October Surprise

Hi Uri,

I loved the Enigma machine, 70 years ago it was one of a group of innovative tools, although still physical, rather than digital, in the vein of somewhat earlier Alberti devices from the 1400's. While the Brits did a good job to crack it and more importantly, keep it quiet, they were only up against a German improvement on a 13th century idea.

It is now 2008 and there are 'improved' versions. Perhaps compare a 1938 race car of the day with the modern F1 equivalent and it provides some reference. Perhaps an improvement would be where it didn't matter if the device fell into the hands of the enemy, the fatal blow for the Germans and stroke of luck for the Brits. It was clearly a flawed concept.

Alan Turings approach wouldn't work against todays equivalents, but I'm sure he was bright enough to think of a different approach, however it is easy to deliver messages incapable of being 'broken' in todays world in ways that even Turing could not defeat.

I have, as a hobby, been working on one a little larger, and it's a little more user friendly because you don't have to keep swapping cogs or jiggling levers. The digital world certainly provides for more possibilities. It also means that Turing's approach with the Bombe can be deployed more quickly and effectively so those Medieval style systems will no longer suffice.

I don't think October Surprise was really the best title for your blog, I certainly wasn't surprised at all - and perhaps neither should you have been. Maybe I need to start being less subtle. I notice the jump in the graph started at almost the minute I was writing More's Law. Curiously if you invert that graph it looks remarkably like the google share price for the same period.

By the way it's great to see RSA with all those antique encryption machines. It sure is a lot easier to carry your current offerings in a pocket.

As always I appreciate your comments Dean – but the title managed to confuse you. It is not the industry who got surprised. It is the fraud underground, who probably expected a quiet October as many security companies and IT security professionals in Europe get ready for RSA Conference. Well, they were wrong, and got an unpleasant October Surprise.  

Pardon my misunderstanding. I lost concentration at the point about 'striking fear' into the 'fraud underground' by arresting 56 fraudsters.

I seriously doubt that this will cause any fraudsters to lose much sleep, apart from possibly those 56 individuals arrested.

Do you perhaps have any numbers on how many fear struck fraudsters there are out there?

While I, as much as anyone in the industry, appreciate the fine efforts of law enforcement, I don't imagine that this puts a dent in things, certianly in the absense of complete information about the 'bust'. In the past I have noticed that law enforcement seems to be many years behind even the average fraudster, a view supported by your comment that this network and trojan has been around for several years operating perfectly well without any interference from law enforcement. The RSA blog  even expresses surprise that they still used it for so long. The fraudsters too, are probably just as surprised.

The usual plan smart fraudsters use is to utilise an exploit and get their returns, then pass the exploit on to others, effectively obfuscating the original perpetrator's involvement and leading law enforcement off on a secondary wild goose chase. Hence my comment about not knowing the full details. The statements on the RSA blog about it previously being hosted with associates of the Russian Business Network and switching to other host arrangements could support that view.

In most cases the crux of the exploit is to gain information which may be used whenever the fraudster feels it is convenient. For example  - it's Christmas, they want to buy some gifts and have a holiday, so  out come the fruits of their previous labours and exploits. The exploit is no longer required because they already have sufficient passwords and account details to carry out the frauds. Not an exploit in sight.

What does law enforcement do in this case? Generally nothing - and it is left to the customer to prove to the bank that they did not withdraw the funds or buy the item.

We aren't the only ones who realise that law enforcement resources are insufficient to investigate every small fraud, and even the big ones seldom get investigated unless, such probably what occurred as in this case - the 'industry' no doubt assisted or simply handed the investigation to law enforcement on a platter. That is not a criticism of law enforcement - they have their limitations set by others.

Just as a reality check, do you happen to have the numbers on how many fraudsters are actually successfully prosecuted?

I have an inkling it is such a small percentage of the total that the thought of being apprehended by law enforcement is the least likely scenario to 'strilke fear into the hearts' of fraudsters.

October was not 'Shock and Awe' in the cyber fraud war and I don't believe that any amount of spin will make it so.

Cheers.

Dean,

Let me take you back to the Enigma machine.

Cracking the Enigma code was a major breakthrough, but no one claims it was the most important factor in the success of the Allies' campaign. There are a huge number of contributors, from individuals to technological advancements to tactical improvements.

Just take one historic example: the battle of the Atlantic. For years it was completely controlled by U-boat 'Wolf Packs', which were so effective in cutting Britain from fuel and supplies that in early 1943 there was talk of ceasing the war effort.

But in mid 1943 the tide turned through a combination of smart leadership by newly appointed Admiral Horton of the Royal Navy, technological advancements such as the Active Sonar, hit-and-explode depth charges and next generation radars, as well as new tactics used by allied aircrafts and escort ships.

It took several months to reverse the economical equation of sinking more ships than what the US could replace. This made U-boats less of an ultimate weapon.  

