One Hack Of A Crime Wave, Or So They Say

Keep calm and carry on: cyber crime is not the threat it’s made out to be. There is no better fodder for naked fearmongering than crime conducted online. You’ve about heard them all: Nigerian scams, 410 scams, and phishing scams. Banking fraud, credit card fraud, hackers, viruses and keystroke loggers. And there’s spam, zombies, malware, spoofing, scareware, worms, etc.
 
And there are the biggies: cyber crime, cyber terrorism, and full-blown cyber war. Typically these threats are all merged into each other, blurred by fearmongers to create a picture of a risky Wild West online. They feed into a fear that technology has somehow got out of control, a fear that our lives have become more dangerous as we’ve been sucked online.
 
On Tuesday, ABC’s 7.30 cited the usual mix, warning of everything from petty identity theft to the ”cyber crime underworld”. The show claimed proceeds of cyber crime were now more than proceeds from illicit drugs. The next day, the federal government announced it would sign the Council of Europe convention on cyber crime – a treaty for international co-operation.
 
The size of any illegal industry is hard to estimate. But the claim that cyber crime is now a bigger concern than the drug trade relies entirely on an off-the-cuff remark made by a consultant to the US Treasury Department in 2005: ”Last year was the first year that proceeds from cyber crime were greater than proceeds from the sale of illegal drugs, and that was, I believe, over $US105 billion.”
 
Last week’s 7.30 interviewed a US defence contractor saying cyber crime was now $US3 trillion. At that price, cyber crime is the fifth-biggest economy in the world, slightly below Germany. It doesn’t ring true. Cyber crime would be the biggest crime wave in human history – hackers stealing an entire German economy every single year. Of course, we mostly hear these gargantuan numbers from consultants (drumming up business from law enforcement) and internet security companies (trying to sell software).
 
A new paper by researchers from Microsoft – Sex, Lies, and Cyber crime Surveys – explains why estimates of cyber crime have become so absurdly large. The authors, Dinei Florencio and Cormac Herley, point out that the bulk of what we know comes from tiny surveys. The authors found at least 75 per cent of losses were extrapolated from just one or two unverified, cases.
 
In other words, one bloke falls for the old ”I’m a prince from Nigeria” scam, and it is reported that cyber crime is a $3 trillion industry. This is not to deny that criminals use the internet.
 
But crime is crime, whether it’s online or not. Many cyber crimes are just digital variations of old cons. The Nigerian scam was originally conducted by post.
 
And much cyber crime is just vandalism, hard to police, but not hard to protect against. Lock your gate, use complicated and varied passwords, make backups. Don’t trust foreign princes or popups. Accept the updates for your anti-virus software. Make sure internet companies you deal with are responsible.
 
These are all pretty simple, and they will protect you from 90 per cent of the danger. Education is more necessary here than legislation. The majority of online transactions are safe. And certainly no reason to give government a blank cheque for any new law it wants.
 
Some of the proposals to deal with the cyber crime ”epidemic” have serious civil liberties issues. The treaty the federal government intends to sign may mean Australian internet service providers have to store records of every website we visit, and every person we email, just in case the police need it later.
 
We like to complain about privacy and Facebook, but that will be nothing compared with the massive amount of data compulsorily stored by our internet provider. Apart from the privacy implications, that requirement itself could increase online risk. There’s little more attractive to criminals than large banks of data stored in one place.
 
All the hype about cyber crime is nothing compared with the noises made by defence contractors and American military commanders who have been stoking fears of ”cyber war” and ”cyber terrorism”. But even the most famous instances of cyber war – like the StuxNet virus, which damaged Iran’s nuclear program in 2010 – are more hype than reality. StuxNet was trotted into an Iranian enrichment facility on a USB stick. It was plain, old espionage. So, next time you read of the dangers online, consider: the seriousness of the threat is inversely proportional to the number of uses of the word ”cyber”. There are risks online. But they are manageable.

