On Tue, 8 Aug 2006, Rick Wesson wrote:
> Last Sunday at DEFCON I explained how one consumer ISP cost American business
> $29M per month because of the existence of key-logging botnets.
Why did you attribute responsibility for the cost only to the consumer
ISP? How much of the cost should be attributed to the PC OEM, or the
software developers, or the American business, or the ....?
If the consumer changes to a different consumer ISP, are they now secure?
Or is the same compromised computer still compromised regardless of what
ISP the consumer uses?
On the other hand, if the consumer changes from one popular brand of
operating system to a different brand of operating system, or doesn't
use P2P software, or doesn't download free naked celebrities, has their
risk exposure to key-logging botnets changed? Even if they keep the same
ISP?
If the risk stays the same with different ISPs, but the risk changes when
you change something besides the ISP, perhaps it would be better to
associate the cost with the things that more directly affect the risk.
> You want to talk economics? It's not complicated to show that mitigating
> key-logging bots could save American business 2B or 4% of losses to identity
> theft -- using FTC loss estimates from 2003.
What are the economics of American businesses mitigating key-logging bots?
How much security would you get for an additional $20 per year per on-line
user? Spending more than the losses wouldn't save American business
money.
How much of a difference would it make? How many American businesses
provide "free" security software or one-time tokens or smartcards to their
online customers? How long did it take criminals in Europe to figure out
how to get around those security measures? How many banks pay to fix
their customers' computers after a key-logger bot steals their bank
account information? Why don't banks re-issue credit cards or notify
their customers after every report of a compromised account?
> Just because an ISP loses some money over transit costs does not equate to
> the loss American business+consumers are losing to fraud.
Postal inspectors have the authority to investigate and arrest people for
mail fraud. Where are the Internet inspectors with the authority to
arrest people?