Cenzic 232 Patent
Paid Advertising
web application security lab

Crime and Punishment

This post is meant to be overly controversial, but it’s also meant to make people think. Please take that for what it’s worth. My most recent publisher said that I shouldn’t make excuses before I say something, but in this case, I think it’s warranted because it’s a little out there, but I also think it’s a topic worth discussing. Please bear with me.

Looking back in American history, there have been a few significant military losses of recent years. We could easily call Korea a loss, and Vietnam was the worst “police action” in American history. Afghanistan is a tossup, and only time will tell. However, I think there is a perception that there is no way the United States could ever have won those wars. That’s just not true.

The United States has a wide variety of unconventional weapon options and military tactics that it never used. For instance, we never ventured north of a certain line in Vietnam, but only for political reasons. We also never used nuclear, or non-nuclear WMD’s. The United States stockpile of biological, radiological and chemical weapons is unrivaled by any country it has ever gone to war with since WWII. But it never chose to unleash those weapons or pursue those tactics, and ultimately the US lost. But more interestingly, the US chose to lose.

I think this analogy speaks nicely to a computer security problem regarding crime in general. There are a set of options that we as computer security practitioners have at our disposal but we also have chosen not to use them. I would say that in well over three quarters of the attacks that I am aware of, it is trivial to find the person who is responsible for them. Sure, that could change and yes, it’s easy to frame people for crimes they did not commit, but for the moment, let’s just pretend that that statistic was valid.

There are two ends of the spectrum of punishment. On one end we have capital punishment - the ultimate result. It’s pretty much a guarantee that their life of crime is concluded upon their death (barring time delay attacks which are incredibly rare). Most people don’t believe in capital punishment for any purpose other than extreme cases and still I would say there is no clear consensus about when it should be used. However, there is no debate about the finality and clear effects of capital punishment.

On the other end of the extreme we can do absolutely nothing, or worse yet, reward the attacker for their actions in some way. I would argue that more often than not the second is the option we as a security community take. When we are aware of a problem we either do nothing at all because we believe it won’t actually work against our systems, or we block the attackers, under the false premise that that will stop them. In reality it only makes them stronger because they now know how our defenses work, which they can either try to circumvent later or use as knowledge against other targets elsewhere.

Only in the most extreme cases do we actually bother to track down, locate, arrest and prosecute attackers. And even then the penalties are usually only a few years in jail. Most experts believe that jail is not an effective rehabilitation habitat. While it’s admittedly unclear what the effect is on computer criminals, it’s certain that it is not an effective deterrent given how much computer crime occurs.

Now let’s imagine for a moment that we were decide that capital punishment were a reasonable solution to a problem, because it was an actual deterrent. I know people who care a lot more about their life than they do about jail time, so it’s not an unrealistic assumption. Let’s take a small slice of computer crime, that’s considered by almost everyone to be a minimal offense but also highly annoying - spam.

A few years ago a spammer was killed with a hammer. Now let’s say whether by vigilante justice or state sponsorship, once a week a spammer was killed in the same way, as a symbol to all other spammers everywhere - keep it up and you’re going to end up like this. It’s a terrible fiction I’m spinning here, I know, but I honestly believe it would reduce the amount of spam far more than the amount that was generated by the deceased spammers alone. It would actually have the effect most punishment is designed to have - it would be a deterrent. Although, admittedly it’s gruesome and unrealistic.

So on one end of the spectrum we have nothing which is what we are primarily doing now, and on the other a punishment that outweighs the crime. (Technically, we actually are doing something - we are making it less financially viable for the attack to be profitable by reducing the amount of spam that gets through, but we are a long way from succeeding, unfortunately). In the same way that the US wasn’t about to start using thermonuclear weapons in Vietnam and Korea and most likely won’t in Afghanistan either, we as a society aren’t going to start killing spammers at any rate necessary to act as a proper deterrent. Now I told you all of that so that I could get to the real meat of the matter. What is the proper proportionate response to computer crime to act as a deterrent?

