Shostack + Friends Blog Archive


"You will eventually be caught"

I believe that if you are a low- to mid-skilled intruder physically located in the United States, you will eventually be caught. The days when hardly anyone cared about prosecuting digital crime are ending. The FBI has 13 Computer Hacking and Intellectual Property (CHIPS) units with plans to open more. The Computer Crime and Intellectual Property Section (CCIPS) are available to US Attorneys across the country. The Secret Service operates 15 Electronic Crimes Task Forces. There are 5 Regional Computer Forensic Laboratories operating now with 8 planned to open in the coming years. The Internet Fraud Complaint Center (IFCC) is taking reports from victims of cyber crime and the National White Collar Crime Center supports law enforcement efforts. All of this adds up to a lot of federal, state, and local police working to bust bad guys.

(From Richard Bejtlich’s TaoSecurity.)

This feels wrong to me. Investigating computer crimes is still a very labor-intensive process.
(I’m experimenting to see how MarsEdit handles extended entries.)

To be able to say that intruders will ‘eventually be caught,’ we need to know:

  1. How many individuals are in the target population, and how fast that’s changing
  2. What the “bandwidth” of those labs is, and how fast that’s changing, and
  3. What the statute of limitations is on the crimes being committed.

It’s a sad comment on the immaturity of our industry that I don’t think we have hard numbers on any of those things. But we can estimate a little. There are about 6,000 attendees at Defcon. If we assume that half of those are Feds, and half of the remainder are professionals left over from BlackHat, that still leaves us 1,500 potential script kiddies and crackers. If we assume that 2/3 of them are posers and wanna-bes, that’s still 500 people. If we total up Richard’s numbers, there are 33 centers. Let’s say that each can handle 5 investigations at a time. That’s 165 intruders caught per year out of 500, or just about a 1/3 chance.

This analysis assumes that computer crime resources are tasked with tracking down the low level attackers. There are other computer crimes that require investigation, which drive the odds even lower.

To be fair, Richard makes no claim that you will be punished, only caught. But what about the odds that you’ll be punished? Deterring crime by catching and punishing offenders is thought to work on something like an “expected punishment” model: Criminals guess how likely they are to be caught, and what the punishment will be, and then make a payoff decision. I don’t have a good estimate of how many arrested computer criminals are convicted.