North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: mitigating botnet C&Cs has become useless

  • From: Sean Donelan
  • Date: Tue Aug 08 19:19:56 2006


On Tue, 8 Aug 2006, Rick Wesson wrote:
Last sunday at DEFCON I explained how one consumer ISP cost American business $29M per month because of the existence of key-logging botnets.

Why did you attribute responsibility for the cost only to the consumer ISP? How much of the cost should be attributed the PC OEM, or the software developers, or the American business, or the ....?


If the consumer changes to a different consumer ISP, are they now secure?
Or is the same compromised computer still compromised regardless of what
ISP the consumer uses?

On the other hand, if the consumer changes from one popular brand of operating system to a different brand of operating system, or doesn't
use P2P software, or doesn't download free naked celeberties has their risk exposure to key-logging botnets changed? Even if they keep the same ISP?


If the risk stays the same with different ISPs, but the risk changes when
you change something besides the ISP, perhaps it would be better to associate the cost with the things that more directly affect the risk.


you want to talk economics? Its not complicated to show that mitigating key-logging bots could save American business 2B or 4% of =losses to identity theft -- using FTC loss estimates from 2003

What are the economics of American businesses mitigating key-logging bots?


How much security would you get for an additional $20 per year per on-line
user? Spending more than the losses wouldn't save American business money.


How much of a difference would it make? How many American businesses
provide "free" security software or one-time tokens or smarcards to their online customers? How long did it take criminals in Europe to figure out
how to get around those security measures? How many banks pay to fix
their customers' computers after a key-logger bot steals their bank account information? Why don't banks re-issue credit cards or notify their customers after every report of a compromised account?


just because an ISP looses some money over transit costs does not equate to the loss american business+consumers are loosing to fraud.

Postal inspectors have the authority to investigate and arrest people for mail fraud. Where are the Internet inspectors with the authority to arrest people?