The Criminal Mindset, or, “I Think I Can”

Theories abound as to the motivation of someone who decides to sink below the letter of the law (or rise above it, depending), from the far out to the mundane.  Quite interestingly, it may be nearly impossible to ever retrieve a scientifically accurate representation of this data – criminals, much like wild animals, are rarely academically observed in the wild, only in the zoo of the prison system, where they will invariably act much different toward their prospective observers.

Speaking candidly as someone who has stolen from, emotionally harmed, and otherwise caused detriment to others in a distant past, I would offer the opinion that more often than not, a psychologically healthy criminal has one mindset, which boils down to, simply, “I can get away with this.”

Mind you, I have never committed a violent crime against another, nor would I; nor am I what you would call a “hardened criminal,” though I have spent an aggregate of roughly 24 hours in various jails across the country – so take the rest as you will.

Objectively, I could stand by an argument that in some felonies, a certain amount of very rudimentary “cost-benefit analysis” takes place.  Though deranged as it may be, a young person with no positive influences in their world could certainly value the kinship at stake in murdering an unknown person in order to gain favor in a gang over that stranger’s life.  Alternately, it may even be subjectively worth it to defraud hundreds or thousands of people out of millions or billions of dollars, depending on your personal morals.

For some, it can be deduced that trading a downtrodden life of poverty and loneliness for wealth and companionship could transcend any artificial, manmade consequences.

However, in the commission of most, if not all crimes, there must exist a certain measure of confidence in one’s ability to reap the reward without said consequence.  Whether it’s the aforementioned murderer, or a speeder on the interstate, or even or a child trying to play video games with the sound off after bedtime, the action can only even enter the mind after successfully spurning previous boundaries.

I realize this must sound paradoxical, but as toddlers, we absorb the world around us in very unique ways.  We are constantly pushing boundaries, both ours and those of others, and customarily, we are restrained.  It is only upon the absence of such restraint do we find the behaviors that we find what we are capable of outside of the limits of “regulations,” whether they be household rules, or manmade laws.

By building upon the selfish character of our human nature as we age, we eventually grow to learn that sometimes, there are rules that can be broken, and we discover the methodologies to do so.  Expanding on this, we can arrive at the logical mindset of what, socially and ethically, we can call “a criminal.”

In short, as long as there are humans, there will be opportunists, and as long as there are opportunists, there will continue to be those who are willing to subvert the laws put forth before them.

Citations:
http://bit.ly/xzTgpl – “The Overly Confident Mentality of Criminals”
http://bit.ly/zQyFhu – ”Criminal Mindset”

Carrier IQ

About a month and a half ago it was revealed that there has been tracking software pre-installed on over 141 million cell phones. The software designed by Carrier IQ is responsible for recording and reporting metrics to your phone carrier. This discovery forces a dialogue about the trust relationship that is established between the customers and their carrier and exactly how the carrier treats the information that is being is being stored. There have been many allegations about what is exactly being tracked by the software, some true and some more along the lines of half-truths.

As it turns out Carrier IQ was intended to be a utility that allows for a carrier to be able to intelligently diagnose network and phone issues that a customer might be experiencing. For example, prior to the development of Carrier IQ, a carrier might only be detecting that 1 out of every 100 phone calls being placed on their network are being dropped; when in reality it might be much closer to 8 or 9 calls out of those 100 placed. This disparity between the actual numbers and the ones being recorded by the carrier allowed Carrier IQ to see a possible use case and ended up meeting the needs of the carrier.

They haven’t explicitly admitted everything they track, but have specifically said that they track call drops correlated with GPS information, SMS information, web history and application/CPU usage.

Carrier IQ has made an effort to create a line in the proverbial sand in what they do and do not want to collect from users. They say that they don’t collect any content, whether it be what was actually sent in an SMS text message or the contents of a webpage that you access. They do however track the metadata for your activity, this includes who you sent your SMS message to and if it was successfully sent. The same can be said about your web history, they are tracking the URLs being accessed not what is actually being displayed on your screen.

