Stephen and Chey Cobb: Independent Researchers

Internet crime losses triple in three years, up 5X this decade to over $20 Billion

noreply@blogger.com (Stephen Cobb) — Thu, 16 Apr 2026 14:23:00 +0000

As I predicted, the topline figure in the recently published IC3 Annual Report 2025 is now over $20 billion. That is double the figure just three years ago. It makes for a truly troubling chart (see above).

This annual US government report is an analysis of losses from Internet crimes reported to the FBI's Internet Crime and Complaint Center (IC3). These losses are now running at 5X the level recorded in 2020, implying that efforts to reduce Internet crime are consistently falling short.

Follow this link to get the 2025 IC3 Annual Report, and all previous editions. They are the basis for the chart above, a chart that I have been curating and updating for over 20 years.

While there are some issues with using the IC3 numbers as crime metrics—they were not originally collected as an exercise in crime metrics—I am satisfied that over the years the IC3 report reflect real world trends in cybercrime's impact on victims, as measured by direct monetary loss (for more details, see this article: Advancing Accurate and Objective Cybercrime Metrics in the Journal of National Security Law & Policy).

For more on the history of these stats, see this extended article from last year. For more about the urgency of humans doing better at cybersecurity and cybercrime deterrence, consider what AI have to say:

As for the impact of Internet crime on human health and wellbeing, consider these articles:

Some of these articles are on Riskopia, a Substack that I have been building. Feel free to subscribe — it is free and this content will remain free.

That Was The Cybercrime Awareness Month That Was, 2025 marks a 30th malware anniversary

noreply@blogger.com (Stephen Cobb) — Fri, 31 Oct 2025 11:02:00 +0000

Hopefully, by now, you will have noticed that October is/was Cybersecurity Awareness Month. Keen observers of this blog — we know there are some of you out there — will have noticed that we have not yet posted anything for this Cybersecurity Awareness month, other than some 'tweets' on Bluesky, like this:

Cybersecurity awareness needs to include awareness of cybercrime
and its impact on human health

Or course, I did remind folks about the 31 articles on our Cybersecurity Awareness page. And rest assured, we have not lost interest in cybersecurity, or the need to raise awareness of its importance. However, three factors have been at work: 1/ Being unwell (Chey) and 2/ Caring for that unwell partner (Stephen) and 3/ A growing sense that in the cyber realm, crime is the thing about which more people need to be aware. For example:

How much cyber-related crime there is. (More that most folk realize.)
The extent to which the means, motive, and opportunity for crime are embedded in digital infrastructure. (Deeply.)
How closely the tech boom is intertwined with the crime boom. (Very.)

Ironically, I had started doing some research on point #3 earlier in the year, starting in June. That's when I noticed July of 1995 was the month in which the first macro virus (Word Concept), was spotted in the wild. And while that sounds like a minor event, in fact, it heralded a massive increase in malicious code development and deployment. And this was all thanks to a foolish decision by young men too much in love with tech, money, and their own egos. (Hey AI fans, does that sound familiar?) Furthermore, that macro virus enabled some of the biggest cyber crime waves we've ever seen, up and including ransomware attacks in 2025.

In July, I dubbed this phenomenon 'macro gold' and set about publishing an article on it. My own ego thought it would be cool if I was the first person to highlight the 30th anniversary of the Word Concept first macro virus in the wild. I could then raise my profile as "veteran expert who warned us" by riding the ensuing wave of news coverage.

So much for egos, hopes, and dreams. My care duties kept interupting my research. My research revealed that the uncovering of the Word Concept macro virus was a slow process. Technically, it was spotted and documented in July (hat tip to Gordon and Ford and the legendary Wild List). However, it took months for the story to break beyond the tiny realm of antivirus researchers.

That fact actually helped me out because I could avoid feeling guilty for not getting my article out in July. But I didn't get it done in August eiter. I did manage to put Macro Gold up on Substack in September, but very few people noticed it, and continuing care commitments limited my ability to drum up interest. By the time October arrived and we entered Cybersecurity Awareness Month I was running low on energy and enthusiasm.

As October ends, I note yet another news story highlighting the vulnerability of technology from Bill Gates company, notable Microsoft's cloud product Azure. This was to blame for global web service outages impacting Britain's biggest airport (Heathrow) and bank (NatWest), plus Minecraft and other big names. hitting over 1,000 companies and affecting millions of internet users." — BBC News

This followed news that AWS cloud services from the company built by fellow techbro billionaire Bezos had taken down "major social media platforms like Snapchat and Reddit, banks like Lloyds and Halifax, and games like Roblox and Fortnite." — BBC News

Another notable reminder of just how much crime our over-reliance on weak technology has enabled landed very close to my actual home this October: the criminal hacking of Jaguar Land Rover, a company synonymous with Coventry, the city in which I was born and now live. As Secure World's Cam Sivesind put it, this is "a chilling case study in the true cost of systemic risk—moving far beyond lost data to encompass crippling financial losses, manufacturing disruption, and supply chain contamination." — SecureWorld

As another annual cybersecurity awareness month comes to an end, let's hope the world will learn from the growing list of major cybercrimes, learn that they are rooted in:

the failure of humans to exercise adequate care when developing and deploying technology,
a shortage of moral character that leads to the exploitation of technology for theft, fraud, and profiteering, and
a huge cognitive gap that seems to stop humans heeding experts, over and over again.

AI pirated our books on network security and cryptography: we're up for Bartz v. Anthropic

noreply@blogger.com (Stephen Cobb) — Sat, 06 Sep 2025 16:45:00 +0000

Have you heard the one about the multi-billion dollar, Amazon-backed artificial intelligence (AI) company that stole digital copies of seven million books and used it to train its chatbots? I have not only heard it, my partner may be part of it.

An unknown number of the two dozen books that we have authored since 1992 were among the pirated volumes that the company known as Anthropic downloaded and used without permission. (There's a list of them down below.)

Thankfully, several authors sued Anthropic in a case that is referred to as Bartz v. Anthropic. The Authors Guild says the class action suit was "brought by authors against an AI company for using books without permission to train large language models." (Source)

An example of an unauthorized scan
of a book that was probably among
the 7 million that Anthropic
used to train its LLMs

In other words, Anthropic had engaged in mass digital piracy—downloading digital scans of thousands of books from illegal archives—to build its AI technology, technology that is now generating billions of dollars. At least, that's what Anthropic says:

"At the beginning of 2025, less than two years after launch, Anthropic's run-rate revenue had grown to approximately $1 billion. By August 2025, just eight months later, our run-rate revenue reached over $5 billion—making Anthropic one of the fastest-growing technology companies in history." (Source)

The suit against Anthropic was filed by fiction author Andrea Bartz (We Were Never Here) and two nonfiction authors Charles Graeber (The Good Nurse) and Kirk Wallace Johnson (The Feather Thief).

In June 2025, Judge William Alsup of the U.S. District Court for the Northern District of California found that Anthropic's piracy was not fair use. Now Anthropic has agreed to pay $1.5bn (£1.11bn) to settle the lawsuit. (Source)

However, Chey and I do not expect to receive any money any time soon, if at all. As with any lawsuit, there's a lot of small print. Here is what some of it means, as described by the Authors Guild:

The settlement agreement discloses that approximately 500,000 titles out of the 7 million copies of books that Anthropic reportedly downloaded from LibGen and PiLiMi [libraries of pirated copyright material] meet the definition required to be part of the class after accounting for duplicates and non-eligible works. That means that after attorneys’ fees and other expenses are deducted, rightsholders can expect approximately $3,000 total per title, which will be shared among the rightsholders for that title (if there is more than one rightsholder). (Source).

I definitely own the rights to two of my books, one through reversion, and the other because it was self-published by me (as Dreva Hill Press). The rest were standard publisher contract books. What is not mentioned in the superficial mainstream media coverage of this case is that the per book payment is subject to a default 50/50 split between authors and publishers.

And did you notice that the settlement only covers a small percentage of the books of which Anthropic made illegal use? The 500,000 titles covered by Bratz = 1/14 or just over 7%. We do not yet know how many of our books are included in that 7%.

Supposedly, a list of works included in the settlement will be published in October. The website for his will be here: Anthropic Works List Lookup.

A selection of books by Stephen and Chey Cobb
(Most are over 600 pages in length)

Irony and Ethics

Ironically, the copy of Cobb's Guide to PC and LAN Security that I found in one of the illegal repositories had been scanned into a .pdf from a paper book. That's ironic because I had made the entire contents of the book freely available in .pdf files made from the publisher's originals. These are available on this website and also ResearchGate.

I decided to share the book in that way because I didn't feel right charging money for access to something that was getting on in years (technically although not fundamentally). Also, sharing digitally is relatively cheap compared to mailing somebody a 700-page book that weighs a couple of pounds (1.3kg). Just FYI, the copy on ResearchGate stats received 98,000 reads. I've never bothered to couple how many times it has been downloaded from our website.

A reasonable question at this point might be: why should anthropic pay you for downloading a copy of your book when you yourself have made it free to download. The answer is pretty simple: I made the book freely available so that people who wanted to learn about computer security could read it, which is very different from offering it to a company using it to create a product.

Our Books/Lottery Tickets

Here is a list of Cobb books possibly pirated by Anthropic, the multi-billion dollar AI company. Those authored by Stephen Cobb are listed as SC with co-authors named appropriately.

Using Reflex: the Database Manager, SC
Using Quattro: the Professional Spreadsheet, SC
Working with DisplayWrite 4 - Stephen T. Cobb
Quattro Power User's Guide, SC
The Stephen Cobb User's Handbook to Excel for the IBM PC, SC
TOPS, the IBM/Macintosh Connection, SC & Marty Jost
Using Quattro Pro, SC
The Stephen Cobb User's Handbook to Lotus 1-2-3, Release 2.1, SC
Symphony Made Easy, SC
Using Quattro Pro 2, SC
The Steven Cobb User's guide to FileMaker, SC & Chey Romfo Cobb
Using Quattro Pro 3, SC
PC Magazine Guide to 1-2-3 Release 2.3, SC
The Stephen Cobb Complete Book of PC and LAN Security, SC
WordPerfect for Windows: the Complete Reference, Steve Dyson, Daniel J. Fingerman, and SC
Quattro Pro 4 Inside & Out, SC
Quattro Pro for Windows Inside & Out, SC and Bryan Pfaffenberger
Maximizing performance with Lotus 1-2-3 for Windows, SC & Sally Powers
The Quattro Pro for Windows Book, SC, Bryan Pfaffenberger, Yvonne Johnson
The NCSA Guide to PC and LAN Security, SC
Symphony Made Easy: Covers Version 2.2, SC
Cobb's Guide to PC and LAN Security, SC
Network Security for Dummies, Chey Cobb
Cryptography for Dummies, Chey Cobb
Privacy for Business: Web Sites and Email, SC

Anthropic Investors

These include: Amazon, ICONIQ Capital, Fidelity Management & Research Company, Lightspeed Venture Partners, Altimeter, Baillie Gifford, BlackRock, Blackstone, Coatue, D1 Capital Partners, GIC, General Atlantic, Growth Equity at Goldman Sachs Alternatives, Insight Partners, Jane Street, Qatar Investment Authority, TPG, and T. Rowe Price.

Technology, human weakness, and Trump's thing for fraudsters, grifters, and scammers

noreply@blogger.com (Stephen Cobb) — Sat, 30 Aug 2025 10:04:00 +0000

When I started researching computer crimes in the late 1980s it quickly became clear that digital technology was creating a lot of new opportunities for crime, but committing crimes was an age-old human problem. The more work I did in cybersecurity, the clearer this became.

In my first book on the subject (1992), I said that ultimate success in the struggle to protect information depends not upon technology, but upon the development of appropriate ethical standards for the information age. When I produced a new edition of that book (1996), I observed that the need to promote ethical behavior in all aspects of business and personal life would remain a priority if we wanted to avoid crippling powerful new technology with ancient human weaknesses.

1996 quote about technology and human weaknesses

So what does this have to do with Donald Trump, the convicted felon now ruling America? Well, in my opinion no American in recent memory has done more to damage ethical standards and normalize unethical behavior. My opinion is based on facts and this post lists just one category of these: the pardons and commutations he has issued to other convicted felons, frauds, and scammer.

Here are 10 pardons and three commutations that are particularly egregious in terms of lowering ethical standards and normalizing crimes of fraud and deceit, with references below that lead to more.

Ross Ulbricht, created the Silk Road dark web marketplace for selling drugs and ordering murders
Trevor Milton (Nikola founder), securities fraud that cheated investors out of more than $600 million
Todd and Julie Chrisley, convicted of bank fraud and tax evasion, having submitted false financial statements to obtain over $30 million
Benjamin Delo, Arthur Hayes, Samuel Reed, BitMEX co-founders convicted of Bank Secrecy Act violations
Rod Blagojevich, 10 counts of wire fraud, four counts of conspiracy/attempted extortion
Devon Archer, convicted of defrauding the Oglala Sioux Nation to the tune of $60 million
Carlos Watson (Ozy Media founder), wire fraud and identity theft
Brian Kelsey, defrauded US government, aided and abetted the acceptance of excessive campaign contributions
Scott Howard Jenkins, Sheriff of Culpeper County Jenkins who took $75,000 in bribes
Paul Walczak, willful failure to pay trust fund taxes, ordered to pay $4.4 million in restitution
Lawrence S. Duran, convicted of $200 million Medicare billing fraud (commuted)
Marian I. Morgan, convicted of running a $28 million ponzi scheme (commuted)
Imaad Zuberi, convicted of illegal campaign contributions, falsifying foreign agent records, obstructing investigation into the source of a $900,000 campaign contribution he made to the 2016 Trump inaugural committee (commuted and released from paying $1.75 million fine and $15.7 million in restitution

An analysis by the House Judiciary Committee is, these pardons will deprive victims and taxpayers of $1.3 billion in restitution and fines (link to report in PDF format). Many of these individuals, including Trevor Milton, were major Trump donors. For example, thanks to a donation of over $1.8 million to Trump's re-election campaign, Milton got out of prison and off the hook for the $661 million he was ordered to pay in restitution to retail.

