermenschen who are then to be kidnapped by NATO gauleiters and shipped, bound and gagged, to American prisons.
Now apparently, if we listen to Krebs et al., writing virii is a "cybercrime" -- but forcefeeding Microsoft's sorry excuse for an operating system to the ~entire planet, for decades, somehow is not.
And stealing credit card numbers is a "cybercrime" -- but forcing people to use a financial system where someone can drain your account by learning a constant string, printed in plain text[4] on a piece of plastic in your pocket, somehow is not.
And guess what else - distributing amateur-hour "spyware" is a "cybercrime" -- but artfully sabotaging open source software somehow is not. When you're the NSA.
Because it is not about "crime". It is about the hegemony of a particular set of crowned criminals whom Krebs shills for.
When I wrote to Krebs regarding the Mahmood Khadeer bombshell - the most recent and spectacular of a series of discoveries proving the existence, in the wild, of sabotaged PGP clients - there was no response.
Which, in retrospect, ought to have been no sort of surprise. Because the mass[5] sabotage of RSA implementations was not a crime authored by any criminal Krebs is interested in prosecuting, but by his beloved masters. Who hung him out to dry today. "The world's smallest violin plays."
Edit:
The next day, Krebs was taken under the wing of Google's "Project Shield":
Project Shield welcomes applications from websites serving news, human rights, or elections monitoring content. We do not provide service to other types of content, including gaming, businesses, or individual blogs. See our User Content and Conduct Policy for more details.
Say hello to The Internet of the Future! Where USG shills are hosted on an "infrastructural", one-way TV-style "Internet", and everybody else gets to inhabit the remains of the old, DDOSable kind.
[1] After Schneier, of course. ↩
[2] The DDOS-enabling design of the Internet as we know it is no accident. ↩
[3] "Carding" is a crime which happens at the pleasure of certain banks, who profit handsomely from it. This is not an especially well-kept secret. ↩
[4] Public-key cryptography has been around for quite a while. ↩
[5] We've found, one can surmise, only the tip of the Birthday Theorem iceberg thus far. ↩
"a financial system where someone can drain your account by learning a constant string, printed in plain text on a piece of plastic in your pocket"
Compounded by the fact that every time the credit card is used online that constant string is passed over the internet to another person who then must be trusted to keep it safe and secure. It is surprising that there is not more credit card fraud than there is currently.
Would the whole stolen credit card problem go away if they switched to something like RSA signed transactions?
Dear PeterL,
The recently mandated "chip card" that still spits out the same string on every use removed all doubt as to the actual reason for CC fraud still being a going concern.
There is no logical reason to expect actual solutions from people who profit from a festering problem.
Yours,
-Stanislav
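The contrast raised in the exchange above (the post's "constant string" and PeterL's signed-transaction alternative), as an added example that is not from the post or its comments: a constructed issuer that honours a fixed card string beside one that honours only a per-transaction signature over card, merchant, amount and nonce. HMAC with a key shared between card and issuer stands in for the RSA signature PeterL mentions (an assumption, so the example runs on the standard library alone); all card names and values are constructed.

```python
import hmac
import hashlib
import secrets

# Model A: the card is a constant string; anyone who has learned it can charge it.
class StaticStringIssuer:
    def __init__(self):
        self.balances = {"4111-constructed-pan": 1000}  # constructed sample card

    def authorize(self, pan, amount):
        if self.balances.get(pan, 0) >= amount:
            self.balances[pan] -= amount
            return True
        return False

# Model B: the card signs (card, merchant, amount, nonce) and the issuer refuses to
# honour a nonce twice. HMAC with a per-card key shared between card and issuer
# stands in for an RSA signature (assumption) so this runs on the stdlib alone.
class SignedTxIssuer:
    def __init__(self):
        self.keys = {"card-42": secrets.token_bytes(32)}  # constructed card key
        self.balances = {"card-42": 1000}
        self.seen = set()  # (card, nonce) pairs already consumed

    def card_sign(self, card, merchant, amount, nonce):
        # Would run inside the card; the key never leaves it in the real design.
        msg = f"{card}|{merchant}|{amount}|{nonce}".encode()
        return hmac.new(self.keys[card], msg, hashlib.sha256).hexdigest()

    def authorize(self, card, merchant, amount, nonce, tag):
        if card not in self.keys or (card, nonce) in self.seen:
            return False  # unknown card or replayed authorization
        expected = self.card_sign(card, merchant, amount, nonce)
        if not hmac.compare_digest(expected, tag) or self.balances[card] < amount:
            return False  # tampered fields, wrong merchant, or insufficient funds
        self.seen.add((card, nonce))
        self.balances[card] -= amount
        return True

def demo():
    a = StaticStringIssuer()
    static_first = a.authorize("4111-constructed-pan", 100)
    static_replay = a.authorize("4111-constructed-pan", 100)  # string reused at will
    b = SignedTxIssuer()
    nonce = secrets.token_hex(8)
    tag = b.card_sign("card-42", "shop-A", 100, nonce)  # one genuine purchase
    return {"static_first": static_first, "static_replay": static_replay,
            "signed_genuine": b.authorize("card-42", "shop-A", 100, nonce, tag),
            "signed_replay": b.authorize("card-42", "shop-A", 100, nonce, tag),
            "signed_altered_amount": b.authorize("card-42", "shop-A", 900, secrets.token_hex(8), tag),
            "signed_other_merchant": b.authorize("card-42", "shop-B", 100, secrets.token_hex(8), tag)}
```

The captured static string authorizes a second charge; the captured signed authorization is useless for a replay, a different amount, or a different merchant.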
The follow-on effects go deeper. See the whole "combatting fraud" dog-and-pony show introduced all sorts of measures that inspect anything and everything it can get its grubby hands on, increasingly powered by ever more "sophisticated" software trying to predict what you're doing next. If you don't match those expectations, then obviously you're a fraud and a crook. Conversely, if charges to your card don't raise red flags then your complaints that you didn't order any of those to be made are likewise fraudulent. See how that works? Heads, you lose; tails, the card company wins.
Now, I have no proof whatsoever that this is premeditated or deliberate, but it certainly is the obvious outcome of the way the "security" is structured. Electronic fiat handling is curiously uniformly set up and invariably means that if you're not the bank, you lose. Control, money, reputation, freedom, and so on.
It is but a little speculation to posit this is why governments got into the AML/KYC rigmarole: They saw the combatting fraud pretext being done and wanted in on that game, for information is power and having the mechanisms in place to cut individuals out of the system with convenient excuses is just prudence, if you think that way. And on the other side, it neatly explains why banks didn't utter a peep in defence of their formerly presumed to be innocent until proven otherwise clientele. They were doing the pre-crime policing already anyway.
I don't know what really curbs the fraud, but it may well be that the whole thing is too onerous to touch, rather than effectiveness of individual measures. Why legitimate users still wade in that filth, I don't know either.
Dear Chief Fetters,
The basic scam is more or less precisely as you describe (see this discussion re: "biometrics", for instance).
The large merchants (e.g., Amazon, Walmart) are not satisfied with the status quo, and are hard at work to shift the burden back to the consumer - British-style.
"Legitimate users wade in the filth" because they - at least in the "civilized" world - have approximately zero say in the matter.
Yours,
-Stanislav
The links back to the text in the footnotes (the "↩" symbols) don't work.