23 results back to index
Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It by Marc Goodman
23andMe, 3D printing, active measures, additive manufacturing, Affordable Care Act / Obamacare, Airbnb, airport security, Albert Einstein, algorithmic trading, artificial general intelligence, Asilomar, Asilomar Conference on Recombinant DNA, augmented reality, autonomous vehicles, Baxter: Rethink Robotics, Bill Joy: nanobots, bitcoin, Black Swan, blockchain, borderless world, Brian Krebs, business process, butterfly effect, call centre, Charles Lindbergh, Chelsea Manning, cloud computing, cognitive dissonance, computer vision, connected car, corporate governance, crowdsourcing, cryptocurrency, data acquisition, data is the new oil, Dean Kamen, disintermediation, don't be evil, double helix, Downton Abbey, drone strike, Edward Snowden, Elon Musk, Erik Brynjolfsson, Filter Bubble, Firefox, Flash crash, future of work, game design, global pandemic, Google Chrome, Google Earth, Google Glasses, Gordon Gekko, high net worth, High speed trading, hive mind, Howard Rheingold, hypertext link, illegal immigration, impulse control, industrial robot, Intergovernmental Panel on Climate Change (IPCC), Internet of things, Jaron Lanier, Jeff Bezos, job automation, John Harrison: Longitude, John Markoff, Joi Ito, Jony Ive, Julian Assange, Kevin Kelly, Khan Academy, Kickstarter, knowledge worker, Kuwabatake Sanjuro: assassination market, Law of Accelerating Returns, Lean Startup, license plate recognition, lifelogging, litecoin, low earth orbit, M-Pesa, Mark Zuckerberg, Marshall McLuhan, Menlo Park, Metcalfe’s law, MITM: man-in-the-middle, mobile money, more computing power than Apollo, move fast and break things, move fast and break things, Nate Silver, national security letter, natural language processing, obamacare, Occupy movement, Oculus Rift, off grid, offshore financial centre, optical character recognition, Parag Khanna, pattern recognition, peer-to-peer, personalized medicine, Peter H. Diamandis: Planetary Resources, Peter Thiel, pre–internet, RAND corporation, ransomware, Ray Kurzweil, refrigerator car, RFID, ride hailing / ride sharing, Rodney Brooks, Ross Ulbricht, Satoshi Nakamoto, Second Machine Age, security theater, self-driving car, shareholder value, Silicon Valley, Silicon Valley startup, Skype, smart cities, smart grid, smart meter, Snapchat, social graph, software as a service, speech recognition, stealth mode startup, Stephen Hawking, Steve Jobs, Steve Wozniak, strong AI, Stuxnet, supply-chain management, technological singularity, telepresence, telepresence robot, Tesla Model S, The Future of Employment, The Wisdom of Crowds, Tim Cook: Apple, trade route, uranium enrichment, Wall-E, Watson beat the top human players on Jeopardy!, Wave and Pay, We are Anonymous. We are Legion, web application, Westphalian system, WikiLeaks, Y Combinator, zero day
Mitnick and William L Simon, Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker (New York: Little, Brown, 2012). 22 Poulsen’s ingenious 1990 hack: Jonathan Littman, “The Last Hacker,” Los Angeles Times, Sept. 12, 1993. 23 For example, in October 2013: “Adobe Hack: At Least 38 Million Accounts Breached,” BBC, Oct. 30, 2013. 24 But what changed in that attack: Brian Krebs, “Adobe to Announce Source Code, Customer Data Breach,” Krebs on Security, Oct. 3, 2013. 25 Yep, the company that is selling: Darlene Storm, “AntiSec Leaks Symantec pcAnywhere Source Code After $50K Extortion Not Paid,” Computerworld, Feb. 7, 2012. 26 Traditional organized crime groups: The Hague, Threat Assessment: Italian Organized Crime, Europol Public Information, June 2013; Nir Kshetri, The Global Cybercrime Industry: Economic, Institutional, and Strategic Perspectives (London: Springer, 2010), 1; Chuck Easttom, Computer Crime, Investigation, and the Law (Boston: Cengage Learning, 2010), 206. 27 These newly emerging: Mark Milian, “Top Ten Hacking Countries,” Bloomberg, April 23, 2013. 28 New syndicates: Brian Krebs, “Shadowy Russian Firm Seen as Conduit for Cybercrime,” Washington Post, Oct. 13, 2007; Verisign iDefense, The Russian Business Network: Survey of a Criminal ISP, June 27, 2007. 29 RBN famously provides: Trend Micro, The Business of Cybercrime: A Complex Business Model, Jan. 2010. 30 ShadowCrew operated the now-defunct Web site: Kevin Poulsen, “One Hacker’s Audacious Plan to Rule the Black Market in Stolen Credit Cards,” Wired, Dec. 22, 2008. 31 Founded by the notorious criminal hacker: James Verini, “The Great Cyberheist,” New York Times Magazine, Nov. 10, 2010. 32 The number and reach: John E.
Deep Web Harvesting,” BrightPlanet, July 31, 2013. 15 Whereas Silk Road: Andy Greenberg, “Inside the ‘DarkMarket’ Prototype, a Silk Road the FBI Can Never Seize,” Wired, April 24, 2014. 202 To that end, in mid-2014: Kim Zetter, “New ‘Google’ for the Dark Web Makes Buying Dope and Guns Easy,” Wired, April 17, 2014. 16 Certain criminal forums: Michael Riley, “Stolen Credit Cards Go for $3.50 at Amazon-Like Online Bazaar,” Bloomberg, Dec. 19, 2011. 17 Numerous illicit “torrents”: Ernesto, May 18, 2008, blog on TorrentFreak, accessed on June 27, 2014. 18 Another such site: “Inside the Mansion—and Mind—of Kim Dotcom, the Most Wanted Man on the Net,” Wired, Oct. 18, 2012. 19 Not only do they sell: Beth Stebner, “The Most Dangerous Drug in the World: ‘Devil’s Breath’ Chemical from Colombia Can Block Free Will, Wipe Memory, and Even Kill,” Mail Online, May 12, 2012. 20 Tor hidden sites: Forward-Looking Threat Research Team, “Deepweb and Cybercrime,” Trend Micro, 2013, 16. 21 Once stolen: Brian Krebs, “Peek Inside a Professional Carding Shop,” Krebs on Security, June 4, 2014. 22 Given the vast amounts: Max Goncharov, “Russian Underground Revisited,” Forward-Looking Threat Research Team, Trend Micro Research Paper. 23 The cards are sold: Brian Krebs, “Cards Stolen in Target Breach Flood Underground Markets,” Krebs on Security, Dec. 20, 2013; Dancho Danchev, “Exposing the Market for Stolen Credit Cards Data,” Dancho Danchev’s Blog, Oct. 31, 2011; “Meet the Hackers,” Bloomberg Businessweek, May 28, 2006; David S. Wall, “The Organization of Cybercrime in an Ever-Changing Cyberthreat Landscape” (draft paper for the Criminal Networks Conference, Montreal, Oct. 3–4, 2011). 24 The United States is the largest victim: “Skimming off the Top,” Economist, Feb. 15, 2014. 25 Nearly 20 percent: Pew Research Center, “More Online Americans Say They’ve Experienced a Personal Data Breach,” April 14, 2014; Rosie Murray-West, “UK Worst in Europe for Identity Fraud,” Telegraph, Oct. 1, 2012. 26 Medical identity theft: Herb Weisbaum, “U.S.
Millman, “Cybercriminals Work in a Sophisticated Market Structure,” Wall Street Journal, June 27, 2013. 79 Worse, it was the tool of choice: Dana Liebelson, “All About Blackshades, the Malware That Lets Hackers Watch You Through Your Webcam,” Mother Jones, May 21, 2014. 80 So good was the Blackshades RAT: “Syrian Activists Targeted with BlackShades Spy Software,” The Citizen Lab, June 19, 2012. 81 The rewards, however: Gregg Keizer, “Google to Pay Bounties for Chrome Browser Bugs,” Computerworld, Jan. 29, 2010. 82 Not to be outdone: Brian Krebs, “Meet Paunch: The Accused Author of the BlackHole Exploit Kit,” Krebs on Security, Dec. 6, 2013. 83 Dark Net chat rooms: Nicole Perlroth and David E. Sanger, “Nations Buying as Hackers Sell Flaws in Computer Code,” New York Times, July 13, 2013. 84 In 2012, the Grugq sold: Andy Greenberg, “Shopping for Zero-Days: A Price List For Hackers’ Secret Software Exploits,” Forbes, March 23, 2012. 85 Companies such as Vupen: Brian Krebs, “How Many Zero-Days Hit You Today,” Krebs on Security, Dec. 13, 2013. 86 The result, as pointed out: Josh Sanburn, “How Exactly Do Cyber Criminals Steal $78 Million?,” Time, July 3, 2012. 87 Worse, now that Stuxnet: Simonite, “Stuxnet Tricks Copied by Computer Criminals.” 88 Crime, Inc. can even draft: “The Child Porn PC Virus,” Week, Nov. 10, 2009. 89 According to the FBI: FBI, “GameOver Zeus Botnet Disrupted,” June 2, 2014. 90 As of mid-2014: Symantec, “Grappling with the ZeroAccess Botnet,” Sept. 30, 2013. 91 In the Russian digital underground: Ian Steadman, “The Russian Underground Economy Has Democratised Cybercrime,” Wired UK, Nov. 2, 2012. 92 Moreover, the threat: “Computer Says No,” Economist, June 22, 2013; Perlroth and Hardy, “Bank Hacking Was the Work of Iranians.” 93 The toll of victims: Chris Brook, “Meetup.com Back Online After DDoS Attacks, Extortion Attempt,” Threat Post, March 5, 2014; Pierluigi Paganini, “Botnet Authors Use Evernote Account as C&C Server,” Security Affairs, March 31, 2013. 94 Given these obvious advantages: Mathew J.
