mitigating botnet C&Cs has become useless

Sean Donelan sean at donelan.com
Tue Aug 8 23:18:44 UTC 2006


On Tue, 8 Aug 2006, Rick Wesson wrote:
> Last sunday at DEFCON I explained how one consumer ISP cost American business 
> $29M per month because of the existence of key-logging botnets.

Why did you attribute responsibility for the cost only to the consumer 
ISP?  How much of the cost should be attributed to the PC OEM, or the 
software developers, or the American business, or the ....?

If the consumer changes to a different consumer ISP, are they now secure?
Or is the same compromised computer still compromised regardless of what
ISP the consumer uses?

On the other hand, if the consumer changes from one popular brand of 
operating system to a different brand of operating system, or doesn't
use P2P software, or doesn't download free naked celebrities, has their 
risk exposure to key-logging botnets changed?  Even if they keep the same 
ISP?

If the risk stays the same with different ISPs, but the risk changes when
you change something besides the ISP, perhaps it would be better to 
associate the cost with the things that more directly affect the risk.

> you want to talk economics? It's not complicated to show that mitigating 
> key-logging bots could save American business 2B or 4% of losses to identity 
> theft -- using FTC loss estimates from 2003

What are the economics of American businesses mitigating key-logging bots?

How much security would you get for an additional $20 per year per on-line
user?  Spending more than the losses wouldn't save American business 
money.

How much of a difference would it make?  How many American businesses
provide "free" security software or one-time tokens or smartcards to their 
online customers?  How long did it take criminals in Europe to figure out
how to get around those security measures?  How many banks pay to fix
their customers' computers after a key-logger bot steals their bank 
account information?  Why don't banks re-issue credit cards or notify 
their customers after every report of a compromised account?

> just because an ISP loses some money over transit costs does not equate to 
> the loss American business+consumers are losing to fraud.

Postal inspectors have the authority to investigate and arrest people for 
mail fraud.  Where are the Internet inspectors with the authority to 
arrest people?