Overreaction To Terrorism The Big Threat

Governments take terrorist threats very seriously. But the seriousness of terrorism has to be balanced against how very ineffective – even incompetent – most terrorists actually are.
When printer cartridge bombs were found on a flight about to depart from East Midlands Airport in England to the US on October 29, the regulatory and security response was immediate and uncompromising.
The packages originated from Yemen, so all cargo from Yemen was banned. And Somalia, too. The German government even stopped all passenger flights from Yemen. Toner and ink cartridges above 450 grams were completely banned from passenger flights travelling to the US, not just coming from Yemen, but coming from anywhere at all. The pat-down security procedures on all passengers travelling anywhere within or into the US were boosted.
A substantial reaction, but not an unusual one. Security agencies always hastily crack down on all sorts of activity when terrorist plots are discovered.
Yet just a few weeks later, it is hard to be scared by the printer cartridge bombs at all.
The plot failed on multiple counts. The bombs were found, they were disarmed, and they posed a minimal threat to human life and property. Neither does it represent innovation in terrorism – mail bombs have been around for centuries.
The bombs travelled on passenger jets, certainly, but only by accident. As they were cargo, the bombs were carried on passenger aircraft early on the journey from Yemen through the Middle East. The plan was to explode the bombs in US airspace, but investigators suggest it could have exploded over Canada.
Had the bombs exploded, they would have destroyed a cargo jet and its tiny crew, not the synagogues to which they were addressed.
The bomb maker to whom this has been attributed – Ibrahim Hassan al-Asiri, al-Qaeda’s chief engineer in the Arabian Peninsula – is responsible for the failed Christmas Day 2009 bomber, and a failed assassination attempt on a Saudi intelligence chief. The only fatality of that latter incident was al-Asiri’s brother, who had hidden the explosives in his rectum.
The printer cartridge bomb plot was detected by traditional counterterrorism intelligence. Some reports suggest information about the plan came from undercover Saudi agents within al-Qaeda’s Yemen operation – the terrorist network is, apparently, a lot easier to infiltrate as it tries to stave off long-term decline by expanding its franchises into Yemen and the Maghreb.
So, like many other terrorist scares, in retrospect, there is a lot less to the printer cartridge bombs than first seemed. There seems little reason to be worried.
But nothing quite demonstrates the strangely pathetic nature of the terrorism threat more clearly than al-Qaeda’s new English language magazine.
The October issue of Inspire contains some bizarre suggestions for jihadists plotting in the West. For instance: one article recommends terrorists weld steel blades onto the hubs of a four-wheel-drive and drive up onto a crowded footpath. Doing so, we read, will “achieve maximum carnage”. But that seems more like a terrorist plot hatched by Mad magazine than professional, trained Islamic revolutionaries.
When they’re not utterly stupid, they are oddly banal. Another Inspire recommendation is to shoot up lunch spots that are popular with government workers. So in a decade, al-Qaeda has gone from targeting the World Trade Centre and the Pentagon – the two symbolic organs of American power – to threatening Starbucks outlets one at a time.
Then there is “Make a bomb in the kitchen of your mom”, which suggests repurposing a home pressure cooker to become an explosive device. Such a device is weak, apparently, so the magazine recommends it is placed “close to the intended targets”.
It is surprisingly hard to detonate explosives successfully. Despite the large number of detailed guides to bomb-making littering the internet – whether written for anarchists or jihadists or self-destructive teenagers – the history of terrorism suggests budding bomb-makers are undertrained and underprepared.
The shoe-bomber, Richard Reid, who tried to blow up a flight from Paris to Miami in late 2001, failed because his explosives were damp. The Christmas Day bomber, Umar Farouk Abdulmutallab, burnt his trousers off trying to ignite explosives in his underpants.
The May 2010 Times Square bomber, Faisal Shahzad, could not get his car bomb to detonate. He just set the car on fire. Shahzad was apprehended, in part, because he left his house keys in the ignition.