Spam Nation: The Inside Story of Organized Cybercrime-From Global Epidemic to Your Front Door by Brian Krebs
barriers to entry, bitcoin, Brian Krebs, cashless society, defense in depth, Donald Trump, employer provided health coverage, John Markoff, mutually assured destruction, offshore financial centre, payday loans, pirate software, placebo effect, ransomware, Silicon Valley, Stuxnet, the payments system, transaction costs, web application
Thank you for purchasing this eBook. At Sourcebooks we believe one thing: BOOKS CHANGE LIVES. We would love to invite you to receive exclusive rewards. Sign up now for VIP savings, bonus content, early access to new ideas we're developing, and sneak peeks at our hottest titles! Happy reading! SIGN UP NOW! For my BizMgr Copyright © 2014 by Brian Krebs Cover and internal design © 2014 by Sourcebooks, Inc. Cover design by The Book Designers Sourcebooks and the colophon are registered trademarks of Sourcebooks, Inc. All rights reserved. No part of this book may be reproduced in any form or by any electronic or mechanical means including information storage and retrieval systems—except in the case of brief quotations embodied in critical articles or reviews—without permission in writing from its publisher, Sourcebooks, Inc.
—From a Declaration of Principles Jointly Adopted by a Committee of the American Bar Association and a Committee of Publishers and Associations All brand names and product names used in this book are trademarks, registered trademarks, or trade names of their respective holders. Sourcebooks, Inc., is not associated with any product or vendor in this book. Published by Sourcebooks, Inc. P.O. Box 4410, Naperville, Illinois 60567-4410 (630) 961-3900 Fax: (630) 961-2168 www.sourcebooks.com Library of Congress Cataloging-in-Publication Data Krebs, Brian. Spam nation : the inside story of organized cybercrime—from global epidemic to your front door / Brian Krebs. pages cm 1. Computer crimes—United States. 2. Internet fraud—United States. 3. Spam (Electronic mail) 4. Phishing. 5. Organized crime—United States. I. Title. HV6773.2.K74 2014 364.16’80973—dc23 2014023007 CONTENTS Chapter 1: Parasite Chapter 2: Bulletproof Chapter 3: The Pharma Wars Chapter 4: Meet the Buyers Chapter 5: Russian Roulette Chapter 6: Partner(ka)s in (Dis)Organized Crime Chapter 7: Meet the Spammers Chapter 8: Old Friends, Bitter Enemies Chapter 9: Meeting in Moscow Chapter 10: The Antis Chapter 11: Takedown Chapter 12: Endgame Epilogue: A Spam-Free World: How You Can Protect Yourself from Cybercrime Acknowledgments Sources About the Author WHO’S WHO IN THE CYBERWORLD PAVEL VRUBLEVSKY, a.k.a “RedEye”—Cofounder of ChronoPay, a high-risk card processor and payment service provider that was closely tied to the rogue antivirus industry.
Tellingly, directly after 3FN was taken down—but before washingtonpost.com ran the story on ChronoPay’s ties to the rogue antivirus industry—Crutop.nu’s homepage was changed to a lengthy screed about the FTC’s action against 3FN. This would be my first introduction to Vrublevsky’s epic rants. The message read, in part: And in conclusion we would like to add, that while paragraph 1 of our rules has never been taken seriously before and was written as a joke, but related to recent events we would like to know how it was possible that five (5!) reputable experts-agents (including NASA experts and Mr. Brian Krebs) from the USA (where every tenth person speaks Russian, source: Wikipedia), could not figure out that on Crutop.nu in the SPAM sub-forum, discussions have nothing to do with mail spam or other cybercrimes? The story on Vrublevsky and ChronoPay’s key role in 3FN finally ran more than four months after I turned it in. No lawsuit from him or ChronoPay followed. But the editors at the Washington Post said they were still deeply concerned about my focus on Internet bad guys.
The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics by Ben Buchanan
active measures, Bernie Sanders, bitcoin, blockchain, borderless world, Brian Krebs, British Empire, Cass Sunstein, citizen journalism, credit crunch, cryptocurrency, cuban missile crisis, data acquisition, Donald Trump, drone strike, Edward Snowden, family office, hive mind, Internet Archive, Jacob Appelbaum, John Markoff, John von Neumann, Julian Assange, Kickstarter, kremlinology, MITM: man-in-the-middle, Nate Silver, profit motive, RAND corporation, ransomware, risk tolerance, Robert Hanssen: Double agent, rolodex, Ronald Reagan, Silicon Valley, South China Sea, Steve Jobs, Stuxnet, technoutopianism, undersea cable, uranium enrichment, Vladimir Vetrov: Farewell Dossier, WikiLeaks, zero day
Fears Data Stolen by Chinese Hacker Could Identify Spies,” New York Times, July 24, 2015. 45. Nakashima, “Hacks of OPM Databases Compromised 22.1 Million People.” 46. Brian Krebs, “China to Blame in Anthem Hack?” Krebs on Security, February 6, 2015; United States of America v. Fujie Wang, John Doe, US District Court Southern District of Indiana, indictment filed May 7, 2019. 47. Brian Krebs, “Premera Blue Cross Breach Exposes Financial, Medical Records,” Krebs on Security, March 17, 2015. 48. Krebs, “China to Blame in Anthem Hack?” 49. Aruna Viswanatha and Kate O’Keefe, “Before It Was Hacked, Equifax Had a Different Fear: Chinese Spying,” Wall Street Journal, September 12, 2018. 50. For strong initial coverage of the breach, see Brian Krebs, “Breach at Equifax May Impact 143M Americans,” Krebs on Security, September 7, 2017. The eventual number of affected Americans reached 145 million.
Sergei Shevchenko, Hirman Muhammad bin Abu Bakar, and James Wong, “Taiwan Heist: Lazarus Tools and Ransomware,” BAE Systems blog, October 16, 2017. For local reporting on the case, see “Shalila Moonasinghe Removed as Litro Gas Chairman,” Daily News, October 11, 2017. 32. Taipei Times Staff, “Lai Orders Information Security Review,” Taipei Times, October 8, 2017. 33. Brian Krebs, “Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M,” Krebs on Security, July 24, 2018. 34. Brian Krebs, “FBI Warns of ‘Unlimited’ ATM Cashout Blitz,” Krebs on Security, August 12, 2018. 35. The best discussion of the mechanics of the entire Cosmos case comes from Saher Naumaan, a central member of the BAE team. See Saher Naumaan, “Lazarus On The Rise: Insights from SWIFT Bank Attacks,” presentation to BSides Belfast 2018, Belfast, Ireland, September 27, 2018; Adrian Nish and Saher Naumaan, “The Cyber Threat Landscape: Confronting Challenges to the Financial System,” Carnegie Endowment for International Peace, paper, March 25, 2019. 36.
Ulasen reached out to Microsoft. He tried to tell the firm what he had found but received no reply. He contacted Realtek, the company whose digital certificate Stuxnet had illicitly used, and was met with similar silence. It was only after he and his colleagues began posting analysis online that the cybersecurity community started to take notice.27 In July 2010, the well-respected journalist Brian Krebs wrote a small story about one of the exploits at the core of the worm.28 After that, Microsoft started examining the malicious code, as did other cybersecurity companies.29 One of those companies was Symantec, a large American firm. Unlike VirusBlokAda, Symantec had the resources to do a major investigation into the code, which it called Stuxnet, a word made up by combining some of the attackers’ file names.
Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World by Bruce Schneier
23andMe, 3D printing, autonomous vehicles, barriers to entry, bitcoin, blockchain, Brian Krebs, business process, cloud computing, cognitive bias, computer vision, connected car, corporate governance, crowdsourcing, cryptocurrency, cuban missile crisis, Daniel Kahneman / Amos Tversky, David Heinemeier Hansson, Donald Trump, drone strike, Edward Snowden, Elon Musk, fault tolerance, Firefox, Flash crash, George Akerlof, industrial robot, information asymmetry, Internet of things, invention of radio, job automation, job satisfaction, John Markoff, Kevin Kelly, license plate recognition, loose coupling, market design, medical malpractice, Minecraft, MITM: man-in-the-middle, move fast and break things, move fast and break things, national security letter, Network effects, pattern recognition, profit maximization, Ralph Nader, RAND corporation, ransomware, Rodney Brooks, Ross Ulbricht, security theater, self-driving car, Shoshana Zuboff, Silicon Valley, smart cities, smart transportation, Snapchat, Stanislav Petrov, Stephen Hawking, Stuxnet, The Market for Lemons, too big to fail, Uber for X, Unsafe at Any Speed, uranium enrichment, Valery Gerasimov, web application, WikiLeaks, zero day
Blair et al. (22 Feb 2017), “Update to the IP Commission Report: The theft of American intellectual property: Reassessments of the challenge and United States Policy,” National Bureau of Asian Research, http://www.ipcommission.org/report/IP_Commission_Report_Update_2017.pdf. 75A thief pretends to be: Federal Bureau of Investigation (14 Jun 2016), “Business e-mail compromise: The 3.1 billion dollar scam,” https://www.ic3.gov/media/2016/160614.aspx. Brian Krebs (23 Jun 2016), “FBI: Extortion, CEO fraud among top online fraud complaints in 2016,” Krebs on Security, https://krebsonsecurity.com/2017/06/fbi-extortion-ceo-fraud-among-top-online-fraud-complaints-in-2016. 75Or to divert the proceeds: Kenneth R. Harney (31 Mar 2016), “Scary new scam could swipe all your closing money,” Chicago Tribune, http://www.chicagotribune.com/classified/realestate/ct-re-0403-kenneth-harney-column-20160331-column.html. 75Turns out that the answer is: plenty: Brian Krebs (12 Oct 2012), “The scrap value of a hacked PC, revisited,” Krebs on Security, https://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited. 75Botnets can be used for all sorts of things: Dan Goodin (2 Feb 2018), “Cryptocurrency botnets are rendering some companies unable to operate,” Ars Technica, https://arstechnica.com/information-technology/2018/02/cryptocurrency-botnets-generate-millions-but-exact-huge-cost-on-victims. 75Hackers use bots to commit click fraud: White Ops (20 Dec 2016), “The Methbot operation,” https://www.whiteops.com/hubfs/Resources/WO_Methbot_Operation_WP.pdf. 76“The CaaS model provides easy access”: Rob Wainwright et al. (15 Mar 2017), “European Union serious and organized crime threat assessment: Crime in the age of technology,” Europol, https://www.europol.europa.eu/activities-services/main-reports/european-union-serious-and-organised-crime-threat-assessment-2017. 76They sell hacking tools: Nicolas Rapp and Robert Hackett (25 Oct 2017), “A hacker’s tool kit,” Fortune, http://fortune.com/2017/10/25/cybercrime-spyware-marketplace.
