A Tale of Cyber Horribles

It has to be assumed that Eugene Volokh didn’t post the analysis of his Mayer Brown colleague, Marcus Christian, without purpose. Christian, “an extremely experienced former federal prosecutor” who is now a Biglaw “white collar” defense lawyer, told a very scary tale of CyberVor, the sort designed to wrap oneself up in the comfort of government power to protect us from looming destruction.

Cybercrime is big business. According to a June 2014 study by the Center for Strategic and International Studies and McAfee, the annual economic cost of cybercrime is $475 billion and growing. The growth in costs results in part from the increasing productivity of cybercriminals.

Last month, Alex Holden, a cybercrime researcher, reported that a Russian cyber gang has built a database of 4.5 billion stolen Internet credentials. According to Holden, the records constituted the largest known assembly of stolen online credentials and included 1.2 billion user name and password combinations and more than 542 million unique e-mail addresses.

Huge numbers. It would appear that they’ve got us, all of us, and they could crush us like bugs, destroy our lives, undermine the very fabric of our society.

Holden described the group behind the illicit database as consisting of fewer than 12 Russian men in their 20s. Calling the group the “CyberVor” gang (a name that he created by adding the Russian word for thief to “cyber”), Holden said the members began working together in 2011 as amateur spammers.

But this is the first inkling that there is something less than savory about the analysis.  So CyberVor isn’t their name, like Anonymous, but rather a name imposed on them?  Whenever the government seeks to create a scary group out of whole cloth, it first manufactures a name to suggest a level of organization, conspiracy, so that they can point at something with which to strike fear in our hearts.  And this is certainly fearful.  4.5 billion stolen credentials? That’s more than the population of this nation. $475 billion in losses? That’s astronomical.  Where? Where is that money coming from? Where is it going to? How is this possible?

Businesses must assess and address their technological and human vulnerabilities vigilantly. But they also should collaborate with their peers, outside counsel and law enforcement agencies. . .

Moreover, working with industry groups can enable companies to pool resources and communicate regularly with policymakers to advocate for needed laws, including legislation to reduce cybercrime mitigation costs and to make cybercrime less profitable for organized crime groups. Individual businesses cannot afford to face cybercriminals alone.

Ah, there’s the rub.  More cooperation with law enforcement. More laws to facilitate our saviors, the government, protecting us from this made-up group.  And this, from a former government lawyer now selling his wares on the outside.

Upon reading this, it struck me as shocking that Eugene would publish such a vapid government press release.  Sadly, it didn’t surprise me at all that a former government lawyer was still promoting the government talking points, but that’s Biglaw.  Since when, however, did the Volokh Conspiracy use its soapbox to promote governmental fear-mongering, with law enforcement cooperation and facilitation as its solution?

Rob Graham, at Errata Security, wonders the same.

The “Volokh Conspiracy” is a wonderful libertarian law blog. Strangely, in the realm of cyber, Volokh ignores his libertarian roots and instead chooses authoritarian commentators, like NSA lawyer Stewart Baker or former prosecutor Marcus Christian. I suspect Volokh is insecure about his (lack of) cyber-knowledge, and therefore defers to these “experts” even when it goes against his libertarian instincts.

The latest example is a post by Marcus Christian about the CyberVor network — a network that stole 4.5 billion credentials, including 1.2 billion passwords. The data cited in support of its authoritarianism has little value.

While I was unprepared to accept the data for lack of supporting evidence, Rob didn’t really care much either way. It was nonsensical regardless of what numbers they used, and unworthy of the time to question something that could never be proven anyway.

A “billion” credentials sounds like a lot, but in reality, few of those credentials are valid. In a separate incident yesterday, 5 million Gmail passwords were dumped to the Internet. Google analyzed the passwords and found only 2% were valid, and that automated defenses would likely have blocked exploitation of most of them. Certainly, 100,000 valid passwords is a large number, but it’s not the headline 5 million number.

That’s the norm in cyber. Authoritarian types who want to sell you something can easily quote outrageous headline numbers, and while others can recognize the data are hyped, few have the technical expertise to adequately rebut them.

When Eugene offered Christian’s analysis, he gave him attributed credibility by blessing it with space on his blog, plus ascribed credibility by describing him as “an extremely experienced former federal prosecutor.”  Not just a former prosecutor. Not just an experienced former prosecutor. Oh no. An “extremely experienced former federal prosecutor.”  When he thus spilled numbers across the page, even in the absence of any supporting basis or analysis as to their efficacy, we bit.  Who are we to question the assertions of “an extremely experienced former federal prosecutor.”

But Rob isn’t any of those things. He’s just a top InfoSec guy, the one who is asked to talk at Defcon by the top hackers. No official title at all.

That blog post also cites a study by CSIS/McAfee claiming the economic cost of cybercrime is $475 billion per year. This number is similarly inflated, between 10 to 100 times.

We know the sources of income for hackers, such as credit card fraud, ransomware, and DDoS extortion. Of these, credit card fraud is by far the leading source of income. According to a July 2014 study by the US DoJ and FTC, all credit card fraud world-wide amounts to $5.55 billion per year. Since we know that less than half of this is due to hackers, and that credit card fraud is more than half of what hackers earn, this sets the upper limit on hacker income — about 1% of what CSIS/McAfee claim as the cost of cybercrime. Of course, the costs incurred by hackers can be much higher than their income, but knowing their income puts us in the right ballpark.

