Archive for February, 2007

Back in the old days, hackers took the old Indian approach of “counting coup:” they penetrated a network just to say they did it, left you a little file that said “HI” and then departed. Even malicious hackers contented themselves with erasing your disk drive — a huge nuisance but recoverable; anyway if you weren’t backed up properly, a misfortune you maybe deserved. But now, hacking is strictly for profit and there’s a formal and all-too-real economy that’s risen around it.

Hacking gangs use schemes such as keystroke-logger programs, trojan programs, and phishing sites to extract your personal data, which they either use themselves or resell to others. And just like any other marketplace, there’s a going rate for various commodities. Trend Micro, a security vendor in Tokyo, believes that the following prices are currently representative for these kinds of data:

  • $490 — credit card number with its PIN;
  • $70 – $300 — account data including name, account number, SSN, address, and birth date;
  • $150 — driver’s license number;
  • $100 — valid SSN card;
  • $6 – $25 — credit card number, expiration date, and CVV2 (security code);
  • $6 — PayPal account login and password.

In addition to what’s lost to automated data capture or willing disclosure through phishing sites, all the corporate and governmental data losses (that seem to happen about every few weeks) just add more data to this underground economy. Your data becomes their profits.

Furthermore, Trend Micro states that for anywhere from $1,000 to $5,000 a thief can get a modifiable trojan program to go out and acquire their own data. Internet Security Systems (now a division of IBM) issued a report last year describing how organized these gangs are: “Managed exploit providers are purchasing exploit code from the underground, encrypting it so it can’t be pirated, and selling it for top dollar to spam distributors.” The result? The Anti-Phishing Working Group noted that in December 2006 there were 340 new keylogger and trojan variants reported to them.

The real hotbed of these hacker gangs is currently in eastern Europe, Russia, China, and the US. Especially in the case of the first two, there’s a volatile mix of well-educated and technologically-skilled young people with an inadequate supply of legitimate job opportunities and so a great temptation to get into the business. And in some of these places, notably China and Romania, it isn’t against the law to grab data from other people.

Needless to say, these guys are fast on their feet (or their mice, as the case may be) and the police are really at a disadvantage in trying to take them on. But that’s a story for another post. Have a nice day!

A few links of interest, related to your data:

The Anti-Phishing Working Group

FBI’s Internet Crime Complaint Center

Privacy Rights Clearinghouse


So you think we have enemies abroad trying to do us in? It would be hard for them to do the damage that we’re doing to ourselves, if we don’t get a handle on the education of our children — and obviously also remedial education of our adults. The 2005 data from the National Assessment of Educational Progress 12th-grade tests were just released, and the results are uniformly grim. What the tests found out:

  • Over all student groups except the highest-performing, reading competence declined in comparison to 1990. Whereas 20% of students failed to meet the “basic” level in 1990, the number is now 28% failing. For example, if they can’t read at the “basic” level they would likely not be able to read a bus schedule to find the time when the lowest fare was in force.
  • The secular comparison in mathematics is not valid because they changed the test too much since 1990. But regardless:
  • Fewer than 25% of students are rated as “proficient” at mathematics, and a dismal 2% were rated as “advanced.”
  • 39% of math students couldn’t even perform at the “Basic” level, which means that they can’t be expected to handle the most primitive calculations, such as determining how much some item in a store costs per ounce.

And of course this carries forward through college and into the real world. In a recent MIT Technology Review article, David Duncan reports on a paper by Michigan State University political scientist Jon D. Miller presented to the American Association for the Advancement of Science meeting last week. By his measurement, only 28% of Americans are “scientifically literate.” The good news here is that in 1988 the same study came up with only 10% scientific literacy. But this is still a significant problem — as Duncan says,

“This level of science illiteracy may explain why over 40 percent of Americans do not believe in evolution and about 20 percent, when asked if the earth orbits the sun or vice versa, say it’s the sun that does the orbiting–placing these people in the same camp as the Inquisition that punished Galileo almost 400 years ago. It also explains the extraordinary disconnect between scientists and much of the public over issues the scientists think were settled long ago–never mind newer discoveries and research on topics such as the use of chimeras to study cancer, or pills that may extend life span by 30 or 40 percent.”

This is pretty scary stuff, if you think these people are somehow going to compete with engineers, scientists, and businessmen from India or Russia (where they are hungry and motivated), much less those from China. Don’t kid yourself, we have the standard of living we have not because we want it or deserve it, but because we have made it through our knowledge and our ability to apply it. The numbers I see above say we won’t be enjoying this standard much longer.

