Q&A With FBI's Cyber Division Chief

At the end of the Black Hat hacker convention in Las Vegas a week ago Thursday, I had a few minutes to sit down with James Finch, head of the FBI's Cyber Division. What follows is an excerpted Q&A from that discussion, in which Finch describes himself as a serious geek who refuses to be spooked by organized cyber criminal gangs that target online banking customers and other 'Netizens.

Q: I see you've got a nice MacBook Pro there. Are you a pure Mac user?

A: No, I am not. I raised my daughters on Windows machines, but my 4-year-old son, I'm raising him on a Mac. I just bought him an iMac. I prefer flavors of Unix over Windows.

Q: Which flavors?

A: Well, I'm running SUSE, Fedora 9. I don't spend as much quality time with these operating systems as I used to.

Q: So what does the director of the FBI's cyber crime division like to do in his spare time?

A: Build computers, learn new operating systems. One thing this job doesn't give me enough time to do is spend quality time with my computers. I was a gamer before gaming was cool, playing games like Doom, Quake, Half-Life, [Castle] Wolfenstein. I have quite a few newer games and because of the faster video cards....the last machine I built was a water-cooled video card as well as the processor. In the wintertime, it's great. Keeps the processor cool, but just heats up the room, and I haven't even put the other video card in it to run in SLI mode.

Q: Are you a coder, or...?

A: No, I'm not. I started out as a computer science major in college. Back then, the required courses were Fortran, COBOL, Pascal...all the things that don't exist anymore [laughs]. And, so any programming experience I have is obsolete. I've bought the books to do some self-teaching for Java, but I just haven't had the time to sit down and start picking it up.

Q: So why do you prefer Linux?

A: I just think it's more efficient. To me, it's more powerful. You don't need this huge powerful processor because of the efficiency associated with the Unix operating system. I believe it's closer to how we should be computing. But, you know, it's not to really...I don't want to dismiss Windows, because it's serving a very useful purpose. Because of Microsoft, you have people who wouldn't otherwise be using computers.

Q: Right, but of course part of the problem with the situation we're in right now with botnets and peoples' computers being used for all kinds of cyber crime seems to be a direct result of that.

A: That's true, but my thought is, they shouldn't have to be so concerned. It's kind of like driving. There are those cars that really require a lot of attention because they have safety issues. But you can drive them without any real concern of anything happening. People shouldn't have to be concerned about someone stealing their information, but then the Internet wasn't created with security in mind, and unfortunately before we connected everything to it, all of our information to it, governments...military, we should have ensured that it was secure. Instead, we jumped right in there headfirst, and now it's too late.

Now, we have a foundation that is what I consider...I don't want to say unstable...but not prepared for the level of use that it is currently receiving, and it is the ideal environment for what I consider people selling snake oil solutions. And I don't mean that in a bad way, but when you offer security on the Internet, how much permanence is there? If you're talking strictly information security, I come in to sell you border routers, intrusion detection and intrusion prevention devices, and I tell you that this will help you secure your system...but for how long? Until a hardware or software vulnerability is discovered in one of those appliances? And that's another issue. If we can't secure the applications, where you should start out with security in mind...but there's so much rush to market and pressure on those creating software.

Q: Do you do online banking?

A: Yes, I do.

Q: How long have you been doing that?

A: Maybe ten years?

Q: And you don't get freaked out by what you see every day? I certainly do.

A: Yeah, so does my wife. I do online banking. I pay my bills online. I file my taxes online. I truly believe in the Internet. Do I believe it's a scary place? Without a doubt. I'm in law enforcement, and I run the cyber division for the FBI. I don't want to say that I'm so intimidated by the bad guys that I am going to allow them to dictate taking full advantage of what I consider to be the benefits of the Internet. Yes, there are people who are targeting online bank accounts on a regular basis, but not to the point where it's going to cause me to stop using it.

Q: There are some people who say the threat from cyber crime, the financial threat and threat to our economy, that this is over-hyped. What do you think?

A: I don't think it's over-hyped. The Internet works the same for everybody, bad guys included. If you take the time to understand the Internet, let me tell you there aren't many things you can't peel back and look behind. Whether that requires decrypting encryption or undermining some of the safeguards we have, there's a way to do it.