Wait, so if the total of credit card fraud, the hard source of revenue for those who steal credentials, is $5.5 billion, only half of which is due to hackers, where do they come up with $475 billion?

Where CSIS/McAfee get their eye-popping numbers is vague estimates about such things as “loss of reputation” and “intellectual property losses”.

So it’s like calculating loss under the fraud tables in the Sentencing Guidelines, imaginary numbers which make complete sense if one ignores all reality, fabricates bizarre assumptions, attributes made-up numbers to them, multiplies them by the number of ants in a hill, and then adds a few zeroes while telling the sad story of people who might have been harmed if only a meteor struck the earth. It could happen.

Rob goes on to eviscerate Marcus Christian’s government infomercial, ultimately reaching the point of explaining why the dire need for greater government control of cyberspace and your computer is nonsense.

I’m an expert in cybersecurity who helps companies defend against hackers, yet I’m regularly threatened and investigated by law enforcement thugs. They don’t understand what I do, it’s all witchcraft to them, so they see me as part of the problem rather than the solution. Law enforcement already has too much power in cyberspace, it needs to be rolled back, not extended.

While I may have enough experience in sifting through government-speak to smell a rat, I lacked the technical background to explain why it’s pandering to the fear and ignorance of the public.  For those impressed by anything sounding lawyerish, or authoritative, coming from someone with credentials that impress you, this is why you don’t get to form an opinion in the absence of sufficient knowledge to discern reality from hyperbole.

But hey, isn’t everybody entitled to an opinion, no matter how little they know and how much less they understand?  Isn’t fear-mongering and a decent story enough to make you willingly hand over your privacy to the government to protect you because the sky is falling?

10 thoughts on “A Tale of Cyber Horribles”

  1. Robert David Graham

    I’m still confused. Any idiot can see that was a disguised press release — but Eugene isn’t an idiot. Also, it’s transparently authoritarian, whereas Eugene is libertarian. So, WTF is going on?

    1. SHG Post author

      The only person who can give a real answer is Eugene, and I don’t imagine it’s in his interest to explain. If I had to guess, I would speculate that Eugene owed Mayer Brown for its assistance, and this was payback. Whether he saw Christian’s post as an authoritarian press release or just one guy’s opinion, which may not be his, is another question.

      1. Marc J. Randazza

        Perhaps EV welcomes differing views on the VC? Back when my blog was a little more active, I had my fair share of posts by other authors, which I disagreed with, but I wanted to foster debate. Maybe that’s EV’s motivation here?

        1. SHG Post author

          That’s possible. One thing that dissuades me is that, as the saying goes, you’re entitled to your own opinion, but you’re not entitled to your own facts. Marcus Christian’s “facts” aren’t facts.

          Another is that Eugene didn’t include any thoughts of his own at the end raising any question, no less disagreement, suggesting that he endorsed the post. It’s an inference, but a pretty fair one.

  2. skullcowboy

    “What we need right now is a clear message to the people of this country. This message must be read in every newspaper, heard on every radio, seen on every television… I want EVERYONE to REMEMBER, why they NEED us!”

    The Right Honourable Adam Sutler

  3. tim

    I disagree with Rob Graham on many things but he is completely correct here. As someone who works for companies that do have relationships with various government law enforcement entities (Secret Service, FBI, etc.) you run into a wall of general incompetence or, worse, indifference. And there are more than a few law enforcement types that never got over being the bully in high school. Why in hell do you want to work with them?

    Passing laws to force “cooperation” with law enforcement is not going to advance anything.

  4. william doriss

    There is definitely a law enforcement mentality. It’s not an occupation you or I would consider, even if invited. The term SHG used in a series of essays recently was “command presence”. That certainly has a notable ring to it. (Which is not to say there are no exceptions!)
    The more laws you have on the books, the more crooks you have on the streets, in the homes and in the offices of Amerika. It’s a weird situation where we have become the “world’s policeman”, not only abroad but at home. Police State is now a cliche. Imagine someone coming into the world today! How is he going to learn all of the laws to which he will be subject in his lifetime, and how quickly will he learn them before getting “arrested”, charged, tried and incarcerated? This cannot be good. George Orwell could not possibly have foreseen the Year 2014. He was damn close with 1984, a book which opened the eyes of many of us in the post-WWII era.

    In nature we have floods, tornadoes, earthquakes, forest fires, hurricanes and natural disasters in order to wipe the slate clean and start all over again. Just thinkin’ to myself. 7 -one = 6.

  5. UltravioletAdmin

    Overestimation is common in computer crime cases, often because of zealousness, incompetence, and saving face. The classic computer crime case is the ‘theft’ of enhanced 911 data from Bell South that led to a series of prosecutions under ‘Operation Sundevil’ against those related to the ‘Legion of Doom’ hacker club and included Steve Jackson Games (and led to the founding of the EFF). The key document the trial was based on was valued by the prosecution at $79,449.

    The cost was the technical writer to research, typist, copy fees, 31k for the server, 22k for the printer, etc. This all came from the Bell South exec who was made to look foolish by the hack, and gave those highly laughable numbers to the Secret Service and federal prosecutors who accepted it without question. The internal security guy at Bell South estimated it at less than a third of the cost.

    In the end it turns out the ‘hack’ only took an administrative document with no actual technical features. Another department in the same company freely sold their documents for reference purposes. The entire document could be ordered by mail for 13 bucks.