v=bDJb8WOJYdA (video), https://www.usenix.org/sites/default/files/conference/protected-files/enigma_slides_joyce.pdf (slides). 45It’s how the Chinese hackers breached: Brendan I. Koerner (23 Oct 2016), “Inside the cyberattack that shocked the U.S. government,” Wired, https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government. 45The 2014 criminal attack against Target Corporation: Brian Krebs (5 Feb 2014), “Target hackers broke in via HVAC company,” Krebs on Security, https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company. 45From 2011 to 2014, Iranian hackers stole: Jim Finkle (29 May 2014), “Iranian hackers use fake Facebook accounts to spy on U.S., others,” Reuters, http://www.reuters.com/article/iran-hackers/iranian-hackers-use-fake-facebook-accounts-to-spy-on-u-s-others-idUSL1N0OE2CU20140529. 45The 2015 hacktivist who broke into: Lorenzo Franceschi-Bicchierai (15 Apr 2016), “The vigilante who hacked Hacking Team explains how he did it,” Vice Motherboard, https://motherboard.vice.com/en_us/article/3dad3n/the-vigilante-who-hacked-hacking-team-explains-how-he-did-it. 45And the 2016 Russian attacks against: David E.
journalCode=isec. 73“I think both China and the United States”: Gideon Rachman (5 Jan 2017), “Axis of power,” New World, BBC Radio 4, http://www.bbc.co.uk/programmes/b086tfbh. 73“We have better cyber rocks to throw”: This quote is attributed to several people, but this is the earliest citation I could find: Fred Kaplan (12 Dec 2016), “How the U.S. could respond to Russia’s hacking,” Slate, http://www.slate.com/articles/news_and_politics/war_stories/2016/12/the_u_s_response_to_russia_s_hacking_has_consequences_for_the_future_of.html. 74In early 2018, the Indiana hospital Hancock Health: Charlie Osborne (17 Jan 2018), “US hospital pays $55,000 to hackers after ransomware attack,” ZDNet, http://www.zdnet.com/article/us-hospital-pays-55000-to-ransomware-operators. 74Ransomware is increasingly common: Brian Krebs (16 Sep 2016), “Ransomware getting more targeted, expensive,” Krebs on Security, https://krebsonsecurity.com/2016/09/ransomware-getting-more-targeted-expensive. 74Kaspersky Lab reported: Kaspersky Lab (28 Nov 2016), “Story of the year: The ransomware revolution,” Kaspersky Security Bulletin 2016, https://media.kaspersky.com/en/business-security/kaspersky-story-of-the-year-ransomware-revolution.pdf. 74Symantec found that average ransom amounts: Symantec Corporation (19 Jul 2016), “Ransomware and businesses 2016,” https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ISTR2016_Ransomware_and_Businesses.pdf.
Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World by Bruce Schneier
23andMe, Airbnb, airport security, AltaVista, Anne Wojcicki, augmented reality, Benjamin Mako Hill, Black Swan, Boris Johnson, Brewster Kahle, Brian Krebs, call centre, Cass Sunstein, Chelsea Manning, citizen journalism, cloud computing, congestion charging, disintermediation, drone strike, Edward Snowden, experimental subject, failed state, fault tolerance, Ferguson, Missouri, Filter Bubble, Firefox, friendly fire, Google Chrome, Google Glasses, hindsight bias, informal economy, Internet Archive, Internet of things, Jacob Appelbaum, Jaron Lanier, John Markoff, Julian Assange, Kevin Kelly, license plate recognition, lifelogging, linked data, Lyft, Mark Zuckerberg, moral panic, Nash equilibrium, Nate Silver, national security letter, Network effects, Occupy movement, Panopticon Jeremy Bentham, payday loans, pre–internet, price discrimination, profit motive, race to the bottom, RAND corporation, recommendation engine, RFID, Ross Ulbricht, self-driving car, Shoshana Zuboff, Silicon Valley, Skype, smart cities, smart grid, Snapchat, social graph, software as a service, South China Sea, stealth mode startup, Steven Levy, Stuxnet, TaskRabbit, telemarketer, Tim Cook: Apple, transaction costs, Uber and Lyft, uber lyft, undersea cable, urban planning, WikiLeaks, zero day
Alex Williams (23 Dec 2013), “Target may be liable for up to $3.6 billion for card data breach,” Tech Crunch, http://techcrunch.com/2013/12/23/target-may-be-liable-for-up-to-3-6-billion-from-credit-card-data-breach. Lance Duroni (3 Apr 2014), “JPML centralizes Target data breach suits in Minn.,” Law360, http://www.law360.com/articles/524968/jpml-centralizes-target-data-breach-suits-in-minn. banks are being sued: Brian Krebs (8 Jan 2014), “Firm bankrupted by cyberheist sues bank,” Krebs on Security, http://krebsonsecurity.com/2014/01/firm-bankrupted-by-cyberheist-sues-bank. Brian Krebs (20 Jun 2014), “Oil Co. wins $350,000 cyberheist settlement,” Krebs on Security, http://krebsonsecurity.com/2014/06/oil-co-wins-350000-cyberheist-settlement. Brian Krebs (13 Aug 2014), “Tenn. firm sues bank over $327K cyberheist,” Krebs on Security, http://krebsonsecurity.com/2014/08/tenn-utility-sues-bank-over-327k-cyberheist. These cases can be complicated: Here’s one proposal. Maurizio Naldi, Marta Flamini, and Giuseppe D’Acquisto (2013), “Liability for data breaches: A proposal for a revenue-based sanctioning approach,” in Network and System Security (Lecture Notes in Computer Science Volume 7873), Springer, http://link.springer.com/chapter/10.1007%2F978-3-642-38631-2_20.
hackers broke into: Robert O’Harrow Jr. (17 Feb 2005), “ID data conned from firm,” Washington Post, http://www.washingtonpost.com/wp-dyn/articles/A30897-2005Feb16.html. hackers broke into Home Depot’s: Brian Krebs (2 Sep 2014), “Banks: Credit card breach at Home Depot,” Krebs on Security, http://krebsonsecurity.com/2014/09/banks-credit-card-breach-at-home-depot. Robin Sidel (18 Sep 2014), “Home Depot’s 56 million card breach bigger than Target’s,” Wall Street Journal, http://online.wsj.com/articles/home-depot-breach-bigger-than-targets-1411073571. from JPMorgan Chase: Dominic Rushe (3 Oct 2014), “JP Morgan Chase reveals massive data breach affecting 76m households,” Guardian, http://www.theguardian.com/business/2014/oct/02/jp-morgan-76m-households-affected-data-breach. criminals have legally purchased: Brian Krebs (20 Oct 2013), “Experian sold consumer data to ID theft service,” Krebs on Security, http://krebsonsecurity.com/2013/10/experian-sold-consumer-data-to-id-theft-service.
NSA’s BULLRUN program: James Ball, Julian Borger, and Glenn Greenwald (5 Sep 2013), “Revealed: How US and UK spy agencies defeat internet privacy and security,” Guardian, http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security. Nicole Perlroth, Jeff Larson, and Scott Shane (5 Sep 2013), “N.S.A. able to foil basic safeguards of privacy on Web,” New York Times, http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html. British, Russian, Israeli: Brian Krebs (28 May 2014), “Backdoor in call monitoring, surveillance gear,” Krebs on Security, http://krebsonsecurity.com/2014/05/backdoor-in-call-monitoring-surveillance-gear. they have employees secretly: Peter Maass and Laura Poitras (10 Oct 2014), “Core secrets: NSA saboteurs in China and Germany,” Intercept, https://firstlook.org/theintercept/2014/10/10/core-secrets. Eric Schmidt tried to reassure: Martin Bryant (7 Mar 2014), “Google is ‘pretty sure’ its data is now protected against government spying, Eric Schmidt says,” Next Web, http://thenextweb.com/google/2014/03/07/google-pretty-sure-protected-government-spying-eric-schmidt-says. 7: Political Liberty and Justice the First Unitarian Church of Los Angeles sued: David Greene (27 Jan 2014), “Deep dive into First Unitarian Church v.
Pax Technica: How the Internet of Things May Set Us Free or Lock Us Up by Philip N. Howard
Affordable Care Act / Obamacare, Berlin Wall, bitcoin, blood diamonds, Bretton Woods, Brian Krebs, British Empire, butter production in bangladesh, call centre, Chelsea Manning, citizen journalism, clean water, cloud computing, corporate social responsibility, creative destruction, crowdsourcing, digital map, Edward Snowden, en.wikipedia.org, failed state, Fall of the Berlin Wall, feminist movement, Filter Bubble, Firefox, Francis Fukuyama: the end of history, Google Earth, Howard Rheingold, income inequality, informal economy, Internet of things, Julian Assange, Kibera, Kickstarter, land reform, M-Pesa, Marshall McLuhan, megacity, Mikhail Gorbachev, mobile money, Mohammed Bouazizi, national security letter, Nelson Mandela, Network effects, obamacare, Occupy movement, packet switching, pension reform, prediction markets, sentiment analysis, Silicon Valley, Skype, spectrum auction, statistical model, Stuxnet, trade route, undersea cable, uranium enrichment, WikiLeaks, zero day
York, “Syria’s Twitter Spambots,” Guardian, April 21, 2011, accessed September 30, 2014, http://www.theguardian.com/commentisfree/2011/apr/21/syria-twitter-spambots-pro-revolution. 37. Qtiesh, “Spam Bots Flooding Twitter to Drown Info About #Syria Protests.” 38. Brian Krebs, “Twitter Bots Drown Out Anti-Kremlin Tweets,” Krebs on Security, December 8, 2011, accessed September 30, 2014, http://krebsonsecurity.com/2011/12/twitter-bots-drown-out-anti-kremlin-tweets/;Mike Orcutt, “Twitter Mischief Plagues Mexico’s Election,” MIT Technology Review, June 21, 2012, accessed September 30, 2014, http://www.technologyreview.com/news/428286/twitter-mischief-plagues-mexicos-election/; Brian Krebs, “Twitter Bots Target Tibetan Protests,” Krebs on Security, March 20, 2012, accessed September 30, 2014, http://krebsonsecurity.com/2012/03/twitter-bots-target-tibetan-protests/; Torin Peel, “The Coalition’s Twitter Fraud and Deception,” Independent Australia, August 26, 2013, accessed September 30, 2014, http://www.independentaustralia.net/politics/politics-display/the-coalitions-twitter-fraud-and-deception,5660; “Jasper Admits to Using Twitter Bots to Drive Election Bid,” Inside Croydon, November 26, 2012, accessed September 30, 2014, http://insidecroydon.com/2012/11/26/jasper-admits-to-using-twitter-bots-to-drive-election-bid/; W.