A lot of people just don't take the basic precautions, or don't know how to take them. Many people just don't have the level of knowledge needed to safeguard themselves. The bar is raised every day. So how do you as a common user keep up with the necessary safeguards? How do you configure it? Should I let this in or not? Who's going to know unless they have some basic information security knowledge.

Q: The financial industry has taken heat from some people, who say the industry as a whole is not doing nearly enough to help protect customers from having their accounts taken over online. The perception is that the banks are very good at counting costs, and they know that as long as the fraud costs stay below a certain threshold, then there is no financial incentive for them to adopt more secure methods. What do you think?

A: Well, I really can't speak to that because, see, that's a business. And I think, as with any business, if they don't offer a service that is attractive, they will cease to exist. It's a competitive environment. The banks that are doing more...I'm sure they will see the benefits of their actions in a competitive market.

Q: I'm curious if you're at all concerned that -- the U.S. financial institutions -- by waiting until some magical pain threshold is reached, that the banks aren't somehow encouraging...well, an industry that needs no encouragement? In other words, are you concerned at all that by the time the banks get around to rolling out new anti-fraud systems, that they will have allowed these cyber crime groups feeding off the low-hanging fruit to become far fatter, wealthier, more powerful and organized than they are today?

A: That's a business decision. And do I believe that waiting will cause more harm? I think that would be a pretty hard label to place on that industry. The decision I would make as a law enforcement official...might not be based on a cost-benefit analysis. For example, when I look at the resources the government uses to apprehend just one person, or one organization that might consist of 50 people? From a business perspective, would that sort of activity be beneficial? In a lot of cases, businesses might not say that's worth it.

The banking industry has done a lot to safeguard its position. However, as I have said before, the skill set of those who are out to do harm to those systems...their skill set increases fairly quickly, and it's something the banks and most other industries connecting to the Internet have to consider.

Q: I think in your talk yesterday you said you manage about 500 to 600 cyber agents?

A: Yeah, it fluctuates.

Q: Any luck recruiting here?

A: We don't really make too much of an effort to recruit here. My purpose in being here is to provide the FBI cyber perspective. That said, we are always looking for employees that meet our requirements.

Q: Is the older age and current skill set of the cyber agents you have...is that a concern for the FBI in facing today's cyber threats?

A: We're getting some really bright people coming in. Frankly, what I'm very happy to see is we're getting people who were raised on the Internet. Raised in an environment that is not foreign to them, and so trying to play catch-up is not an issue. It's a part of their existence. To them, it's no different from an MP3 player or any other piece of technology. Rather than looking at traditional methods, they are looking at technology solutions that can be applied or overlaid onto the traditional methods. And a lot of these problems require a technology solution, and so it's not a struggle for them. They understand those solutions. They understand how the Internet works behind the curtain. They understand DNS, ARP, proxies, and so they get it. That's refreshing to me.

Q: Do you see there being an evolving approach to some of the techniques the FBI teaches in how to go after today's cyber criminals?

A: Well, not really, because many of the techniques are using standard network tools. We apply those in the same way a systems administrator would apply those tools.

Q: I'd like to hear about some of the ways the FBI is evolving to keep pace with cyber criminal gangs. Can you talk about--

A: First of all, one of the things I try not to do...and I've asked this of several reporters...I said how many bad guys do you interview who tell you their techniques so that it helps us catch them.

Q: Well, actually, quite a few.

A: But, you would prefer to put our techniques out there so that they can avoid being caught? It doesn't seem very patriotic. It doesn't seem like the right thing to do.

Q: Sure, but maybe you could talk about any innovative ways that the FBI is using to go after--

A: Brian, we have to adopt innovative ways of doing what I believe the public expects us to do. And that is to apprehend those people who have violated our electronic communications laws. In terms of being very detailed in how we do that, I don't think the public would appreciate us letting the bad guys know. I often times wonder why the press tends to put these tactics out there, and then it's cloaked as, well, the public has a right to know.

Q: Can you give me an example of what you mean there, or of the last time that happened?

A: You mean, computer-related? Child exploitation-related? Terrorism-related? I'd have to sit down at my computer, but I'm sure I could pull up numerous examples. I know it's a job you guys do, and I have no problem with that. I know the press often gets things out there that we want people to know. But there are times when the press will get things out there that really don't help our cause when it comes to making the world a safer place, making the Internet a safer place.