There was an interesting section of a book (the title is escaping me as I write this) that described things that were off limits in a pen test. Things like rubber hose cryptanalysis are apparently not allowed during a pen test (although if anyone wants me to beat them up to see if I can get their password out of them, just let me know - I’ll give you a discount too). It’s funny but it’s also true. In the real world that is an option, just not one that many people use.

So things that are typically off the table that we don’t talk about as a real option are things like kidnapping loved ones, extortion, torture, and of course capital punishment. While all real actual options, we have tied our own hands and said we aren’t allowed to use them. We also take other options off the table, like hacking into people who hack into us, DoSing them and so on. We aren’t even allowed to fight back! So the real heart of the matter is what is the right response to a packet bound for your network that intends to do you harm? Should we keep ignoring it or should we instead track the originator to the ends of the planet and enact a gruesome deterrent for the greater good of all humanity?

No, put your gun down, I’m not saying we should go on a spammer killing spree, although I’d be plenty happy to use my rubber hose on them every once in a while. Perhaps instead of killing people we should make it a priority to actually pursue attackers instead of defending ourselves in a reactionary manner. My friend Mike Rothman is fond of saying “REACT FASTER”, but maybe reacting isn’t enough. Maybe we as a society are missing the most important dimension of this whole thing by focusing on reacting instead of going on the offensive.

We actually pursue shoplifters and put them in handcuffs, which in terms of monetary loss can pale in comparison to a computer criminal’s potential. Shoplifting is a relatively petty crime too, yet the consequences are so severe compared to the crime itself and with the wide proliferation of modern loss prevention technology most people don’t shoplift. Maybe if more people were actually forced to face the consequences of their computer crimes all over the world, it would have the effect the laws were intended to have - which is to limit the breadth and scale of the crime itself.

Until something like that happens, I find it difficult to believe we will ever see a real decline in computer crime. I know one thing for certain - what we’re doing now isn’t working.

21 Responses to “Crime and Punishment”

  1. Zach Says:

    Well, the reason we don’t go on the offensive is because you will have giant protests about our loss of privacy even if it isn’t directly us.

    While you may not have been totally serious about harsh punishment, I’m all for it. If you commit a spam crime that does millions of dollars in damage, you should be an indentured servant at the wage of an average IT job until you pay it off. By indentured I mean basically a slave that is not technically owned; can’t leave the place you are at and have living quarters. Basically if you do enough damage you are a slave for life.

  2. Dan Says:

    What we need is a really nerdy Jack Bauer!

  3. Chad Grant Says:

    As I have been indicted under federal hacking charges and beat the BS wrap after two trials … I feel like I should input some of my experience.

    It is way too easy to frame someone for a computer crime. I know you acknowledged this, but it needs to be emphasized. The system worked for me (barely) but it could have very easily gone the other way. It has happened.

    The court system and the law enforcement of the united states is incompetent when it comes to investigating and prosecuting computer crime. As it stands now, it is still a modern day witch hunt and common sense does not exist. In the end, the jury of your “peers” has to understand everything you do about computers and security. Good luck educating a bunch of soccer moms and 7-11 tellers in a trial.

    If anyone deserves this amount of anger in your post, it would be the very people and organizations you expect to investigate and prosecute these cases.

    The FBI is corrupt. The agent in my case was good buddies with the “victim” and helped manufacture fake invoices of incident response. They were faxed from the FBI offices and time stamped before the work was said to be completed in the invoices. The invoices even consisted of nonexistent dates! They supposedly spent around $11,000 @ $450/hr on April 31st! The people attributed to doing the work in the invoices even testified that they did not do the work and didn’t have access or passwords needed to perform the work. The only money exchanged that could be verified in the case was $40.

    Since sentencing laws are based on amount of damage and the cost of securing your compromised system after the fact is allowed as “damage”. You can send someone away for life by: faking the logs, buy a million dollar security system, send receipt to FBI and return the security system.

