Infosecurity
Today’s net.wars (at NewsWirelessNet or at home) is My Weekend in Second Life and explains why I think SL is going to be increasingly important (rather than the fad a lot of people dismiss it as).
In the midst of it there is a brief digression to yesterday’s InfoSecurity conference, which I wanted to talk a little more about here.
First, in connection with geek ghettoes: the professionalism panel made it plain that the “geek ghetto” isn’t *enough* of a ghetto any more, at least in the terms of these infosec professionals. There is this to be said for geek ghettoes: when they are small and tight and the culture is close-knit, everyone knows who can be trusted and who can’t. In a world full of badly understood technology, there is a lot of efficiency in that. There is, of course, also a lack of diversity, and as a result you get things like software designed by people who think WordPerfect’s DOS commands were intuitive. The solution under discussion was to create a trusted third party - a professional body that would endorse credentials, screen members, etc. This is of course how we manage doctors, lawyers, and many other professionals. But the most interesting suggestion was that infosec professionals could gain their infosec-cred by working in the public sector, only moving on to the private sector after they had sufficient endorsement/expertise/qualifications/credentials. Should government be in the business of endorsing security professionals?
The second thing was the hacker panel, which “Watching Them Watching Us” attended. I was amused that the organizers got a big audience for this panel by advertising that the participants’ names were being withheld “for legal reasons”. As it turned out, everyone except WTWU, who went as “Mark”, gave their full names and tolerated being photographed, and the only one with sufficient cracker-cred to have been prosecuted was the only one the journalists all recognized: Gary McKinnon, currently trying to avoid being extradited to the US. (McKinnon seemed to have been terrified by his lawyers out of saying anything much.)
In that panel, there were a few things of note:
1) Government statistics with respect to their own systems are not getting better. The latest US audit found that under 4% of penetration attempts were detected, and under 1% sparked any action.
2) Outsourcing contributes to the problems by increasing the number of players.
3) There were 71 successful prosecutions under the Computer Misuse Act between 2001 and 2005, and 36 failed ones (figures do not include Scotland). Number of foreigners ever extradited to the UK to stand trial for computer crimes: zero. By comparison, there were 81,121 crimes committed in London last year. There are of course computer crimes that are prosecuted under other laws.
4) The move of high-tech crimes into the Serious Fraud Office has made it harder to report computer crimes and has made investigators more remote.
5) The Crown Prosecution Service needs to be educated out of prosecuting people like Daniel Cuthbert (spyblog.org.uk has the details of that one).
6) Police chiefs are not rewarded for the number of phishers etc. they catch, but rather for the number of burglaries, etc., they solve. One proposal was that if everyone sent every phishing/scam/fraud message to the police for a month the police might begin to see our problems as something big they should be handling. (Mark again, considering launching it on spyblog).
wg

April 29th, 2007 at 3:09 pm
I suppose that does raise the question of what the responsible net user can do to help the police with their enquiries. We could send them to the police. But this would be in the expectation that they’re not interested, and that we’re being vexatious to prove a point rather than constructive. I suppose an alternative is we could forward them to some open source central service which thus quickly recognises a database of spam or phishing attacks. I think there are such things - do they work?
May 2nd, 2007 at 5:37 pm
CERT, eg? Seems to. But if known security people have trouble getting the ear of the people tackling high-tech crime what chance does a new, unknown organization have?
wg