Carrier IQ thinks that what they are collecting is harmless to the consumer but a debate is now forming on what type of information should be okay to track and what really shouldn’t be. Carrier IQ has stated that they don’t capture the content of what the user is doing. Content is really an ambiguous term. Carrier IQ might not consider my URL history to be a private matter. I consider pretty much all of my usage history sans maybe CPU utilization to be a private matter (no matter how mundane my life really is). Its something that really shouldn’t existing in a database somewhere, ready to be hacked, subpoenaed or looked at by a rogue employee that has decided that they want to know more about me. What becomes even more disconcerting is that this information is being tracked even while I am out of the country, on a Wi-Fi network not even connected to their cellular network.

Who knows, maybe I’m just being a paranoid parrot. Maybe no one really cares anymore about their privacy, it has been said by numerous individuals that “Privacy is dead – get over it.” I for one don’t like it and I think I’ll take my ball and go home. In all seriousness though, this software really should be industry vetted to make sure that it cannot be exploited by malicious individuals and it should be established exactly what information each carrier is tracking and for how long. This would allow consumers to identify what tabs the carriers are keeping on their customers; which I’m sure most consumers won’t like and allow for free market forces to stifle the ones being over exuberant with this tracking technology.

http://www.theverge.com/2011/12/5/2609662/carrier-iq-interview

http://www.wired.com/threatlevel/2011/11/rootkit-brouhaha/

http://www.edition.cnn.com/2011/12/02/tech/mobile/carrier-iq-reactions/

Fake Documents

After the Wikileaks scandal, the Department of Defense is using a new software that generates fake documents that send an alert when they are opened. This would allow the DoD to provide misinformation but also to potentially see who opened the file and where they are.

Unfortuneatly, there seems to be a few ways around this techonlogy. You can disconnect your computer from the Internet before you open files, but this can be averted by requireing the document to authenticate and alert before the contents are visible to the user. Once you have access to the contents, you could easily take screenshots of the information and delete the original.

For more info, see: http://www.schneier.com/blog/archives/2011/11/fake_documents.html

Ethical Hackers 2

In a follow up to my post about ethical hackers, I found an article about a Cyber Challenge which was looking into getting teenagers and young adults, who have are partial to hacking, interested in cybersecurity jobs. “In the eyes of the organizers of the Maryland Cyber Challenge and Conference, today’s hacker could be tomorrow’s cybersecurity hero.”  Realizing that there is a shortage of security professionals in the work force, those who ran the whole conference, intended to help those who attended see the great aspects of cybersecurity. The challenge itself was:

an all-day brain tester for eight high school and eight college teams. The college students had to hack into a computer, gain control, and rummage through files for valuable information. Meanwhile the high-schoolers were required to defend six computer servers against attacks by cunning computer professionals seated across the room.

It would seem that the “Ethical Hacker” is a much needed resource in this day and age.

Article: http://www.homelandsecuritynewswire.com/cyber-challenge-encourages-teen-hackers-seek-security-jobs

Sam Antar video – more of a lesson in Ethics?

I’m not sure if the video about Sam Antar was entirely about social engineering.  Granted, Mr. Antar was adept at influencing the auditors, I think the video was more about Ethics.  The business world is based on integrity of financial information and the video showed that Sam Antar abused and manipulated that integrity to portray his family’s business in a better light.

Factual accounting is the means to ensure financial information is correct.  The financial information is used by investors, lenders, creditors, governments to make business and investing decisions.  As a certified public accountant, Sam Antar was fully aware of the importance of this information.  He gained knowledge about how accounting firms verified this information by working for the agency that audited Crazy Eddie’s.  He and his associates used this information to deceive auditors and misrepresent key accounts values to make their business more profitable.  Basically, he willfully deceived investors, creditors, lenders and the government when he knew better.