    Our peers are also corrupt and are willing to testify to just about anything for the sake of money. In my case, it was Kevin Mandia. http://www.mandiant.com/biopages/KevinMandia.htm

    He has been instrumental in putting innocent good people in prison. This is not an opinion. Just do the research on his testimony in US vs Bret McDanel. Security researchers should be aware of Bret’s case. He spent a year and some change in prison and the conviction was eventually overturned by the very prosecutor who sent him to the big house. That is unheard of in our court system. His case was instrumental in the Good Samaritan exemptions for security disclosure. In the end, it was Kevin Mandia that sent him to prison and was the most capable of being aware of his innocence. In my case he was nothing more than a puppet for the prosecutor and testified to things that either showed his lack of security knowledge or just flat lied.

    I could write a book on all the incompetence, corruption and fallacies of our court system in regards to computer crime.

    Be careful of what you wish for …

  4. CrazyDave Says:

    I agree with both the post and [Chad Grant]’s comment. It is a fundemental balance in a free self-governing society to weigh these two extremes and find the right balance in the middle.

    I don’t claim to have a solution, but it seems like the courts (as they currently exist) are incapable of handling these cases…perhaps if it was not illegal to hack, then counter-hacking would be the deterent of choice…but then there are repercussion from that as well.

  5. MikeM Says:

    Your premise relies on the belief that deterrence actually works when there isn’t significant evidence to support the argument. Deterrence is regarded by many as being completely ineffective and unfair. I would argue people don’t consider the possibility of punishment because they don’t think they are going to get caught, they rationalize it away, or they are so desperate the consequences are meaningless in the moment. How can a harsh punishment possibly be effective in deterring criminals in such states?

    A more effective solution would probably be to eliminate the incentive to commit the crime. People don’t steal bread when their stomaches are full.

  6. Jonathan Says:

    The U.S. has used WMD. We bombed Hiroshima and Nagasaki both with Atomic Bombs.

  7. RSnake Says:

    @Jonathan - I was referring to the wars I mentioned, not prior (nuclear in WWII and chemical in WWI).

    @Chad Grant - very thoughtful reply. I wasn’t aware of your case. Perhaps you should write a book. I’d probably read a book called “the modern day witch hunt”.

  8. mark Says:

    I’d like to give a slice of historical perspective in this very interesting discussion. US did not use atomic bomb since WWII because since this period, “conventional” battlefields have tremendously changed. An atomic bomb is useless in a guerilla or ambush war (Vietnam, Afghanistan, Iraq right now…) because there is no “hard core” target, no visible enemy in front of you. It is not a symmetrical warfare. (this is just a very schematic, very simplified way of seeing facts… Real life is a little bit more complex from a tactical and strategic point of view… but let’s keep it this way for the rest of the discussion).

    Spam, like a guerilla war, is very pervasive, infrastructures are fuzzy, and legal weapon of massive destruction (I love the idea of lawyers transformed in WMDs) are useless. Useless when the hosting system is international or botnet based. Useless when local regulations are protecting the major part of the business, creating real anti-atomic shelters to protect massive spammers. I do not intend to “troll” or to criticism US institutions –being a European citizen, it would certainly be an unforgivable lack of good manners and respect- but without attacking the problem to the roots –the CAN spam act for eg. -, the fight will be lost before beginning. (I don’t say we have better protections… we have lawyers and politicians too, in Europe…)

    From a more general point of view, use of legal WMD could NOT be used because “organized crime” is not so “organized”. Have a look at the “McColo story”. Less than 40 days after shutting down this provider, the level of spam and other calamities was reaching the same level as before. With a slight difference: resources and servers were a little bit more scattered, between Latvia, Russia, China, USA, Germay, UK…. Stricking a single point of failure against those enemies is like striking a bowl of quicksilver: the sum is exploding in an infinite number of independent elements, trying to hide in this multitude. Can you aim at a multitude ? you probably can catch one or two individuals but not the group. Fishes, birds, social insects use this strategy for quite a long time, with some success.

    No regular army has ever won against a guerilla organization. And trying to apply disproportional penalties in a fight without proportion has little chances to change the story.

