Monthly Archives: September 2011

DarkMarket: Misha Glenny on digital crime #RSAGlenny

Misha Glenny has been doing the rounds promoting his new book “Dark Market”, and I caught his talk at the RSA. Subtitled “CyberThieves, CyberCops and You”, Glenny explained that the book aimed to look at the threats from cybercrime, cyberwarfare and (computer-mediated) industrial espionage in the 21st century through the cipher of DarkMarket, an illegal online operation.

He categorised cybercrime into three different type:

  • carding – high volume, low impact fraud and theft through a variety of means (including skimming, phishing and similar scams
  • industrial espionage and attacks, including sophisticated denial of service attacks targeted at organisations
  • cyberwarfare by state and non-state (read “terrorist”?) actors

No one knows how much money is lost to cybercrime, because it is hard to measure: countries, companies and individuals can chose not to disclose their losses, and there is no central organisation collating the figures that are released. Glenny put the figure at somewhere between $100bn and $1trn a year; perhaps $27bn a year in the UK. That is a lot of money. (Wikipedia put the global GDP at $74trn; so perhaps 1.35% of world GDP is being lost to cybercrime every year.) Organisations such as Sony PSP, Google, RBS Worldpay, Lockheed, TJ Maxx and the US National Security Agency have all been subject to criminal activity – and most cases will not be reported to minimise embarrassment. The vulnerability to criminal action is human, not technological.

Some of the illegal operations Glenny investigated were quite sophisticated. He described an organisation called Innovative Marketing which produced, released and sold (to end-users – that’s us) infectious malware. Their various software suites and fake, malicious products generated sales of $500m over three years; they had call centres dealing with “customers”(people who had paid to install the malware under false product descriptions and promises) in several languages. The people running them – the cybercriminals – Glenny described as smart, creative, ingenious and inventive. Your typical internet entrepreneur, then.

Summarising their characteristics, he said they were generally (and almost exclusively) obsessive games players, had advanced mathematical skills, developed computer skills in their mid teens, not solely motivated by money, and had poor communication skills. And they were all male. Again, these characteristics could describe any number of web-geeks.

They developed websites, and systems to support them, promoting their illegal wares and scams on an industrial scale. (I realise that last sentence was written in the past tense; many of the criminals Glenny described have been arrested and their activities halted. But it would be incredibly naieve to suggest that others are not undertaking similar activities, or that those currently in custody could not start their trade again upon release – whatever terms the court may impose.) They started escrow accounts to hold monies for transfer between criminals who don’t trust each other.

They had a certain chutzpah. As well as the structured organisation behind Innovative Marketing, another of Glenny’s subjects ran his criminal activities from the email address (No, I’ve not tried it.) Others have created videos to publicise and sell their activities.

One of the issues Glenny identified was the lack of research into the “hackers” (used in its popular rather than technical use). They are simply treated as criminals, and the police and security services are failing to learn from them. Cutting them off from the internet and technological communications is often a condition of their sentence; but these are highly technically-minded people for whom this is the main way they could legally earn a living. The technological criminals, with poor communication and social skills, are easier to catch than the “criminal brains” behind the operations.

In the main, the technological criminal represent an untapped resource. Who better to design and test security systems than hackers? It is possible that hackers may be in the employment of some security services: the FSB, the Russian security service, may be active or complicit in some criminal activities (apparently, the FSB keeps a mirror copy of all data transferred by Russian internet service providers, so they would be able to identify and track unusual activity); the Stuxnet worm which attacked Iranian nuclear systems may have been developed and distributed by US, Israeli or Chinese security services, implying that they were working with hackers. It is believed that the Chinese security services employ 2,000 to 3,000 hackers directly.

Glenny also believed that by studying and learning from hackers, it would be possible prevent them starting illegal activities. They generally start their criminal behaviour when teenagers, suggesting that school would be a good place to start identifying and rehabilitating them. Glenny’s only advice to avoid digital crime and hackers was to use Macs. But of course, if everyone did that, the hackers would attack that platform, too…

The Tip of a Talent Iceberg…

Last week’s issue of the Economist had a special report on the future of jobs, in particular the changing nature of work and the paradoxical mismatch between rising unemployment and unfilled demand for skilled workers.

It is an interesting series of articles – there’s a lot to mull over there – but one thing which caught my eye was what they described as “an intensifying war for talent” – employers competing with each other for high skilled workers.

I have always found the description of workers as “talent” curious; it makes me uncomfortable. How many employers would seek out untalented staff? The large bank where I used to work had a bit of its HR department designated “talent management”, focussing on the “top” 1,000 to 2,000 employers (about 1.5% of the total workforce). This cadre of managers had large resources spend on their training and development – I can’t remember the figures, but the budget for development of the “top” 5% was something like the amount spent on the remaining 95% of staff – those that weren’t talent, that is.

Did I mention that this was in a bank? You may guess where this is going…

Definitions of those that constituted “talent” were difficult to come by and sometime contradictory (part of the reason why those in “talent management” sometimes talked about the top 1,000, sometimes the top 5%).

Focussing so much on the top 5% created an elite; indeed, within the top 5% there were various sub-divisions, creating a strict hierarchy, each level receiving different development opportunities (so everyone knew what level they were, and it was apparent to those outside, too). Selection for the various programmes was assessed on performance and competences – so those on the various programmes were pretty similar and ticked the same boxes – and fitted (rather than questioned) the company’s model.

