2 Dec 2008 15:08
Re: BBC 'vague' reporting again!
Ian Batten <igb@...>
2008-12-02 14:08:52 GMT
The problem with this whole debate is it revolves around geeks `solving' the problem of law-abiding criminals. What do I mean by `law-abiding criminals'? I mean that peculiar creature of the pages of crypto conferences, the criminal who will invest limitless time and effort in subtle side-channel attacks involving terabytes of chosen plaintext, but won't put a pistol to a key-holder's wife's head, kidnap their children, bribe them or burn their house down. The security community has decided that break-ins that rely on crypto and other security weaknesses are a different, less immoral, class of crimes than rubber-hose solutions, perhaps because they don't have friends with sawn-off twelve bores but they do have friends with rainbow tables.

The upshot is that resources are poured into dealing with problems that are caused by these law-abiding criminals, problems whose linkage to real harm to real people is indirect at best. Crimes like possession of child pornography may well drive the production of child pornography and hence child abuse, although equally it could be a secondary market in photographs of abuse that was already happening. But we also have crimes involving pseudo-pictures and textual material which are further indirect, in that the most that can be said of them is that they may have a tendency to cause unbalanced people to commit crimes against real individuals. But this sort of investigation can be conducted from the office, and the perpetrators are largely pathetic losers who are unlikely to cause trouble when arrested, so the whole sorry dance proceeds without too much adrenaline being expended.

Meanwhile, the less law-abiding criminals, the ones that do real physical harm to real physical people, appear to be outside this scope. They can take their victims to Doctor Thakur Singh through nineteen pregnancies safe in the knowledge that he won't notice anything amiss. They can take their victim to Doctor Sabah Al-Zayyat with a broken back and be confident they won't get caught. And if someone does chance to make a complaint, they can hide behind the police saying that accusations are slanderous, or social workers who are keen to help. There's no suggestion that these children could have been protected by sooper-sekrit ninja malware attacks.

Less emotively, there isn't the slightest evidence that your bank robbers and car-jackers are engaging in complex schemes and themes by email, replacing the master criminal who finds the scores to be taken down (yes, I re-watched Heat last week, what of it?) with a trip to www.possible-bank-jobs.com. Real criminals perhaps don't have a great deal of faith in their infosec chops, so simply don't connect their machines to the outside world.

So the whole thing, to me, smacks of policemen who don't want to get their hands dirty pursuing criminals whose crimes are indirect ones. At best this might provide an avenue against the botnet brigade, but that's never presented as one of the targets.

ian