In the case of Walczak, he was pardoned after his mother, Elizabeth Fago, donated $1 million to the MAGA Inc. investors. His conviction was for "failing to pay Social Security, Medicare, and federal income tax withholding taxes for employees of his health care companies, instead spending the money on personal expenses, including a $2 million yacht, [for which he was] sentenced to 18 months in prison and ordered to pay $4.4 million in restitution" (Wikipedia).

References:

How jagged AI botches research: an in-depth example of artificial jagged intelligence at work

noreply@blogger.com (Stephen Cobb) — Wed, 11 Jun 2025 06:00:00 +0000

Annotated screenshot of Google AI making errors describing the Vienna computer virus

During a recent research project at the intersection of artificial intelligence (AI) and cybersecurity, I had occasion to refresh my memory about a computer virus from the 1980s known as the Vienna virus. So I put the words vienna and virus into Google Search. At first glance the result delivered by Google's AI Overview feature looked quite impressive. This is not surprising because this feature, hereinafter referred to as GAIO, is powered by Google's Gemini Language Model, one of the most expensive AI models ever built, with costs rivaling Open AI's GPT-4.

Sadly, the information about the Vienna virus that GAIO so confidently laid out was both laughably inaccurate and seriously troubling (as I explain in depth below). Whether you call this hallucinating or just plain "getting it wrong," it is important to know that today's AI can tell you things that aren't true, but in ways that make it seem like they are true.

Welcome to the rough and unready world of Artificial Jagged Intelligence

To be clear, millions of people and organizations are, right now, in 2025, using a technology that has been widely praised and promoted as exhibiting intelligence, yet keeps making dumb errors, the kind that in real life would be attributed to a serious lack of intelligence. Some of these errors have been trivialized as hallucinations because they mix up pieces of information that are real but combine them in a way that produces false information (see my 2024 LinkedIn article: Is your AI lying or just hallucinating?).

I find it both weird and troubling that currently many billions of dollars are being spent to market and deploy this flawed AI technology. You would think persistent errors and hallucinations would give the leading commercial entities behind AI cause to pause. But no, they keep marching onward in the hope of progress. However, they do have a new term for this state of affairs: Artificial Jagged Intelligence.

AI leaders have a new term [jagged] for the fact that their models are not always so intelligent

That's right, Google's billionaire CEO, Sundar Pichai, recently used the term "artificial jagged intelligence or AJI" to describe the current state of AI, saying: "...you can trivially find they make errors or counting R's in strawberry or something, which seems to trip up most models...I feel like we are in the AJI phase where [there's] dramatic progress, some things don't work well, but overall, you're seeing lots of progress."

(I find it weirdly refreshing yet deeply scary that the billionaire CEO of a trillion-dollar company said that about a technology which he and his employer appear to be pushing into homes and businesses as fast as they can.)

Getting back to the jagged AI response to my simple search query about the Vienna virus, I decided to investigate how it came about. Fortunately, I am my own employer and can afford to treat my interactions with AI as experiments. In this case the experiment became: Determine the extent to which GAIO understands the history and concepts of malicious code, and explore why it get things wrong?

Here's the short version of what follows:

Google's AI Overview is an example of Artificial Jagged Intelligence or AJI, which sometimes responds to user queries with information that is incorrect.
LLMs like ChatGPT and DeepSeek, also exhibit this behaviour and I give links to examples.
AIs may not check whether the facts they present are infeasible, even though they have been trained on data by which such infeasibility could be determined.
Some AIs, like GAIO and ChatGPT, don't seem to ingest corrections (errors pointed out by users may be acknowledged by the AI, but nevertheless repeated in the future).
GAIO seems to use sketchy source weighting that gives more credence to content on some websites than others.
This seems to be true of other widely used AIs.

Bottomline: It would be foolish to publish or repeat anything that the current generation of Artificial Jagged Intelligence systems tell you unless you have verified that it is accurate, fair, and true. Such a heavy risk/reward ratio casts doubt on the value of this technology. (See: Trump administration's MAHA Report AI Fiasco.)

Where's the Intelligence in this jagged AI?

The annotated screenshot at the top of this article shows what Google's AI Overview said about the Vienna virus back in April (n.b. in this article the term virus refers exclusively to viral computer code). If you are familiar with the history of malicious code you may guffaw when you read it. Here's why:

If the Vienna virus was found in 1987 it could not have been one of the first macro viruses beecause in 1987 macros were not capable of being viral.
The 1995 Concept virus is generally considered to be the first macro virus.
The Vienna virus did not display a "crude drawing of Michelangelo's David".
I can find no record of any virus creating a "crude drawing of Michelangelo's David.
There was a boot sector virus called Michelangelo that appeared in 1991, but it had nothing to do with the artist and got its name from the fact that it activated on March 6, which just happens to be the artist's birthday.

There is more bad news: GAIO's response when asked about the Vienna virus on June 1, nearly two months after the erroneous results in April, was just as erroneous:

Screenshot of AI output that contains errors

Clearly, GAIO is not getting more knowledgeable over time. This is troubling because Google's Gemini, the AI behind Google AI Overview, does appear to have an accurate understanding of Vienna and knows that it is notable in the history of cybersecurity, as you can see in this exchange on June 1:

Screenshot of accurate AI output

At this point you might be wondering why I asked AI about the Vienna. Well, technically, I didn't. I started out just doing a search in Google to refresh my memory of this particular piece of malicious code before I mentioned it in something I was writing (pro tip: don't ever publish anything about malicious code without first doing a fact-check; malware experts can be merciless when they see errors).

In responding to my search query, it was Google's idea to present the AI Overview information, produced with the help of it's incredibly expensive and highly resource intensive Gemini AI. The fact that it was so obviously wrong bothered me and I felt the need to share that upon which I had stumbled. Because I tend to see life as a series of experiments, when actions that I take lead to errors, problems, or failures, I try to learn from them.

Applied learning and cybersecurity

When Google gave me these problematic errors, I knew right away that I could use this learning in my AI-related cybersecurity classes. (These have become a thing over the past five years as I have researched various aspects of AI from a perspective informed by my cybersecurity knowledge which has been gradually accumulating since the 1980s.)

In the process of teaching and talking about cybersecurity and cybercrime in the 2020s I have realized that many students don't know a lot about the history of malicious digital technology and this can seriously undermine their efforts to assess the risks posed by any new technology, including AI.

For example, if you know something about the history of computer viruses, worms, Trojans and other malicious code, you will have an idea of the lengths to which some people will go to deceive, damage, disrupt, and abuse computers and the data they process. Furthermore, you will appreciate how incredibly difficult it is to foil aggressively malicious code and the people who spend time developing it.

Fortunately, I know a thing or two about the history of computer viruses and other forms of malicious code (collectively malware), as well as the antivirus products designed to thwart them. This is not just because I started writing about them back in the 1980s. As it happens, the best corporate job I ever had was working at ESET, one of the oldest antivirus firms and now Europe's largest privately held cybersecurity company. (Disclaimer: I have no financial connections to ESET and no financial incentive to say nice things about the company.)

Working at ESET from 2011 to 2019 I had the privilege of collaborating with a lot of brilliant people, one of whom, Aryeh Goretsky, was the first person that John McAfee hired, way back in 1989. Aryeh has since become a walking encyclopedia of antivirus lore and helped me with some of the details of Vienna here (but any errors in what I've written here are entirely mine).

Back in the 1980s, there were probably less than two dozen computer viruses "in the wild" — the industry term for malicious code seen outside of a contained/managed environment. However, some of these viruses in the wild were very destructive and efforts to create tools to defend computers against them—such as the software that became known as McAfee Antivirus—were only just gearing up.

One such effort had begun in 1987 in the city of Bratislava in what was then the Czechoslovak Socialist Republic, a satellite state of the Soviet Union. That's where two young programmers, Miroslav Trnka and Peter Pasko, encountered a computer virus that was dubbed "Vienna" because that is where people thought it originated.

There is considerable irony in the fact that an AI today can spout nonsense about a virus found back then, because Trnka and Pasko went on to create a company that did important early work with proto-AI technology, for reasons I will now explain.

The Actual Vienna Virus

What the actual Vienna virus did was infect files on MS-DOS PCs (personal computers which ran the Microsoft Disk Operating System). Specifically, it infected program files that had the .COM. filename extension. Here is a technical description from a relatively reliable source and as you can see it differs considerably from Google's flawed AI Overviews:

Vienna is a non-resident, direct-action .com infector. When a file infected with the virus is run, it searches for .com files on the system and infects one of them. The seconds on the infected file's timestamp will read "62", an impossible value, making them easy to find. One of six to eight of the files will be destroyed when Vienna tries to infect them by overwriting the first five bytes with the hex character string "EAF0FF00F0", instructions that will cause a warm reboot when the program is run. — Virus Encyclopedia

When the programmers Trnka and Pasko encountered this very compact yet destructive piece of viral code, they took a stab writing a program that could detect the code and thus alert users. And when Trnka and Pasko achieved a working version they shared it with friends. They called it NOD, which stands for: "Nemocnica na Okraji Disku ("Hospital at the end of the disk"), a pun related to the Czechoslovak medical drama series Nemocnice na kraji města (Hospital at the End of the City) —Wikipedia.

(To me, this name reflects the ethos of many early anti-virus researchers who felt that protecting computer systems was more like healthcare for IT than just another opportunity to make money off human weaknesses.)

List of Vienna virus variants

When new viruses appeared in the wild, the NOD software was updated, but the effort required to do this kept increasing as more virus code appeared in the wild. Some of that new code was variations of earlier code and Trnka and Pasko could see that attempting to identify viruses purely by comparing all new executable code to a growing database of known malicious code would not be a sustainable long-term strategy.

Indeed, if Google's AI was really clever, it would have noted that the proliferation of virus variants is one of the most notable facts about the Vienna virus. The list on the right shows some of the dozens of variants of Vienna that were discovered in the years after it first appeared. I think I'm right in saying that there are two main reasons for this:

The original Vienna virus was a relatively simple piece of code; and
In 1988 that code was made public, notably being published in a book. "Unfortunately the source code to this virus has been published in a book: Computer viruses: A High-Tech Disease which has resulted in multiple variants of the virus." — F-Secure virus directory

Getting back to the birth of the NOD antivirus software, in the late 1980s it was clear that antivirus programs could have significant commercial value, but back then the state of Czechoslovakia was not open to private enterprise because it was a satellite state of the Soviet Union.

Fortunately, by the end of 1992, the independent republics of Czech and Slovakia had come into existence and the makers of NOD created a Slovakian company called ESET, to market their antivirus as a commercial product. (ESET is the Czech word for Isis, the Egyptian goddess of health, marriage and love, reinforcing the idea that antivirus software is intended to keep computers healthy.)

By this time it was clear to the programmers and data scientists at ESET that their heuristic approach to identifying and blocking malware was the way to go, e.g. identifying unknown or previously unseen malware by analyzing code behavior, structure, or patterns.

As the 1990s rolled on and new forms of computer viruses, worms, and Trojan code appeared — such as the macro viruses mentioned earlier — ESET experimented with machine learning and then deep learning with neural networks to implement this heuristic approach to malware detection and response.

What's worse than being wrong? Not knowing why

Naturally, I learned a lot about the benefits and pitfalls of these foundational elements of artificial intelligence during my time as a researcher at ESET. I was fortunate to interact on a regular basis with some brilliant minds working on these AI-versus-malware experiments. I recall one particular presentation about seven or eight years ago that described a neural network achieving an almost perfect result when tasked with finding instances of malicious code hidden within a massive collection of mainly legitimate code.

I say 'almost perfect' because even though 100% of the malware was successfully identified — a very impressive result — there was one very troubling false positive, a piece of legitimate code falsely flagged as malicious. Bear in mind that 100% detection with zero false positives is the holy grail of malware detection, and this test came tantalizingly close. However, the data scientist presenting these results described them as disappointing and deeply troubling because nobody could figure out why the system deemed that particular piece of good code to be bad.

That was my first exposure to the twin problems that have been called Interpretability and Explainability: the ability to understand how an AI model makes decisions (interpretability), and the capacity to provide human-understandable explanations for a model's output, even if the model's inner workings are not transparent (explainability).

Eight years on from that memorable talk, the sorry saga of the Vienna virus proves that these two problems — together with a third: reproducibility — still plague some of the most widely used AI models, systems that cost hundreds of millions of dollars to build and maintain. The reality is that today's most widely used form of AI is seriously flawed.

Guessing the Root of an LLM GPT Problem

My best guess as to why the AI feature integrated into Google Search (GAIO) jaggedly spouted nonsense about the Vienna virus goes like this:

It is optimized for speed so it responds with the first 'hit' that it gets on the search topic IF that hit is confirmed by a second source.
It uses a constrained list of ranked sources that leans on platform reputation.
It doesn't refer to past interactions about the search topic.
It doesn't perform adequate logic checks on its response.