  9. Anonymous Says:

    @Jonathan
    The Atomic bombs did nothing compared to chemical weaponry the US used in the Vietnam war. Look up “Agent Orange”, they sprayed that stuff over millions of people.

  10. Zac B Says:

    I wish we *could* be truly responsive - DoSing the blackhats for instance - instead of just twitching when the hammer hits our knees. If the laws allowed us to do more than paint a new bulls-eye on a different part of our ‘body’ or only change the colour of the paint then perhaps we could change the cost/benefit ratio.

    The problem is that with the current laws on the subject prevent us (whitehats) from digitally tracking down the miscreants (blackhats) and digitally beating the bits and bytes out of them. If we could ‘take out’ compromised systems that are used to attack our systems, dump their data so we can use it against them (the blackhats), etc - then, and only then, would the cost/benefit become such that it would act as a deterrent against computer crime.

    @MikeM: the number of ppl that ’steal bread’ because their hungry pales quite significantly compared to those that do it (a) for kicks and/or (b) for profit.

    @Chad Grant: STBY! But this is just supportive evidence of screwed laws in regards to computer crime - particularly since you have so little options in undoing the damages caused be such abuses.

  11. Eponymous Says:

    It really comes down to the matter of international law and borders. I think that we could realistically see much better analysis, detection, and prosecution of computer felons within the next few years in America, as well as within the borders of our allies, due to cooperation and extradition. But unless we apply strong diplomatic pressure and possibly even trade sanctions on the countries that don’t particularly care to cooperate with our law enforcement, while allowing them to be connected to the internet that Americans built, we will never get at the heart of the matter..which is that people are allowed to electronically participate in our society without being bound to the laws of our society, making them effectively immune, like the invisible man or a spoiled brat diplomat.

  12. rvdh Says:

    Clearly the U.S. has a moral issue, always had actually. Problem with a moralistic world-view is that you get both sides of a problem on your table. These morals, result in control and regulation. Which in terms result in resistance, because people don’t like to be policed.

    Personally i think the U.S. would be better of in a Wu-Wei kinda way. With that I mean: You don’t have to control the world and solve every problem, because once you mix in it, you will become part of the problem.

    Secondly, I think -as do many Europeans- that the U.S. seems a bit arrogant in the way that it tries to moralize the world, denies U.N. regulations and plays wars when it wants too, while being immersed in perpetual debt, loaned from Europe and China. :)

    I think the U.S. now pays and will pay the price for it, how sad that may sound. Currently, I think there will be change in global power, and it won’t be coming from Obama ;)

    So in regard to security, I think the answer is overly-simple. Security is and always was an economics issue. Criminals are mainly interested in financial gain, with few exceptions. If you solve the economics issue, you will solve security and you might drop security as a whole, since there is reason to take a risk when you have a proper financial status. You won’t solve it by punishing the criminals, because they will do it again and again. On the side of security, one solution is to have nothing of value or if you do, being able to take a loss, like the credit-card companies do. It’s already calculated into their budgets.

  13. Nels Says:

    If a robber walks into a bank and steals just $500 there is an APB put out and a massive search is goes on. If an online bank account is compromised, and the “thief” gets away with $5000. Nothing happens, except the customer is repaid and the bank eats the cost.
    I am all for tracking down the perps, but there are hard realities to deal with:
    1) is it cheaper to just pay the customer, or try to track down the attacker? (who could be anywhere)
    2) now that you get em, what do you do? (evidence)
    3) could you ever really track down the attacker?
    In the end, it would be cheaper to eat the cost….realistically. Typically the machine was just infested with some trojan/malware that allowed the online account to get compromised. The one change I would like to see is that the customer also gets a new $800 computer w/ a shiny flat panel monitor. The financial institution then gets the infested box. That box then becomes a subject of analysis to learn what happened and share the information with others. It may be a dime-a-dozen, but perhaps that information could be used for detection/protection against similar attacks. It would also be nice to verify how exactly the account got compromised…..

