Showing posts with label Law.

Tuesday, April 19, 2016

Blackhole Crimeware Creator Gets 7 Years

That's a nice law enforcement win. 'Blackhole' is variously known as an exploit kit, an exploit pack, or just straight-up crimeware, since it was sold with regular updates and even support contracts. I have enough Blackhole references in my database, dating back to 2012, that adding them became boring.

Brian Krebs reported this on 2016-04-14, at http://krebsonsecurity.com/2016/04/blackhole-exploit-kit-author-gets-8-years/. Note that there is a one-year discrepancy between the URL and the stated sentence.

I've already heard rumbles (possibly from other security worker-bees who hated plugging 'Blackhole' into a database for the nth time) that the sentence wasn't long enough. The line of thought was about scale: that Dmitry “Paunch” Fedotov, whom Krebs reports as having more than 1,000 customers, was earning $50,000 per month, and likely contributed to tens of millions of dollars stolen from small to mid-sized businesses over several years.

I can see the temptation there. Particularly the bit about 'tens of millions', and particularly the 'small to mid-sized businesses'. Organizations that fit that size description have been some of my favorite clients, are often most in need of the help, and I just generally feel better about having helped out an organization of that size, rather than some Fortune 500 behemoth. I would be amazed if I were to discover that that viewpoint is unusual, if I could somehow survey the people down in the security trenches.

But was the penalty really light, at seven or eight years? Possibly not. First off, this was a Russian law enforcement win, and the sentence will be served in a penal colony. I don't know about you, but the idea of spending 7-8 years in a Russian penal colony does not take me to my Happy Place. I'm not going to address that further.

Suppose this was a United States thing? A US citizen, in US courts, with a potential for serving a sentence in a US prison?

Krebs refers to the likelihood of 'tens of millions of dollars stolen'. I completely agree. But let's compare this to the physical world. That necessarily involves bank heists, armored car robberies, etc., where people are likely to be injured or killed. Much drama, making it a natural for movies, such as Ocean's n, or films based on the Lufthansa heist, etc. Wikipedia has a list of large-value US robberies, several of which are in that tens-of-millions category. The most recent $10+ million robberies date to 1997, and the largest of those was the Dunbar Armored robbery, involving $27.9 million in 2016 dollars. The sentence? 24 years for mastermind Allen Pace, an insider. Under parole guidelines, he will have to serve 18 years, and five others will have to serve 8-17 years.

Bear in mind that this was a record robbery: it seems likely that it was politicized to at least some degree. The Loomis Fargo robbery ($25.5 million today) occurred the same year and yielded sentences ranging from probation to 11 years. I haven't researched possible parole dates.

Differences in criminal justice systems make it difficult to judge whether Fedotov drew a sentence that was appropriate. But it seems to me to be broadly comparable, at minimum. That is a win for law enforcement. Penalties used to be no more than a slap on the wrist, as long as the crime was committed over the network. The extent of the damages didn't seem to matter.

There will be no immediate effect, no matter how much we might wish otherwise.

Sending signals has been less than effective in even the geopolitical realm, where huge numbers of government bureaucrats (State Department, etc.) are employed to keep it all sorted out, and react in something like real-time. Criminals will entirely miss this one, even if it should prove to be the start of a trend toward commensurate sentencing. It seems likely to be a generational thing.

I'm fine with that.

A couple of years ago I posted Law Always Lags, As It Should, "The universal claim seems to be that the law is behind the times. My take is that is better to have law that lags than law that leads. While lagging legal thought will certainly lead to injustice, it is less likely to lead to wholesale injustice. It is the lesser of two evils in an imperfect world."

Tuesday, October 13, 2015

Intellectual Property: A Useless Term

Commentary::Marketing
Audience::Entry
UUID: 3a061855-fa21-4efc-a0cc-494418698118

I mostly hate the term Intellectual Property (IP), because it is mostly useless. Copyright, patent, and trademark law have little in common with one another, anywhere in the world. Personal and societal impacts of those laws are similarly disparate, as one would expect.

Now and then, something that seems to absolutely fly in the face of common sense (granting that sense does not seem to be common) is particularly grating. Such was the case with Definitive Guide (TM) to Cyber Threat Intelligence.

There are various regulatory regimes (and self-regulatory ones, such as PCI, created in order to avoid actual regulation) that require a lot of reading related to possible threats. Fine. I have been doing it for years, because I regard it as necessary, and so I applaud that. But it is extremely time-consuming: the doc mentioned above is a 74-page PDF, and is only part of today's reading list. The madness that allows a common phrase to be trademarked is annoying as hell.

Still, one of the contexts in which I'll be reading this (and marking it up for future reference) is DevOps, where there might possibly be some insight to be had from Table 1-1. It is the first table, so I will have to read this entire pile of marketing nonsense, in case there is support for it later in the doc. There might be something relevant to more recent DevOps concepts (and the other marketing nonsense that has grown up around them), as opposed to the older security-related divisions (network, infrastructure, and security operations) within an organization, and their contributions at the 'Tactical, Operational and Strategic' levels. Never mind that the division between tactical and operational seems very artificial.

So, 74 pages, mostly marketing noise. Some of it is about banks, etc., being clients. I covered that above, writing about regulatory (and avoidance of same) requirements.

That DevOps reference? DevOps is also rife with marketing noise. But much of DevOps does promote ideas related to getting beyond some long-standing (and foolish) IT practices, such as throwing code over the wall. Which makes me far more tolerant of that group.

In the unlikely event that you have some twisted urge to read this doc too, it can be had from https://cryptome.org/2015/09/cti-guide.pdf. I'm not supplying a direct link to these people, for two reasons:

  1. Zero desire to provide them any Google-juice.
  2. I expect that some sort of registration would be required, hence you would be bombarded with email marketing for, roughly, forever.

If you never see another post on fubarnorthwest, it may be because reading "Chapter 7, 'Selecting the Right Cyber Threat Intelligence Partner,' enumerates criteria for evaluating cyber threat intelligence providers." caused immediate brain-death.

Sometimes I Just Have to Rant

That is a failure on my part. I've been working on a set of three posts that would likely have been more helpful, that do not involve Intellectual Property, and that would point readers toward things that are more useful, such as why I am about to recommend the Computer Laboratory, University of Cambridge. Sorry about that. Coming soon.