In the case of the Vienna virus, I think the first thing GAIO found was an error-filled article on LinkedIn. I am not going to name the person who wrote the article but here is what it said:

"The Vienna virus, was a computer worm that originated in Vienna, Austria and is considered one of the first macro viruses. It was spread via Microsoft Word documents via floppy disk. The virus would infect the document template, then replicate itself by creating new copies of infected documents on any floppy disks inserted into an infected machine."

Sounds familiar, right? And the source looks very credible, as you can see here:

Screenshot of a LinkedIn article that contains errors

As for a second source to confirm the first source, that was easy to find because much of the incorrect information from the LinkedIn article was repeated in an article titled "Viruses of the 80s" on a university website in July of 2024 (perdue.edu). Again, I'm not going to name the author, but they wrote, in part: "Originating in Vienna, Austria this virus spread by way of Microsoft Word documents via floppy disks." In other words, this is the Word macro error all over again.

Was this plagiarism? Hard to say. But given the date, it is possible that the 2024 article is based on AI-generated output that parrots the 2022 LinkedIn article. And because GAIO assumes factual validity without topic-based reasoning, errors that are obvious to humans can get compounded.

All of which raises serious questions about any serious use of AI, the large, publicly available models of which are clearly not to be trusted. Relying on them in any aspect of business or service delivery is asking for trouble unless it is within a comprehensove risk management framework that includes humans in the loop.

We saw this writ large in the Trump administration's Make America Healthy Again report, which appears to have relied heavily on AI without adequate human-in-the-loop risk management (see RFK Jr.’s Disastrous MAHA Report Seems to Have Been Written Using AI). This hugely embarrassing — and very public — AI-riddled publication exposed the issue of "hallucinated" references for the whole world to see.

(As noted earlier, when I encountered the citation issue in my own work in 2024 I documented it on LinkedIn, where it was seen by a significantly smaller audience that the whole world.)

I have also documented examples of popular AIs getting facts wrong even after when they have been corrected. You can see the video version of this on YouTube.

Hopefully, these examples will help people better understand the limitations of current AIs and why they must only be used with great care.

AI turned my 6,000 word academic paper into a 5-minute podcast, without asking

noreply@blogger.com (Stephen Cobb) — Fri, 30 May 2025 16:16:00 +0000

I got a disturbing surprise in my email inbox a few days ago when a message appeared saying: "An AI created a podcast of your paper "Mind This Gap:..."

Back in 2016, I did write a paper with a title like that, a 6,000 word article about a perceived shortage of people to adequately fill cybersecurity roles. And I presented that paper, a PDF of which you can download with this link, at that year's Virus Bulletin Conference in Denver, Colorado.

But I have never considered turning that paper into a 5-minute podcast and never have I asked anyone else to do so. That's why that email was a disturbing surprise. Even more disturbing is what I found when I clicked the link in the email to experience the podcast.

I was presented with an audio player below a garbled version of the paper's title, and what I heard when I clicked "Play" struck me as shockingly bad. I knew at once that I needed to share it. First, to check my reaction. Is it really as bad as it sounds, and I don't mean the audio quality, I mean the content and the delivery style. Please give a listen:

Your browser does not support the audio element.

After I listened to the "podcast" there was a request for feedback from Academia, Inc. Out of five stars I gave it one, and in the Comments section I wrote:

This "podcast" is an appallingly bad piece of work and an atrocious waste of resources. It's a just piece of computer generated audio that lacks human review, a misleading and inaccurate fabrication delivered in a halting manner with a weird accent and banal choice of words. The whole thing is miles away from capturing the spirit, import, and stated facts of the work upon which it based. Furthermore, the value of the paper being abused for this nonsense if six years old and the recording makes no note of this. If I were to talk about this paper today it would only be in the context of how its findings have been heeded or not heeded since the time it was delivered. Stephen Cobb

If you're wondering how Academia, Inc. got hold of my paper in the first place, I am still trying to figure out exactly, but it was published on the Virus Bulletin website in 2016, not long after the conference in. For anyone not familiar with "academia.edu" it goes around finding papers and then asking authors to confirm their authorship. On the surface this is a service that can help academics build an online portfolio, and I have one (click here to view).

Yes, I did create a free academia.edu profile, and for a while I did pay to be a premium member. But I'm not a career academic at this point so I stopped paying the premium fee, partly because I was finding ResearchGate a more useful alternative.

But no, I did not, to the best of my knowledge ask, or give permission to, Academia, Inc. to allow or instruct an AI to make that thing it calls a podcast. And I suspect there may be other authors out there who are getting emails like this and wondering a. what the heck? and b. why me? and c. is it just me?

That's the second reason I immediately decided to share this experience, first on Bluesky, then more widely as soon as I can make the time to do so. On Bluesky I posted,

Attention Academics! And anyone who uses academia dot edu. The company behind this misleadingly named website just emailed me to say: "An AI created a podcast of your paper."

I included a copy of the screenshot that's at the top of this article along with a chunk of ALT text that reads in part:

The author of the paper did not ask for this to be made. To the best of the author’s knowledge they were not asked if they would like it to be made. Permission to make the audio was not requested or given. The creation of this audio by AI was entirely instigated and performed by Academia, Inc. The author of the paper, which is now nine years old, has listened to the audio and found it to be completely obnoxious: “It bears very little relation to the meat of the 6,000 word paper it is supposed to be analysing.” The author has asked Academia, Inc. not publish this monstrosity."

So what happens next? If you get one of these emails I suggest you open it and check out "your" podcast. When you get to the feedback page note the choices that Academia, Inc. appears to be offering in the form of either/or check boxes:

Either:

Add this AI Podcast to my public Academia profile. This will drive more visibility and downloads to your paper.

Do not display this AI Podcast on my Academia profile. We won't display this podcast publicly or generate any additional AI Podcasts for your papers.

Why do I say "appears to be offering? Because when you submit the form, you get this less than reassuring message: "The AI Podcast feature is not ready yet. Your podcast will [sic] private. Thank you for your feedback. The Academia Team"

All of which raises a LOT of questions. If I can find the time I will work on finding answers, but so far this is just another time-wasting interruption of my work, caused by someone who decided to mess with my work.

#AIEthics anyone?

2024 sets a record for cybercrime losses and at $16.6 billion it's a lot higher than I predicted

noreply@blogger.com (Stephen Cobb) — Wed, 23 Apr 2025 22:14:00 +0000

This chart of losses due to Internet crime per year from 2014 to 2024,
as reported to IC3/FBI, shows they have now reached $16.6 billion

The IC3 Annual Report 2024, an analysis of losses from Internet crimes reported to the FBI's Internet Crime and Complaint Center (IC3) during the past year, has just been published. And it's a shocker as the tabloids like to say.

But seriously, the total loss figure of $16.6 billion is a huge increase over 2023, a troubling jump of 33 percent in one year.

The 2024 total is $2 billion above my prediction last month of $14.5 billion (see Internet crime losses are on the rise). Follow this link to get the 2024 IC3 Annual Report, and all previous editions.

While there are some issues with using the IC3 numbers as crime metrics—they were not originally collected as an exercise in crime metrics—I am satisfied that over the years the IC3 reports have reflected real world trends in cybercrime's impact on victims, as measured by direct monetary loss (for more details, see this article: Advancing Accurate and Objective Cybercrime Metrics in the Journal of National Security Law & Policy).

In a future post, I will have more to say about this report and the other 2024 updates that have issued. In the meantime, if you need a professional, vendor-neutral opinion on what this report means for cybercrime and society in 2025 and beyond, feel free to DM @scobb.net on Bluesky or message me on LinkedIn.

More Internet crime stats from the IC3 Annual Report 2024

If you are looking to get some perspective on who makes Internet crime complaints made to IC3 there are several helpful breakdowns in the IC3 Annual Report 2024. Below you can see the top end of complaints by age group. Both the number of complaints and the amount lost are much higher for the 60+ demographic.

I think this reflects three things: a higher level of vulnerability among older folks; a concentration of wealth among the elderly; and the criminal logic of intentionally targeting of the wealthier and more vulnerable.

Another interesrting breakdown is the type of crime about which people file complaints, broken down by number of complaints and amount lost.

As always, a big shout out to the folks at IC3/FBI who work so diligently to put these reports together each year, not to mention responding to citizen complaints all year long. A fine example of how much valuable information and service the public and companies receive as a result of federal spending.

Internet crime losses are on the rise, but how fast? We could get latest IC3 stats as soon as this week ... or not

noreply@blogger.com (Stephen Cobb) — Sat, 15 Mar 2025 14:51:00 +0000

UPDATE, April 4, 2025 — After writing this article last month (March, 2025), I realized that the focus of the article, the IC3 annual reports, do not always come out in March, as I had stated. In fact, for the past 10 years, the median publication date for these reports has been April 13.

This became clear when I went back through my archives and checked the dates of the reports for years 2014 to 2013. I put these in a spreadsheet — see screenshot on the left — and for 2024 I calculated the median date, which turns out to be April 13.*

In my defense, the last five reports did appear before the median, with three in March, one in early April, and one in February.

So where does that leave us? Waiting for the report on Internet crime losses for 2024 which could arrive any day between now and — checks table — the middle of June!

Original Article: More and more people are losing more and more money to cyber-enabled criminals, or at least that's the way it seems to many of us. Unfortunately, solid metrics on cybercrime are hard to find, a topic that I explored in depth in this article: Advancing Accurate and Objective Cybercrime Metrics, Journal of National Security Law & Policy.

But as serious cybercrime watchers in the US will know, in March* of every year, one set of numbers is released that has stood the test of time: the IC3 Annual Report, an analysis of losses from Internet crimes reported to the FBI's Internet Crime and Complaint Center. While there are some issues with using the IC3 numbers as crime metrics—they were not originally collected as an exercise in crime metrics—I am satisfied that the IC3 reports reflect real world trends in cybercrime's impact on victims, as measured by direct monetary loss (for more details see the previously mentioned article).

The first of these reports was published in 2002 as the Internet Fraud Complaint Center (IFCC) 2001 Internet Fraud Report. I keep a PDF copy of that one on my hard drive, along with all the others since. In recent years the full title has been something like The Federal Bureau of Investigation Internet Crime and Complaint Center (IC3) Internet Crime Report.

As I write this, on March 15, 2025, I am eagerly awaiting the latest IC3 annual report, the one that shows Internet crime losses in 2024. When it comes out, I will update the graph at the top of this article. This charts the dramatic annual increase in losses over the last 10 years.

The full story, which begins at the start of this century, is even more dramatic. In 2001, losses reported to IC3 were less than US$20 million, and it took 14 years for them to reach US$1 billion. However, it took half that time to blow through US$10 billion in 2022—that's 10X in seven years. Clearly, the figure is heading for US$15 billion. Did it get there in 2024? I'm hoping not, and my guess is it will hit US$14.5 billion in the 2024 report.

I encourage you to check back here to see if I was right. Of course, it would be great if the number was substantially less than US$14.5 billion. In the meantime, I am keeping my fingers crossed that the IC3 report has not become a victim of the massive upheaval in federal agencies, ushered in by President Trump and executed by billionaire technocrat Elon Musk.

(Please feel free to DM @zcobb.bsky.social if you know how things are going at IC3.)

Welcome to Online: risks, harms, and duty of care in the virtual high crime neighborhood we all inhabit

noreply@blogger.com (Stephen Cobb) — Thu, 24 Oct 2024 10:50:00 +0000

Welcome to Online (see Alt text for credit)

Is the constant news of fresh cybercrimes getting you down?

Has your personal information been shared with criminals, again?
Are you sick of cybersecurity warnings and
annoying digital security measures?

Welcome to Online, a place that is both risky and unhealthy,
a worldwide high crime neighborhood,
out of which it is very hard to move.

Criminals have made Online a high crime neighborhood

Today, most of us have an online identity. We not only spend time online, our digital selves persist even when we are not actively using digital devices. Part of us now lives, and sometimes works, in a virtual neighborhood, a non-physical space we can we refer to as Online.

Sadly, Online is a place where many crimes are committed. Warnings about crime, evidence of past crimes, and measures to prevent crime: all of these are seen and encountered all over Online. Today, Online can reasonably be described as what social scientists call a "high crime neighborhood."

Unfortunately, Online is not only a high crime neighborhood, but it is a place in which we are increasingly forced to spend time, and out of which it is hard to move. And that is a serious problem because high crime neighborhoods are known to be bad for human health.

That's right, we already know for a fact that living in physical neighborhoods with high crime rates is not healthy. Residents of high crime neighborhoods suffer more health problems and die younger as a result. This has been researched and documented over many years by criminologists, epidemiologists, doctors, population health experts, and environmental health scientists.

I recently described this reality and the science behind it in a talk at Cyberhagen 2024, an annual cybersecurity conference in Copenhagen, Denmark. The title of the talk is: From Frontlines to Lifelines: How reducing cybercrime would make life healthier for us all. You can watch it here or on YouTube. (Feel free to skip to 8 minutes and 39 seconds if you want to dive right in.)

I have also made a handy page with a link to some of the related work I have been doing on this problem: Cybercrime & Health. If you want a short URL to share thex page, you can use tinyurl.com/cyberharm.

Why it's risky to tell people "just go online"

To be clear, if you have a smartphone, email address, or Internet account, then you have an online identity, you have a presence online. This identity persists even when you are not using or connected to the Internet.

That means there is 7x24 risk that digitally savvy criminals will target you, your devices, and your accounts. They may want to steal your money, take over your accounts, ransom your data, enroll your devices in criminal schemes, and so on. The threat of this happening does not go away when you log off and disconnect.

Yet, despite this state of affairs being well documented, many organizations still use the phrase "just go online" as though Online is a place that offers nothing but helpful and enjoyable experiences. Furthermore, some institutions are now requiring people to go online. This is the case in England where it is not uncommon for medical patients to be told they have to go online to book blood tests or "use the app" to order repeat prescription medication.