In late November, the “Portland car bomb plot”, in which a 19-year-old Somali-American tried to blow up a Christmas event, was foiled because his car bomb was a fake. The explosives had been provided by undercover FBI agents who – it appears – had goaded him into becoming an operational terrorist in the first place.
If so, it would not be the first time: a 2007 plot to attack a US army base in New Jersey was almost certainly a case of FBI entrapment. And it will no doubt occur again. There was a bizarre case reported in The Washington Post this week of a mosque in Los Angeles taking out a restraining order on a man spouting pro-terrorism views, and reporting him to the FBI. The man turned out to be an FBI informant trying to infiltrate the jihad.
Despite all this clownishness, the overreaction to every failed terrorist attack has serious consequences. Terrorism succeeds not because of what it does to its target, but what its target does to itself in response.
Measured in money, the cost of terrorism is dwarfed by the cost of the reaction to terrorism. Security responses threaten civil liberties and the rule of law. Nobody needs to be reminded how, since the September 11, 2001, attacks the legal, political and administrative security apparatus has been unalterably changed in the US, Australia and throughout the Western world. The economic cost of this alone is staggering. There are now 1271 separate American government bureaucracies dedicated to security.
Millions of Americans have security clearance and access to this sprawling bureaucracy – apparently allowing a disaffected, low-ranking soldier to gather a huge number of military and diplomatic records and send it to WikiLeaks.
Our government has embarked on its own national security empire-building. The size of the Australian Security Intelligence Organisation has tripled in the past decade.
Then there are the inconveniences caused by knee-jerk reactions to failed terrorism plots. The discovery of the printer cartridge bombs may mean in-flight wireless internet is scrapped, in case the internet is used to detonate explosives. After all, if it is possible to imagine, it is necessary to ban.
There’s also political pressure in Britain to install high-tech screening devices to scan every piece of cargo travelling on aircraft, with the cost borne by freight companies.
After November’s car bomb attempt, Portland is now beefing up security and getting rid of parking at public events.
And after the Christmas bomber, the US government dramatically increased the number of body scanners and intrusive pat-downs. The outcry over the privacy and health consequences of these extraordinarily invasive measures has been deafening. The phrase “security theatre” has become widely used, even among commentators predisposed to being tough on terrorism.
Two things to note: the invasive body scanners have been installed in response to a failed terrorism attempt, not a successful one. And independent security experts have discovered that the scanners are unable to detect the sort of explosives the Christmas Day bomber tried to use.
So, naturally, the Australian government plans to spend $200 million introducing body scanners here within the next few months.
And measured in lives, the reaction to terrorism is often far worse than the potential damage caused by terrorists.
Admittedly, this point does not apply if you believe drone strikes and other military actions kill terrorists exclusively. There are indications the US will respond to the printer cartridge bombs by escalating its covert war in Yemen to include drone attacks.
Next year will be the 10th anniversary of September 11. The devastation of those attacks now looks like a rare fluke. It is one which is unlikely to be repeated. If nothing else, aircraft passengers will no longer passively allow anyone to forcibly take over a plane. Passenger awareness is probably the most powerful airline security “innovation” in the past decade.
And it is becoming increasingly clear there are no great terrorist “masterminds”. The war on terror has no great Bond villain. There is no Einstein of al-Qaeda.
Incompetent terrorists are still dangerous; they can still kill.
But after the initial panic, the vast majority of terrorist incidents are less threatening than they first seem.
The director of the US National Counterterrorism Centre said last week “we help define the success of an attack by our reaction to that attack”. Let’s try not to make our reaction to terrorism worse than the threat of terrorism.