I understand an organisation doing what it can to identify, recruit and retain the people in the organisation it is counting on to succeed; the trouble is what this says about the organisation – its culture and values. The bank was effectively saying that it didn’t believe 95% of its employees were worth much (reflected in its remuneration policy, too). The way to gain status in the firm was to be part of the elite – largely white and male. It created a very macho culture at senior levels.

And we all know where that led [PDF].

The Future Now.

I recently spent the weekend on Skye, climbing with a group of friends and former colleagues. Between us, we spend a fair bit of time travelling between London and Edinburgh, and we were discussing the train journey between the two cities, and points in-between: the east coast route, or the west.

It quickly degenerated into the modern equivalent of Monty Python’s “Four Yorkshiremen” sketch. One guy complained about the wifi on the train; another how there were 3G blackspots on the west coast route, so he couldn’t respond to emails on his Blackberry.

I had to stop them and point out quite how much they were taking for granted.

We were all of an age – part of the post-war baby boom. I used my first computer in 1982, doing some stats for my degree; I bought my first computer (a BBC Micro) to write my thesis in 1985.

When we were growing up, phones were attached by a wire to the wall (and, basically, that’s how it was until about 10 years ago – not that long); if you weren’t at work or at home and you wanted to make a phone call, had to queue in the rain to put coins into a slot in a phone box. If you could find one. And it was working.

Email didn’t really start to be used until 1990, about twenty years ago. When I first started working, if I wanted to send a business letter to someone, I would dictate it or draft it by hand, pass it onto a typist, correct their draft, probably correct it again, and then sign it, put it in an envelope and stick it in the mail. (By this point, typists were using word-processors – stand-alone computers; before that, they’d have had to type it out each time I corrected it.  Computers weren’t commonly networked for another five years or so – to move a file from one computer to another, you’d copy it to a real floppy disk and physically move it. I still have box-loads of unreadable 5½-inch floppy disks. Yes, there were lots of jokes about 5½-inch floppies…)

Music came on vinyl (it smelt better, and still does, thank god) or cassette tapes; you had to go to a shop to buy it, and anything else. To play that music before about 1982, you had to be indoors – no iPods, MP3s or even Walkmen (for me, mobile music started in 1985, when I bought a Walkman to keep me company on the same east coast route between Edinburgh and London).

You could only find out the price of things, the times of trains, even phone numbers – just about anything – by going to a shop or going to a library and looking it up in a book. You had to remember (or write down) phone numbers you used a lot – and you literally dialled them, rotating a numbered dial to produce the number (you had to stick your finger in a hole in the dial to move it).

An Old Phone Box

An Old Phone Box (image by Graham Woolrich on flickr, used under a Creative Commons licence)

The internet didn’t exist for most users until 1991 or so – that’s only twenty years.

When I was regularly heading up and down the east coast line in the mid-1980s, the thought that I could carry all my LPs in my pocket, reading communications written by people anywhere in the world on my handheld computer, watching videos they’ve recorded and shared, making phone calls as I speed along – well, if you’d told me that, I’d have said it was science fiction – the future.

The future really is now.

It is frankly boggling – something to be amazed about. We really shouldn’t take it for granted!

(All this reminds me of this rather excellent video, “Everything is amazing and nobody is happy”. Actually, he says just what I mean – only he’s funny, too!)

(The title of this post comes from a

“The Armchair Economist” – purely average

I’m quite interested in economics; I’m not an economist, though I have done some economics classes over the years, and I find popular economics books like Levitt and Dubner’s Freakonomics and Harford’s The Undercover Economist fascinating. In another life, I might have been an economist.

I recently read the first of this style of popular economics books, Steven Landsberg’s The Armchair Economist: economics and everyday life, originally published in 1993.

Some of the book was interesting; some baffling. But much was irritating and badly written or edited, too.

He brings it on himself. In his chapter “Choosing Sides In The Drugs War”, he lambasts Richard J. Dennis for “the most poorly executed cost-benefit analysis ever to appear in print” (p95), in which (according to Landsburg) Dennis counts “costs as benefits… benefits as costs, omitting a variety of important factors on each side of the ledger, and double counting some of those that he remembers to include” (ibid).

And then in the later chapter “How Statistics Lie”, Landsburg writes this paragraph:

“Suppose that initially we all have incomes of $50,000, with no inequality whatsoever. Now a change in the economic causes half of all incomes to fall to $40,000 while the other half rise to $100,000. You might think that half of all households are worse off and the other half are better off. But if we all take turns, so that half of us earn $40,000 in the even-numbered years and $100,000 in the odd-numbered years while the rest of us do the reverse, then we all average $70,000 a year and we all win.” (The Armchair Economist, p133.)

This is undoubtedly true. But it is also meaningless. If the economy Landsburg writes about has 100 people in it, the initial state is total income of $5,000,000 (average income $50,000); Landsburg then waves his magic wand (and I bet governments throughout the world wish they could do the same just now!) and 50 people earn $40,000 and 50 $100,000 – as Landsburg says, average $70,000 with total income of $7,000,000. Or, he could equally well wave his wand and everyone’s income could rise from $50,000 to $70,000 – with no increase in inequality.

All that Landsburg has shown, I think, is that if the total income goes up, the average income goes up.

Who’d have thunk it?

(It is of course possible that I am missing something. In which case I will be glad to be enlightened!)