“Who Is Using EGHNA Media Server,” EGHNA Media Server, accessed September 30, 2014, http://media.eghna.com/success_stories. 27. “A Call to Harm: New Malware Attacks Target the Syrian Opposition,” Citizen Lab, June 21, 2013, accessed September 30, 2014, https://citizenlab.org/2013/06/a-call-to-harm/. 28. Alex Cheng and Mark Evans, Inside Twitter: An In-Depth Look at the 5% of Most Active Users (Toronto: Sysomos, August 2009), accessed September 30, 2014, http://www.sysomos.com/insidetwitter/mostactiveusers/. 29. Brian Krebs, “Twitter Bots Target Tibetan Protests,” Krebs on Security, March 20, 2012, accessed September 30, 2014, http://krebsonsecurity.com/2012/03/twitter-bots-target-tibetan-protests/. 30. Mike Orcutt, “Twitter Mischief Plagues Mexico’s Election,” MIT Technology Review, June 21, 2012, accessed September 30, 2014, http://www.technologyreview.com/news/428286/twitter-mischief-plagues-mexicos-election/. 31.
Dean Nelson, “China ‘Hacking Websites in Hunt for Tibetan Dissidents,’” Telegraph, August 13, 2013, accessed September 30, 2014, http://www.telegraph.co.uk/news/worldnews/asia/china/10240404/China-hacking-websites-in-hunt-for-Tibetan-dissidents.html. 28. Iain Thomson, “AntiLeaks Boss: We’ll Keep Pummeling WikiLeaks and Assange,” Register, August 13, 2012, accessed September 30, 2014, http://www.theregister.co.uk/2012/08/13/antileaks_wikileaks_attack_response/. 29. Brian Krebs, “Amnesty International Site Serving Java Exploit,” Krebs on Security, December 22, 2011, accessed September 30, 2014, http://krebsonsecurity.com/2011/12/amnesty-international-site-serving-java-exploit/. 30. @indiankanoon, “IK Servers Are Getting DDoSed Using the DNS Reflection Attack,” Indian Kanoon (October 19, 2013), accessed September 30, 2014, https://twitter.com/indiankanoon/status/391497714451492865. 31.
Engineering Security by Peter Gutmann
active measures, algorithmic trading, Amazon Web Services, Asperger Syndrome, bank run, barriers to entry, bitcoin, Brian Krebs, business process, call centre, card file, cloud computing, cognitive bias, cognitive dissonance, combinatorial explosion, Credit Default Swap, crowdsourcing, cryptocurrency, Daniel Kahneman / Amos Tversky, Debian, domain-specific language, Donald Davies, Donald Knuth, double helix, en.wikipedia.org, endowment effect, fault tolerance, Firefox, fundamental attribution error, George Akerlof, glass ceiling, GnuPG, Google Chrome, iterative process, Jacob Appelbaum, Jane Jacobs, Jeff Bezos, John Conway, John Markoff, John von Neumann, Kickstarter, lake wobegon effect, Laplace demon, linear programming, litecoin, load shedding, MITM: man-in-the-middle, Network effects, Parkinson's law, pattern recognition, peer-to-peer, Pierre-Simon Laplace, place-making, post-materialism, QR code, race to the bottom, random walk, recommendation engine, RFID, risk tolerance, Robert Metcalfe, Ruby on Rails, Sapir-Whorf hypothesis, Satoshi Nakamoto, security theater, semantic web, Skype, slashdot, smart meter, social intelligence, speech recognition, statistical model, Steve Jobs, Steven Pinker, Stuxnet, telemarketer, text mining, the built environment, The Death and Life of Great American Cities, The Market for Lemons, the payments system, Therac-25, too big to fail, Turing complete, Turing machine, Turing test, web application, web of trust, x509 certificate, Y2K, zero day, Zimmermann PGP
 “Adobe Revoking Code Signing Certificate Used To Sign Malware”, Fahmida Rashid, 27 September 2012, http://www.securityweek.com/adoberevoking-code-signing-certificate-used-sign-malware.  “Security Advisory: Revocation of Adobe code signing certificate”, Adobe Corporation, 27 September 2012, http://www.adobe.com/support/security/advisories/apsa12-01.html.  “Inappropriate Use of Adobe Code Signing Certificate”, Brad Arkin, 27 September 2012, http://blogs.adobe.com/asset/2012/09/inappropriateuse-of-adobe-code-signing-certificate.html.  “Bit9 and Our Customers’ Security”, Patrick Morley, 8 February 2013, https://blog.bit9.com/2013/02/08/bit9-and-our-customers-security.  “Security Firm Bit9 Hacked, Used to Spread Malware”, Brian Krebs, 8 February 2013, http://krebsonsecurity.com/2013/02/security-firmbit9-hacked-used-to-spread-malware.  “Bit9 Breach Began in July 2012”, Brian Krebs, 20 February 2013, http://krebsonsecurity.com/2013/02/bit9-breach-began-in-july-2012.  “Bit9 Security Incident Update”, Harry Sverdlove, 25 February 2013, https://blog.bit9.com/2013/02/25/bit9-security-incident-update.  “Backdoor.Hikit: New Advanced Persistent Threat”, Branko Spasojevic, 24 August 2012, http://www.symantec.com/connect/blogs/backdoorhikitnew-advanced-persistent-threat.  “How to: Create Temporary Certificates for Use During Development”, Microsoft Corporation, 2007, http://technet.microsoft.com/enus/subscriptions/ms733813%28v=vs.85%29.aspx.  “Rootkit.TmpHider”, discussion thread, 12 July 2010, http://www.wilderssecurity.com/showthread.php?
References 235  “User Education Is Not the Answer to Security Problems”, Jakob Nielsen, 25 October 2004, http://www.useit.com/alertbox/20041025.html.  “AOL Names Top Spam Subjects For 2005”, Antone Gonsalves, Information Week TechWeb News, 28 December 2005, http://www.informationweek.com/news/showArticle.jhtml?articleID=175701011.  “Should E-Mail Addresses Be Considered Private Data?”, Brian Krebs, 19 October 2007, http://voices.washingtonpost.com/securityfix/2007/10/database_theft_leads_to_target.html.  “Deconstructing the Fake FTC E-mail Virus Attack”, Brian Krebs, 5 November 2007, http://voices.washingtonpost.com/securityfix/2007/11/deconstructing_the_fake_ftc_em.html.  “Using Cartoons to Teach Internet Security”, Sukamol Srikwan and Markus Jakobsson, Cryptologia, Vol.32, No.2 (April 2008), p.137.  “Phishing education for banking customers useless”, Michael Crawford, Computerworld, 7 February 2007, http://www.networkworld.com/news/2007/020707-phishing-education-for-banking-customers.html.  “Active Content: Really Neat Technology or Impending Disaster”, Charlie Kaufman, invited talk at the 2001 Usenix Annual Technical Conference, June 2001.  Microformats, http://microformats.org/wiki/Main_Page.  “Microformats: Empowering your Markup for Web 2.0”, John Allsop, Friends of Ed Press, 2007.  “Vulnerability CVE-2004-0615”, US-CERT/NIST, 29 June 2004, http://cve.mitre.org/cgi-bin/cvename.cgi?
An Empirical Investigation of OpenID”, San-Tsai Sun, Eric Pospisil, Ildar Muslukhov, Nuray Dindar, Kirstie Hawkey and Konstantin Beznosov, Proceedings of the 7th Symposium on Usable Privacy and Security (SOUPS’11), July 2011, Article No.4.  “A Case (Study) For Usability in Secure Email Communication”, Apu Kapadia, IEEE Security and Privacy, Vol.5, No.2 (March/April 2007), p.80.  “Sights unseen”, Siri Carpenter, Monitor on Psychology, Vol.32, No.4 (April 2001), p.54.  “Fundamental Surprises”, Zvi Lanir, Center for Strategic Studies, University of Tel Aviv, 1986.  “Excession”, Iain Banks, Orbit, 1997.  “Self-certifying File System”, David Mazieres, PhD thesis, MIT, May 2000.  “The ChoicePoint Dilemma: How Data Brokers Should Handle the Privacy of Personal Information”, Paul Otto, Annie Antón and David Baumer, IEEE Security and Privacy, Vol.5, No.5 (September/October 2007), p.15.  “Web Fraud 2.0: Digital Forgeries”, Brian Krebs, 21 August 2008, http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_digital_forgeries.html.  “Cops Pull Plug on Rent-a-Fraudster Service for Bank Thieves”, Kim Zetter, Wired, 19 April 2010, http://www.wired.com/threatlevel/2010/04/callservicebiz/.  “(Un)trusted Certificates”, Eddy Nigg, 23 December 2008, https://blog.startcom.org/?p=145.  “Investigate incident with CA that allegedly issued bogus cert for www.mozilla.com”, Nelson Bolyard, 23 December 2008, https://bugzilla.mozilla.org/show_bug.cgi?
Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet by Joseph Menn
Brian Krebs, dumpster diving, fault tolerance, Firefox, John Markoff, Menlo Park, offshore financial centre, pirate software, plutocrats, Plutocrats, popular electronics, profit motive, RFID, Silicon Valley, zero day
He disabled a server hosted at an Atrivo data center in Silicon Valley and was told that the server had been leased to EST Domains. To his surprise, an EST executive called and asked what the problem was. The agent flew to meet him in Estonia, where the executive told him that he had re-leased the server to a customer in Moscow whom he only dealt with over ICQ. Armin and his allies got better results when they provided information on EST to Brian Krebs, a Washington Post tech security writer who gave the Atrivo and McColo studies the broadest exposure. Krebs reported on hundreds of malicious sites at EST Domains, then followed up with a report that EST Chief Executive Vladimir Tsastsin had recently been convicted of credit card fraud and forgery. ICANN, which for years had allowed companies to sell domain names with almost total secrecy to whomever they wanted, took the historic step of revoking EST’s right to peddle website addresses.
