Keep Your 40 Acres, Just Send the Mules


I suppose I can boil down my complaints about U.S. law enforcement's attempts to do something effective about rampant and metastasizing cybercrime to two things. The first is that our guys don't have good relations with Russia and other countries that are knowingly harboring the worst criminals. And the second is that they don't have bad relations with those countries--not bad enough to blow the whistle.

Instead, U.S. authorities are the co-dependents in a perennially depressing romance, always thinking that real change in their partner is right around the corner. Think about Lucy holding the football for Charlie Brown.

After spending a couple of vacation days this week at a cybercrime conference aimed mostly at bankers--'cause hey, that's how I roll--I'm still convinced that we are in much bigger trouble than people realize. The Zeus family of financial computer trojans, which is probably on millions of PCs and often escapes the notice of antivirus software, is truly impressive. Even if your bank cares enough about you to hand over a gadget with ever-changing one-time passwords, Zeus can intercept them and do other neat tricks, like redirecting you to a "down for maintenance" page while it cleans out your account. It can then do math on the fly so that when you check your balance, it appears to be right where it should be. I'm pretty sure it can walk on its hands while juggling with its feet, but you should check with one of the people who have lost or nearly lost their businesses, like Karen McCarthy.

But I also spoke to the Secret Service and FBI delegates to the conference, and they gave me a glimmer of hope that I would like to fan into a faint glow. It wasn't their accounts of the five big-cheese Ukrainians detained recently in a $70 million Zeus case, though that was certainly a good thing. Those men still haven't been charged, let alone convicted and sent to jail; the FBI man grimaced when I asked about the chances for locking up Zeus' Russian author; and forensics maven Gary Warner reported this morning that new Zeus control servers are popping up every day.

What cheered me was that they showed more pragmatism and less bust-down-the-doors machismo than I have ever seen in high-level feds. They are making slow progress in tough spots like Ukraine, they said, in part because the criminals screwed up and started attacking their countrymen. If every other country starts cooperating, pressure on Russia will grow. In the meantime, they are seizing servers, building intelligence on 50 top criminals, and disrupting their networks when they can.

Looking at the big picture, they see that the current bottleneck for the mobsters is the mules--the tens of thousands of people in the U.S. alone who often unwittingly accept transfers from compromised accounts, take a cut, and wire the rest overseas. The cyber gangs have access to more bank money than they can get out of the country.

So that's why the FBI made a big deal out of picking up some dozens of mules a few weeks back. Arrests and news conferences get precious TV time and stories, which can alert people that those work-from-home payment processing jobs are a really bad idea. Like the occasional fall of one or another honcho or botnet, the removal of scores of low-level employees won't do much to stem the tide. But an amplified message could reduce access to some of the kingpins' most precious assets, and it's certainly a worthwhile thing to try.

Something else seems increasingly doable as well, but that calls for a broader effort from outside law enforcement. The recent Zeus cases depended on work by outside security researchers, who often know far more than the cops. I would really like to see more such collaboration. I don't see why thousands of people would work together on such open-source projects as Linux and Mozilla and not on something so core to defending the Internet as a reasonable place to exist.

This marks the end of my guest-blogging stint here at BoingBoing, and I want to thank my gracious hosts and all of you for reading. You can always follow me at @josephmenn.


  1. Mostly because “defending the Internet as a reasonable place to exist” would make you a felon and coding a web browser won’t.

  2. Scary stuff, thanks for reporting on it! *checks stash under mattress*

    I object, however, to the title for this post. It’s a cute tie-in to the part of the post about “mules,” I suppose, but you’re appropriating, and trivializing, a significant event in African American history that still burns. That term evokes one of many broken promises to African Americans that still have real resonances, and real material effects. For instance, the average black American family’s wealth is eight to ten times lower than that of the average white American family–one of many financial, communal screw-overs with historical roots in the kind of retracted white promises that your post’s title trivializes.

  3. Anyone who answers and plays along with one of those “work from home, make a million” emails deserves to go to jail for clinical stupidity, if nothing else.

    I get about 10 emails a week offering the chance to get “good results in pay for almost no work!”

    First clue: email sender address never matches email reply address.

    Second clue: it’s too good to be true, therefore it’s a scam.

  4. Sorry, I haven’t had time to read these articles, but from what’s written above, this sounds like one more excellent reason for people to switch en masse to real operating systems with better security records than that of Windows.

    Am I wrong?

    1. this sounds like one more excellent reason for people to switch en masse to real operating systems with better security records than that of Windows.

      Windows is a rat-infested house of cards.

      That said, phishing scams are OS-agnostic. A big area of growth here is iTunes accounts, apparently.

  5. Of course, banks/financial institutions actively assist in this process by (a) refusing to do some basic things that would help and (b) doing some very stupid things that make it much easier for The Bad Guys.

    Examples: any competent Perl programmer could write a routine in a few minutes that detected an account being emptied (online) and halted the funds transfers. Banks don’t issue cheap hardware crypto tokens (e.g. USB sticks). Banks don’t use technologies like ipdeny. Banks send out mail marked-up with HTML. Banks don’t prohibit use of IE. Banks still have internal systems running on Windows, which everyone knows CANNOT be secured by anyone — not even Microsoft. Banks don’t use passive OS fingerprinting of customer systems. Banks are pushing smart phone applications which are loaded with security holes. Banks are still trying to educate their customers, which is a completely lost cause: customers are very stupid and very greedy and are not educable.

    The whining about this from bankers has nothing to do with the security of customer data or funds: the bankers couldn’t care less about either. The whining is over the costs and hassles to them, which is why all of their efforts to date are not designed to be effective security, but to minimize their losses and inconvenience. It’s security theater, no more.
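The drain-detection routine the comment above says any competent Perl programmer could write in a few minutes, sketched here in Python as an added example; this is not code from the commenter, the post's author, or any bank. The account balance, payees, timestamps, amounts and the two thresholds are constructed for illustration. The rules watch the rate at which money leaves the account rather than any single amount: a burst of outbound transfers within a short window that would empty more than half the balance halts further transfers, and a large payment to a payee the customer has never used is held on its own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    when: datetime
    amount: float   # outbound amount in the account's currency
    payee: str      # destination identifier (constructed placeholder)


# Constructed sample: two routine bills, one small new payee, then a batch of
# wires to never-seen accounts that looks like the account being emptied.
STARTING_BALANCE = 12_000.00
KNOWN_PAYEES = {"landlord", "power-co"}
SAMPLE_TRANSFERS = [
    Transfer(datetime(2010, 10, 15, 9, 2), 1_250.00, "landlord"),
    Transfer(datetime(2010, 10, 15, 9, 5), 140.00, "power-co"),
    Transfer(datetime(2010, 10, 15, 11, 0), 60.00, "bookshop"),
    Transfer(datetime(2010, 10, 15, 14, 11), 2_900.00, "mule-acct-01"),
    Transfer(datetime(2010, 10, 15, 14, 13), 2_950.00, "mule-acct-02"),
    Transfer(datetime(2010, 10, 15, 14, 16), 2_900.00, "mule-acct-03"),
    Transfer(datetime(2010, 10, 15, 14, 20), 1_500.00, "mule-acct-04"),
]


def drain_check(transfers, starting_balance, known_payees,
                window=timedelta(minutes=30), drain_fraction=0.5,
                new_payee_fraction=0.2):
    """Decide allow/hold for each transfer in time order.

    Rule 1 (drain rate): attempted outbound within `window`, held attempts
    included, exceeds `drain_fraction` of the balance the account had before
    that window's spending -> hold this transfer and halt everything after it.
    Rule 2 (new payee): a transfer to an unseen payee larger than
    `new_payee_fraction` of the current balance -> hold that transfer only.

    Returns (decisions, balance_after); decisions is a list of
    (transfer, "allow" | "hold", reason).
    """
    balance = starting_balance
    seen_payees = set(known_payees)
    recent = []          # (when, amount, allowed) for transfers inside the window
    halted = False
    decisions = []

    for t in sorted(transfers, key=lambda x: x.when):
        # Forget transfers that have aged out of the sliding window.
        recent = [r for r in recent if t.when - r[0] <= window]

        if halted:
            decisions.append((t, "hold", "halted"))
            recent.append((t.when, t.amount, False))
            continue

        allowed_in_window = sum(a for _, a, ok in recent if ok)
        attempted_in_window = sum(a for _, a, _ in recent) + t.amount
        balance_before_window = balance + allowed_in_window

        if attempted_in_window > drain_fraction * balance_before_window:
            halted = True                      # stop the bleeding, review by a human
            decisions.append((t, "hold", "drain_rate"))
            recent.append((t.when, t.amount, False))
            continue

        if t.payee not in seen_payees and t.amount > new_payee_fraction * balance:
            decisions.append((t, "hold", "new_payee"))
            recent.append((t.when, t.amount, False))
            continue

        balance -= t.amount                    # only allowed transfers move money
        seen_payees.add(t.payee)
        recent.append((t.when, t.amount, True))
        decisions.append((t, "allow", "ok"))

    return decisions, balance


def run_sample():
    """Run the rules over the constructed transfers; returns (decisions, balance)."""
    return drain_check(SAMPLE_TRANSFERS, STARTING_BALANCE, KNOWN_PAYEES)


if __name__ == "__main__":
    decisions, balance = run_sample()
    for t, verdict, reason in decisions:
        print(f"{t.when:%H:%M} {t.amount:>9.2f} -> {t.payee:<13} {verdict:<5} ({reason})")
    print(f"balance after: {balance:.2f}")
```

Held transfers still count toward the window total because the attempts themselves are the signal: the first mule wire is held as a large payment to a new payee, the second pushes the half-hour total past half the balance and trips the halt, and the rest are blocked without further scoring. Given the post's description of Zeus rewriting what the customer sees in the browser, a hold like this is only useful if the bank confirms it over a channel other than the compromised session; the thresholds here are illustrative and would need tuning per account to keep false holds on legitimate bursts, such as payroll, tolerable.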

  6. Banks don’t prohibit use of IE.

    I’ve seen quite a few online banking systems that don’t promise to work on anything but IE.

  7. Thanks for the response, Ushao; nice to know someone around here cares.

    But, I’m confused–what did you glean from that link that constitutes a “downside”?

    If you’re saying that the historically resonant symbol of “40 acres and a mule” means something other than what I think it means, and/or that it shouldn’t have the kind of historical and contemporary resonance for many African Americans that it does, you’re wrong.

    And if you, like, are telling African Americans in general (or rather, “freeloading black people,” to use Cracked’s terms) that one of their communal symbols is wrongheaded, well, you’re a particular kind of wrong, a particularly nasty kind of wrong.

  8. Well mainly that the symbol people generally take it as is wrong. How it’s always been described is misleading and how some people use it is pretty terrible. I agree that the term they used to describe them was technically right but the spirit of it was bad. It was used to describe a very particular set of people not black people in general. I’m not the bigot you may be thinking I am, I’ve got enough minorities in my blood to be a category by myself and my wife is Native American (who definitely got the shaft).

    I’m also one of the few Texans who already knew the Alamo has a completely different meaning than other people think despite the propaganda.

  9. Ushao, I get the “Hey, I can’t be racist cuz I have dark friends!” part of your comment (which is not to say that I think such a claim is to your credit), but not the evasive vagueness in the rest of it.

    Who, for instance, uses what in terrible ways?

    And btw, I’m not talking about you and what you may or may not be; I’m objecting to the obnoxious, trivializing title of the OP and to the ill-informed “correction” that you linked to at that ultimate arbiter of historical accuracy,

    I’m also one of the few Texans who already knew the Alamo has a completely different meaning than other people think despite the propaganda.

    Different things have different meanings from different perspectives. Whatever the specifics of the broken promise of “40 acres and a mule” actually were, the concept itself has remained sharply salient among black Americans because it signifies a long and detailed history of broken white promises and smiling white-liberal hypocrisy.

    1. Millie: Are you saying that it’s not relevant that the promise of 40 acres and a mule was made by a single (notorious) general in a specific wartime situation rather than by the federal government at large? Are you saying that making the distinction is racist?

      I, for one, thought that the 40 acres and a mule promise was made by the federal government. I think that most of the people who bring it up as a symbol of “broken white promises” believe that too. The fact that it was only a promise by Sherman, and that it was not made with any intent to make reparations for slavery, changes the significance quite a bit, in my opinion – and I don’t think saying that means I don’t like black people.

      If much of your dismay is in reference to the use of the word “downside” by the OP, then I would suggest that you would be equally upset had he said, “upside”. Either one can be read badly. He probably didn’t need the judgmental term in either case, but reading the comment, it doesn’t look to me like it’s anything other than a convenient way to start the sentence on a quick post. In other words, I think you’re reading racism where it didn’t exist.

  10. The first is that our guys don’t have good relations with Russia and other countries that are knowingly harboring the worst criminals.

    The worst criminals live in the United States of America, and their lieutenants are the people you are talking about.

    The majority of “cybercrime kingpins” live in Florida and California. Exploiting the jingoistic nationalism that dominates the 21st century developed world is part of their standard procedure. These people run truly global criminal enterprises. They typically recruit code monkeys in Russia and Eastern Europe, and they use local hit men to dispose of coders that know too much or have outlived their usefulness.