In class we learned that Ethics was the study of principles of conduct that apply to an individual or a group.  Furthermore, we learned that there are four Ethical Standards: Rights; Justice; Utility; and Care.  In reviewing the video and researching on-line, it is clear that Sam Antar violated all of these ethical standards.

1. Rights – an individual’s basic needs and welfare.  Sam and his co-conspirators elected to illegally manipulate business systems and take more than was rightfully theirs.
2. Justice – how the costs and benefits of an action or a policy can be fairly distributed fairly among a group.  Sam and his co-conspirators made millions off their illegal activities.  In the end (probably because of his cooperation with the government and legal plaintiffs), Sam did not go to jail and was not sued.  Sam isn’t living in poverty, as he makes a living as a consultant and is available for speaking engagements.
3. Utility – The positive and negative effects that an action or a policy has on the public.  Sam’s company cheated investors, lenders, and creditors and the government out of millions of dollars.  Customers were cheated out of warranties, paid “new” prices for “old” electronics.  Employees lost their jobs as a result of the company’s bankruptcy.  Lenders, creditors and the government lost out on monies they invested and taxes they could not collect.
4. Care – relationships we have with others.  Sam and his fellow criminals trampled on the trustworthiness of many people.  He admitted that he manipulated people to advance his company and personal interests.  In the end, he even served as a witness against family members in their trials for their crimes.

It is clear that ethics was not a high priority to Mr. Antar while he was working at Crazy Eddie’s.  However, according to his website, it appears that he is attempting educate the public so transgressions like this can be avoided.  Time will tell if his intentions are indeed good and ethical.

http://www.whitecollarfraud.com/

The hackivist group Anonymous

The hackivist group Anonymous is described by Wikipedia as “an international hacking group, spread through the Internet, initiating active civil disobedience, while attempting to maintain anonymity”.

Recently, they have been attributed as the source of denial of service attacks against the Oregon Tea Party, Sony, and the Irish political party Fine Gael.  They have also employed attacks against the governments of Australia, Egypt, and Libya.

The group has also provided websites and support for social-political efforts like Occupy Wall Street, the Green Party movement in Iran, and the Arab Spring efforts in Egypt and Syria.  Additionally, Anonymous recently took down 40 child porn websites and published the names of 1500 people who often visited the illegal websites.

In October, parts of Anonymous have taken on the Los Zetas drug cartel in Mexico.  The drug cartel had kidnapped a member of Anonymous.  In response, Anonymous has threatened to release the names of police and political officials who are illegally collaborating with the Los Zetas drug cartel.  We will see how Anonymous fairs in this battle since more is at stake than just lawsuits and prison time.  Los Zetas has been known to kill whistle-blowers and hacktivists in the past.

So what role do you see hacktivists playing in society?  Do they act as modern-day Robin Hoods to correct social injustices, or are they disruptive elements like Tyler Durden in “Fight Club”?

In my readings about them, it looks to me like Anonymous is more of a brand that can be placed on a hacking attack.  There does not appear to be any hierarchy or centralized managing authority, which makes it easy nearly anyone to say that they are part of the group.  If a hacker attack is popular and successful, then the event is publicized.  Case-in-point is the fact that parts of Anonymous were active both for and against the war in Libya.  Anonymous members were also divided over the Westboro Baptist Church and its claim to free speech while protesting at military funerals.

Thoughts?

http://en.wikipedia.org/wiki/Timeline_of_events_involving_Anonymous

Cyber Attack Effects

When it comes to cyber attacks, no matter the purpose behind the attack, it always seems to cause harm.  As we have found, attacks can be perpetrated for a number of reasons, some meant to be harmful and some not particularly so.  However, whichever the case the victims of the attack tend to be harmed regardless. For example, the sportswear company  Adidas website suffered an attack by unknown forces, this was discovered on Thursday.  Currently investigation of this incident is going on and they have not found that any consumer data has been impacted. Despite this they have shutdown the site  and will keep it this way until the investigation is complete and all problems are resolved.  So in the end, although the attack itself may have not done any particularly harm it has caused the site to be shutdown which will affect the company anyway.