Q: At the "Meet the Feds" talk at Black Hat yesterday, someone raised a question that I wanted to follow up on. It speaks to the issue of how we tackle cyber crime that originates from other countries. The common perception is that we're not getting terribly good cooperation from similar authorities in Eastern Europe and Russia in particular, and I'm curious whether--

A: Look, I've had good cooperation from most countries we've worked with. I really have. To include those...countries people believe we really don't get good cooperation from. Now, I'm not sure why, and I don't really know if people believe that -- that we're not getting the cooperation that we need. I have...I've traveled to various parts of Eastern Europe and Romania to set up task forces there, and I've made arrests in intellectual property cases with the Chinese.

Q: Well, since you mentioned these intellectual property cases, I wonder if you think it would be helpful to build in some kind of cyber security component into treaties we have with other countries, as we have done with intellectual property and software and so on?

A: One of the things I get real concerned about is...the point, shoot, aim type of action when it comes to writing certain clauses into various agreements. I don't want to get into the State Department's area or the Justice Department's area, but because we are at what I consider to be the infancy of the Internet...we're veering into a point where a lot of things will be Web-based, we're probably going to see some things that will make us probably regret acting too quickly in terms of writing things into trade agreements.

Q: But what's the harm there? Is it maybe because it might make it easier to extradite U.S. citizens accused of cyber crimes against other nations?

A: Well, when you start talking about trade agreements, and look at the state of our economy right now, there's a reason why we have much of our manufacturing right now outside of the United States. If you make that difficult, I'm not sure that will be a good thing in the long-term for our economy.

Q: Should the federal government be doing more to educate people about how to use the Internet safely?

A: Why is it that people always turn to the government, saying the government should be doing more? Brian, wait a minute. Is it the government's fault? Is that what you're saying?

Q: No, I'm asking a sincere question. Do you think the government has a bigger role to play here in educating people in what they need to do and the attitudes they should adopt in order to stay safe online?

A: I think the government...if you look at the various agencies and the type of outreach they have, I think the government is doing a fairly good job of reaching and making people aware. Take, for example, www.lookstoogoodtobetrue.com, or www.ic3.gov, those are public awareness sites. Other agencies have public awareness sites on cyber. What do you want, the government to teach classes? I mean, the number one criticism in many cases is that the government has overreached, they're reaching into our privacy, into our lives, they're interfering too much. Well, what more do we do than to try to make people aware, provide them with a place to go if they believe they've been harmed on the Internet. We can't force people to become more aware.

Q: On the other hand, it does seem like the whole Web 2.0 evolution could be helping law enforcement, what with people putting so much more information about themselves out on the Internet. Is that helpful to your job? Are you finding the abundance of information on social networking sites and so on becoming useful in investigations?

A: The Internet has made information in general more available. Is it easier to find certain things now? We were generating intelligence and finding things long before the Internet. The Internet becomes just another tool. Does it make it easier? I don't know I would say that. Just means there's one more available source of information.

Q: It appears that a huge number of people committing crimes are doing so through botnets and distributed proxy and anonymization networks. Can you talk about the challenges that development poses and how the FBI is addressing it?

A: Well, botnets do create an identification problem. It's a challenge. Reason being, you have computers that are unwittingly being used to commit crimes, and so when the owner of the computer doesn't know his or her PC is being used to commit a crime, it makes it difficult...well, you can't go after that person for that crime. If the attempt is to put someone out of business and going to execute a DDoS [distributed denial of service] attack against a business....

Q: Is DDoS a crime you're seeing a lot more of now?

A: Actually, no. It's kind of like buffer overflows, in programming. We used to see a lot of buffer overflows. But now, software writers and intrusion detection systems are protecting against those things, so we don't see much of that. DDoS? We still see some DDoSing, but not as much as we used to.

Q: Are there threats you see emerging that keep you up at night? Or is it more of the same old stuff?

A: Peer-to-peer botnets are becoming more prevalent, like Storm and Kraken. A lot of these are being created so that they avoid detection by anti-virus software, so they're hiding better. For the average user, if their anti-virus can't find it, then they don't have the background to delve deeper into the operating system to detect it.

Q: What about Operation Bot Roast? That's ongoing, no?

A: It is, yes.

Q: Can you talk about some of the ongoing actions in that?

A: Well, no, I can't. But I can tell you that it's far from over, because bots are evolving. It used to be IRC command and control, now it's predominantly peer-to-peer command and control, and botnets are now much more resilient.

