mitigating botnet C&Cs has become useless

Tue Aug 8 23:10:01 UTC 2006

On Tue, 8 Aug 2006, Rick Wesson wrote:

> Last sunday at DEFCON I explained how one consumer ISP cost American business 
> $29M per month because of the existence of key-logging botnets.
>
> you want to talk economics? Its not complicated to show that mitigating 
> key-logging bots could save American business 2B or 4% of =losses to identity 
> theft -- using FTC loss estimates from 2003
>
> just because an ISP looses some money over transit costs does not equate to 
> the loss american business+consumers are loosing to fraud.

I am sure that the total cost would be less if everybody cleaned up their 
act. It doesn't change the fact that the individual ISP has to spend money 
it will never see returns on, for this common good to emerge.

If the government wants to do this, then I guess it should start demanding 
responsibility from individuals as well, otherwise I don't see this 
happening anytime soon. Microsoft has a big cash reserve, perhaps the US 
government should start demanding them clean up their act and release more 
secure products, and start fining people who don't use their products 
responsibly. Oh, and go after the companies installing spyware, in ernest? 
And to find these, they have to start wiretapping everybody to collect the 
information they need.

Otoh this added security might add up to more losses than 2B per year in 
less functionality and more administration and procedures (overhead), so 
perhaps those 2B is the price we pay for freedom and liberty in this 
space?

Always hard to find the balance.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se