Exaggerated Cybercrime | TechSNAP 54

Exaggerated Cybercrime | TechSNAP 54

We bust some Cybercrime propaganda, give you the scoop on a fresh openSSL vulnerability, and answer a common audience question.

All that and much more, on this week’s TechhSNAP!

Thanks to:

GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Limited time offer: $5.99 .coms, up to 5 domains! just use our code 599com7

Want to save money on your entire order? Use our code spring7 and save 15%!


Direct Download Links:

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

Support the Show:

Show Notes:

OpenSSL Vulnerability

  • Two developers from the Google Security Team found a flaw in OpenSSL and contributed the fix
  • The flaw affects all versions of OpenSSL before 1.0.1a, 1.0.0i or 0.9.8v
  • Official Announcement
  • Full Disclosure
  • The vulnerability is in the way OpenSSL handles DER encoded data, which can cause a heap overflow and memory corruption
  • CVE Entry

US Unhappy With Australians Storing Data On Australian Shores

  • The US trade representatives specifically took issue with statements by the Australian Department of Defence, which has been making negative comments about various cloud providers based outside of Australia, implying that “hosting data overseas, including in the United States, by definition entails greater risk and unduly exposes consumers to their data being scrutinized by foreign governments.”
  • The issues first arose when the AU government started considering storing data in the cloud
  • The privacy commissioner raised many concerns about the security of the data in foriegn hands, and also the governments inability to legislate against foreign service providers
  • More coverage

    Cybercrime massively over reported, statistics totally unrealistic

  • Some reports claim that losses due to cybercrime could be as much as $1 Trillion US Dollars
  • Most cybercrime estimates are based on surveys of consumers and companies, and are very unreliable
  • Normal statistical polling for opinion questions, such as seen with political polling works well, however the same method does not work for questions related to a value, because there are no negative values to cancel out the statistical outliers when then get extrapolated resulting in a large upward bias
  • In a 2006 survey of identity theft by the Federal Trade Commission, two respondents gave answers that, when extrapolated to the entire population, would have added $37 billion to the estimate, dwarfing that of all other respondents combined
  • Numbers are also exaggerated by the same pool of gullible and unprotected users being repeatedly targeted, which leads to diminishing returns, however the unreliable statistical models do not take this into consideration


Q: Simon asks about running multiple servers behind a single IP address


  • NAT may be the best answer, especially if you need NAT anyway for the 3 servers to connect out to the internet in the first place
  • You can forward the traffic using something like ‘balance’ or ‘HAProxy’, however the disadvantage to this over NAT is that the internal machines will see the source IP as the LAN IP of the internet facing machine, whereas with NAT they will see the original source IP address
  • For web traffic HTTP (80) and HTTPS (443), you can use nginx, and apache mod_rpaf to pass the original source IP to the internal apache server(s)
  • FreeBSD’s IPFW firewall has the ‘forward’ command, however this does not rewrite the headers of the packet, so the server that receives the forwarded packet needs to know what to do with it

War Story:

Mike sends in his own IBM war story:

After hearing so many war stories from the Other Other Alan, I decided to add one of my own IBM war stories.
I’ve been a contract employee from IBM since 1997. Early in 2000 I and 4 other guys were assigned to a new Network Operations Outsourcing Center. The basic idea was that we four would perform network operations for customers, small/medium businesses external to IBM. Our first customer was a textile company with facilities scattered across the continental US from Georgia to California. IBM sales sold the company a package of software, hardware and services which included IBM Tivoli and Netview monitoring that we were to use to do our monitoring and maintenance of their network.

So, as was always the case back then IBM had specialists who would go out in the field and perform installs and configuration for the customer (in this case us) and then we would be responsible for maintaining it. The initial install took nearly a week with a couple of days of training. Now imagine all the oohs and ahs as all this was running on three HUGE IBM Netfinity 5500 Quad PIII Beasts running Windows NT server and the technicians were explaining all the bells and whistles including event correlation and intelligent discovery. Two days after they left, the database crashed. Well we couldn’t be down with no method of monitoring the customer’s systems. So we took an old copy of “What’s up Gold” and installed it on the only spare hardware we had, a Thinkpad 765. So, as IBM repeatedly sent out technicians to fix one thing or another with the Tivoli environment, or the Oracle database from Hell, we chugged on for an entire year monitoring 40 odd NT servers and an equal amount of network hardware…from a little old pentium 166 laptop, while untold thousands of dollars worth of software and hardware sat almost unused until it was disassembled at the end of the contract.


Question? Comments? Contact us here!