Well, this report was issued this week, and except for the odd article in the newspaper, there doesn’t seem to be much reaction from anybody. Maybe it’s because they can’t read it — or the writing on the wall.


Much of the criticism against the Bush Administration concerns the almost hopeless incompetence of their execution of this war — underplanning, underfunding, under-trooping, and allowing the most colossal level of war-profiteering in history. But there is something more profound, one of failing to understand the jihadist movement at its most basic and motivational level, and of failing to devise suitable policies and tactics to counter it at this level. As my father always said (speaking of his experience in WW2): “the professional military is always busy preparing for and fighting the last war.”

So imagine my joy to find a very levelheaded analysis of this problem — discussed not from a partisan standpoint, but one steeped in the current geo-political realities and in the social sciences — in the New Yorker Magazine. A small sample:

“Since September 11th, the government’s traditional approach to national security has proved inadequate in one area after another. The intelligence agencies habitually rely on satellites and spies, when most of the information that matters now, as Kilcullen pointed out, is “open source”—available to anyone with an Internet connection. Traditional diplomacy, with its emphasis on treaties and geopolitical debates, is less relevant than the ability to understand and influence foreign populations—not in their councils of state but in their villages and slums. And future enemies are unlikely to confront the world’s overwhelming military power with conventional warfare; technology-assisted insurgency is proving far more effective. At the highest levels of Western governments, the failure of traditional approaches to counter the jihadist threat has had a paralyzing effect. “I sense we’ve lost the ability to think strategically,” Field Marshal Sir Peter Inge, the former chief of the British armed forces, has said of his government. He could have been describing the White House and the Pentagon.”
Terms like “totalitarianism” and “Islamofascism,” . . . which stir the American historical memory, mislead policymakers into greatly increasing the number of our enemies and coming up with wrongheaded strategies against them.
In other words, even if we think that a jihadi in Yemen has ideas similar to those of an Islamist in Java, we have to approach them in discrete ways, both to prevent them from becoming a unified movement and because their particular political yearnings are different.

I encourage you to read this article. It points out both the poverty of our current policy approach and what some of the correct baseline policies might be, policies that lead to strategies that in turn help us devise tactics that will — eventually — help us successfully recover from our impending defeat in Iraq. If, that is, we can find the patience to implement things that take more than one election cycle to bear fruit.


Just recently the GAO released a status report on the state of federal programs and operations that are high risk due to their greater vulnerabilities to fraud, waste, abuse, and mismanagement. This is a wide-ranging, recurring examination that seeks to identify stuff that needs to be fixed, and now.

Among their other findings, they pointedly identified the Department of Homeland Security and its laughably-named National Cyber Security Division, which it stated did not meet “any of its key responsibilities,” for example completing national cyber threat and vulnerability assessments or public/private recovery plans for cybersecurity.

A few quotes:

“More than 5 years after 9/11, the federal government still lacks an implemented set of policies and processes for sharing terrorism information . . . However, as we reported in March 2006, the federal government still has not implemented the governmentwide policies and processes that the 9/11 Commission recommended and that Congress

“DHS has produced a strategic plan that contains most elements required by the Government Performance and Results Act and the under secretary of management is working to integrate some management functions. However, DHS has not linked its goals to resource requirements in its strategic plan and has not involved all stakeholders in its strategic planning process. Moreover, DHS lacks not only a comprehensive strategy with overall goals and a timeline but also a dedicated management integration team to support its management integration efforts.”

So it would seem that operationally they’re just spinning their wheels. Do we know where all the expenditures for this inaction are going? The financial examination is not hopeful:

“DHS and its components are developing corrective action plans to address material weaknesses identified by the financial statement auditor, but recent audits found its financial systems do not conform to federal requirements, and (its) financial statements contain numerous material weaknesses.”

In other words, things are out of control. This is a similar pattern to what we see elsewhere, even in Iraq: the Administration’s rapacious view of the Federal treasury as their own kitty to use to award sole-source contracts to their friends, at a scale unheard-of in the last century. I’m a taxpayer, I want my money back!

Now, if this were just the usual stuff of the William Proxmire “Golden Fleece” award genre, it would be one thing: deplorable. But these guys are supposed to be protecting us from terrorists as well as the rapidly-deteriorating weather, and that puts their failings in a totally different light. This is life-or-death kinds of stuff, friends; our lives and livelihoods depend on their doing it right. What’s wrong with us, that we accept this kind of performance without a squeak?

The full report from the GAO is available here.