If you think about it, inviting or requiring people to go online is similar to some activities in the physical world. For example, when a hotel invites people to spend time on its premises it creates a responsibility to those people; this is commonly referred to as "a duty of care."

In many countries, it is established in law that hotels have a duty to take reasonable steps to ensure that their premises are safe, secure, and free from foreseeable risks that could result in injury or harm to guests. Hotels also have a duty to provide reasonable security measures to protect guests from criminal acts. A hotel that fails to meet these duties could be exposed to legal claims for compensation by injured or aggrieved guests.

Similarly, a duty of care is created when an employer sends an employee on a business trip. In fact, a duty of care exists in many areas of modern, and I think it is reasonable to make going online another such area.

In summary, it is my belief that a duty of care already applies to any entity that encourages or requires a person to go online. All that is missing is the right law or lawsuit to make this a concrete reality, one that can then be used to encourage or require serious upgrades in cybersecurity posture across society. In addition, this would create a new regulatory risk that companies would have address.

Global IT Outages and Monoculture: The “potato famine theory” of information system insecurity

noreply@blogger.com (Stephen Cobb) — Sat, 20 Jul 2024 12:52:00 +0000

Painting: An Irish Peasant Family Discovering the Blight of their Store, by Daniel MacDonald

The following article explains the problem of monoculture in IT systems, one of the root causes of the Global IT Outage of July 19, 2024. The article was originally published in August of 2003. Back then, Chey Cobb and I were writing a weekly cybersecurity column for the digital publication Newsscan (now defunct).

In a column titled "Of Potatoes and Worms" we used the classic example of monoculture—the Irish Potato Famine—to explain why relying on one company or one operating system for all your IT needs creates a potentially catastrophic level of vulnerability to software-specific threats, such as as computer worms, viruses, supply chains attacks, and of course, bugs in software updates (c.f. Crowdstrike). We hope you find it helpful.

Of Potatoes and Worms
by Chey Cobb, CISSP
and Stephen Cobb, CISSP
August, 2003

During the last two weeks, the world has witnessed hundreds of thousands of computer systems falling prey to worms. As we write this, the Sobig-F worm is reaching epidemic proportions, threatening to rival the 2000 Love Bug outbreak in terms of disruption wrought. We give you just one example, a good friend of ours who headed to France this week for a vacation: after the flight from LA to Paris he turned on his handheld computer to check email and found 500 infected messages waiting.

A lot has been written on this topic, but we haven’t seen many references lately to the “potato famine theory” of information system insecurity. This theory is a favorite of ours and it holds that a lack of diversity in software can be a dangerous thing, at either the enterprise or the national level. This might ring some bells right now if you are a CIO responsible for tens of thousands of Microsoft Windows or Outlook users.

The theory gets its name from a tragic chain of events that struck the island of Ireland in 1845, killing—by some estimates—more than a million people. At that time, potatoes were the primary source of food for most people living there, due to the fact that potatoes produce more calories per acre than another other crop you can grow in that climate (back then, most people did not have a lot of land to work with because land use was controlled by English landlords, many of whom were, to say the very least, selfish).

In fact, almost all the potatoes grown in Ireland at that time were of one particular strain, a strain that had been found to produce the most calories per acre. So when a potato fungus arrived in Ireland—possibly from somewhere in the Americas—its impact on the crop was exacerbated by the lack of diversity among potato strains. While some potato strains are more resistant to the fungus than others, the dominant strain in Ireland at that time was not one of them. [See: Great Famine: https://en.wikipedia.org/wiki/Great_Famine_(Ireland)]

The information system security analogy is this: reliance by an information system on one application or operating system, to the exclusion of others, [a monoculture] reduces the ability of that system to survive a vulnerability in that operating system or application.

Consider an organization that is using nothing but Microsoft products versus one that uses a mix of applications and operating systems. The Microsoft-only shop is more likely to have experienced widespread negative effects due to last week’s Blaster worm (which exploited a security hole in the Windows operating system) and this week’s Sobig-F worm (which exploits a Microsoft Outlook vulnerability)

We’re not sure how many people today are familiar with the Irish potato famine, so “fossil fuel dependence theory” might be a better term. The implications are the same: dependence on a single source of energy, or software, has inherent risks. What we particularly like about both analogies is that they encompass economics and politics as well as strategy and logistics.

The Irish were not growing that single dominant strain of potato because it tasted better than others—apparently it did not—they were growing it because the politics and economics of the time made maximum yield appear to be the highest good. America’s dependence on fossil fuel and a single source of software also has economic and political elements (prices have been relatively low, producers politically powerful, and so on).

Obviously, the dominance of Microsoft products in operating system and application areas has its own economic and political angles. However, while the reasons for Microsoft’s dominance, and the extent of the negative impact of that dominance on other companies, have been hotly debated, very few people have voiced the following argument: Regardless of how secure or insecure Microsoft software is—or has been, or becomes—we think that using it, or any other single source, to the virtual exclusion of all others, will never be good security.

In other words, even if Microsoft’s Trustworthy Computing initiative succeeds in making the company’s products more secure than they are right now, it would still be foolhardy for any organization to adopt them as a universal standard. Unfortunately, our opinion is not shared by the Department of Homeland Security and other 3LA’s that had best remain nameless.

And just to show how fair and balanced our coverage is, we will say the same of Adobe’s Acrobat format. This grows more powerful with each version. We use it. We love it’s convenience and the fact that most people with whom we communicate can read Acrobat documents. But the extent to which some government agencies are relying on it is now approaching scary.

Notes:

1. Portions of this column first appeared in a lecture we delivered in 2002 as part of the Master of Science program in Information Assurance at Norwich University, Vermont.

2. Crowdstrike has assured customers and the public that their software update, which led to the global IT outage of July 19, 2024, was not malicious. However, it is remains to be seen if this assertion will be confirmed by independent analysis.

3. The attack technique of placing malicious code in a software update has been used for many years, notably in the 2017 Wannacry incident that took down hundreds if thousands of systems and cost companies billions of dollars. Ironically, Wannacry did not impact organizations that were protected by some brands of endpoint protection software, the same category of software as Crowdstrike Falcon. [Disclaimer: In 2017, I was working for ESET, one of those brands that stopped Wannacry.]

Internet crime keeps on growing, as do efforts to understand the harm it causes

noreply@blogger.com (Stephen Cobb) — Mon, 01 Apr 2024 10:54:00 +0000

Internet crime losses 2014-2023, as reported to IC3/FBI,
and compiled by S. Cobb

Losses from Internet crimes reported to the FBI's Internet Crime and Complaint Center in 2023 rose 22% above the record losses in 2022.

This means that 2023 set a new annual record, just north of $12.5 billion, according to the press release announcing the latest IC3 annual report (PDF).

About the only good thing you can say about this news is that the annual Internet crime loss figure rose by only 22% in 2023. That is less than half the 49% increase in in 2022, which was well below the 64% surge in 2021. However, before anyone gets too optimistic, take another look at the chart at the top of the page.

While there have been several years this century in which rate of increase in losses to Internet crime has slowed down, I see the general direction over the last decade as fairly relentlessly upward. And this is despite record levels of spending on cybersecurity and cybercrime deterrence.

This time last year I discussed the implications of these trends in an article over on LinkedIn. That was written in the hope that more people will pay attention to the increasingly dire state of Internet crime prevention and deterrence, and how that impacts ordinary people. At the start of this year, I wrote about the implications of digitally-enabled fraud reaching record levels, framing this as a public health crisis.

During 2023, I delivered and recorded a well-received talk on cybercrime as a public health crisis. Here is the video, hosted on YouTube.

The talk was originally delivered at the Technical Summit and Researchers Sync-Up 2023 in Ireland. The event was organized by the European arm of APWG, the global Anti-Phishing Working Group. (Talks at that event were not recorded, so I made this recording myself; sadly, it lacks the usual gesticulation and audience interaction of my live delivery, but on the plus side you can speed up the playback on YouTube.)

Also sad is the fact that, due to carer/caregiver commitments, I had to cancel delivery of the next stage of my research at APWG's Symposium on Electronic Crime Research 2023 (eCrime 2023).

On the bright side, I did manage to write up my ideas in an article on Medium: Do Online Access Imperatives Violate Duty of Care? There I started building my case that exposure to crime online causes harm even to those who are not directly victimized by it, much in the same way that living in a high crime neighbourhood has been proven—by criminologists and epidemiologists—to be bad for human health. Basically, the article made four assertions:

going online exposes us to a lot of crime,
high crime environments are unhealthy,
governments and companies that make us go online may be breaching their duty of care,
there is an urgent need to reduce cybercrime and increase support for cybercrime victims.

To explain these assertions I introduced my "Five levels of crime impact in meatspace and cyberspace" which are captured in this table:

I also introduced my take on a concept used by environmental exposure scientists and epidemiologists: the exposome. A key role of the exposome is to help us acknowledge and account for everything to which we are exposed in our daily lives that may affect our health.

My article proposed using online exposome as a term for everything that individuals are exposed to when they go online. This builds on thinking by Guillermo Lopez-Campos et al. (2017) that there is a "digital component of the exposome derived from the interactions of individuals with the digital world."

In summary, as we look over the latest tabulation of reported financial losses due to Internet crimes I think we need to bear in mind that these are only a fraction of the total number of such crimes, and monetary loss is only a fraction of the harm these crimes cause. The stress and anxiety of victims has to be taken into account, as does the deleterious effect of having to spend time online where we are constantly exposed to, and reminded of, the many different ways in which digital technologies and their users are being abused.

Postscript: Not all the news about online crime is bad. The last 12 months have seen some very impressive anti-cybercrime law enforcement efforts all around the world, including the recent disruption of "the world’s most harmful cyber crime group." I applaud those efforts and encourage governments to fund more of them. Here's to a drop in Internet crime losses in 2024!

QR code abuse 2012-2023

noreply@blogger.com (Stephen Cobb) — Wed, 29 Nov 2023 09:22:00 +0000

QR code abuse is in the news again—see the list of headlines below—whch reminds me that I first wrote about this in 2012 (eleven years ago). Back then I made a short video to demonstrate one potential type of abuse, tricking people into visiting a malicious website:

As you can see from this video, there is plenty of potential for hijacking and misdirection via both QR and NFC technology, and that potential has existed for over a decade. In fact, this is a great example of how a known technology vulnerability can linger untapped for over a decade, before all the factors leading to active criminal exploitation align.

In other words, just because a vulnerability has not yet been turned into a common crime, does not mean it never will be. For example, the potential for ransomware attacks was there for many years before criminals turned it into a profitable business. Back in 2016, I suggested that combining ransomware with the increasing automation of vehicles would eventually lead to a form of criminal exploitation that I dubbed jackware. As of now, jackware is not a thing, but by 2026 it well might be.

Here are some recent QR code scam headlines:

The QR code scam leaving victims thousands out of pocket
Woman targeted in £13k railway station QR code scam
QR code warning: Cybersecurity experts report alarming rise in 'quishing' scam
QR code scams on the rise during festive celebrations; here’s how to be safe

Artificial Intelligence is really just another vulnerable, hackable, information system

noreply@blogger.com (Stephen Cobb) — Sat, 04 Nov 2023 18:22:00 +0000

Recent hype around Artificial Intelligence (AI) and the amazingly good and bad things that it can and may do has prompted me to remind the world that:

Every AI is an information system and every information system has fundamental vulnerabilities that make it susceptible to attack and abuse.

The fundamental information system vulnerabilities exist regardless of what the system is designed to do, whether that is processing payments, piloting a plane, or generating artificial intelligence.

Fundamental information system vulnerabilities put AI systems at risk of exploitation and abuse for selfish ends when the ‘right’ conditions arise. As a visual aid, I put together a checklist that shows the current status of the five essential ingredients of an AI:

Please let me know if you think I'm wrong about any of those checks and crosses (ticks and Xs if you prefer).

Criminology and Computing and AI

According to routine activity theory in criminology, the right conditions for exploitation of an information system, such as an AI, are as follows:

a motivated offender,
a suitable target, and
the absence of a capable guardian.

A motivated offender can be anyone who wants to enrich themselves at the expense of others. In terms of computer crime this could be a shoplifter who turned to online scamming (an example personally related to me by a senior law enforcement official in Scotland).

In the world of computing, a suitable target can be any exploitable information system, such as the payment processing system at a retail store. (Ironically the Target retail chain was the target of one of the most widely reported computer crimes of the last ten years.)

In the context of information systems, the absence of a capable guardian can be the lack of properly installed and managed anti-malware software, or an organization's failure to grasp the level of risk inherent in the use of digital technologies.

When it comes to information systems that perform artificial intelligence work, both the good and bad uses of AI will motivate targeting by offenders. The information systems at Target One were hit because they contained credit card details that could be sold to people who specialize in fraudulent card transactions. An AI trained on corporate financial data could be targeted to steal or exploit that data. An AI that enables unmanned vehicles could be targeted for extortion, just as hospital and local government IT systems are targeted.

Do AI fans even know this?

One has to wonder how many of the CEOs who are currently pushing their organizations to adopt AI understand all of this. Do they understand that all five ingredients of AI are vulnerable?

Perhaps companies and governments should initiate executive level AI vulnerability awareness programs. If you need to talk to your execs, it will help if you can give them vulnerability examples. Here's a starter list:

Chips – Meltdown, Spectre, Rowhammer, Downfall
Code – Firmware, OS, apps, viruses, worms, Trojans, logic bombs
Data – Poisoning, micro and macro (e.g. LLMs and SEO poisoning)
Connections – Remote access compromise, AITM attacks
Electricity – Backhoe attack, malware e.g. BlackEnergy, Industroyer

Whether or not vulnerabilities in one or more of these five ingredients are maliciously exploited depends on complex risk/reward calculations. However, execs need to know that many motivated offenders are adept at such calculations.