The Expansion Of Presidential Power

In the United States, many thought Barack Obama’s election would be the moment the rule of law reasserted itself in the fight against jihadi terrorism.

After all, that’s what he promised – ending the use of torture and extreme rendition, revising the Patriot Act, closing down Guantanamo Bay detention camp, eliminating warrantless wiretaps, and restoring the right of prisoners to challenge their detention.

So the debate whether the Obama administration has the legal authority to assassinate an American citizen without any due process is pretty unedifying.

The citizen in question is Anwar al-Awlaki, a radical Muslim cleric. He’s probably holed up in Yemen. In April, the administration authorised his assassination.

Now his father is suing the government to prevent the government doing so. In response, the administration asked the court to dismiss the lawsuit because it involves state secrets.

There’s no doubt al-Awlaki is a bad guy. He’s reportedly called for American Muslims to wage violent jihad against the US. His sermons have been attended by an array of accused and convicted terrorists. He’s apparently the inspiration for the Times Square bomber and the Christmas Day bomber. The US government now claims he’s gone from encouraging terrorist attacks to actively participating in them.

American governments have long had the power to assassinate those waging war against the United States.

Yet assassinating a US citizen goes well beyond anything previous administrations have ever been able to do. A senior Bush legal official told the New York Times he couldn’t recall any similar case.

And, Barack Obama – or, at least, Barack Obama’s lawyers – believe the president has an absolute right to do so without limitation and without scrutiny.

As the legal commentator Glenn Greenwald wrote, the Obama administration seems to believe that “not only does the president have the right to sentence Americans to death with no due process or charges of any kind, but his decisions as to who will be killed and why he wants them dead are ‘state secrets,’ and thus no court may adjudicate their legality.”

One could make the case al-Awlaki has so abrogated his American citizenship he is effectively a foreigner, and that his threat to the US is so substantial they have no choice but to assassinate him. But that’s a case they should make to a court. Instead, the administration believes the government shouldn’t have to justify targeting the cleric.

This argument proposes the US president be given absolutely unlimited powers.

No matter how hawkish you are on the war on terror, that’s a bad idea.

In her 2008 book, The Dark Side: The Inside Story of How The War on Terror Turned into a War on American Ideals, Jane Mayer laid out how the administration of George W. Bush fumbled its way into its security framework.

Guantanamo Bay, the renditions, the blurring of legal and illegal torture, and the augmenting of the president’s war powers were a result of panic after September 11 attacks and an escalating security machismo within the White House.

The urgency meant it took less than 12 months for these policies to be fixed in place.

That’s not an excuse for the Bush administration blundering – and there was a lot of blundering while the administration tried to reform criminal processes to fight a war against terrorists. And it’s no excuse for their utter disregard of due process, civil liberties, and individual rights. But it is an explanation.

By contrast, it is nearly incomprehensible that, a decade after the September 11 attacks, those powers are still expanding rather than contracting.

Certainly, terrorism remains a national security problem in the US and around the world. Recent warnings about threats in Europe and India remind us of that. But the direct political pressure over terror has been relieved – partially due to the global financial crisis, which displaced public fear of the risk of attack with a much more real fear of unemployment.

And many of the tactics deployed after 2001 have been, in retrospect, dismal failures.

The effort to prosecute accused terrorists through military commissions rather than the civilian legal system has been decidedly uninspiring: those who could have been jailed for life had they faced the full gamut of civilian charges have received peculiarly light sentences.

The recent expansion of presidential power is made worse by the fact that Obama specifically campaigned against legal abuses in the conduct of the war on terror.

This brazenness is unlikely to hurt the president. Many in the American left have been reluctant – even embarrassed – to admit Obama has doubled down on some of the most reviled policies of the Bush administration. Those who do point out a Palin administration would be far worse.

And conservatives are more eager to criticise Obama for being too soft on terrorism than being unprecedentedly bold.

In his new book Obama’s Wars, Bob Woodward quotes the president claiming the US could “absorb” another terrorist attack. This has been described as a gaffe. And, from a political perspective, it is. But it’s also an uncommonly honest reflection of the nature of the terrorist threat.

If only that moderation was translated into policy.

Should terror suspects be protected by politics?

In Dr Strangelove, the crazed General Jack D Ripper claims ‘war is too important to be left to the politicians’.

So, it seems, is terrorism.

It’s been just over one week since a Nissan Pathfinder caught fire in Times Square. The press has focused on the modest drama of stopping the departing Emirates flight carrying the alleged terrorist Faisal Shahzad, as he tried to leave the country.

But still,it seems he was pretty easy to catch.