Some of the premier experts in government are cited in the text, while others asked not to be exposed. I was fortunate to be aided by many of the most able private researchers, not all of whom are paid for their work, including Joe Stewart, Rafal Rohozinski, Don Jackson, Jart Armin, Paul Ferguson, Avivah Litan, and Dmitri Alperovich. My fellow journalistic specialists also do an important service for followers like me and for the world at large. Among the very best are Brian Krebs, John Markoff, Jon Swartz, Byron Acohido, Kevin Poulsen, Kim Zetter, John Leyden, and Robert McMillan. I am grateful to my former colleagues at the Los Angeles Times, who supported my early reporting and allowed me a leave to write; my new friends at the Financial Times, who gave me time to finish; Lindsay Jones and others at PublicAffairs; my agent Jill Marsal; Chris Gaither, who served as an unpaid manuscript editor; and those close to me who dealt with my prolonged distraction and repeated absences.
CHAPTER 11 196 as high as possible, at King Arthur: Sources include Pohamov, others in Russian and U.K. law enforcement, and Lyon. 196 a man in his early twenties living in the Russian republic of Dagestan: A U.S. official with another federal agency confirmed that identification for its publication here, as did a colleague of Crocker’s at the NHTCU. 196 signaling an end to the subject: Crocker described this scene to colleagues. 196 The committee never pursued the case: Interviews with Russian law enforcement. 198 much to Andy’s amusement: Sources for this section include Lyon and another person at the party. 199 give his country another chance: Interview with Pohamov. 200 had to be numbered by hand: Crocker described the Russian format when discussing previous submissions. Other details are from Crocker’s law enforcement allies. 200 including Milsan: U.S. law enforcement sources. 201 within days of its release: According to security firm Commtouch. 201 Small businesses were increasingly targeted in account transfers: See such Brian Krebs articles on the topic as http://voices.washingtonpost.com/securitynx/2009/09/more_business_banking_victims.html?. 201 far less than half of 1 percent of the perpetrators: The Gartner study by Litan. 202 the top country for hacking: Interviews with Zenz, Henry, and others. 203 “political protection at a very strong level”: Interviews with U.K. and U.S. law enforcement, private researchers including Jart Armin, Paul Ferguson, David Bizeul, Don Jackson, and Zenz, along with written reports from those five and others.
Cybersecurity: What Everyone Needs to Know by P. W. Singer, Allan Friedman
4chan, A Declaration of the Independence of Cyberspace, Apple's 1984 Super Bowl advert, barriers to entry, Berlin Wall, bitcoin, blood diamonds, borderless world, Brian Krebs, business continuity plan, Chelsea Manning, cloud computing, crowdsourcing, cuban missile crisis, data acquisition, do-ocracy, drone strike, Edward Snowden, energy security, failed state, Fall of the Berlin Wall, fault tolerance, global supply chain, Google Earth, Internet of things, invention of the telegraph, John Markoff, Julian Assange, Khan Academy, M-Pesa, MITM: man-in-the-middle, mutually assured destruction, Network effects, packet switching, Peace of Westphalia, pre–internet, profit motive, RAND corporation, ransomware, RFC: Request For Comment, risk tolerance, rolodex, Silicon Valley, Skype, smart grid, Steve Jobs, Stuxnet, uranium enrichment, We are Anonymous. We are Legion, web application, WikiLeaks, zero day, zero-sum game
On the other hand, since the world of cybersecurity is not a unified one, why should we expect a single approach to solve all the problems that have emerged, or frankly even to be possible? Approach It as a Public-Private Problem: How Do We Better Coordinate Defense? For a few weeks, a single blogger was the savior of the Internet. But, as with all superheroes, he actually needed a little bit of help. In 2008, Washington Post reporter Brian Krebs, who blogs at the Security Fix site, became curious about a single company that was poisoning the Internet and why everyone else was letting them get away with it. The company in question was McColo, a web hosting company physically based in California with a client list that, as Krebs wrote, “includes some of the most disreputable cyber-criminal gangs in business today.” After spending four months gathering data on the company and its clients, Krebs then reached out to the large commercial ISPs that provided McColo with their bandwidth to reach the Internet.
While Krebs had started out on his own, he depended on the network of companies that provided Internet service to act, who in turn depended on him to provide the information and intelligence they needed to act on. It’s not enough for single actors or organizations to try to build higher walls or better malware detection on their own. Attackers adapt. Moreover, attackers exploit boundaries of control and responsibility, setting up a collective action problem. By bringing together the necessary actors and information, Brian Krebs was able to spur effective action, leveraging cooperation against the right fulcrum. While cyberspace seems diffuse and decentralized—simultaneously one of the key advantages and insecurities of the Internet—there are often bottlenecks of control, choke points where the defenders can concentrate resources to gain an advantage. The dependence on large ISPs is one that helped shut down the McColo problem.
Again, though, the same argument was made about lifeboats and other safety measures on early ocean liners like the Titanic, fire codes for buildings, protections at nuclear power plants, seatbelts and air bags in cars, and so on. By working together to find standards that meet evolving needs but still allow firms to flourish, the public and private sectors can find a good balance. The key point is that cybersecurity requires coordination and action outside of the immediate victims or even owners of the networks under attack. Brian Krebs didn’t have the power of the government behind him, but his actions mattered because he mobilized a network that could target key choke points by malicious actors in cyberspace. But some problems of scale or target move the matter from the easily resolved situations where private parties have incentives to come together, like the ISPs in the McColo case or banks in financial fraud, to situations where the incentives might not be sufficient or the threat touches on public security concerns.
Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground by Kevin Poulsen
Apple II, Brian Krebs, Burning Man, corporate governance, dumpster diving, Exxon Valdez, Hacker Ethic, hive mind, index card, Kickstarter, McMansion, Mercator projection, offshore financial centre, packet switching, pirate software, Ponzi scheme, Robert Hanssen: Double agent, Saturday Night Live, Silicon Valley, Steve Jobs, Steve Wozniak, Steven Levy, traffic fines, web application, WikiLeaks, zero day, Zipcar
District Court for the Eastern District of New York. 3 it was Jonathan James who would pay the highest price: See the author’s “Former Teen Hacker’s Suicide Linked to TJX Probe,” Wired.com, July 9, 2009 (http://www.wired.com/threatlevel/2009/07/hacker/). 4 They recruit ordinary consumers as unwitting money launderers: For more detail on these so-called “money mule” scams, see the blog of former Washingtonpost.com reporter Brian Krebs, who has covered the crime extensively: http://krebsonsecurity.com/. 5 the Secret Service had been paying Gonzalez an annual salary of $75,000 a year: First reported in Kim Zetter, “Secret Service Paid TJX Hacker $75,000 a Year,” Wired.com, March 22, 2010. 6 filed by the attorneys general of 41 states: Sources include Dan Kaplan, “TJX settles over breach with 41 states for $9.75 million,” SC Magazine, June 23, 2009 (http://www.scmagazineus.com/tjx-settles-over-breach-with-41-states-for-975-million/article/138930/). 7 another $40 million to Visa-issuing banks: Mark Jewell, “TJX to pay up to $40.9 million in settlement with Visa over data breach,” Associated Press, November 30, 2007. 8 Heartland had been certified PCI compliant: Sources include Ellen Messmer, “Heartland breach raises questions about PCI standard’s effectiveness,” Network World, January 22, 2009 (http://www.networkworld.com/news/2009/012209-heartland-breach.html). 9 Hannaford Brothers won the security certification even as hackers were in its systems: Sources include Andrew Conry-Murray, “Supermarket Breach Calls PCI Compliance into Question,” InformationWeek, March 22, 2008. 10 The restaurants filed a class-action lawsuit: http://www.prlog.org/10425165-secret-service-investigation-lawsuit-cast-shadow-over-radiant-systems-and-distributo.html.
The story of Max Vision would have listed heavily to his criminal side were it not for Tim Spencer and Marty Roesch, who shared their experience of Max as white-hat hacker, and Kimi Mack, who spoke candidly about her marriage to Max. My thanks also to security wunderkind Marc Maiffret, who helped isolate some of Max’s exploits. The underworld that Kingpin delves into has been illuminated by a number of first-rate journalists, including Bob Sullivan, Brian Krebs, Joseph Menn, Byron Acohido, Jon Swartz, and my Wired colleague Kim Zetter. Finally, my thanks to my wife, Lauren Gelman, without whose loving support and sacrifice this book would not have been possible, and to Sadelle and Asher, who will find their computer use closely supervised until they’re eighteen. ABOUT THE AUTHOR KEVIN POULSEN is a senior editor at Wired.com and a contributor to Wired magazine.
DarkMarket: Cyberthieves, Cybercops and You by Misha Glenny
Berlin Wall, Bretton Woods, Brian Krebs, BRICs, call centre, Chelsea Manning, Fall of the Berlin Wall, illegal immigration, James Watt: steam engine, Julian Assange, MITM: man-in-the-middle, pirate software, Potemkin village, reserve currency, Silicon Valley, Skype, Stuxnet, urban sprawl, white flight, WikiLeaks, zero day
Like many others, he believed that the person behind Lord Cyric lived in Montreal, Canada, but his enquiries of the Royal Canadian Mounted Police cyber division brought him no joy. In fact, although Cyric’s IP addresses could be traced to Montreal, they would occasionally show up as being located in Toronto, which is where some sleuths suspected he really lived. Several carders picked up and ran with the rumour that Lord Cyric was in reality Brian Krebs, a journalist writing on cyber security who at the time worked for The Washington Post. There was no evidence for this – indeed, quite the contrary, for Krebs is far too serious a writer to risk ruining his reputation by becoming involved with the people he is actually investigating. There followed a slew of rumours, but nobody ever got to the bottom of who Lord Cyric really was or what he was doing.
For thoroughness, I would highlight the work of Kevin Poulsen and his team whose blog, Threat Level, is both well-written and properly researched. I would recommend two books dealing specifically with cyber crime, Kevin Poulsen’s Kingpin and Joseph Menn’s Fatal System Error. For a broader introduction into some of the challenges emerging as a consequence of Internet technology, Jonathan Zittrain’s The Future of the Internet: And How to Stop It should be the first port of call. Other blogs of real value include Krebsonsecurity by Brian Krebs; Bruce Schneier’s newsletter, Crypto-gram; the blog of F-Secure, the Finnish Computer Security company; and, finally, Dancho Danchev and Ryan Naraine’s Zero Day blog on Znet. ACKNOWLEDGEMENTS Writing this book presented many challenges which I could never have met had it not been for the generous assistance I received from a number of friends and colleagues around the world. In Britain, two people played a vital role.