Execs also need to understand that there is an entire infrastructure already in place to monetize vulnerability exploitation. They are sophisticated markets in which to: sell stolen data, stolen access, stolen credentials; and buy or rent the tools to do the stealing, ransoming, etc. (see darkweb, malware as a service, botnets, ransomware, cryptocurrency, etc.).

As I see it, unless there is a sudden, global outbreak of moral rectitude, vulnerabilities in AI systems will—if they are not capably guarded—be exploited by motivated offenders.

Internet crime losses reported to IC3/FBI

For a sense of how capable guardianship in the digital realm is going, take a look at the rate at which losses due to Internet crime have risen in the last 10 years despite of record levels of spending on cybersecurity.

Attacks will target AI systems used for both "good" and "bad" purposes. Some offenders will try to make money attacking AI systems relied upon by hospitals, schools, companies, governments, military, etc. Other offenders will try to stop AI systems that are doing things of which they don’t approve: driving cars, taking jobs, firing weapons, educating children, making movies, exterminating humans.

Therein lies one piece of good news: we can take some comfort in the likelihood that, based on what has happened to every new digital technology in the last 40 years, AI systems will prove vulnerable to exploitation and abuse, thus reducing the chances that AI will be able to wipe us all out. Of course, it also means AI is not likely to make human life dramatically better.

Note: This is a revised version of an article that first appeared in November of 2023.

What is ChatGPT and how can AI get things wrong: an annotated example using jackware

noreply@blogger.com (Stephen Cobb) — Wed, 12 Apr 2023 20:07:00 +0000

You can't trust what ChatGPT says

ChatGPT is, as you probably know, a computer system that uses artificial intelligence (AI) to answer questions. Sometimes the answers it gives are wrong, and that's the short version of this article. The long version explains more about what ChatGPT is, with a detailed look at an example of how wrong it can be.

Here's how Mashable describes ChatGPT in Everything you need to know about ChatGPT: "in essence, a simple online artificial intelligence chatbot created by OpenAI in December 2022." Technically speaking, ChatGPT describes itself as "a language model developed by OpenAI, based on the GPT (Generative Pre-trained Transformer) architecture...designed to understand and respond to natural language queries and generate human-like text in response."

If you check out ChatGPT online it can come across as a chatty version of a search engine, but it can do things that search engines don't, such as put together plausible explanations of phenomena, as opposed to simply listing search results relating to them. For example, suppose you encounter the word jackware and wonder what it means. You could put the word into a search box and get a bunch of responses, like this:

If you are lucky, one or more of the search results will give you an idea of what the search term means. In this case we can see that "The goal of a jackware attack is to lock up the hijacked device until you pay" (which happens to be correct).

But what if you're writing an article or essay about jackware and want to know who came up with the term and when it was coined? I couldn't find that information in the search results for jackware, and looking for it took time. In my experience, search engines often fail to answer questions like this, as you can see from the following example. When asked who coined the term jackware, Google provides one link to a story about jackware, but all the rest of the results—many thousands of them—assume that jackware is just a typo for Jaguar, as in the car, not the animal:

Personally, I find the jackware/jaguar assumption very amusing—for reasons I will explain later—but first, let's see how ChatGPT gets on when asked the same question: Who coined the term jackware? Here's the answer ChatGPT provides:

The term "jackware" was coined by two researchers, Stefan Savage and Tadayoshi Kohno, in a 2016 paper titled "Experimental Security Analysis of a Modern Automobile". In the paper, Savage and Kohno described a proof-of-concept attack in which they were able to take control of a car's electronic systems using a laptop computer. They used the term "jackware" to describe a new class of malware that could be used to take control of vehicles in a similar way to how ransomware is used to take control of computer systems.

Frankly, at first glance this looks like is a very impressive answer: it names names and cites an academic source, while providing a helpful description of jackware, all articulated in grammatically correct English. It's way more helpful than the output of a plain old search. You can see why so many people get so excited about artificial intelligence.

But sadly, several key facts in ChatGPT's answer are just plain wrong, so wrong that you could be in serious trouble with your teacher-editor-readers if you pasted that paragraph of ChatGPT output into a piece of work. For a start, anyone familiar with the subject matter would know that you hadn't read that paper.

The academic paper to which ChaGPT refers was published in 2010, not 2016. You can see that from this listing of the paper. This is not just a pedantic quibble; the named paper is legendary in the world of automotive cybersecurity, partly because it was published way back in 2010. It documents groundbreaking work done by Savage et al. in the 2000s, way before the flashy Jeep hack of 2015 by Miller and Valasek.

More blatantly erroneous is the identification of this 2010 paper and its authors as the source of the term jackware. Simply put, the paper does not contain the word jackware. In fact, the person who coined the term jackware to describe malicious code used to take over vehicles, was me, Stephen Cobb, and I did that in May of 2016, on this blog, in a post titled: Jackware: coming soon to a car or truck near you?

In July of 2016, I penned Jackware: When connected cars meet ransomware for We Live Security, the award-winning global cybersecurity blog. As further evidence, I present exhibit A, which shows how you use can iterative time-constrained searches to help identify when something first appears. Constraining the search to the years 1998 to 2015, we see that no relevant mention of jackware was found prior to 2016:Apparently, jackware had been used as a collective noun for leather mugs, but there are no software-related search results before 2016. Next you can see that, when the search is expanded to include 2016, the We Live Security article tops the results:

So how did ChatGPT get things so wrong? The simple answer is that ChatGPT doesn't know what it's talking about. What it does know is how to string relevant words and numbers together in a plausible way. Stefan Savage is definitely relevant to car hacking. The year 2016 is relevant because that's when jackware was coined. And the research paper that ChatGPT referenced does contain numerous instances of the word jack. Why? Because the researchers wisely tested their automotive computer hacks on cars that were on jack stands.

To be clear, ChatGPT is not programmed to use a range of tools to make sure it is giving you the right answer. For example, it didn't perform an iterative time-constrained online search like the one I did in order to find the first use of a new term.

Hopefully, this example will help people see what I think is a massive gap between the bold claims made for artificial intelligence and the plain fact that AI is not yet intelligent in a way that equates to human intelligence. That means you cannot rely on ChatGPT to give you the right answer to your questions.

So what happens if we do get to a point where people rely—wisely or not—on AI? That's when AI will be maliciously targeted and abused by criminals, just like every other computer system, something I have written about here.

Ironically, the vulnerability of AI to abuse can be both a comfort to those who fear AI will exterminate humans, and a nightmare for those who dream of a blissful future powered by AI. In my opinion, the outlook for AI, at least for the next few decades, is likely to be a continuation of the enthusiasm-disillusionment cycle, with more AI winters to come.

--------------^-------------

Note 1: For more on those AI dreams and fears, I should first point out that they are based on expectations that the capabilities of AI will evolve from their current level to a far more powerful technology referred to as Artificial General Intelligence or AGI. For perspective on this, I recommend listening to "Eugenics and the Promise of Utopia through Artificial General Intelligence" by two of my Twitter friends, @timnitGebru and @xriskology. This is a good introduction the relationship between AI development and a bundle of beliefs/ideals/ideas known as TESCREAL: Transhumanism, Extropianism, Singularitarianism, Cosmism, Rationalism, Effective Altruism, Longtermism.

Note 2: When I first saw Google take jackware to be a typo for Jaguar I laughed out loud because I was born and raised in Coventry, England, the birthplace of Jaguar cars. In 2019, when my mum, who lives in Coventry, turned 90, Chey and I moved back to Coventry, and that is where I am writing this. Two of my neighbours drive Jaguars and they are a common sight in this neighbourhood, not because it's a posh part of the city, but because a lot of folks around here work at Jaguar Land Rover and have company vehicles.

Internet crime surged in 2022: possibly causing as much as $160 billion in non-financial losses

noreply@blogger.com (Stephen Cobb) — Tue, 14 Mar 2023 13:53:00 +0000

Financial losses reported to the FBI's Internet Crime Complaint Center in 2022 rose almost 50% over the prior year, reaching $10.3 billion according to the recently released annual report (available here).

This increase, which comes on top of a 64% surge from 2020 to 2021, has serious implications for companies and consumers who use the Internet, as well as for law enforcement and government.

Those implications are discussed in an article that I wrote over on LinkedIn in the hope that more people will pay attention to the increasingly dire state of Internet crime prevention and deterrence, and how that impacts people. In that article I also discuss the growing awareness that Internet crime creates even more harm than is reflected in the financial losses suffered by victims. There is mounting evidence—some of which I cite in the article—that the health and wellbeing of individuals hit by online fraud suffers considerably, even in cases of attempted fraud where no financial loss occurs.

One UK study estimated the value of this damage at the equivalent of more than $4,000 per victim. Consider what happens if we round down the number of cases reported in the IC3/FBI annual summary for 2020 to 800,000, then assume that number reflects a fifth of the actual number of cases in which financial loss occurred. That's 4 million cases. Now assume those cases were one tenth of the attempted online crimes and multiply that 40 million by the $4,000 average hit to health and wellbeing estimated by researchers. The result is $160 billion, and that's just for one year; a huge amount of harm to individuals and society.

Digital Baitballs and Shrinkage: a cybersecurity lesson from 2022

noreply@blogger.com (Stephen Cobb) — Sat, 17 Dec 2022 13:04:00 +0000

A school of baitfish forming a ball to reduce predation (Shutterstock)

If 2022 has taught us anything about cybersecurity, it is this: our combined efforts to protect the world's digital systems and the vital data that they process are capable of thwarting very high levels of sustained criminal activity, where "thwart" means preventing the complete collapse of trust in digital technology and limiting casualties to levels that appear to be survivable, if not acceptable.

In other words, despite all the efforts of bad actors, from local scammers to nation states, abusing all manner of digital technologies, to commit everything from petty crimes to war crimes, humans are surviving, and we are continuing to expand our reliance on said technologies.

Of course, this lesson would appear to offer little comfort to the victims of digital crime in 2022, the countless companies, consumers, non-profit organizations, and government entities that lost money and peace of mind to the hordes of ethically challenged and maliciously motivated perpetrators of cyber-badness.*

Is survival enough?

Baitball and a swordfish (Shutterstock)

You could argue that humans are in deep trouble if the best we can say about the struggle between cybersecurity and cybercrime at the end of 2022 is: "most of us survived." However, other species on our planet have endured for millions of years by embracing "most of us survive" as the goal of their defensive strategy.

For example, small fish that spend most of their lives in the open ocean form a tight group when predators approach; then they swirl around in a ball to make it harder for predators to select targets. I wrote about this phenomenon—the baitball—in a recent article on LinkedIn.

So, the good news for 2022 is that we can head into 2023 knowing that the world can survive a large amount of ongoing cyberbadness. We have seen that levels of criminal abuse of digital technology can rise quite high without resulting in the breakdown of society.

(You could even argue that cybercrime is falling in relation to the growing number of criminal opportunities created by the ongoing deployment of new digital technologies and devices, but that's for a different article.)

The bad news is that surviving is not as enjoyable and fulfilling as thriving. Living just this side of the breakdown of society means the other side is a looming presence, a constant stress factor, as is the knowledge that any one of us could be the next cybercrime victim.

Shrinkage

So what will it take to get from surviving to thriving, to a state in which cybercrime is either eliminated or reduced to a manageable level? Unfortunately, the short answer is: it will take a lot. The countries of the world need to agree to, and enforce, norms of ethical behaviour in the digital realm. If that sounds almost impossible given the current state of the world, then you have a measure of how much effort it is going to take to eliminate cybercrime or reduce it to a manageable level. However, it should be noted that the idea of reducing crime to a manageable level is not unprecedented.

Shopkeepers learned long ago that it is almost impossible to stop their stock from shrinking. Some employees will swipe stock from the stockroom. Some customers will shoplift. Furthermore, some vendors will over-charge and under-deliver. Taken together, these money-losing phenomena are known as shrinkage.

Despite efforts to reduce shrinkage, including the use of technology, it still cuts into retail revenue in America to the tune of 1.5% per year on average, equating to losses in the order of $100 billion in 2021. Nevertheless, despite shrinkage, the retail sector keeps going. Retailers don't expect to eliminate shrinkage, but they will spend time and money on measures to keep it to a relatively low percentage.

So what are the prospects for reducing the impact of cybercrime to a very low level, perhaps a very small percentage of GDP? I honestly don't know. We are still a long way from getting a full picture of cybercrime's impact; this is particularly true of the psychological and health impacts. There are hidden social and economic costs as well, given the not insignificant percentage of people who don't go online due to fear of cybercrime.

Some would argue that the term cybercrime is becoming problematic in discussions like this, given that most predatory crime today has "cyber" aspects. Fortunately, there is plenty of evidence that people who commit predatory crime can stop, and many do so as they get older, start families, get a "proper" job. In criminology this is known as desistance and may actually be easier for people with digital skills to desist.

In the broad scheme of things, the most intractable obstacle to reducing cyberbadness may not be predatory criminals clinging to a crooked lifestyle; it could well be humans who are prepared to use digital technologies like social media to spread disinformation, undermine truth, and foster hatred in furtherance of selfish agendas.

Note: To the best of my knowledge, the term cyber-badness was first coined by Cameron Camp, my friend and colleague at ESET.

