http://www.vnunet.com/News/1141901 Trustcorps claims it has scientific and anecdotal resaerch supporting its conclusion that over three million computers are "owned" by malicious groups. On the other hand, Information Risk Management questioned how any one person could "own" hundreds of computers at any one time. And systems are often not "owned" by a single group, but exploited by multiple groups Like most statistics, the "truth" is probably a little harder to find, and a little bit scarier. The FBI estimates a car is stolen every 27 seconds somewhere in the US. In 2000, FBI Uniform Crime Report statistics showed that 1,165,559 cars were stolen; with an estimated value of $7.8 Billion. Police apprehend less than 15% of all auto thieves. Unfortunately this computer crime doesn't fit the FBI crime reporting statistics well. Vandalism of Property? Is the cracking of computers happening more or less often than car theft?
Hey, Sean. ] Trustcorps claims it has scientific and anecdotal resaerch supporting its ] conclusion that over three million computers are "owned" by malicious ] groups. Interesting. ] On the other hand, Information Risk Management questioned how any one ] person could "own" hundreds of computers at any one time. And systems are ] often not "owned" by a single group, but exploited by multiple groups How could one person "own" hundreds of computers at any one time? Since several individuals own thousands, tens of thousands, and even (low) hundreds of thousands of systems at any one time, I suppose the reason they don't own hundreds is because that isn't enough. :/ ] Like most statistics, the "truth" is probably a little harder to find, and ] a little bit scarier. Indeed. Thanks, Rob. -- Rob Thomas http://www.cymru.com ASSERT(coffee != empty);
It would be interesting to know if the FBI or any other group can characterize how many computers are 0wn3d per minute. Then, of those computers, how many remain 0wn3d indefinitely? Marc
Trustcorps claims it has scientific and anecdotal resaerch supporting its conclusion that over three million computers are "owned" by malicious groups.
The FBI estimates a car is stolen every 27 seconds somewhere in the US. In 2000, FBI Uniform Crime Report statistics showed that 1,165,559 cars were stolen; with an estimated value of $7.8 Billion. Police apprehend less than 15% of all auto thieves.
marc@sachsfamily.net ("Marc") writes:
It would be interesting to know if the FBI or any other group can characterize how many computers are 0wn3d per minute. Then, of those computers, how many remain 0wn3d indefinitely?
what's interesting here is the changing definition of "0wn3d". there was a time when installing malbots on someone's computer meant you "0wn3d" it but now that there's spammer malware that searches for "open proxies" a vast number of said proxies appear to be of "0wn3d" computers. therefore a spammer who would not go so far as to install the malbot is absolutely willing to make use of it once it's been installed by others. "0wn3rship" seems to be pretty anonymous at this point. (shades of "shockwave rider".) i guess palladium will fix all this, somehow. -- Paul Vixie
Sean Donelan wrote:
http://www.vnunet.com/News/1141901
Trustcorps claims it has scientific and anecdotal resaerch supporting its conclusion that over three million computers are "owned" by malicious groups.
Well, it isn't as if that article really had many of the details that were meaningful. I decided to go right to the source (www.trustcorps.com) and see what they had to say. Beyond seeing that they were yet another web site that looks great iff you are using IE, I found almost NO substance. I visited the "Press Room," and the "News" items, and even the archives thereof. Nothing there (at least not those claims). Ok, so maybe they haven't put it on their web site yet. Still, I suppose someone made those claims, and I think they deserve a little examination.
On the other hand, Information Risk Management questioned how any one person could "own" hundreds of computers at any one time. And systems are often not "owned" by a single group, but exploited by multiple groups
Well, no one here is truly defining what "owned" implies. I know what a ruckus it kicked up here on NANOG when the first truly distributed denial of service hit eBAy (or was it Yahoo???). No matter. That was no where near three million computers, but it certainly didn't require a lot of control to qualify as "control," or a lot of ownership to qualify as "owned." I'm amused at the thought that so-called hacker groups are in any way coordinated, or working together, other than a few here and there (and more for monetary gain than fame and glory). Three million? Sure, I believe, if you stretch the definition thin enough, that three million is quite believable. Organized in any way? Nonsense. Sheer, utter, mind-numbing nonsense. If it weren't for the tremendous amount of software out there that makes it EASY to take over machines (and I include every single default install of every single OS that enables anything more than port 22), if it weren't for the stunning array of folk who think that expediency is valuable, and ethics malleable, if it weren't for the vast populace that just wants pabulum, and padded cells, none of this would be possible. Trust me. The only bad guys that are organized are the ones who are after $$$, and they have absolutely no need to control three million computers. One or two is plenty, and for just long enough. The idea that there is a vast underground of pimply-faced teenagers just waiting to control the world would be laughable, were it not for the continued commercial assaults that insist it is so.
Unfortunately this computer crime doesn't fit the FBI crime reporting statistics well. Vandalism of Property? Is the cracking of computers happening more or less often than car theft?
Car theft is clear. Someone takes your car, and then you don't have it. When someone compromises your computer(s), what do you lose? What do they gain? It's a very unclear question. -- I apologize; I take it all back. MS Exchange is RFC-compliant. See RFC 1925, point three. http://www.faqs.org/rfcs/rfc1925.html
On Sat, 28 Jun 2003 19:04:25 PDT, Etaoin Shrdlu <shrdlu@deaddrop.org> said:
I include every single default install of every single OS that enables anything more than port 22),
Speaking of which, a heads-up... Jay Dyson was reporting on the incidents@securityfocus mailing list that he's seeing an upswing in scans for ssh. There's no big spike over on incidents.org, but there was a comparative quiet for the last few weeks and higher activity last 2-3 days....
On Sat, 28 Jun 2003, Etaoin Shrdlu wrote:
Sheer, utter, mind-numbing nonsense. If it weren't for the tremendous amount of software out there that makes it EASY to take over machines (and I include every single default install of every single OS that enables anything more than port 22), if it weren't for the stunning array of folk
Heavy sigh. Unfortunately even that isn't good enough for some vendors. Yep, believe it or not, at least one vendor managed to create a buffer overflow in their IP stack which didn't require *ANY* ports to be open on the victim. If it was connected to the network with an active IP interface, that was enough. If you want complete network safety, you want wire cutters. Then you just have to worry about the traditional physical stuff like sneaker net, theft, etc. The unanswered question is what should be considered reasonable? And how much of a burden should the end-user carry?
The unanswered question is what should be considered reasonable? And how much of a burden should the end-user carry?
Plugging into the network is like owning a house. You're at the edge of a public network, whether it be a road or a wire. Just as you lock your front door, there needs to be a way to lock your computer. It is up to the OS vendor to provide some user friendly means to access and secure ones computer.
From a provider point of view, computer security is reactive, just like our local police force. You call them once your own space has been compromised to assist in catching the intruder.
Adi
participants (7)
-
Adi Linden
-
Etaoin Shrdlu
-
Marc
-
Paul Vixie
-
Rob Thomas
-
Sean Donelan
-
Valdis.Kletnieks@vt.edu