• United States




In the security world, the good guys aren’t always good

Jul 07, 20154 mins
CybercrimeData and Information SecurityHacking

It's hard enough to fix Internet security without bad behavior from many of the entities that are supposed to be protecting our interests

Reading about the widespread bribery and corruption of public officials supposedly hired to catch Columbian drug lord Pablo Escobar reminds me of the current state of computer crime. In both instances you have criminal interests making hundreds of millions of dollars while the very entities that could easily bring them down only watch or, even worse, participate.

Computer crime isn’t going to diminish anytime soon. No one is taking the steps necessary to significantly decrease malicious hacking. This conclusion is strengthened by all the supposed law enforcers who could assist, but make bigger profits by allowing cyber crime to continue. No, I’m not talking about antimalware companies. I think most, if not all, antimalware players truly want to be the company that eliminates malware, though that will never happen.

I’m talking about corporate interests, law enforcement agencies, and governments that readily allow badness to happen on their watch.

Corporate interests

Everyone hates spam except spammers — and perhaps the companies whose products spammers peddle. For example, in his best-selling “Spam Nation” book, Brian Krebs reveals compelling evidence that some billion-dollar pharmaceutical companies allow pharma spam to continue unabated because it serves their interests.

If the pharmacy industry did more to stop illegal pharma spam and drug purchases, they would have to admit in court that most of the drugs sold are legitimate, which might lead to more people buying cheaper prescription drugs over the Internet. According to Krebs, multiple pharmaceutical-sponsored pharm spam studies were prevented from being released to the public after the sponsors deemed such information would be damaging.

It’s not only pharmaceutical companies that could do a better job. As detailed in Krebs’ book, for many years, most credit card processors helped facilitate billions in illegal transactions until the heat got too hot. Eventually the right pressure was applied, and today, most credit card processors work hard to block illegal transactions.

Krebs alleges the same profit motive with a portion of today’s online tax preparation industry. In multiple columns this year, Krebs has alleged that tax-prep companies could block tax fraud, but speculates they don’t because they get the tax prep fee either way.

“Spam Nation” also details routine payments made by spam-sending companies to government officials, law enforcement, and police. The very entities that are supposed to be stopping spam and online crime instead accept large payments for looking the other way. Sometimes it seems that illegal entities shut down only when their bribes have been trumped by those of their competitors.

Government interests

Many countries have a huge interest in allowing computer crime to continue. Let’s start with China, which is leading the world in stealing other countries’ secrets.

For years I have defended China only to conclude, finally, that the Chinese government must be in on — and explicitly allowing — Internet crime to occur. China controls its domestic Internet as effectively as any totalitarian society in the world. Chinese hackers could not do the stuff they do unless directly or tacitly allowed by their government.

I don’t mean to pick on China. I have little doubt many countries are participating in Internet crime — but they get caught less. Nonetheless, every country’s spy agencies have long lists of software and hardware vulnerabilities, which are unknown to the general public. It’s literally their job to have these vulnerabilities catalogued and to use them when called upon.

Sadly, I long ago stopped believing that we — meaning our global society — will fix Internet security in a meaningful way, mainly because we humans aren’t so good at being proactive. We’re much better at responding to disaster … again and again.

It’s even more depressing when you think about all the interests that don’t want it to be fixed. Certainly, most of the world’s governments don’t want a strong and secure Internet in which all traffic streams are confidential and all hackers can be immediately exposed. Nope, I suspect that most of the world’s governments will fight tooth and nail to stop a more secure Internet.

We live in a complex world. Sometimes, the good guys aren’t so good.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.

More from this author