Cobb's Guide to PC and LAN Security: the 30th anniversary of the first version

noreply@blogger.com (Stephen Cobb) — Fri, 22 Jul 2022 10:31:00 +0000

The Stephen Cobb Complete Book of PC and LAN Security first appeared in print in 1992, an amazing 30 years ago. In celebration of this anniversary, I'm reminding people that a PDF copy of the last version of the book is freely downloadable under a Creative Commons license.

While a lot of the book's technical content is now dated—a polite way of saying it is stuck in the late 1990s and thus mainly of historical interest—much of the theory and strategy still rings true

The large file size of this 700 page tome led me to publish it in three easily digestible parts: Part One; Part Two; and Part Three. (You can also scroll down the column on the right of this page for download inks.)

Despite the original title, which was imposed by the publisher, the volume that appeared 30 years ago was by no means a "complete book" on the subject; nor is it now a contemporary guide. However, you can still find it on Amazon, even though Amazon.com did not exist when the first version was published. The images on the left of this article are the current Amazon listings of the three versions (which I will explain shortly).

If you are inclined to take this particular trip down computer security's memory lane, I suggest you download the free electronic version rather than purchase on Amazon. On that trip you will find a few items of note, such as this observation:

"The goal of personal computer security is to protect and foster the increased creativity and productivity made possible by a technology that has so far flourished with a minimum of controls, but which finds itself increasingly threatened by the very openness that led to its early success. To achieve this goal, you must step from an age of trusting innocence into a new era of realism and responsibility, without lurching into paranoia and repression."

I'd say that's a decent piece of prognostication for 1992. It's one of the reasons I have kept the book available all these years, a mix of nostalgia, history, and first principles. Along with a number of friends and fellow security professionals—like Winn Schwartau, Bruce Schneier, and Jeff Moss—I am inclined to think that the parlous state of cybersecurity in 2022, relative to the level of cybercriminal activity, could have been avoided is only more people had taken our advice more seriiously in the 1990s.

Three Versions and a Free Version

I made a lot of changes when I turned that 1992 volume into The NCSA Guide to PC and LAN Security—a 700 page paperback that was published in 1995—but that edition is also very outdated these days. Around 12 years ago I obtained the copyright to these works and, through an arrangement with the Authors Guild, got it reprinted as Cobb's Guide to PC and LAN Security. This was done largely for sentimental reasons and the copies are only printed on demand.

However, in that process I obtained a high resolution scan of the entire book. I then converted this to text using Adobe OCR software. The result is what I have put online. (Warning: you may encounter OCR errors and artifacts; no claims are made as to accuracy of the information in this document; use at your own risk and discretion, etc.).

LEGAL STUFF: THIS FREE ELECTRONIC EDITION IS LICENSED BY THE AUTHOR FOR USE UNDER CREATIVE COMMONS, ATTRIBUTION, NONCOMMERCIAL, NO DERIVATES.

Computer Security Prognosis and Predictions

I plan to post more thoughts on computer security "then and now" but for now I leave you with another quote from the 1992 Stephen Cobb Complete Book of PC and LAN Security:

"The most cost-effective long-term approach to personal computer security is the promotion of mature and responsible attitudes among users. Lasting security will not be achieved by technology, nor by constraints on those who use it. True security can only be achieved through the willing compliance of users with universally accepted principles of behavior. Such compliance will increase as society as a whole becomes increasingly computer literate, and users understand the personal value of the technology they use."

Big jump in losses due to Internet crimes in 2021, up 64% according to latest IC3/FBI report

noreply@blogger.com (Stephen Cobb) — Mon, 28 Mar 2022 19:09:00 +0000

IC3/FBI internet crime data graphed by S. Cobb

In 2021, the world came to rely on digital technologies even more than it had in 2020. Sadly, but quite predictably, at least from my perspective, 2021 also saw a lot more sleazy digital scams and dastardly data breaches than 2020.

How much more were the estimated losses suffered by individuals and businesses who reported internet crimes to IC3 in 2021? They were up 64% over 2020 according to the recently published 2021 Internet Crimes Report from the FBI and IC3, the Internet Crime Complaint Center.

The annual figure for this Internet crime metric rose from US$4.2 billion in 2020 to US$6.9 billion in 2021. That's almost a doubling in two years, from the 2019 figure of US$3.5 billion. The rise in losses from 2020 to 2021 was the second steepest annual increase in the last decade (2017-2018 saw a 91% jump).

While there are some issues with using the IC3 numbers as crime metrics—they were not originally collected as an exercise in crime metrics, but rather as an avenue of attack against the crimes they represent—I have studied each IC3 annual report and am satisfied that they reflect real world trends in cybercrime's impact on victims, as measured by direct monetary loss. (You can find out more about this in my article, Advancing Accurate and Objective Cybercrime Metrics in the Journal of National Security Law & Policy.)

When you put a 64% rise in annual internet crime losses in the context of record levels of spending on cybersecurity in recent years, it says to me that current strategies for securing our digital world against criminal activity are not working as well as they should. For more on cybercrime metrics relative to cybersecurity efforts, see this blog post from last year.

For more on the work that IC3 and the FBI do, please download the 2021 report, and any of the previous reports. If you're a criminology or risk and security geek like me, they make for interesting reading. The report lets you see which types of crime were on the increase in 2021—e.g. there is a growing overlap between romance scams and cryptocurrency fraud—and what steps IC3 has been taking to mitigate scams. The report's chart of losses by age group in 2021 was frankly depressing: older members of society are being hit hard by digital scammers.

What's next for cybercrime and its victims?

Firstly, I think we have to be honest with ourselves and acknowledge that, as human activities go, the abuse of digital systems for selfish ends has been a runaway success. Second, we need to realize that we are all victims of this success, regardless of whether or not we have lost any money as a direct result on such abuse.

As I have said elsewhere, the psychological impact of internet crime creates significant costs, to victims and to society. People lose self-esteem, confidence, and trust. They may need counselling. Their productivity may suffer. Unfortunately, we have not done a good job of measuring harms from criminal abuse of digital systems that are not easily summed up as "how much did you lose?"

One recent step in the right direction was research in the UK prompted by the consumer group Which? and reported here by the BBC. As the article states, the annual cost of the impact of scams on wellbeing was calculated to be £9.3 billion (roughly US$13 billion). The research suggested that "scam victims faced a drop in life satisfaction, significantly higher levels of anxiety, and lower levels of happiness." In addition, some victims reported "worse general health." Those findings echo this one in 2014 from the non-profit senior support organization Age UK: "older [scam] victims are 2.4 times more likely to die or go into a care home than those who are not scammed."

When you translate these non-financial harms into the costs they produce: "The average drop in wellbeing for victims of fraud has been valued at £2,509 per year. For online fraud, this estimate is even higher at £3,684" (Which?).

Now, if assume that this UK estimate holds true in the US and turn £3,684 into US dollars we get roughly $5,000 per victim. I know this is guesswork, but I'd really love to see some entity replicate the Which? research in the US. Because, if that $5,000 proves to be a valid assumption, and we multiply it by the number of people reporting crimes to IC3 (847,376 in 2021) we get a figure that represents: "the personal and social cost of Internet crimes reported to IC3 in 2021 in addition to the reported financial losses."

And that number is a whopping US$4.2 billion (which is a bit uncanny because that same figure was the IC3 financial loss total for 2020). Then, if you put that US$4.2 billion together with the IC3 loss number for 2021 (US$6.9 billion) you're looking at an attention-grabbing annual impact for reported Internet crime of more than US$11 billion; hopefully, enough attention to get more public resources channeled into Internet crime prevention and victim support.

Notes:

A detailed look at the impact of fraud in general, 24-page PDF of a chapter from the book Cyber Frauds, Scams and Their Victims by Cassandra Cross and Mark Button, 2017.
The Fight Cybercrime website which has a lot of helpful info for victims of online fraud, in 12 languages!
The source for the statistic that "older [scam] victims are 2.4 times more likely to die or go into a care home than those who are not scammed" — PDF of Age UK report, 2016.

From cyber-crime metrics to cyber-harm stories: shifting cybersecurity perspectives and cybercrime strategies

noreply@blogger.com (Stephen Cobb) — Thu, 29 Apr 2021 11:18:00 +0000

Is measuring the amount of cybercrime important? I have argued that it is, and for several different reasons which I have presented in many places; for example, in this article: Advancing Accurate and Objective Cybercrime Metrics in the Journal of National Security Law & Policy.

For me, the most pressing reason to pursue accurate and objective cybercrime metrics is the potential of those numbers to persuade governments and world leaders to do more to counter cybercrime (as in: detect, deter, disrupt, prosecute and sanction perpetrators). The persuasion goes like this:

Here's how big the cybercrime problem is.
Here's how fast it is growing despite current efforts to solve/reduce it.
Can you see how bad things will get if you don't do more to solve/reduce it?

A similar persuasion strategy has long existed in the cybersecurity industry as part of its efforts to make technology safer (while selling more security products and services—a reality that has undermined the value of industry metrics in policy debates).

The efficacy of this strategy—"look at these numbers, that's how bad the cyberbadness is, it's time you did more to protect us/you"—has been been disappointing to say the least, given the rate at which the cybercrime problem keeps growing.

Back in 2014, I decided to research this lack of efficacy, exploring risk perception as it relates to crime and technology. I delved into cultural theory of risk, cultural cognition, white male effect, identity protective cognition, and the science of science communication. One thing I learned was that some people are unmoved by statistics and data.

Relying on stats+facts to convince everyone that there is an urgent problem, one which merits attention and action, is a mistake. For whatever reason, some folk are relatively immune to stats+facts; however, they may be moved by stories.

Ironically, this was a phenomenon that I had already experienced in my early days of promoting security solutions. For some audiences there was nothing more effective than a case study, a story of how some person or organization had become a victim, or how someone had avoided becoming a victim. Even before then, when I was writing my first computer security book, I had made sure that I included stories from which people could learn the value of security policies and practices (The Stephen Cobb Handbook of PC and LAN Security, 1991).

The problem you run into when you try to use victim stories to pitch security is that, historically, very few people have been willing to share their stories. This may be due to embarrassment or, ironically, for operational reasons. (As a CISSP, I would advise organizations not to share the helpful story of "how Acme firewall is keeping us safe," or the helpful tale of "how our network was penetrated despite Acme firewall.")

All of which leads to some helpful coincidences. If you investigate the amount of harm caused by cybercrime, rather than just count the number of cybercrimes committed, you get more than just persuasive data, you get moving stories.

Furthermore, you get a fresh perspective on the problem of cybercrime and the challenge of getting more people to take it more seriously, at four different levels:

Personal: understand how I, or my organization, could be victimized and steps I can take to minimize the risk of that happening.
Political: grasp the level of pain and suffering caused by digitally enabled or enhanced crimes, and calculate their impact on society, down to the medical and social care burdens that victimization generated.
Strategic: use this perspective to argue that funding for medical and social care should include cyber-harm reduction initiatives because fewer people scammed = smaller care burden.
Professional: pursue both qualitative and quantitative research into the harms caused by rampant cyberbadness, from criminal successes to cybersecurity fails.

Moving forward, I want to explore all four levels and share what I find. The process took a step forward this week when I talked myself into delivering a training session about scam avoidance to a community support group. I've done this in the past, but in America. This session will be delivered to a UK audience, specifically people who support carers.

The Carer Factor

Since we moved back to the UK in 2019, we have found that the importance of social care and the work of unpaid carers is widely-recognized. These carers—who tend to be known as caregivers in America—are people who have become part-time or full-time unpaid carers for relatives and friends. (As you can imagine, part of that care work may include technical support, and that may include several aspects of cybersecurity.)

Local governments and charities in the UK make a concerted effort to support unpaid carers, both practically and emotionally. Let me give you an example: thanks to a charity called Carers Trust, I am formally registered as the designated carer for my partner Chey, and for my mother. That means, among other things, that if I get hit by a bus and first responders check my wallet, they will find a card that says I care for these two people plus a number to call if I am incapacitated.

That call triggers several services. Carers Trust will step in to provide care to my carees if I cannot be there for them. The organization already has a comprehensive file on the needs of my carees, their circumstances, and so on. Furthermore if the bus misses me, but I feel like I could really use a break from caring, the carers' support group can cover for me.

I'm sure you can imagine what a huge weight this care group has lifted from my shoulders, and how much peace of mind it has provided to my carees, now they know that there is backup help available. On a less dramatic, but still very important level, the care group provides me a place to meet with other carers and I find this helpful, both psychologically and practically.

My involvement with the care community has led me to consider fresh lines of inquiry into the reduction of cybercrime and technology abuse. Indeed, I can see this care group, and the many others like it around the country, becoming a valuable resource in the quest to reduce the harms caused by scammers and fraudsters.

If you check back here in the latter part of May there should have a link to the training session content. (Like all of my content these days, it is free and suitable for sharing.) In the meantime, here are some links that might be of interest:

A detailed look at the impact of fraud in general, 24-page PDF of a chapter from the book Cyber Frauds, Scams and Their Victims by Cassandra Cross and Mark Button, 2017.
The Fight Cybercrime website which has a lot of helpful info for victims of online fraud, in 12 languages!
The source for the statistic that "older [scam] victims are 2.4 times more likely to die or go into a care home than those who are not scammed" — PDF of Age UK report, 2016.
The website of Carers Trust in the UK: "a major charity for, with and about carers".

Note: If you found this page interesting or helpful or both, please consider clicking the button below to buy me a coffee and support a good cause while fueling more independent research and ad-free content like this. Thanks!

