by t3rabytes 870 days ago
More info in a directive from 1/14/24, https://www.cisa.gov/news-events/directives/ed-24-01-mitigat...:

> CISA has observed widespread and active exploitation of vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure solutions, hereafter referred to as “affected products.” Successful exploitation of the vulnerabilities in these affected products allows a malicious threat actor to move laterally, perform data exfiltration, and establish persistent system access, resulting in full compromise of target information systems.

> Agencies running the affected products must assume domain accounts associated with the affected products have been compromised.

This looks like a right shitshow.

Ross Anderson did a big group research "The Changing Cost of Cybercrime" [0]. I forget the number but it came out at several trillion.

After Solarwinds and the UK Horizon Post Office scandal I am wondering, how does cybercrime compare against simple incompetence and hopelessly broken software engineering? How can we measure that to see just how bad things really are?

[0] https://weis2019.econinfosec.org/wp-content/uploads/sites/6/...

The question is cyclical because cyber crime doesn't exist without incompetence.

There's very little cyber crime that happens by bribing someone. Most of it is just walking past an open door.

> How can we measure that to see just how bad things really are?

hence, cost of incompetence = cost of all cybercrime + n.

Cyber crime definitely exists without incompetence.

Defense is a costly, vast landscape compared to attacking. Sure, incompetence causes issues and majorly drives up my blood pressure, but the problem doesn't go away if incompetence goes away.

> Defense is a costly vast landscape compared to attacking

Yes. But.

There are many defensive tactics that are not free but are cheap.

Keeping system software updated is one.

https://infosec.exchange/@wdormann/111880313720252008

It's interesting when you put it that way.

In the Horizon case, and no doubt in many cases to come, the crime is committed by a company against the public. They tried to pass it off as incompetence, and blame "systems" but I expect the public enquiry will lead to criminal proceedings against Fujitsu now.

Big companies may laugh at fines for treating their customers badly, but I hope to see many more ruinously brought to book for their criminal incompetence.

> hence, cost of incompetence = cost of all cybercrime + n.

Where n is at least as large as the other part. Scary!

> There's very little cyber crime that happens by bribing someone

If competence were the norm, bribes, violence, etc. would become the preferred tactics.

This is a really excellent point.

Someone on Bruce Schneier's site noted that about the Anderson study... that the increase in cyber-crime perfectly tracks the decrease in street crime. As online fraud goes up, robberies go down.

If crime remains a constant then having shitty software security is a safety valve - and fixing computer security means physical crime would rise again.

Interesting hypothesis.

I don't think we can ever really "fix computer security" because there's so much software being written all the time by just about anyone and the demand keeps growing.

Hacking computers is usually just a means to an end: fraud or theft. Competence is more than just preventing hacks.

> I don't think we can ever really "fix computer security"

But we can do much better.

This sort of implies the street criminals become cyber criminals, which seems to not be a matching skill set. Call me skeptical of the study I admittedly haven't read.

> This sort of implies the street criminals become cyber criminals,

Does it? I never considered that. It seems obvious to me that they aren't the same actual people.

We have more EV cars on the road displacing ICE vehicles, but that doesn't imply that the old cars "transformed" into electric ones.