People call me a lot of things. Nobody would ever call me a CIO, but after reading CSO magazine a little bit, I guess that’s basically what I am. Maybe I’m a little younger than you. A little more techy. I know my routers and code. Most of the guys I work with, they don’t like computers. They get frustrated. Lots of times they want to shoot their computers, like that guy in Colorado did. I printed out that story and gave it to one of my guys. He loved it, especially the part where the guy hung the dead computer on the wall of his bar. “I love this Colorado guy,” he said. And he passed it around to all the guys. “You have to read this story MIT gave me.” Yeah, they call me MIT, like, “Let’s ask MIT if we can set up an online account” or “Maybe MIT can make a website for that.” A website for what? For making money, what else? Isn’t that why anyone sets up a website?

Yeah, I deal with the same stuff you do. Same headaches. I’m constantly replacing and fixing stuff and trying to do whatever helps the bosses grow the business, as you call it. Bosses. I mean, bosses are the worst, right?

The Penny Stock Scam

We’re in a real boom right now. Credit cards. Gambling. You heard about that stock deal? The one that uses that new image spam? This is an old-fashioned pump-and-dump scam but with a cool techno twist. This wasn’t mine, but I know a guy who knows the guy who set it up. Here’s how he worked it.

First, he rented a botnet. That was for e-mail distribution. He pays, I don’t know, say $50Gs for a month, turns around and promises the bot-herder a taste in exchange for that month’s usage and some guaranteed uptime. You know, he says, deliver 10 million e-mail messages for me and I’ll guarantee you some back-end cash. So the bot-herder knows a kid who wrote this absolutely killer image spam application that creates the e-mail messages. Pays him a flat fee. I mean, the kid could’ve asked for a lot more, but a lot of these programmers are pretty young and dumb. You wave some cash and they think, “Flat screen TV!” Anyway, he tells the kid to make the program create advertisements for pink slip stocks, those unlisted ones that trade for pennies. It all gets done in like 15 minutes after they get some of the basic wording down.

So then this guy sets up offshore accounts online (in Brazil, I think) to collect the investments. His guys all buy something like 10,000 shares at 30 cents per. Then the botnet goes to work. Starts mass mailing the ads for the stocks. And the beauty part is those little messages get by all the spam filters because the filters are looking for text, but with the image spam all the filters see is a million different images, each one unique, even though they all say the same thing: Buy this stock. [Editor’s note: For more on image spam, go to www.csoonline.com/read/040107/fea_spam.html.] Genius.

Finally, enough people invest to drive up the price. Eighty cents a share. A buck. Two. Eventually, our guys sell, make a nice chunk of change, the stock tanks and the suckers who got in on the e-mail tip lose their shirts. Like I said, a classic pump-and-dump, but back in the day it was a lot harder to do. It required a lot of legwork, relationships with reporters and brokers. Compared to that, this is, like, nothing.

I know what you’re thinking: Who believes an anonymous e-mail that says such-and-such company you’ve never heard of is at a quarter a share now but is heading to five bucks? Hey, I don’t know, but you send out 10 million messages, you get 1,000 to invest, that’s only, what? A hundredth of a percent? I’d say the sucker population is a lot bigger than that. It was a great little business. One of those stocks hit six bucks! But then the Feds sniffed it out and suspended trading on those penny stocks in March. Maybe when things cool off, it’ll pick up again. By that time, the spam filters will probably have adjusted and we’ll have to go back to the programmers for their latest bots.

Everyone Wants ID…Just Not Their Own

The big money is in credentials. Look, the world runs on credit, and what you need to get credit are personal credentials. That’s what everyone is after right now. And that’s where a lot of our investments are: credentials for lines of credit. That TJX thing last January? No, not me. But let’s say I’ve had beers with someone who worked on that job. It sounds like the heist of the century, right? What, 40 million personal records? But really it’s pretty basic stuff.

If you want to get into the credentials market, you do three things: One, get inside access to someone who stores lots of personal data. Retail is great for that. Think about how many cards are swiped every second at those places. Two, invest in antiforensics, because once you’re in, you want to stay invisible until you’re done. [Editor’s note: more on antiforensics] Three, after you got the credentials, behave. I’ll explain that one in a minute.

I’m not saying the TJX deal went down this way, but here’s how I’d do it based on what this guy told me. Inside access. That’s easy. You spread some USB keys around. People see them and go, Cool, free dongle! Only when they plug them in, a little program installs some bots or keyloggers onto their machine. From there, you root around until you get deeper into the network. (There are other ways too. Dumpster diving for paper records and credit card statements. Paying off the custodial staff. This stuff is as old as time; computers just make it easier.)

After gaining access, it’s time to invest in antiforensics. Look, I don’t care if they can see what I did as long as they can’t see it was me that done it. We have this saying here about antiforensics: Make it hard for them to find you and impossible for them to prove they found you. We’ve got a whole bunch of software that allows us to cover our tracks and keep us basically invisible while we’re inside someone’s system. What’s great is a lot of antiforensic tools are free. They’re all over the Internet. We buy others, like encryption programs and data wipers like Evidence Eliminator. This guy I had beers with says a few guys are even experimenting with ways to make someone else look guilty. You know, send the cops down the wrong path.

