In Response To: Computer Crime-Abetting Sites...

Original Article:
        (Company Press Release)
        Computer Crime-Abetting Sites Will Dramatically Increase
        Costs for Businesses and Consumers
        Business Wire -- Oct. 18, 1999

When it Rains it Pours

It was only weeks ago that I wrote an article on inflated damage figures. After reading several pieces on supposed damage figures for various computer crimes, a pattern began to form that did not sit easy with me. As luck would have it, another damage figure jumped out that topped the previous record, the 298 million figure set early on in the Kevin Mitnick case. Do we hear half a billion? A billion? Nope, let's jump up one more notch and hit the TRILLION figure. No, I wish I were kidding too.

Because of the nature of this article (company press release) and the abundance of shady points, I will resort to the age-old method of usenet/e-mail style reply. Text from the company press release will be in italics while my reply will be in regular text. You'll have to excuse me as I will have fun with this one!

My Response, Point by Point

> Hacking and computer-crime-abetting Web sites are supplying
> Web surfers with tools and instructions that could cost
> consumers and businesses worldwide over a trillion dollars this year.
Wow! What a dramatic and shocking intro to a company press release. Unfortunately for them, it did not have the desired effect they had planned, I am guessing. Rather than think "This is a serious problem!", many colleagues and I said very little because of the laughter that ensued.

The first problem is defining "computer-crime-abetting Web sites". There are two basic things that could possibly brand a site with this label: intent and information. Did the Web site knowingly and intentionally distribute information with the intent to encourage computer crime? Proving intent in such a fashion is very difficult and often falls as a debate among scholars. How can you positively say the site wasn't distributing the information with the intent to help people by making them aware of the problem?

Second, the information itself. Does posting information regarding activity that is illegal constitute 'abetting' criminals? Of course not. If it did, then sites like CERT, Security Focus, and Happy Hacker would all be guilty of this crime. I think it is safe to say at least two of those sites have good intentions. The only way to combat security problems and protect sites is knowing the details about attacks. Without these details, site administrators cannot make the determination to shut a service down, upgrade their Operating System, apply new patches, or ignore it as it does not affect them.

Of particular interest is this 'trillion' dollar claim. Throughout the short press release, Computer Economics gives no support to this damage figure. They give no insight as to how they reached this number, who they surveyed, or anything else remotely insightful. Isn't this one of the signs of snake oil?! Isn't one trillion dollars one quarter of the national deficit?!

> Computer Economics research shows that hacking and computer crime
> will experience a dramatic increase in the next few years due to
> the abundance of Web sites devoted to these topics. Also factoring
> into the growth of computer crime is the low cost of the tools and
> instructions that these sites sell, and the rise of the wireless
> Internet.
I can't help but wonder why they use the word 'sell' in relation to computer crime information. Why would they refer to a handful of distributors that pawn off half a CD-ROM of outdated text files while ignoring the sites that give away up-to-date information for free? Perhaps this falls into the picture of nefarious activity and helps sell their cause? And where in the world did the wireless aspect come in?

> "The Internet has always been a haven for computer criminals,"
> said Computer Economics research analyst Adam Harriss. "The
> technologically savvy hackers have been online swapping tips
> and programming for decades, but now the information is being
> posted and sold at low cost in a form that even the techno-illiterate
> can understand. Causing damage to machines and infiltrating systems
> has become as easy as putting together a child's Christmas toy."
I would be willing to bet a couple dollars that Adam Harriss has been on the Internet for less than two years. I certainly hope I am correct, as the above quote should only come from a complete neophyte that has little to no clue about the history of the Internet. Founded on open resources and sharing of knowledge, the Internet was a research and development network designed to facilitate the advancement of technology and all scientific ideas. For the first decade or two, there were no laws governing it. There was no 'computer crime', no laws against hacking or intrusion. To make such absurd and unintelligent claims as Harriss does is an outright insult to the founders of the Net.

> While some hacker sites warn that the products they sell are to be
> used for informational purposes only, other sites pander to malicious
> users, and are growing a future generation of hackers by targeting
> children. The proprietors of some hacking manuals tout them as guides
> that help users "search for company secrets." Vendors of hacking
> hardware often boast that their goods "screw up all types of computer
> disks." Software that could be used to pirate other programs is
> sometimes said to be "a must for anyone who doesn't want to pay full
> price for software."
I will send mail to the contact for this article as well, but let this be an open challenge for Computer Economics to quote where any "Vendor of hacking hardware" boasts that their goods "screw up all types of computer disks." It amazes me that industry charlatans get away with spewing loads of false claims without ever backing them in any fashion. That a single person gets taken in by such unfounded and wild claims still amazes me.

> Not only are these hacking tools priced very low, but many of the most
> popular hacking tools, such as L0phtCrack, AntiSniff, nmap, and netcat
> are free shareware. Manuals and software about hacking and computer
> crime interests such as viruses, counterfeiting, piracy, and various
> types of fraud typically run from $8 to $60.
Interesting that Computer Economics calls L0phtCrack a 'hacking' tool, while agencies like the Department of Energy pay for it as an internal auditing tool. Security consultants and hackers alike use NMAP and other network scanning utilities. If a hacker uses ISS or Retina to break into an NT machine, does it automatically change their status from 'Network Security Scanner' to 'hacking tool'?

I don't know about you, but I have never paid $8 to $60 for any manual or software about hacking and computer crime. In fact, it is rare that you see any organization selling this information, and even fewer that make any form of living off it. All of the information sold by these companies is readily available on hundreds of computer security sites. Using the word 'typically' is flat out wrong.

> The low cost of computer crime software and hardware combined with the
> dramatic expansion of the Internet into new, lesser-developed regions
> of the world promises to exacerbate the hacking problem. There are
> roughly three times as many people using wireless phone services as
> there are people on the Internet, so there is possibility for an
> online explosion once a wireless Internet is established. With the
> expansion and proliferation of the Internet in many countries with
> loose regulation of computer crime and poorly organized law enforcement,
> hacking and computer crime will flourish in the years to come.
Blame it on third world nations, that always works! This is just about the last possible point of blame that could be dragged into this article in a desperate attempt to sell that 'trillion' figure. We also get the second mention of the 'wireless' Internet that will be established. I'd hate to be the first to break this to Computer Economics, but wireless is already here, and it is in no position to challenge the hardline backbone the Internet relies on. Using this is weak justification for a completely unrelated point (that of computer crime proliferation).

> Computer Economics is an independent research firm specializing in
> helping IT decision makers plan, manage, and control IT costs through
> advisory services, analyst support, an innovative Web site, and
> printed reports. Based in Carlsbad, Calif., Computer Economics serves
> 82 percent of the Fortune 500. For further information, please visit
> the Web site at
Wow. 82 percent of the Fortune 500 and I have never heard of this company. Asking around, I can't find a single colleague that has seen the name, many of whom work daily for Fortune 500s. Looking at their statement, it is interesting to note there is absolutely no mention of security services, computer forensics, computer crime control or anything remotely related to the subject of this press release.

Lucky for us, they were kind enough to include a contact address for further inquiry. In case it wasn't apparent, I encourage all OSALL readers to take a moment and send mail to this company. Ask them some of the questions I have posed as well as anything that backs their claims. Let them know these articles will not go unchecked!

     Computer Economics Inc.
     Catherine Huneke, 760/438-8100, ext. 108 or 116

Inflated damage figures. No quoted sources backing their claims. No reputation good or bad among a dozen or so security professionals. Add them up and it seems to me we have a new industry charlatan in the making.

Brian Martin ( Copyright 1999