As predicted, Internet crime surged in 2020, losses up 20% based on FBI and IC3 reports: analysis and opinion

noreply@blogger.com (Stephen Cobb) — Thu, 18 Mar 2021 12:24:00 +0000

Losses to individual and business victims of internet crime in 2020 exceeded $4 billion according to the recently published 2020 Internet Crimes Report from the FBI and IC3; this represents a 20% increase over losses reported in 2019. The number of complaints also rose dramatically, up nearly 70%.

IC3/FBI internet crime data graphed by S. Cobb

Throughout 2020, criminologists and cybersecurity experts had expressed growing fears that 2020 would be a big year for internet crime, particularly as it became clear that many criminals were prepared to ruthlessly exploit the COVID-19 pandemic for their own selfish ends.

When the 2019 Internet Crimes Report was published in February of 2020 it documented "$3.5 billion in losses to individual and business victims."

What I said back then, about the loss number that I expected to see in the 2020 report, was this: "I certainly wouldn't bet against it blowing through $4 billion"

(Here's a link to the article where I said that).

Quite frankly, I'm not the least bit happy that I was right. Just as I take no pleasure in having been right for each of the last 20 years, when my annual response to "what does the year ahead look like for cybersecurity?" has been to say, with depressingly consistent accuracy: it's going to get worse before it gets better. As I see it, a 20% annual increase in losses to internet crime, despite record levels of spending on cybersecurity, is a clear indicator that current strategies for securing our digital world against criminal activity are not working.

A shred of hope?

However, like many cybersecurity professionals, I have always had an optimistic streak, a vein of hope compressed deep beneath the bedrock of my experience. (Periodically, we have to mine this hope to counter the urge to throw up our hands and declare: "We're screwed! Let's just go make music.")

So let me offer a small shred of hope.

I am honor bound to point out that cybercrime's impact last year may not have been as bad I had come to expect. Yes, at the start of 2020 I predicted that cybercrime would maintain its steep upward trajectory. I said the IC3/FBI loss number for 2020 would pass $4 billion and it did. But then "the Covid effect" kicked in, generating scores of headlines about criminal exploitation of the pandemic in both cyberspace and meatspace. And behind each of those headlines were thousands of victims experiencing a range of distressing psychological impacts and economic loss.

By the end of 2020 I was predicting that the IC3/FBI number could be as high as $4.7 billion (see my December, 2020, article: Cybersecurity had a rough 2020). In that context, the reported 2020 number of $4.2 billion was "better than expected." Indeed, the year-on-year increase from 2019 to 2020 of 20% was not as bad as the 2018-2019 increase of 29%.

However, when I look at the graph at the top of this article I'm not yet ready to say things are improving. And I'm very aware that every one of the 791,790 complaints of suspected internet crime that the IC3 catalogued in 2020—an increase of more than 300,000 from 2019—signifies a distressing incident that negatively impacted the victim, and often their family and friends as well.

In 2020, the pandemic proved to be a very criminogenic phenomenon. I'm pretty sure it also generated greater public awareness of statistical terms like growth curves, rolling averages, trend lines, dips, and plateaus. Right now I see no reason to think cybercrime will dip or even plateau in 2021. But let's hope I'm wrong and in the months and years to come there is a turnaround in the struggle to reduce to the abuse of digital technologies, hopefully before my vein of optimism is all mined out.

Disclaimer: I acknowledge that there are issues with using the IC3 numbers as crime metrics. For a start, they are not collected as an exercise in crime metrics, but rather as part of one avenue of attack against the crimes they represent, an issue I addressed in this law journal article. However, I have studied each IC3 annual report and am satisfied that collectively they reflect real world trends in cybercrime's impact on victims, as measured by direct monetary lost (the psychological impact of internet crime creates other costs, to victims and society, but so far we have done a woefully poor job of measuring those).

As soon as I get a chance I will dig deeper into the 2020 IC3/FBI report and report back; I'm particularly interested in trends impacting the "60 and over" demographic which @Chey_Cobb and I highlighted in the IEEE piece we wrote about age tech after last year's report.

Note:

If you found this page interesting or helpful or both, please consider clicking the button below to buy me a coffee and support a good cause, while fueling more independent research and ad-free content like this. Thanks!

Secu-ring video doorbells and other 'smart' security cameras: some helpful links

noreply@blogger.com (Stephen Cobb) — Fri, 05 Mar 2021 17:16:00 +0000

Are you thinking of installing a video doorbell or smart security camera? Are you concerned about the security of the one you have already installed? These links should help:

How to secure your Ring camera and account
https://www.theverge.com/2019/12/19/21030147/how-to-secure-ring-camera-account-amazon-set-up-2fa-password-strength-hack

Ring security camera settings
https://www.wired.co.uk/article/ring-security-camera-settings

Video doorbell security: How to stop your smart doorbell from being hacked
https://www.which.co.uk/reviews/smart-video-doorbells/article/video-doorbell-security-how-to-stop-your-smart-doorbell-from-being-hacked-aCklb4Y4rZnw

How the WYZE camera can be hacked
https://learncctv.com/can-the-wyze-camera-be-hacked/

How to secure your WYZE security camera account
https://www.cnet.com/how-to/wyze-camera-data-leak-how-to-secure-your-account-right-now/

How to protect 'smart' security cameras and baby monitors from cyber attack
https://www.ncsc.gov.uk/guidance/smart-security-cameras-using-them-safely-in-your-home

Yes, your security camera could be hacked: Here's how to stop spying eyes
https://www.cnet.com/how-to/yes-your-security-camera-could-be-hacked-heres-how-to-stop-spying-eyes/

On a related topic, and as a way to understand how hackers look for vulnerabilities in digital devices, check out this article at Hackaday: https://hackaday.com/2019/03/28/reverse-engineering-a-modern-ip-camera/. It links to a cool, four-part reverse engineering exercise by Alex Oporto: https://dalpix.com/reverse-engineering-ip-camera-part-1

Note:

Data Privacy Day 2021: Selected data privacy reading and viewing, past and present

noreply@blogger.com (Stephen Cobb) — Thu, 28 Jan 2021 14:11:00 +0000

For this Day Privacy Day—January 28, 2021—I have put together an assortment of items, suggested resources and observations that might prove helpful.

In years past I have both live and virtual Privacy Day event, often organized by the National CyberSecurity Alliance, on whose board I had the honour of serving for several years. For example, the 2014 event included me on a panel at Pew Research in D.C., along with Omer Tene of the International Association of Privacy Professionals (IAPP), plus John Gevertz, Global Chief Privacy Officer of ADP, and Erin Egan, CPO of Facebook (which arranged the live streaming).

In 2015, I was on another Data Privacy Day panel, this one focused on medical data and health privacy. It featured Peter Swire who was heavily involved in the creation of the HIPAA. By request, I told the story of Frankie and Jamie, "A Tale of Medical Fraud" that involved identity theft with serious data privacy implications.

Also on the panel were: Anne Adams, Chief Compliance & Privacy Officer for Emory Healthcare; Pam Dixon Executive Director of the World Privacy Forum, and Hilary M. Wandall, CPO of Merck—the person to whom I was listening very carefully in this still from the recorded video on Vimeo:

A useful resource for anyone looking to raise awareness of data privacy issues is The Circle, both the 2013 novel by Dave Eggers—my fairly lengthy review of which appears here—and the 2017 movie starring Emily Watson and Tom Hanks, the trailer for which should be playable below.

While many critics didn't like the film (Metascore is only 43), the content was close enough to the book for me to enjoy it (bearing in mind that I'm someone who's "into" data privacy). Also, the film managed to convey some of the data privacy nuances central to Eggers' prescient novel.

Consider the affirmation often used by the social media company at the heart of the story: "Sharing is caring." This is used to guilt trip users into sharing more and more of their lives with more and more people, because some of those people derive emotional and psychological support from that sharing.

Depending on where in the world you live, you may be able to catch The Circle on either Amazon Prime or Netflix (although the latter has—ironically, and possibly intentionally so—a reality TV series of the same name, the premise of which is about as depressing as it gets: ""Big Brother" meets "Catfish" in a reality series on which not everything is as it seems").

Note, if you are working in any sort of "need to raise awareness and/or spark discussions of data privacy issues" role then films can be very helpful. Back around 2005 or so, Chey organized a week-long "Privacy Film Festival" at Microsoft's headquarters. Four movies were screened at lunchtime on consecutive weekdays and then a Friday panel session brought in some privacy and security heavyweights (including both Don Parker and Ari Schwartz as I recall—movies included Enemy of the State and Minority Report). The overall feedback on the whole endeavor was very positive.

Check out the Privacy Meter: this is another a useful tool to raise awareness and/or spark discussions of data privacy issues. I started using it in 2002 when talking to companies about what at that time was, for many of them, an emerging issue/concern/requirement.

The idea was to provide a starting point for reflection and conversation. The goal was to help everyone from management to employees to see that there were many different attitudes to personal privacy within the organization. What I did not convey back then—at least not as much as I probably should have—was the extent to which privilege and economic status can influence these attitudes. See the next item for more on that.

The following privacy reading list may prove helpful. This one is shamelessly headed by my 2016 white paper on data privacy law. While the paper does not cover developments in data privacy law in the last few years, several people have told me that the historical background it provides is very helpful, particularly when it comes to understanding why Data Privacy Day in America is Data Protection Day in many other countries. And, it does contain about 80 references, including links to all major US privacy legislation up into 2016.

Moving from data privacy laws to privacy data realities, like the intersection of privacy, poverty, and privilege, here are a number of thought-provoking articles you might want to read:

Check your privacy privilege, by Heather Burns, 2020
Automating Inequality: How High-Tech Tools Profile, Police, and Punish the Poor, Virginia Eubanks, 2018 ("systematically investigates the impacts of data mining, policy algorithms, and predictive risk models on poor and working-class people in America").
Privacy for Whom? Sam Adler Bell, the New Inquiry, 2018
Why Some Women Don't Actually Have Privacy Rights, Tanvi Misra, Bloomberg, 2017
The Poverty of Privacy Rights, Khiara M. Bridges, 2016
A Poor Mother's Right to Privacy: A Review, Danielle K. Citron, 2018

Finally, getting back to a point raised earlier in this post, one that comes up every Data Privacy Day, here is my 2018 article "Data Privacy vs. Data Protection: Reflecting on Privacy Day and GDPR."

Note:

AI's most troubling problem? It's made of chips and code

noreply@blogger.com (Stephen Cobb) — Tue, 05 Jan 2021 11:55:00 +0000

If we define "AI problem" as any obstacle to maximizing the benefits of Artificial Intelligence, it is clear that there are a number of these, ranging from the technical and practical to the ethical and cultural. As we say goodbye to 2020, I think that we may look back on it in, a few years' time, as the year in which some of the most serious AI problems emerged into the mainstream of public discourse. However, there is one very troubling gap in this growing awareness of AI problems, a seldom discussed problem that I present below.

Growing Doubts About AI?

As one data science publication put it, 2020 was: "marked by ethical issues of AI going mainstream, including, but not limited to, gender/race bias, police and military use, face recognition, surveillance, and deep fakes." — The State of AI in 2020.

One of the most widely discussed indicators of problems in AI in 2020 was the “Timnit Gebru incident” (More than 1,200 Google workers condemn firing of AI scientist Timnit Gebru). This seems to be a debacle of Google’s own making, but it surfaced issues of AI bias, AI accountability, erosion of privacy, and environmental impact.

As we enter 2021, bias seems to be the AI problem that is “enjoying” the widest awareness. A quick Google search for ai bias produces 139 million results, of which more than 300,000 appear as News. However, 2020 also brought growing concerns about attacks on the way AI systems work, and the ways in which AI can be used to commit harm, notably the "Malicious Uses and Abuses of Artificial Intelligence," produced by Trend Micro Research in conjunction with the United Nations Interregional Crime and Justice Research Institute (UNICRI) and Europol’s European Cybercrime Centre (EC3).

Thankfully, awareness of AI problems was much in evidence at the "The Global AI Summit," an online "think-in" that I attended last month. The event was organized by Tortoise Media and some frank discussion of AI problems occurred after the presentation of highlights from the heavily researched and data rich Global AI Index. Unfortunately, the AI problem that troubles me the most was not on the agenda (it was also absent from the Trend/UN report).

AI's Chip and Code Problem

The stark reality, obscured by the hype around AI, is this: all implementations of AI are vulnerable to attacks on the hardware and software that run them. At the heart of every AI beats one or more CPUs running an operating system and applications. As someone who has spent decades studying and dealing with vulnerabilities in, and abuse of, chips and code, this is the AI problem that worries me the most:

AI RUNS ON CHIPS AND CODE, BOTH OF WHICH ARE VULNERABLE TO ABUSE

In the last 10 years we have seen successful attacks on the hardware and software at the heart of mission critical information systems in hundreds of prestigious entities both commercial and governmental. The roll call of organizations and technologies that have proven vulnerable to abuse includes the CIA, NSA, DHS, NASA, Intel, Cisco, Microsoft, Fireye, Linux, SS7, and AWS.

Yet despite a constant litany of new chip and code vulnerabilities, and wave after wave of cybercrime and systemic intrusions by nation states—some of which go undetected for months, even years—a constantly growing chorus of AI pundits persists in heralding imminent human reliance on AI systems as though it was an unequivocally good thing.

Such "AI boosterism" keeps building, seemingly regardless of the large body of compelling evidence that supports this statement: no builder or operator of any computer system, including those that run AI, can guarantee that it will not be abused, misused, impaired, corrupted, or commandeered through unauthorized access or changes to its chips and code.

And this AI problem is even more more serious when you consider it is the one about which meaningful awareness seems to be lowest. Frankly, I've been amazed at how infrequently this underlying vulnerability of AI is publicly mentioned, noted, or addressed, where publicly means: "discoverable by me using Google and asking around in AI circles."