Adidas attack info: http://www.straitstimes.com/BreakingNews/TechandScience/Story/STIStory_731336.html

Government requests to Google for information on users has spiked.

 

 

 

The number of requests from the government to Google for information on its users has increased by 29% in the last 6 months.  Google is one of the few companies that release these kinds of statistics to the public. The reason they give for doing this is that they want to raise awareness about the ECPA.

The ECPA is the Electronic Communications Privacy Act and it was enacted 25 years ago. It was set to provide people with protection and privacy against government intrusion but hasn’t been updated since it was made to reflect new advances in technologies. Because of this people are still massively vulnerable to government intrusion, with their ability to get access to users online information with out having to go through a judges approval like they would need to with a warrant. Google is just  one of many high tech companies that have formed the Digital Due Process coalition to advocate reform.

This isn’t the first time Google has attempted to rock the boat over government monitoring. Most of you probably remember back when Google refused to censor search results in China. Their refusal of this demand caused them to close up shop in a much of China. On the other hand companies like yahoo have no trouble with censoring or even monitoring and giving information on political dissidents.

http://www.digitaldueprocess.org/index.cfm?objectid=37940370-2551-11DF-8E02000C296BA163

http://m.wired.com/threatlevel/2011/10/google-data-requests/

Ethical Hackers

For those people out there that enjoy hacking but don’t want to worry about the consequences one may have to face because you are doing something unlawful, there’s a job in it for you. An ethical hacker is someone who rather than hacks to, for example, steal, instead hacks when hired to find weaknesses in a company’s security.

Hacking becomes a job, and a job means making money.  As a ethical hacker one has a decent pay grade. Depending on the jobs you take on as well as your experience, a person can make between $60,000 and $100,000 if not more.

In the end, being an ethical hacker is a complete win-win situation. Hacking to your hearts content is now a possibility, plus you earn a steady income and the chances of serving time have been eliminated. If you want to hack being an ethical hacker seems to be the way to go.

info obtained from: http://www.nypost.com/p/news/business/jobs/what_up_with_that_job_73bcepcf42NSN1m1fRsr2I?CMP=OTC-rss&FEEDNAME=

Police data leaked by Anonymous again

On late friday, Anonymous posted a notice on Pastebin claiming that it had leaked more information by hacking into websites such as the International Chiefs of Police, the Boston Police Patrolmens’ Association, and the law enforcement agencies in Alabama’s Birmingham and Jefferson Counties. This post from late friday was deleted off of Pastebin, though a different one appeared on saturday.

Saturday was the opening of the opening conference of The International Association of Chiefs of Police. The leaked information includes internal documents, membership rosters, Social Security Numbers, addresses, passwords, and other personal data.

Anonymous says that though the IACP conference was saturday, that day is also going to be the start of the Day of Action Against Police Brutality. Though Anonymous had done the same thing, with the release of data pertaining to the Arizona Department of Public Safety in June, they are continuing to leak sensitive data of other police and public safety organizations stating that they had little concern for the safety of those whose information it had made available with the most recent leak.Anonymouse state, this being their reasoning, that they had no problem targeting police and releasing their information even if it puts them at risk because they wanted them to experience just a taste of the brutality and misery they serve them on an everyday basis.

This latest action was also meant to show support for those arrested and charged with being members of the collective. Anonymous claims that they are conducting peaceful protests. Now is this really how it is going to last, or could this information that was leaked lead to something else happening which could end up in future bigger problems down the way. If these hacker groups keep posting this private information on the internet for the world to see, what could happen if a real criminal got a hold of this information at used it to get revenge on a law enforcement officer or other things like that. How far is this going to go?