Coders: The Making of a New Tribe and the Remaking of the World by Clive Thompson
2013 Report for America's Infrastructure - American Society of Civil Engineers - 19 March 2013, 4chan, 8-hour work day, Ada Lovelace, AI winter, Airbnb, Amazon Web Services, Asperger Syndrome, augmented reality, Ayatollah Khomeini, barriers to entry, basic income, Bernie Sanders, bitcoin, blockchain, blue-collar work, Brewster Kahle, Brian Krebs, Broken windows theory, call centre, cellular automata, Chelsea Manning, clean water, cloud computing, cognitive dissonance, computer vision, Conway's Game of Life, crowdsourcing, cryptocurrency, Danny Hillis, David Heinemeier Hansson, don't be evil, don't repeat yourself, Donald Trump, dumpster diving, Edward Snowden, Elon Musk, Erik Brynjolfsson, Ernest Rutherford, Ethereum, ethereum blockchain, Firefox, Frederick Winslow Taylor, game design, glass ceiling, Golden Gate Park, Google Hangouts, Google X / Alphabet X, Grace Hopper, Guido van Rossum, Hacker Ethic, HyperCard, illegal immigration, ImageNet competition, Internet Archive, Internet of things, Jane Jacobs, John Markoff, Jony Ive, Julian Assange, Kickstarter, Larry Wall, lone genius, Lyft, Marc Andreessen, Mark Shuttleworth, Mark Zuckerberg, Menlo Park, microservices, Minecraft, move fast and break things, move fast and break things, Nate Silver, Network effects, neurotypical, Nicholas Carr, Oculus Rift, PageRank, pattern recognition, Paul Graham, paypal mafia, Peter Thiel, pink-collar, planetary scale, profit motive, ransomware, recommendation engine, Richard Stallman, ride hailing / ride sharing, Rubik’s Cube, Ruby on Rails, Sam Altman, Satoshi Nakamoto, Saturday Night Live, self-driving car, side project, Silicon Valley, Silicon Valley ideology, Silicon Valley startup, single-payer health, Skype, smart contracts, Snapchat, social software, software is eating the world, sorting algorithm, South of Market, San Francisco, speech recognition, Steve Wozniak, Steven Levy, TaskRabbit, the High Line, Travis Kalanick, Uber and Lyft, Uber for X, uber lyft, universal basic income, urban planning, Wall-E, Watson beat the top human players on Jeopardy!, WikiLeaks, women in the workforce, Y Combinator, Zimmermann PGP, éminence grise
them back to you: Doug Olenick, “Simple, but Not Cheap, Phishing Kit Found for Sale on Dark Web,” SC Magazine, April 26, 2018, accessed August 19, 2018, https://www.scmagazine.com/simple-but-not-cheap-phishing-kit-found-for-sale-on-dark-web/article/761520; Kishalaya Kundu, “New Phishing Kit on Dark Web Lets Anyone Launch Cyber Attacks,” Beebom, April 30, 2018, accessed August 19, 2018, https://beebom.com/new-phishing-kit-dark-web; Ionut Arghire, “New Advanced Phishing Kit Targets eCommerce,” SecurityWeek, April 25, 2018, accessed August 19, 2018, https://www.securityweek.com/new-advanced-phishing-kit-targets-ecommerce. of all intrusion groups: Internet Threat Security Report: Volume 23 (March 2018), Symantec, accessed August 19, 2018, https://www.symantec.com/security-center/threat-report. of gray indeed: Brian Krebs, “Who Is Anna-Senpai, the Mirai Worm Author?,” Krebs on Security, January 17, 2017, accessed August 19, 2018, https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author; Brian Krebs, “Mirai IoT Botnet Co-authors Plead Guilty,” Krebs on Security, December 17, 2017, accessed August 19, 2018, https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty; Mark Thiessen, “3 Hackers Get Light Sentences after Working with the FBI,” Associated Press, September 19, 2018, accessed October 2, 2018, https://apnews.com/b6f03f9a13e04b19afed3375476b4132; Garrett M.
In forum posts, Jha came off as a moody, nihilistic youth who boasted about his coding skills. When the owner of a site that Jha had attacked explained that there were real-life consequences for these digital onslaughts, he replied with cynicism. “Well, I stopped caring about other people a long time ago,” he wrote. “My life experience has always been get fucked over or fuck someone else over.” The law eventually caught up with him. Brian Krebs, a prominent journalist who investigates the world of malware, spent months patiently rooting up Jha’s identity (like all malware authors, he’d kept it a deep secret). After the authorities arrested Jha, he and his Mirai partners were sentenced five years of probation and 62.5 workweeks of community service; as it happens, they had already flipped and begun helping the FBI “on cybercrime and cybersecurity matters,” as the sentencing memorandum noted.
The Internet of Garbage by Sarah Jeong
But today spam is largely understood as robotically generated text issued from “botnets” of compromised computers that have been unknowingly recruited into transmitting mind-bogglingly large amounts of unwanted messages advertising Viagra, genital enhancements, Nigerian get-rich-quick schemes, or linking to malware in order to steal passwords or simply recruit yet another computer into the mechanical zombie horde. Spam has become the realm of Russian crime rings (as documented by Brian Krebs in many places, including his book Spam Nation), a multi-million-dollar industry that is combated in turn by billions of dollars in anti-spam technology. Of course, the old definition of spam still lingers. For example, someone might be chided for “spamming a mailing list,” when they themselves are not a robot attempting to evade a filter, nor a commercial mailer advertising a product or a service.
@War: The Rise of the Military-Internet Complex by Shane Harris
Amazon Web Services, barriers to entry, Berlin Wall, Brian Krebs, centralized clearinghouse, clean water, computer age, crowdsourcing, data acquisition, don't be evil, Edward Snowden, failed state, Firefox, John Markoff, Julian Assange, mutually assured destruction, peer-to-peer, Silicon Valley, Silicon Valley startup, Skype, Stuxnet, undersea cable, uranium enrichment, WikiLeaks, zero day
. [>] Homeland Security, the FBI, the Energy Department: Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team, Monthly Monitor (ICS—MM201310), July–September 2013, released October 31, 2013, http://ics-cert.us-cert.gov/sites/default/files/Monitors/NCCIC_ICS-CERT_Monitor_Jul-Sep2013.pdf. [>] Shell, Schlumberger, and other: Zain Shauk, “Phishing Still Hooks Energy Workers,” FuelFix, December 22, 2013, http://fuelfix.com/blog/2013/12/22/phishing-still-hooks-energy-workers/. [>] In a rare public appearance: Berlin spoke at a cyber security conference at the Newsuem in Washington, DC, on May 22, 2013. [>] A few months after the intrusions: Brian Krebs, “Chinese Hackers Blamed for Intrusion at Energy industry Giant Telvent,” KrebsonSecurity, September 26, 2012, http://krebsonsecurity.com/2012/09/chinese-hackers-blamed-for-intrusion-at-energy-industry-giant-telvent/. [>] But the country also needs: World Bank, “GDP Growth,” http://data.worldbank.org/indicator/NY.GDP.MKTP.KD.ZG [>] China is the world’s second-largest: US Energy Information Administration, http://www.eia.gov/countries/country-data.cfm?
. [>] Earlier in the year a pair: Nicole Perlroth, “Electrical Grid Is Called Vulnerable to Power Shutdown,” Bits, New York Times, October 18, 2013, http://bits.blogs.nytimes.com/2013/10/18/electrical-grid-called-vulnerable-to-power-shutdown/. [>] “There isn’t a computer system”: McConnell spoke at a cyber security conference sponsored by Bloomberg in Washington, DC, October 30, 2013. [>] Investigators concluded that the hackers: Brian Krebs, “Target Hackers Broke in Via HVAC Company,” KrebsonSecurity, February 5, 2014, http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/. [>] In February 2014 a Senate committee report: Craig Timberg and Lisa Rein, “Senate Cybersecurity Report Finds Agencies Often Fail to Take Basic Preventative Measures,” Washington Post, February 4, 2013, http://www.washingtonpost.com/business/technology/senate-cybersecurity-report-finds-agencies-often-fail-to-take-basic-preventive-measures/2014/02/03/493390c2-8ab6-11e3-833c-33098f9e5267_story.html. [>] At a security conference in Washington, DC: Alexander spoke in Washington, DC, at the Newsuem on October 8, 2013, http://www.youtube.com/watch?
Army of None: Autonomous Weapons and the Future of War by Paul Scharre
active measures, Air France Flight 447, algorithmic trading, artificial general intelligence, augmented reality, automated trading system, autonomous vehicles, basic income, brain emulation, Brian Krebs, cognitive bias, computer vision, cuban missile crisis, dark matter, DARPA: Urban Challenge, DevOps, drone strike, Elon Musk, en.wikipedia.org, Erik Brynjolfsson, facts on the ground, fault tolerance, Flash crash, Freestyle chess, friendly fire, IFF: identification friend or foe, ImageNet competition, Internet of things, Johann Wolfgang von Goethe, John Markoff, Kevin Kelly, Loebner Prize, loose coupling, Mark Zuckerberg, moral hazard, mutually assured destruction, Nate Silver, pattern recognition, Rodney Brooks, Rubik’s Cube, self-driving car, sensor fusion, South China Sea, speech recognition, Stanislav Petrov, Stephen Hawking, Steve Ballmer, Steve Wozniak, Stuxnet, superintelligent machines, Tesla Model S, The Signal and the Noise by Nate Silver, theory of mind, Turing test, universal basic income, Valery Gerasimov, Wall-E, William Langewiesche, Y2K, zero day
DARPA, “Home | DRC Finals,” accessed June 14, 2017, http://archive.darpa.mil/roboticschallenge/. 217 “automatically check the world’s software”: David Brumley, “Why CGC Matters to Me,” ForAllSecure, July 26, 2016, https://forallsecure.com/blog/2016/07/26/why-cgc-matters-to-me/. 217 “fully autonomous system for finding and fixing”: David Brumley, “Mayhem Wins DARPA CGC,” ForAllSecure, August 6, 2016, https://forallsecure.com/blog/2016/08/06/mayhem-wins-darpa-cgc/. 217 vulnerability is analogous to a weak lock: David Brumley, interview, November 24, 2016. 218 “There’s grades of security”: Ibid. 218 “an autonomous system that’s taking all of those things”: Ibid. 218 “Our goal was to come up with a skeleton key”: Ibid. 219 “true autonomy in the cyber domain”: Michael Walker, interview, December 5, 2016. 219 comparable to a “competent” computer security professional: David Brumley, interview, November 24, 2016. 219 DEF CON hacking conference: Daniel Tkacik, “CMU Team Wins Fourth ‘World Series of Hacking’ Competition,” CMU.edu, July 31, 2017. 219 Brumley’s team from Carnegie Mellon: Ibid. 219 Mirai: Brian Krebs, “Who Makes the IoT Things Under Attack?” Krebs on Security, October 3, 2016, https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/. 219 massive DDoS attack: Brian Krebs, “KrebsOnSecurity Hit With Record DDoS,” Krebs on Security, September 21, 2016, https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/. 219 most IoT devices are “ridiculous vulnerable”: David Brumley, interview, November 24, 2016. 219 6.4 billion IoT devices: “Gartner Says 6.4 Billion Connected,” Gartner, November 10, 2015, http://www.gartner.com/newsroom/id/3165317. 220 “check all these locks”: David Brumley, interview, November 24, 2016. 220 “no difference” between the technology: Ibid. 220 “All computer security technologies are dual-use”: Michael Walker, interview, December 5, 2016. 220 “you have to trust the researchers”: David Brumley, interview, November 24, 2016. 220 “It’s going to take the same kind”: Michael Walker, interview, December 5, 2016. 221 “I’m not saying that we can change to a place”: Ibid. 221 “It’s scary to think of Russia”: David Brumley, interview, November 24, 2016. 221 “counter-autonomy”: David Brumley, “Winning Cyber Battles: The Next 20 Years,” unpublished working paper, November 2016. 221 “trying to find vulnerabilities”: David Brumley, interview, November 24, 2016. 221 “you play the opponent”: Ibid. 221 “It’s a little bit like a Trojan horse”: Ibid. 222 “computer equivalent to ‘the long con’”: Brumley, “Winning Cyber Battles: The Next 20 Years.” 222 “Make no mistake, cyber is a war”: Ibid. 222 F-35 . . . tens of millions of lines of code: Jacquelyn Schneider, “Digitally-Enabled Warfare: The Capability-Vulnerability Paradox,” Center for a New American Security, Washington DC, August 29, 2016, https://www.cnas.org/publications/reports/digitally-enabled-warfare-the-capability-vulnerability-paradox. 223 Hacking back is when: Dorothy E.