At that point, you install a little program that collects the credentials. Sometimes we use ’em; most of the time we sell ’em. We’ve been working on a subscription service. You pay for access to credentials for a certain period of time. We can get $1,000 a month or more for a subscription pretty easy. That adds up. But what we’ve run into—a big problem—is that lots of guys get their hands on this information and just start buying stuff. They have no discipline. Look at TJX. Those guys got busted for using the credentials they lifted to buy gift cards for, what, like $20Gs or something? I mean, you buy a $20,000 gift card, someone’s going to notice. So don’t do Visa’s job for them. All it takes is one jerk who gets some credit and buys a Bentley to take down an entire business. Find guys who can wait to use the credentials and then, when they do, use them in a way that looks normal.

They Gamble; We Don’t

Right now, we’re setting up a service out of Costa Rica. It’s a—how do I put it?—it’s a high-risk, high-return investment service for sports fans. So how do I set up something like that? Like any project, with a lot of legwork. I’ve got to get my guy in Costa Rica to set up the back-end servers. Costa Rica’s great because everything’s available right in one building. I call my guy and say, “It’s MIT. I need some stuff.” He just walks down the hall to the ISP, gets servers and backups, and then goes upstairs to the Web developers. It’s out-of-the-box, like calling up IBM Global Services or something. There’s even a little online payment service outfit down there. We like it better than the big ones up here because those guys, they’re better with international currency and security.

After we get all that going, we’ve got to do all the testing. I’m telling you, it’s really not much different than those e-commerce projects I read about in CSO. We do the same due diligence. Same troubleshooting. Same thing with bosses yelling, “MIT, you got that site up yet? Super Bowl’s in a few weeks. Site’s gotta be up for that!” They ask for some ROI up front, by the way. It’s a little more informal than the way most of your readers do it. They’ll ask, “Ballpark, what do we gotta spend?” I give them a number. They say, “What can we clear in an average month?” I give them another number. I’m not making these up either. I ask around. I mean, that’s cost-benefit analysis right there, right? Anyway, once that site’s up and running it’ll be a nice little business…for the overseas market, of course.

Even Crooks Need Security

I invest in top-notch security because, believe me, gaming sites are constantly dealing with extortion. Criminals. Not a day goes by when a site doesn’t have some Russian hacker launching a DDoS attack, asking for cash to call it off. We encrypt everything, and we’ve got pretty severe authentication for access. We don’t outsource or contract the security. We keep it in-house. I pay my security guy well. I’d say about 25 to 30 percent above what you’d pay. Met him at the Black Hat conference in Vegas a couple of years ago. I liked him right away because he wasn’t presenting or bragging about what a hotshot he was. He was in the back, taking notes, trying to learn. Quiet. I knew right away he’d fit in.

I’ve also tasked him (that’s how you say it, right?) with internal security. Basically, his job is chief privacy officer for a bunch of guys who really value privacy. All this technology—phones, the Internet—it’s all great for making money, but the problem is, everything gets logged. My security guy has written and used lots of antiforensic tools to erase those logs, and I’m comfortable telling my boss we have better privacy than the big banks. My security guy knows how to disable the GPS in our cell phones. He’s building some routing programs, sort of like that Onion Router project that, like it says on their website, “prevents the transport medium from knowing who is communicating with whom” so that anything we send over the Internet is scrambled through different routes and hops all over the world, completely anonymous and untraceable. And everything, I mean everything, is encrypted. Say someone stole the servers we keep here at the home office. My guy designed it so that really only two people can access the data: me and him. We have the private keys and no one else does. Not even the boss.

My Kind of Guys

The guys I keep, or keep on a kind of retainer, are the ones that show me something extra. We had one guy who came to us selling a great new way to set up temporary international cell phone accounts, using credentials bought in the identity market. Guys will pay a lot for a disposable international cell phone. We bought some and were so impressed we decided to get into business with him. He set up the phones; we handled distribution. I asked the guy what else he was working on. He flips his laptop around and shows me his own website where he’s auctioning off credit credentials to the highest bidder. Slick. I said to him, “You could be our R&D.” He said, “Cool.” And that was that.

Compared to you guys, I’m pretty lucky with talent. My guys are way ahead on the technology. They work hard. They’re innovative and entrepreneurial. I think they’re some of the most talented IT staff around.

Alignment Among Thieves

Actually, there is one way you and I are different. I read all those stories in CSO about how hard you have to work to align technology with the business’s goals. That’s one problem I don’t have. My bosses don’t let me spend a dime on anything that’s not going to make them money. Why should they? And I wouldn’t even think about investing in a huge project that might fail to live up to expectations. I don’t get play money to buy technology that doesn’t work. I don’t have vendors paying the freight to conferences at swank resorts to convince me to invest in something that’s half-developed and overhyped. I never use jargon. I spend zero time doing PowerPoints. Speculation? That’s not part of our business model. So maybe I don’t get the newest gadgets all the time but, man, I’m aligned. With the bosses. With the business. There’s really no other choice, you know?

Send feedback to Senior Editor Scott Berinato at firstname.lastname@example.org.