Of course, AI enthusiasts are not alone in assuming that, by the time their favorite technology is fully deployed, it will be magically immune to the chip-and-code vulnerabilities inherent in computing systems. Fans of space exploration are prone to similar assumptions. (Here's a suggestion for any journalists reading this: the next time you interview Elon Musk, ask him what kind of malware protection will be in place when he rides the SpaceX Starship to Mars.)

Boosters of every new technology — pun intended— seem destined to assume that the near future holds easy fixes for whatever downsides skeptics of that technology point out. Mankind has a habit of saying "we can fix that" but not actually fixing it, from the air-poisoning pollution of fossil fuels to ocean-clogging plastic waste. (I bet Mr. Musk sees no insurmountable problems with adding thousands of satellites to the Earth's growing shroud of space clutter.)

I'm not sure if I'm the first person to say that the path to progress is paved with assumptions, but I'm pretty sure it's true. I would also observe that many new technologies arrive wearing a veil of assumptions. This is evident when people present AI as so virtuous and beneficent that it would be downright churlish and immodest of anyone to question the vulnerability of their enabling technology.

The Ethics of AI Boosterism

One question I kept coming back to in 2020 was this: how does one avert the giddy rush to deploy AI systems for critical missions before they can be adequately protected from abuse? While I am prepared to engage in more detailed discussions about the validity of my concerns, I do worry that these will get bogged down in technicalities of which there is limited understanding among the general public.

However, as 2020 progressed and "the ethics of AI" began to enjoy long-overdue public attention, another way of breaking through the veil of assumptions obscuring AI's inherent technical vulnerability occurred to me. Why not question the ethics of "AI boosterism"? I mean, surely we can all agree that advocating development and adoption of AI without adequately disclosing its limitations raises ethical questions.

Consider this statement: as AI improves, doctors will be able to rely upon AI systems for faster diagnosis of more and more diseases. How ethical is it to say that, given what we know about how vulnerable AI systems will be if the hardware and software on which they run is not significantly more secure than what we have available today?

To be ethical, any pitches for AI backing and adoption should come with a qualifier, something like "provided that the current limitations of the enabling technology can be overcome." For example, I would argue that the earlier statement about medical use of AI would not be ethical unless it was worded something like this: as AI improves, and if the current limitations of the enabling technology can be overcome, doctors will be able to rely upon AI systems for faster diagnosis of more and more diseases.

Unlikely? Far-fetched? Never going to happen? I am optimistic that the correct answer is no. But I invite doubters to imagine for just a moment how much better things might have gone, how much better we might feel about digital technology today, if previous innovations had come with a clear up-front warning about their potential for abuse.

40 digital technologies open to abuse

A few months ago, to help us all think about this, I wrote "A Brief History of Digital Technology Abuse." The article title refers to "40 chapters" but these are only chapter headings that match the 40 items in this word cloud. I invite you to check it out.

In a few weeks I will have some statistics to share about the general public's awareness of AI problems. I will be sure to provide a link here. (See: AI problem awareness grew in 2020, but 46% still “not aware at all” of problems with artificial intelligence.)

In the meantime, I would love to hear from anyone about their work, or anyone else's, on the problem of defending systems that run AI against abuse. (Use the Comments or the contact form at the top of the page, or check out my socials on Linktree.)

Notes:

If you found this article interesting or helpful or both, please consider clicking the button below to buy me a coffee and support a good cause, while fueling more independent research and ad-free content like this. Thanks!

Cybersecurity had a rough 2020, but 50 recent headlines suggest the outlook for 2021 could be even worse

noreply@blogger.com (Stephen Cobb) — Thu, 31 Dec 2020 17:00:00 +0000

Sadly, my annual outlook for cybersecurity has, for the past 20 years, been this: "things will get worse before they get better."

In this context, "the outlook for cybersecurity" is the expected performance of efforts to defend information systems from abuse, as measured by the amount of system abuse that occurs despite those efforts.

If you boil cybersecurity outlook down to a single question it is this: will criminal acts targeting digital systems and the data they process cause more harm next year than they did this year?

On the right you can see just one measure of such harm, a dollar figure for internet crime losses reported to IC3 and the FBI. The losses recorded in this metric hit $3.5B in 2019.*

I predict that for 2020, the IC3/FBI report will show around $4.7B in losses, barring significant changes to the report's methodology. I further predict that the number will reach $6B in 2021.

Of course, I could be wrong, and I sincerely hope that the losses turn out to be lower than my predictions. What I can promise is that I will post the 2020 number as soon as it is published (about 45 days from now, if the Biden-Harris administration sticks to the traditional schedule).

One way of looking at the problem

Regardless of the IC3/FBI numbers for 2020, I think that criminal acts targeting digital systems and the data they process will cause more harm in 2021 than they did this year. And I say that despite 2020 being a quite unusual year, what with all that cybercrime which leveraged the pandemic, and the presidential election in the US, plus the massive Russian SolarWinds breaches.

The rest of this blog post is just one way of documenting why my outlook is bleak (I am working on a longer article about the history of my "will get worse before it gets better" perspective). What you have here are 50 cybersecurity headlines that I noticed during the last 30 days of 2020. These are not ALL the cybercrime headlines from December, 2020. These they are just a sample, plucked from one of the best cybersecurity "feeds" that I have found: InfoSecSherpa's Newsletter (subscription strongly recommended).

This daily email newsletter is produced by @InfoSecSherpa who pledges to provide: "a daily summary of 10 Information Security news items that aren't necessarily getting a lot of attention." So, here are 50 items I picked out to reflect the range of cyber-criminal activity currently taking place. I'm not saying that you should read them all. I think a quick scan will make my point:

These headlines paint a picture of rampant criminal activity abusing all manner of digital technology in all regions of the world, across all sectors of human endeavor, including education, research, medicine, healthcare, pharmaceuticals, heavy industry, light industry, commercial shipping, recreational shipping, retail, banking, software, hardware, the media, local government, state government, national government.

These headlines also document the main reason that I think the harm caused by such activity in 2021 will be even greater than in 2020: whatever deterrents there are to people continuing to engage in this type of activity, they are clearly not working. And in 2021 there will be more people than ever with both the motive and means to engage in cybercrime, and more opportunities than ever to commit cybercrime.

Motive increase: widespread pandemic-related economic hardship
Means increase: constantly improving cybercrime skills, increasingly accessible (e.g. crime-as-a-service)
Opportunities increase: more devices and data, in more locations, performing increasingly valuable functions

As 2021 rolls on I will continue to document the scale of the cybersecurity challenge as I see it. For now, let me extend a massive THANK YOU to all the dedicated and righteous souls who labored so hard in 2020 to fend off the bad actors.

Is there any room for optimism in 2021? Maybe, if the Biden Harris administration is allowed to get on with the job of instigating major improvements in globally coordinated cybercrime deterrence. (And to be clear, I do sincerely hope that six months from now reality will show that my current outlook was overly pessimistic.)

In any event, here's to "cyber" becoming way less crimey in 2021. Happy New Year!

Notes

If you found this article interesting and/or helpful, please consider clicking the button below to buy me a coffee and support a good cause, while fueling more independent research and ad-free content like this. Thanks!

* While IC3 is the source of the numbers in the graph, IC3 has not—to my knowledge—published them in a graph, in other words, I built the graph from their numbers. And I know that the IC3 numbers are by no means perfect crime metrics; they are based on data that is accumulated as a by-product of one avenue of attack against the crimes they represent. However, I have studied each of the annual report and I am satisfied that collectively they provide solid evidence of a real world cybercrime impact trend that looks very much like the line shown in the graph. For more on issues with cybercrime measurement, see my article in the Journal of National Security Law & Policy: Advancing Accurate and Objective Cybercrime Metrics.

Universal Recipe for Disaster: Works in Cyberspace as well as Meatspace (a plea to heed experts)

noreply@blogger.com (Stephen Cobb) — Thu, 05 Nov 2020 21:07:00 +0000

Getting people to heed your warnings is one of the toughest aspects of being an expert, whether your specialty is epidemiology or criminology, virology or malicious code, biology or botnets. How do you get people to pay attention to a problem that seems very urgent to you, but not urgent enough to others? One approach is to just keep trying.

One of my recent efforts was to describe "The COVID Effect." Another effort was "The Malware Factor." Today, I give you: Recipe for Disaster.

This Recipe for Disaster works in both cyberspace and meatspace. You simply combine these ingredients: rapid embrace of global connectivity and complex interdependence, at scale, absent universally agreed enforceable norms of behavior.

In other words, you create a situation where everything and everybody is not only connected to every other thing and person, but also heavily dependent upon those things and people and connections. Obviously this creates some level of risk that things could go wrong, but the trick to maximizing the potential for disaster is to do all this without everyone involved first committing to abide by an agreed set of rules as to what is permissible, or figuring out how you can and will censure anyone who breaks the rules.

What you get from this recipe is a situation in which every kind of human endeavor is at serious risk of failing, badly, and with potentially dire consequences.

A meatspace example would be a global pandemic caused by a deadly biological virus. A cyberspace example would be a digital infrastructure that enables a crisis like a biological pandemic to be abused for selfish ends by criminals wielding malicious code, potentially hindering efforts to deal with the crisis.

Of course, it is now clear that many experts in many fields were right in many ways. As has happened far too often in human history, we are finding out far too late that, like the song says: "What they've been saying all these years is true"* Had experts been heeded in the past, we could have avoided the deadly mess we're in today.

I can already hear some people saying "Okay, so we should have listened back then, but is there anything you can tell us now that will help us get out of this mess?" Well, as it happens, there is. For a start, I can tell you that increasing the number of people who recognize the mess for what it is will be critical for getting out of it.

And that's why I will keep trying to improve the effectiveness of my efforts to get people to pay attention.

Please feel free to share the recipe card at the top of the page, or make your own version.

Thanks.

Notes:

*The song being quoted is Bonnie Dobson's 1962 classic "Morning Dew," popularised in the late sixties by the late Tim Rose whose version is used to great effect by Japanese director Mori Masaki is this anti-war video, which some readers might find upsetting.

Stephen and Chey Cobb: Independent Researchers

Internet crime losses triple in three years, up 5X this decade to over $20 Billion

Follow this link to get the 2025 IC3 Annual Report, and all previous editions. They are the basis for the chart above, a chart that I have been curating and updating for over 20 years.

That Was The Cybercrime Awareness Month That Was, 2025 marks a 30th malware anniversary

AI pirated our books on network security and cryptography: we're up for Bartz v. Anthropic

Technology, human weakness, and Trump's thing for fraudsters, grifters, and scammers

How jagged AI botches research: an in-depth example of artificial jagged intelligence at work

Welcome to the rough and unready world of Artificial Jagged Intelligence

Where's the Intelligence in this jagged AI?

There is more bad news: GAIO's response when asked about the Vienna virus on June 1, nearly two months after the erroneous results in April, was just as erroneous:

Applied learning and cybersecurity

The Actual Vienna Virus

What's worse than being wrong? Not knowing why

Guessing the Root of an LLM GPT Problem

AI turned my 6,000 word academic paper into a 5-minute podcast, without asking

2024 sets a record for cybercrime losses and at $16.6 billion it's a lot higher than I predicted

The 2024 total is $2 billion above my prediction last month of $14.5 billion (see Internet crime losses are on the rise). Follow this link to get the 2024 IC3 Annual Report, and all previous editions.

More Internet crime stats from the IC3 Annual Report 2024

Internet crime losses are on the rise, but how fast? We could get latest IC3 stats as soon as this week ... or not

Welcome to Online: risks, harms, and duty of care in the virtual high crime neighborhood we all inhabit

Criminals have made Online a high crime neighborhood

Why it's risky to tell people "just go online"

Global IT Outages and Monoculture: The “potato famine theory” of information system insecurity

Of Potatoes and Wormsby Chey Cobb, CISSPand Stephen Cobb, CISSPAugust, 2003

Internet crime keeps on growing, as do efforts to understand the harm it causes

QR code abuse 2012-2023

Artificial Intelligence is really just another vulnerable, hackable, information system

Criminology and Computing and AI

Do AI fans even know this?

What is ChatGPT and how can AI get things wrong: an annotated example using jackware

Internet crime surged in 2022: possibly causing as much as $160 billion in non-financial losses

Digital Baitballs and Shrinkage: a cybersecurity lesson from 2022

Is survival enough?

Shrinkage

Cobb's Guide to PC and LAN Security: the 30th anniversary of the first version

Three Versions and a Free Version

Computer Security Prognosis and Predictions

Big jump in losses due to Internet crimes in 2021, up 64% according to latest IC3/FBI report

What's next for cybercrime and its victims?

From cyber-crime metrics to cyber-harm stories: shifting cybersecurity perspectives and cybercrime strategies

The Carer Factor

As predicted, Internet crime surged in 2020, losses up 20% based on FBI and IC3 reports: analysis and opinion

A shred of hope?

Secu-ring video doorbells and other 'smart' security cameras: some helpful links

Data Privacy Day 2021: Selected data privacy reading and viewing, past and present

AI's most troubling problem? It's made of chips and code

Growing Doubts About AI?

AI's Chip and Code Problem

The Ethics of AI Boosterism

Cybersecurity had a rough 2020, but 50 recent headlines suggest the outlook for 2021 could be even worse

One way of looking at the problem

Notes

Universal Recipe for Disaster: Works in Cyberspace as well as Meatspace (a plea to heed experts)

Of Potatoes and Worms
by Chey Cobb, CISSP
and Stephen Cobb, CISSP
August, 2003