Humans Need Not Apply: A Guide to Wealth and Work in the Age of Artificial Intelligence by Jerry Kaplan
Affordable Care Act / Obamacare, Amazon Web Services, asset allocation, autonomous vehicles, bank run, bitcoin, Bob Noyce, Brian Krebs, business cycle, buy low sell high, Capital in the Twenty-First Century by Thomas Piketty, combinatorial explosion, computer vision, corporate governance, crowdsourcing, en.wikipedia.org, Erik Brynjolfsson, estate planning, Flash crash, Gini coefficient, Goldman Sachs: Vampire Squid, haute couture, hiring and firing, income inequality, index card, industrial robot, information asymmetry, invention of agriculture, Jaron Lanier, Jeff Bezos, job automation, John Markoff, John Maynard Keynes: Economic Possibilities for our Grandchildren, Loebner Prize, Mark Zuckerberg, mortgage debt, natural language processing, Own Your Own Home, pattern recognition, Satoshi Nakamoto, school choice, Schrödinger's Cat, Second Machine Age, self-driving car, sentiment analysis, Silicon Valley, Silicon Valley startup, Skype, software as a service, The Chicago School, The Future of Employment, Turing test, Watson beat the top human players on Jeopardy!, winner-take-all economy, women in the workforce, working poor, Works Progress Administration
CAPTCHA stands for “Completely Automated Public Turing Test to tell Computers and Humans Apart.” Mark Twain famously said, “It is my … hope … that all of us … may eventually be gathered together in heaven … except the inventor of the telephone.” Were he alive today, I’m confident he would include the inventor of the CAPTCHA. Regarding the use of low-skilled low-cost labor to solve these, see Brian Krebs, “Virtual Sweatshops Defeat Bot-or-Not Tests,” Krebs on Security (blog), January 9, 2012, http://krebsonsecurity.com/2012/01/virtual-sweatshops-defeat-bot-or-not-tests/. 5. OFFICER, ARREST THAT ROBOT 1. E. P. Evans, The Criminal Prosecution and Capital Punishment of Animals (1906; repr., Clark, N.J.: Lawbook Exchange, 2009). 2. Craig S. Neumann and Robert D. Hare, “Psychopathic Traits in a Large Community Sample: Links to Violence, Alcohol Use, and Intelligence,” Journal of Consulting and Clinical Psychology 76 no. 5 (2008): 893–99. 3.
Silk Road by Eileen Ormsby
4chan, bitcoin, blockchain, Brian Krebs, corporate governance, cryptocurrency, Edward Snowden, fiat currency, Firefox, Julian Assange, litecoin, Mark Zuckerberg, Network effects, peer-to-peer, Ponzi scheme, profit motive, Right to Buy, Ross Ulbricht, Satoshi Nakamoto, stealth mode startup, Ted Nelson, trade route, Turing test, web application, WikiLeaks
The commercial services includes listings for fake IDs, dodgy university degrees and counterfeit coupons, services that research and write college papers, and a service that allows people to buy into fixed sporting events. Several stores offer stolen or counterfeit Apple products. One advertiser offers to steal goods to order, another offers bomb-making lessons and yet another says they can arrange for an enemy to be visited by a SWAT team. (This seemed a bit far-fetched, but ‘swatting’ is a real phenomenon in the United States, as security expert and blogger Brian Krebs discovered in March 2013. He had annoyed many hackers and shady websites over the years with his investigations, so someone placed a 911 call using instant message chats via a relay service designed for hearing-impaired and deaf callers. They said Russians had broken into Krebs’ house, killing his wife. The result was something straight out of a movie – half a dozen squad cars with lights flashing and police leaning over their bonnets pointing guns at him when he opened his door.
Black Code: Inside the Battle for Cyberspace by Ronald J. Deibert
4chan, Any sufficiently advanced technology is indistinguishable from magic, Brian Krebs, call centre, citizen journalism, cloud computing, connected car, corporate social responsibility, crowdsourcing, cuban missile crisis, data acquisition, failed state, Firefox, global supply chain, global village, Google Hangouts, Hacker Ethic, informal economy, invention of writing, Iridium satellite, jimmy wales, John Markoff, Kibera, Kickstarter, knowledge economy, low earth orbit, Marshall McLuhan, MITM: man-in-the-middle, mobile money, mutually assured destruction, Naomi Klein, new economy, Occupy movement, Panopticon Jeremy Bentham, planetary scale, rent-seeking, Ronald Reagan, Ronald Reagan: Tear down this wall, Silicon Valley, Silicon Valley startup, Skype, smart grid, South China Sea, Steven Levy, Stuxnet, Ted Kaczynski, the medium is the message, Turing test, undersea cable, We are Anonymous. We are Legion, WikiLeaks, zero day
In January 2012, Jan Droemer and Dirk Kollberg reported on their own detailed investigation of the Koobface perpetrators in “The Koobface Malware Gang Exposed,” Sophos Lab, January 2012, http://www.sophos.com/medialibrary/PDFs/other/sophoskoobfacearticle_rev_na.pdf?dl=true. 2 Electrons may move at the speed of light, but legal systems crawl at the speed of bureaucratic institutions: The lack of international co-operation around cyber security is discussed in Brian Krebs, “From (& To) Russia, With Love,” Washington Post, March 3, 2009, http://voices.washingtonpost.com/securityfix/2009/03/from_to_russia_with_love.html. See also Jeremy Kirk, “UK Police Reveal Arrests Over Zeus Banking Malware,” Computer World, November 18, 2009, http://www.computerworld.com/s/article/9141092/UK_police_reveal_arrests_over_Zeus_banking_malware; and Omar El-Akkad, “Canadian Firm Helps Disable Massive Botnet,” Globe and Mail, March 3, 2010, http://www.globeandmail.com/news/technology/canadian-firm-helps-disable-massive-botnet/article1488838. 3 Specialists working for Facebook, Jan Droemer, and other security researchers: In January 2012, Facebook outed the identity of the Koobface perpetrators in “Facebook’s Continued Fight Against Koobface,” January 17, 2012, https://www.facebook.com/note.php?
The Industries of the Future by Alec Ross
23andMe, 3D printing, Airbnb, algorithmic trading, AltaVista, Anne Wojcicki, autonomous vehicles, banking crisis, barriers to entry, Bernie Madoff, bioinformatics, bitcoin, blockchain, Brian Krebs, British Empire, business intelligence, call centre, carbon footprint, cloud computing, collaborative consumption, connected car, corporate governance, Credit Default Swap, cryptocurrency, David Brooks, disintermediation, Dissolution of the Soviet Union, distributed ledger, Edward Glaeser, Edward Snowden, en.wikipedia.org, Erik Brynjolfsson, fiat currency, future of work, global supply chain, Google X / Alphabet X, industrial robot, Internet of things, invention of the printing press, Jaron Lanier, Jeff Bezos, job automation, John Markoff, Joi Ito, Kickstarter, knowledge economy, knowledge worker, lifelogging, litecoin, M-Pesa, Marc Andreessen, Mark Zuckerberg, Mikhail Gorbachev, mobile money, money: store of value / unit of account / medium of exchange, Nelson Mandela, new economy, offshore financial centre, open economy, Parag Khanna, paypal mafia, peer-to-peer, peer-to-peer lending, personalized medicine, Peter Thiel, precision agriculture, pre–internet, RAND corporation, Ray Kurzweil, recommendation engine, ride hailing / ride sharing, Rubik’s Cube, Satoshi Nakamoto, selective serotonin reuptake inhibitor (SSRI), self-driving car, sharing economy, Silicon Valley, Silicon Valley startup, Skype, smart cities, social graph, software as a service, special economic zone, supply-chain management, supply-chain management software, technoutopianism, The Future of Employment, Travis Kalanick, underbanked, Vernor Vinge, Watson beat the top human players on Jeopardy!, women in the workforce, Y Combinator, young professional
In addition, the hackers stole: Mark Hosenball, “Target Vendor Says Hackers Breached Data Link Used for Billing,” Reuters, February 6, 2014, http://www.reuters.com/article/2014/02/06/us-target-breach-vendor-idUSBREA1523E20140206. Profits fell 46 percent in: Elizabeth A. Harris, “Faltering Target Parts Ways with Chief,” New York Times, May 6, 2014, http://www.nytimes.com/2014/05/06/business/target-chief-executive-resigns.html?ref=technology&_r=0. The company could still face: Brian Krebs, “Target Hackers Broke in via HVAC Company,” Krebs on Security (blog), February 5, 2014, http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/. It lost billions of dollars: Susan Taylor, Siddharth Cavale, and Jim Finkle, “Target’s Decision to Remove CEO Rattles Investors,” Reuters, May 5, 2014, http://www.reuters.com/article/2014/05/05/us-target-ceo-idUSBREA440BD20140505.