The Pathfinder was taken to a forensic lab where investigators quickly traced its provenance – it had been sold on Craigslist, two weeks before the incident. The sale was made in $100 bills in a supermarket car park.

But the seller had the buyer’s mobile number. And, with a sketch artist, was able to draw a picture of buyer’s face. Better: the buyer had driven himself to pick up the Nissan, and left his black IsuzuRodeo in the car park.

With the registration of the Isuzu, investigators now had Faisal Shahzad’s home address. They didn’t even have to break in. The key to his apartment was in the Nissan’s ignition.

Shahzad was in custody 53 hours after the bomb was left in Times Square.

The tale of Shahzad’s speedy arrest makes him look less like a formidable jihadist with Pakistani terror camp training, and more like an incompetent, failed criminal.

But it’s worth dwelling on the particulars of how Shahzad was identified and arrested because the legal system largely worked.

What little effort Shahzad made to cover his tracks was easily side-stepped. He took two days to try to leave the US. The US government says Shahzad claims to have learnt bomb-making from the best, but his bomb didn’t work.

And the legal case against Shahzad seems to have been made even easier because he started chatting to the FBI, apparently giving them “valuable intelligence and evidence”.

Seems too simple, doesn’t it? That’s because the politicians haven’t become involved yet.

Take the question of whether Shahzad should have been informed of his legal rights at his arrest. After investigators confirmed there were no other attacks imminent, he was. John McCain claimed doing so was a mistake. And the ranking Republican on the Homeland Security Committee, Peter King, strongly agreed, adding: “I know he’s an American citizen but still…”.

Joe Lieberman upped the ante by proposing to give the government power to remove anybody’s American citizenship if they are merely suspected of being a terrorist. In their view, the rights we afford criminals are getting in the way of winning the war on terror. But the sorts of legal changes they recommend could very well lose it.

Terrorism is against the law. It’s against a lot of laws. And even in a post-Guantanamo world, terrorism trials are conducted in the shadow of centuries of legal precedent, an adversarial court system, and extensive avenues of defence and appeal.

Those bombastic tough-on-terror politicians – if they got their way – could easily undermine terror prosecutions. Because it’s not a question of whether terrorists deserve legal rights. It’s that ignoring those rights allows terrorists to avoid justice.

As David Frum has pointed out, if Lieberman’s proposed citizenship laws were in effect, the US would be on its way “to court right now to litigate the issue whether the Times Square bomber’s bombing plot indicated an intent to relinquish his nationality. Only after taking that issue through trial and appeal (maybe multiple appeals) could we get to work questioning and punishing him”.

It’s happened before.

Ali Saleh Mohamed Kahlah al-Marri was arrested shortly after the September 11 terrorist attacks, accused by the government of being an al-Qaeda sleeper agent, and taking orders directly from Osama bin Laden.

With all the charges against him, al-Marri potentially faced 143 years in prison if convicted in a civilian court, according to the Cato Institute’s David Rittgers. But the Bush administration was eager to show that American counter-terrorist efforts were a ‘war’ in America as much as Afghanistan. It moved him out of the civilian court system and into military custody.

As a result, after years of legal wrangling and a Supreme Court case, he was convicted in October 2009 on just one count of material support for terrorism. He got eight years.

If you want to punish terrorists to the fullest extent of the law possible, that’s an awful outcome.

Like Australia, the United States has a civilian legal system which has evolved from centuries of English legal precedent. It’s handled mass murderers and politically-motivated misdeeds for hundreds of years.

Terrorists believe they are freedom fighters; captured terrorists believe they are political prisoners. Let’s give them the disrespect they deserve and treat them like common criminals
.

Terror Laid Bare

Flying is awful – and it looks like it’s only going to get worse. The actual “flying” part can be all right if you get one of those exotic personal entertainment systems with a trillion movies and every kind of Tetris rip-off imaginable.

Modern airlines come in two types: those that pride themselves on their hospitality, and those that pride themselves on abusing the goodwill of passengers to keep costs down. Either way, commercial airlines aim to please in some fashion.

