BBC 'vague' reporting again!
Ian Batten
ukcrypto at chiark.greenend.org.uk
Tue, 2 Dec 2008 14:08:52 +0000
The problem with this whole debate is it revolves around geeks
`solving' the problem of law-abiding criminals.

What do I mean by `law abiding criminals'? I mean that peculiar
creature of the pages of crypto conferences, the criminal who will
invest limitless time and effort in subtle side-channel attacks
involving terabytes of chosen plaintext, but won't put a pistol to a
key-holder's wife's head, kidnap their children, bribe them or burn
their house down. The security community has decided that break-ins
that rely on crypto and other security weaknesses are a different,
less immoral, class of crimes than rubber-hose solutions, perhaps
because they don't have friends with sawn-off twelve bores but they do
have friends with rainbow tables.

The upshot is that resources are poured into dealing with problems
that are caused by these law abiding criminals, problems whose linkage
to real harm to real people is indirect at best. Crimes like
possession of child pornography may well drive the production of child
pornography and hence child abuse, although equally it could be a
secondary market in photographs of abuse that was already happening.
But we also have crimes involving pseudo-pictures and textual material
which are further indirect, in that the most that can be said of them
is that they may have a tendency to cause unbalanced people to commit
crimes against real individuals. But this sort of investigation can
be conducted from the office, and the perpetrators are largely
pathetic losers who are unlikely to cause trouble when arrested, so
the whole sorry dance proceeds without too much adrenaline being
expended.

Meanwhile, the less law abiding criminals, the ones that do real
physical harm to real physical people, appear to be outside this
scope. They can take their victims to Doctor Thakur Singh through
nineteen pregnancies safe in the knowledge that he won't notice
anything amiss. They can take their victim to Doctor Sabah Al-Zayyat
with a broken back and be confident they won't get caught. And if
someone does chance to make a complaint, they can hide behind the
police saying that accusations are slanderous, or social workers who
are keen to help. There's no suggestion that these children could
have been protected by sooper-sekrit ninja malware attacks.

Less emotively, there isn't the slightest evidence that your bank
robbers and car-jackers are engaging in complex schemes and themes by
email, replacing the master criminal who finds the scores to be taken
down (yes, I re-watched Heat last week, what of it?) with a trip to
www.possible-bank-jobs.com. Real criminals perhaps don't have a great deal of faith in their
infosec chops, so simply don't connect their machines to the outside
world.

So the whole thing, to me, smacks of policemen who don't want to get
their hands dirty pursuing criminals whose crimes are indirect ones.
At best this might provide an avenue against the botnet brigade, but
that's never presented as one of the targets.

ian