  14. ImIke Says:

    Criminals with full stomachs will remain criminals and greed, if nothing else will take them back to a life of crime. The full stomach argument is also ineffective when the crime is committed for the thrill of the act.
    Draconian laws will not solve the problem, neither will the supposed deterrent effect of punishing one in the hopes that others will be scared away. What may be the answer is securing targets enough that it will be more feasible for a would be attacker to move on to easier targets. So you see I don’t think there are easy answers but tough questions that must be asked.

  15. Robert Says:

    Then why are our jails overflowing if punishment is a deterrent?

  16. Jon A. Longoria Says:

    @MikeM

    “Deterrence is regarded by many as being completely ineffective and unfair.”

    Could you provide an example of whom is arguing this point? I would like to review their assertments and analysis.

    From a operational standpoint, deterrents and their use included in standard OPSEC, INFOSEC, COMPSEC, etc. in government/military perspectives have been proven effective and at times saved lives as far as installations go. The depth in overview of these programs is public domain and can be found online if you’re interested.

    Does it catch every offender, every time? Obviously not, but the positive does outweigh the negative. Reactivity cannot be an efficient substitute for proactivity.

    @rvdh
    I’m sure you mean well, but your argument seems atypical of a European audience - not to profile anyone of course - which seemingly comes off as resentful and taudry to others, just as you would consider US citizens arrogant.

    I’d like to understand your perspective more though, and ask if you could you provide us with a bit more concrete examples than just “the war” and “economic woes” generalizations? I’m not naive enough to believe that as a US citizen my crap doesn’t stink and would of course be willing to listen to global counterparts on how we might effect change in our government and/or foreign policy from an outside perspective.

    @RSnake
    As always buddy, good post. Hit me up over e-mail whenever you’ve got time regarding a upcoming article in the works.

  17. MikeM Says:

    @Jon:

    http://www.iserp.columbia.edu/news/articles/capital_punishment.html
    http://www.amazon.com/English-Legal-System-Jacqueline-Martin/dp/0340899913/ref=sr_11_1?ie=UTF8&qid=1232325491&sr=11-1

    I am not suggesting we shouldn’t be proactive. I am merely suggesting there might be more productive ways to be proactive than deterrence through long prison sentences and chopping off hands so to speak.

    @Zac B:

    You probably can’t do anything about people doing it for kicks. Profit is arguable. Perhaps many of these profit seekers would lose the motivation to commit crimes to make money if they made a reasonable wage doing interesting work. Such jobs aren’t available everywhere. My thought is that a bread thief is going to be significantly more risk averse if they don’t really need to steal the bread (say, they aren’t starving). Would that eliminate crime? Of course not, there is no absolute answer here. The real solution is probably a mix between the right kind of deterrence and the right kind of prevention through other means. Some will steal bread even if their stomachs are full, but even if feeding people only decreases the bread-theft rate by 10% is that such a waste? Clearly the issue isn’t black and white.

  18. laZee Says:

    I get the impression, that the current state is understood as “war” between spammers and us. Maybe thats why people are willing to go offensive instead of just reacting. We could trace the attackers, but we dont do it.

    But i think, the current state isn’t “war”, it’s more “business”. I guess it would switch to “war”, the blackhats could do much more damage. Imagine how much data could have been destroyed, but instead, it usually gets only stolen. I think very much more damage is possible and could occur. Not only we are holding back with our actions.

  19. Jon A. Longoria Says:

    @MikeM

    Thank you for the links!

    I can see what you’re saying, although I might consider those more reactive than proactive myself. I think we would, of course, be wrong to consider all avenues in any case.

  20. Rafal Los Says:

    Since I’m too lady/tired to read ALL the replies… here are two very short thoughts… (ok 3)…

    1) Rob, seriously, you’re deep man… I never knew!
    2) There is a reason that crime is typically “low” under a totalitarian regime (I grew up under martial law for a few years, trust me…)
    3) @Chad Grant - excellent point… our politicians can’t even quantify “the Internet”, much less understand complex cyber-crime issues…

    … we’re doomed.

  21. Ed. Says:

    Really agree with your ideas but what would this world’s peoples agree to ,as the right solution?