The Black Box Society: The Secret Algorithms That Control Money and Information by Frank Pasquale
Affordable Care Act / Obamacare, algorithmic trading, Amazon Mechanical Turk, American Legislative Exchange Council, asset-backed security, Atul Gawande, bank run, barriers to entry, basic income, Berlin Wall, Bernie Madoff, Black Swan, bonus culture, Brian Krebs, business cycle, call centre, Capital in the Twenty-First Century by Thomas Piketty, Chelsea Manning, Chuck Templeton: OpenTable:, cloud computing, collateralized debt obligation, computerized markets, corporate governance, Credit Default Swap, credit default swaps / collateralized debt obligations, crowdsourcing, cryptocurrency, Debian, don't be evil, drone strike, Edward Snowden, en.wikipedia.org, Fall of the Berlin Wall, Filter Bubble, financial innovation, financial thriller, fixed income, Flash crash, full employment, Goldman Sachs: Vampire Squid, Google Earth, Hernando de Soto, High speed trading, hiring and firing, housing crisis, informal economy, information asymmetry, information retrieval, interest rate swap, Internet of things, invisible hand, Jaron Lanier, Jeff Bezos, job automation, Julian Assange, Kevin Kelly, knowledge worker, Kodak vs Instagram, kremlinology, late fees, London Interbank Offered Rate, London Whale, Marc Andreessen, Mark Zuckerberg, mobile money, moral hazard, new economy, Nicholas Carr, offshore financial centre, PageRank, pattern recognition, Philip Mirowski, precariat, profit maximization, profit motive, quantitative easing, race to the bottom, recommendation engine, regulatory arbitrage, risk-adjusted returns, Satyajit Das, search engine result page, shareholder value, Silicon Valley, Snapchat, social intelligence, Spread Networks laid a new fibre optics cable between New York and Chicago, statistical arbitrage, statistical model, Steven Levy, the scientific method, too big to fail, transaction costs, two-sided market, universal basic income, Upton Sinclair, value at risk, WikiLeaks, zero-sum game
Harris and Nicole Perlroth, “For Target, the Breach Numbers Grow,” New York Times, January 1, 2014, http://www.nytimes.com /2014 /01/11/business/target-breach-affected-70 -million-customers.html?_r=0. 59. Thomas R. McLean & Alexander B. McLean, “Dependence on Cyberscribes-Issues in E-Security,” 8 J. Bus. & Tech. L. (2013): 59 (discussing instances of medical information on the black market); Brian Krebs & Anita Kumar, “Hackers Want Millions for Data on Prescriptions,” Wash. Post, May 8, 2009, at B1. 60. Misha Glenny, DarkMarket: How Hackers Became the New Mafi a (New York: Vintage Books, 2012) 2 (“this minuscule elite (call them geeks, technos, hackers, coders, securocrats, or what you will) has a profound understanding of a technology that every day directs our lives more intensively and extensively, while most of the rest of us understand absolutely zip about it.”). 61.
Liars and Outliers: How Security Holds Society Together by Bruce Schneier
airport security, barriers to entry, Berlin Wall, Bernie Madoff, Bernie Sanders, Brian Krebs, Broken windows theory, carried interest, Cass Sunstein, Chelsea Manning, commoditize, corporate governance, crack epidemic, credit crunch, crowdsourcing, cuban missile crisis, Daniel Kahneman / Amos Tversky, David Graeber, desegregation, don't be evil, Double Irish / Dutch Sandwich, Douglas Hofstadter, experimental economics, Fall of the Berlin Wall, financial deregulation, George Akerlof, hydraulic fracturing, impulse control, income inequality, invention of agriculture, invention of gunpowder, iterative process, Jean Tirole, John Nash: game theory, joint-stock company, Julian Assange, longitudinal study, mass incarceration, meta analysis, meta-analysis, microcredit, moral hazard, mutually assured destruction, Nate Silver, Network effects, Nick Leeson, offshore financial centre, patent troll, phenotype, pre–internet, principal–agent problem, prisoner's dilemma, profit maximization, profit motive, race to the bottom, Ralph Waldo Emerson, RAND corporation, rent-seeking, RFID, Richard Thaler, risk tolerance, Ronald Coase, security theater, shareholder value, slashdot, statistical model, Steven Pinker, Stuxnet, technological singularity, The Market for Lemons, The Nature of the Firm, The Spirit Level, The Wealth of Nations by Adam Smith, The Wisdom of Crowds, theory of mind, too big to fail, traffic fines, transaction costs, ultimatum game, UNCLOS, union organizing, Vernor Vinge, WikiLeaks, World Values Survey, Y2K, zero-sum game
“Stop Snitching” campaign Rick Hampson (28 Mar 2006), “Anti-Snitch Campaign Riles Police, Prosecutors,” USA Today. Rick Frei (2010), “Witness Intimidation and the Snitching Project,” written testimony submitted to the Subcommittee on Drugs and Crime, U.S. Senate Committee on the Judiciary. Con artists try David Maurer (1940), The Big Con: The Story of the Confidence Man, Bobbs Merrill. Fake anti-virus software Brian Krebs (3 Aug 2011), “Fake Antivirus Industry Down, But Not Out,” Krebs on Security. Internet money laundering Mitchell Zuckoff (15 May 2005), “Annals of Crime: The Perfect Mark,” The New Yorker, 36–42. doctrine of necessity Leslie Wolf-Phillips (1979), “Constitutional Legitimacy: A Study of the Doctrine of Necessity.” Third World Quarterly, 1:99–133. competing interests H.E. Mason, ed. (1996), Moral Dilemmas and Moral Theory, Oxford University Press.
Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon by Kim Zetter
Ayatollah Khomeini, Brian Krebs, crowdsourcing, data acquisition, Doomsday Clock, drone strike, Edward Snowden, facts on the ground, Firefox, friendly fire, Google Earth, information retrieval, John Markoff, Julian Assange, Kickstarter, Loma Prieta earthquake, Maui Hawaii, MITM: man-in-the-middle, pre–internet, RAND corporation, Silicon Valley, skunkworks, smart grid, smart meter, South China Sea, Stuxnet, undersea cable, uranium enrichment, Vladimir Vetrov: Farewell Dossier, WikiLeaks, Y2K, zero day
They had to go public with the news.15 So on July 12, Ulasen posted a brief announcement about the zero-day to his company’s website and to an online English-language security forum, warning that an epidemic of infections was about to break out.16 He divulged few details about the hole it was attacking, to avoid giving copycat hackers information that would help them exploit it. But members of the forum grasped the implications quickly, noting that it had the potential to be “deadly to many.” Three days later, tech journalist Brian Krebs picked up the announcement and wrote a blog post about it, summarizing what little was known about the vulnerability and exploit at the time.17 The news raced through the security community, causing everyone to brace for a wave of assaults expected to come from the worm and copycat attacks using the same exploit.18 In the meantime, the head of an institute in Germany that researched and tested antivirus products brokered an introduction between Ulasen and his contacts at Microsoft, prompting the software company to begin work on a patch.19 But with news of the vulnerability already leaked, Microsoft decided to release an immediate advisory about the critical flaw to customers, along with a few tips advising them how to mitigate their risk of infection in the meantime.
Terms of Service: Social Media and the Price of Constant Connection by Jacob Silverman
23andMe, 4chan, A Declaration of the Independence of Cyberspace, Airbnb, airport security, Amazon Mechanical Turk, augmented reality, basic income, Brian Krebs, California gold rush, call centre, cloud computing, cognitive dissonance, commoditize, correlation does not imply causation, Credit Default Swap, crowdsourcing, don't be evil, drone strike, Edward Snowden, feminist movement, Filter Bubble, Firefox, Flash crash, game design, global village, Google Chrome, Google Glasses, hive mind, income inequality, informal economy, information retrieval, Internet of things, Jaron Lanier, jimmy wales, Kevin Kelly, Kickstarter, knowledge economy, knowledge worker, late capitalism, license plate recognition, life extension, lifelogging, Lyft, Mark Zuckerberg, Mars Rover, Marshall McLuhan, mass incarceration, meta analysis, meta-analysis, Minecraft, move fast and break things, move fast and break things, national security letter, Network effects, new economy, Nicholas Carr, Occupy movement, optical character recognition, payday loans, Peter Thiel, postindustrial economy, prediction markets, pre–internet, price discrimination, price stability, profit motive, quantitative hedge fund, race to the bottom, Ray Kurzweil, recommendation engine, rent control, RFID, ride hailing / ride sharing, self-driving car, sentiment analysis, shareholder value, sharing economy, Silicon Valley, Silicon Valley ideology, Snapchat, social graph, social intelligence, social web, sorting algorithm, Steve Ballmer, Steve Jobs, Steven Levy, TaskRabbit, technoutopianism, telemarketer, transportation-network company, Travis Kalanick, Turing test, Uber and Lyft, Uber for X, uber lyft, universal basic income, unpaid internship, women in the workforce, Y Combinator, Zipcar
“Everything We Know About What Data Brokers Know About You.” ProPublica. Sept. 13, 2013. propublica.org/article/everything-we-know-about-what-data-brokers-know-about-you. 215 TSA sells to debt collectors: Susan Stellin. “Security Check Now Starts Long Before You Fly.” New York Times. Oct. 21, 2013. nytimes.com/2013/10/22/business/security-check-now-starts-long-before-you-fly.html. 215 Experian investigation: Brian Krebs. “Experian Sold Consumer Data to ID Theft Service.” KrebsonSecurity. Oct. 20, 2013. krebsonsecurity.com/2013/10/experian-sold-consumer-data-to-id-theft-service. 215 Identity thieves in Vietnam: Sean Vitka. “Experian-Acquired Data Broker Sold Social Security Numbers to Identity Thieves.” Slate. Oct. 25, 2013. slate.com/blogs/moneybox/2013/10/25/experian_data_broker_social_security_numbers_sold_to_identity_thieves.html. 215 Experian revenue: “Investor Centre.”