by 1oooqooq 870 days ago
question is cyclical because cyber crime doesn't exist without incompetence.

There's very little cyber crime that happens by bribing someone. Most of it is just walking past an open door.

> How can we measure that to see just how bad things really are?

hence, cost of incompetence = cost of all cybercrime + n.

3 comments

Cyber crime definitely exists without incompetence.

Defense is a costly vast landscape compared to attacking. Sure incompetence causes issues and major drives my blood pressure, but the problem doesn’t go away if incompetence goes away.

> Defense is a costly vast landscape compared to attacking

Yes. But.

There are many defensive tactics that are not free but are cheap.

Keeping system software updated is one

https://infosec.exchange/@wdormann/111880313720252008

It's interesting when you put it that way.

In the Horizon case, and no doubt in many cases to come, the crime is committed by a company against the public. They tried to pass it off as incompetence, and blame "systems" but I expect the public enquiry will lead to criminal proceedings against Fujitsu now.

Big companies may laugh at fines for treating their customers badly, but I hope to see many more ruinously brought to book for their criminal incompetence.

> hence, cost of incompetence = cost of all cybercrime + n.

Where n is at least as large as the other part. Scary!

> There's very little cyber crime that happens by bribing someone

If competence was the norm the bribes, violence, etc. become the preferred tactics

This is a really excellent point.

Someone on Bruce Schneier's site noted that about the Anderson study... that the increase in cyber-crime perfectly tracks the decrease in street crime. As online fraud goes up, robberies go down.

If crime remains a constant then having shitty software security is a safety valve - and fixing computer security means physical crime would rise again.

Interesting hypothesis.

I don't think we can ever really "fix computer security" because there's so much software being written all the time by just about anyone and the demand keeps growing.

Hacking computers is usually just a means to an end: fraud or theft. Competence is more than just preventing hacks.

> I don't think we can ever really "fix computer security"

But we can do much better

This sort of implies the street criminals become cyber criminals, which seems to not be a matching skill set. Call me skeptical of the study I admittedly haven't read.

> This sort of implies the street criminals become cyber criminals,

Does it? I never considered that. It seems obvious to me that they aren't the same actual people.

We have more EV cars on the road displacing ICE vehicles, but that doesn't imply that the old cars "transformed" into electric ones.

You literally wrote "If crime remains a constant then having shitty software security is a safety valve" - so there is some implication otherwise how would that work? Why would crime become constant? If these are two different groups of people, why don't we have increase in both? This explanation seems too simplistic to me.

I can only respond to the part of your question that is coherent to me. The "how would that work?" part feels ill-formed and something I've already answered.

But "Why would crime become constant?" is very interesting. For that we turn to "criminology" [0,1]. Roughly, there are three "layers", biological, psychological and sociological. All of these are either fixed, or very slow and hard to change.

Indeed the biggest factors in "how much crime there is" are laws and reporting, how visible the crime is. Obviously we could make crime disappear overnight by declaring all behaviours legal. Really, the justice system can only absorb and respond to what the underlying social and economic conditions set.

Most crimes are resource motivated [2]. Violent crime makes headlines, ruins lives, changes votes and is generally undesirable. "Soft" crimes are less visible and have less impact, especially when they are against actors that are so immensely wealthy they do not even care (for example big-tech companies that see huge fines as simply the cost of doing business as usual).

When we have a fixed pool of criminal potential (set by these structural conditions), which would you choose as a new criminal entering the "market"?

And not surprisingly, Pew Research polls showed "violent and property crimes declined by 51% and 54%, respectively, between 1993 and 2018."

Therefore the hypothesis I was curious about was whether removing the opportunity for cyber crime (via better security) would have the unintended side effect of shifting crime back into physical robbery and theft with its attendant violence.

What do you think?

[0] https://www.britannica.com/science/criminology/Major-concept...

[1] https://en.wikipedia.org/wiki/Criminology

[2] https://online.maryville.edu/blog/types-of-crimes/