I believe the same applies to the battle over Internet Fraud. Do 56 arrests leave a dent in the economy of online crime? Yes, at least in the immediate future, if you consider the fact fraudsters believe they are not supposed to be caught. Does this win us the war? No, and no one claims it does.

It's not a war we expect to finish anytime soon. It's not a duel that any single bullet will decide. No, my friend, this campaign against online fraud, this arms race between the industry, helped by law enforcement, anti-fraud technologies and each and every one of us as an individual consumer on one hand, and the legion of criminals on the other hand, will continue to rage – but this doesn’t mean we cannot celebrate important victories and applaud the brave lads and lasses who work hard fighting the bad guys.

Hi Uri,

I agree with you in regard to the celebration of victory in a minor battle, and I did congratulate the efforts, however winning a battle in what increasingly looks like a lost war war put's a damper on the celebrations.

Back to to that other war. A great Australian and family friend - Sir Mark Oliphant and I had discussions about aspects of the war and I believe that technology ultimately provided the victory. The most important technology was radar, as it provided both early warning of incoming attack, and also the means to direct an accurate attack against an enemy target. In the Pacific, the Japanese were also defeated by technology, a rather special bomb.

I equate the current state of the war against fraudsters as akin to WW2 before radar and lacking the atomic bomb to deliver the crushing blow. In our present case, the crushing blow will not be able to be delivered in one hit, a bomb, or a silver bullet, however until we have the technology - the radar - the early warning prior to the attack hitting and providing us with the means to direct our response at our attacker, we will be in the same position as Britain was at that stage of the war - very vulnerable. being hit more every day and in grave danger of being defeated.

In this case the defeat will be loss of consumer trust in the financial instruments and institutions and the economic cost of stalled progress.

There are other parallels and one I identify with is the discouragement and tribulations faced by the British scientists who went to America to warn of the possibility of a nuclear weapon. They were turned away, ignored, and only with persistence did their message get to the US President. Fortunately he subsequently became an enthusiastic supporter of the development of such weapons and the rest is history.

Here is some information.

It was at the Cavendish, for example, that the atom was first split in 1932. Amongst other research, Oliphant worked on the artificial disintegration of the atomic nucleus and positive ions, and he designed complex particle accelerators. Oliphant's contribution to this work was his discovery of the nuclei of helium 3 (helions) and tritium (tritons). He was also the first to discover heavy hydrogen nuclei could be made to react with each other (tritons and helions being the products, along with protons and neutrons). This fusion reaction is the basis of a hydrogen bomb and fusion power reactors. Ten years later, American scientist Edward Teller would press to use Oliphant's discovery in order to build one.

Mark Oliphant was at Birmingham, in 1940, Otto Frisch and Rudolf Peierls had calculated that a uranium-235 atomic bomb was feasible. Oliphant took their findings at once to higher authority. A committee, code-named Maud, sent the report to the US "Uranium Committee" around March 1941 but the Americans took no action.

Britain was at war and felt an atomic bomb was urgent; there was less urgency in the USA. Mark Oliphant was one of the people who pushed the American programme into action. Oliphant flew to the United States in late August 1941 in an unheated bomber, ostensibly to discuss the radar programme but was actually tasked to find out why the United States was ignoring the Maud Committee's findings. Oliphant said that "the minutes and reports had been sent to Lyman Briggs, who was the Director of the Uranium Committee, and we were puzzled to receive virtually no comment. I called on Briggs in Washington, only to find out that this inarticulate and unimpressive man had put the reports in his safe and had not shown them to members of his committee. I was amazed and distressed."

Oliphant then met with the Uranium Committee. Samuel K. Allison was a new committee member, a talented experimentalist and a protege of Arthur Compton at the University of Chicago. Oliphant "came to a meeting," Allison recalls, "and said 'bomb' in no uncertain terms. He told us we must concentrate every effort on the bomb and said we had no right to work on power plants or anything but the bomb. The bomb would cost 25 million dollars, he said, and Britain did not have the money or the manpower, so it was up to us." Allison was surprised that Briggs had kept the committee in the dark.

Oliphant then visited his friends Ernest Lawrence, James Conant and Enrico Fermi to explain the urgency. Lawrence then also contacted Conant and Arthur Compton. On July 1, 1941 Vannevar Bush, chairman of the National Defense Research Committee, created the larger and more powerful Office of Scientific Research and Development (OSRD) which was empowered to engage in large engineering projects in addition to research. The Uranium Committee became the S-1 Project of the OSRD and in December 1941, following the attack on Pearl Harbor, the Manhattan Engineering District was built, and the project was dubbed the Manhattan Project.

I feel exactly like Sir Mark Oliphant did when the warnings were initially ignored. I don't have the nuclear bomb, as I belive such 'solutions' are crude and particularly inappropriate in this case, however I do have the 'radar', or it's modern equivalent.

Best regards.

Apoligies for the spelling and grammar errors but I just whizzed of a quick response and don't have the benefit of an editing team.