But not even George Clooney in Up in the Air was able to make traversing the government’s airport security checkpoints look elegant.

Sociologists of the future will describe this as the “ritual” of travel: lists of what you can and cannot take into the plane; convenient check-in machines complemented by impossibly long baggage lines; the security barriers; making sure you remove your laptop; taking off your belt; and being swabbed for bomb residue.

Hop on a plane to the US and it’s worse. Since the underpants bomber failed to blow up his underpants on Christmas Day last year, airport security frisks passengers so intimately they can not only detect bombs in jocks, but can detonate them by hand.

Kevin Rudd has announced an extra $200 million for airport security. “It may,” said the Prime Minister in his best leadership voice, “mean it takes longer for passengers to pass through security, but the government believes that this inconvenience is a small price to pay for increased security.” (Incidentally, the prime ministerial jet was renovated in 2007, at a cost of $100,000.)

We’ll be paying this “small price” because the Prime Minister has decided to install full body scanners in Australian airports, scanners that can see through clothing to get almost naked images of passengers.

No surprise that some people worry about the privacy implications. In Britain, there is even serious concern that body scanners breach child porn laws. It’s illegal to create indecent images of children, and that’s what happens when children go through body scanners designed to look under clothing.

Privacy issues aside, what’s the point? Body scanners will be just another ceremony added to the elaborate ritual of travel – prime examples of “security theatre”. We might feel safer, but we’re not actually safer.

After all, how much safer could we possibly be? The risk of terrorism is infinitesimally small.

In the United States, there is an average of just one terrorist incident every 16.5 million flights, according to the US Bureau of Transportation Statistics.

In Australia, there are half a million domestic flights per year. Every day more than 100,000 people fly from one Australian city to another; 50,000 more either leave or enter the country.

But when in 2003 a parliamentary committee asked a witness from the Department of Transport whether there had ever been a terrorist incident on an aircraft in Australia, nobody could think of one. (There had been an unsuccessful hijacking attempt of a flight between Melbourne and Launceston in May that year, but the hijacker was suffering from severe paranoid schizophrenia. Hardly a professional jihadist.)

So even if full body scanners in every airport in the country halved the risk of terrorism, half of bugger-all is still bugger-all.

Human beings are terrible at assessing risk. In the past 12 months, there have been more than 1500 deaths on Australian roads. By contrast, over the past decade, 469 airline passengers died from bombings, hijackings or pilot shootings in the entire world. More than half of those fatalities occurred on September 11. The noughties were the second-safest decade for air travel since the 1950s, and there are a lot more passenger flights now.

Perhaps it’s all that security that makes flying so safe. But security specialist Bruce Schneier argues that there are just two truly effective protections against terrorism on airlines. The first is reinforced cockpit doors – without access to the cockpit, it’s hard to turn a plane into a flying missile. Since 2001, pilots do not open that door.

The second is us. Right now, the strongest defence we have against airplane hijackings or bombings isn’t terrorist no-fly lists or body scanners. It’s the passengers who now know they shouldn’t passively comply with the demands of terrorists, and who know the guy doing chemistry in the bathroom should not be left in peace.

The Christmas underpants bomber was scary, but security worked exactly as it should have. He couldn’t get a “good” bomb on board, so he tried to detonate a bomb so awkward it required 20 minutes of preparation in the toilet. And he couldn’t get it to work. He was quickly subdued by passengers when his pants caught on fire.

The Australian attempted hijacking was also defeated by passengers.

Back in 2005, then immigration minister Amanda Vanstone was candid about the absurdity of airline security. With obvious enthusiasm, she posed this hypothetical to a private audience: “If I was able to get on a plane with an HB pencil – which you are able to – and stabbed the HB pencil into your eyeball and wiggled it around down to your brain area, do you think you’d be focusing?”

Most terrorist plots are discovered through quiet investigative work, and foiled long before they are anywhere near ready, although we still haven’t dealt with the “Amanda Vanstone driving an HB pencil into your eyeball” threat. So the risk of airline terrorism will never be zero. But let’s try not to panic.