Q: Do you get a sense that...just going back to the online banking question, that the problem is-

A: ...You know this article....now they're going to hack my account because of what I've said here...

Q: [Laugh]. But you're not worried about that, right?

A: You know a couple of years ago, my acting (director) came home and found his bank account had been cleared out.

Q: Really? Have you ever been the victim of cyber crime?

A: Don't put that in there!

Q: No, seriously.

A: No, I haven't.

Q: You're joking, right? I don't think I know anyone who hasn't had his credit card compromised at some point.

A: Well, I had one time a couple of years ago, one of the major banks reported to me a server was compromised and my card number might have been compromised, but I never saw any unauthorized activity as a result of that. If I was victimized, it wasn't noticed.

Q: I've been spending quite a bit of time recently at various online forums that cater to identity theft and all kinds of cyber crime, and one of the things that is very hard to ignore is that the bad guys appear to be using online gambling sites to launder their stolen credit cards. I know the Justice Department has long asserted that this activity was going on, but what are you seeing in this regard?

A: I don't really want to talk about this area too much, because I don't want to risk compromising any ongoing investigations we may have. I can tell you, however, that we have suspected money laundering through online gambling for some time now. And that's all I can really say about that for the time being.

Q: Someone told me you were getting close to retiring. Any idea what you'd like to do when you retire?

A: I would like to work in information security. Hopefully, for a company providing information security. It wouldn't bother me to have both information and physical security because I believe the two have to work hand in hand to provide an overall solution.

[We are interrupted by a passerby who engages Finch in a conversation, and our interview ends shortly thereafter].

By Brian Krebs  |  August 18, 2008; 11:44 AM ET

Comments

A little scary that the FBI cyborg chief thinks that Linux is a flavor of UNIX. Yes, Linux is UNIX-like by design. No, it is not a flavor of UNIX. Solaris, IRIX, Tru64 are flavors of UNIX. MacOSX is a flavor of BSD. Linux is Linux. It's a technical and trademark distinction, but I should think someone in his position would at least be aware of it.

Bk, you really don't know anyone who hasn't had his credit card compromised? Really? I only know a few who have.

Posted by: antibozo | August 18, 2008 12:33 PM

I'm "spooked" by his answers; seems like he's clueless.

Posted by: RK | August 18, 2008 12:57 PM

antibozo: You're just picking nits.

After all, this is the Washington Post, not some technical forum like one of the Ziff-NET properties. One cannot probably expect the typical Post reader to have any appreciation for (or even understand) the nuanced differences between UNIX and Linux, let alone between any specific versions of either.

Let's be honest, calling Linux a flavor of UNIX might be viewed from a lay perspective as referring to some form of compatibility. Which I would further venture to guess most (lay) people would take to mean taking a program (binary executable) from one environment and running in another without rebuilding (i.e., no compilation).

From this standpoint, not even all UNIXen may be considered compatible with each other, nevermind compatibility between any two versions of Linux.

Lighten up. No one cares.

Posted by: anti-antibozo | August 18, 2008 1:19 PM

"Back then, the required courses were Fortran, Cobalt, Pascal..."

I think "Cobalt" should be "COBOL".

Posted by: PSolus | August 18, 2008 1:40 PM

@PSolus -- haha! Gotta love spell checkers. I'll fix, thanks.

Posted by: Bk | August 18, 2008 1:51 PM

Two comments based on Mr. Finch's statements.

1. "There are people who are targeting online bank accounts on a regular basis, but not to the point where it's going to cause me to stop using it."

Brian - I agree with Mr. Finch's rationale to conduct online banking, in spite of the threats that exist. I appreciate your healthy paranoia and your refusal to do banking online, but short of a global financial meltdown, online banking is here to stay. I think you might give it a shot, as a computer security columnist, so that you can at least stay on top of the issue as a regular online banker yourself. When you tell us that you refuse to bank online, period, it tells me that you're not engaged in the activities that many tech-savvy people do every day, and that your advice on how to deal with online banking issues may not be as grounded in our reality as it could be.

2. However, when Mr. Finch says that greater oversight of consumer transactions by the financial industry is "a business decision," I think he is mistaken. Financial corporations should definitely take greater responsibility for the security of their consumers' financial information. The "wait-and-see" attitude can have serious implications for consumers who get ripped off in the meantime. The time and effort needed to recover your financial identity is tremendous for individual consumers. The chances should be minimized whenever possible, even at the expense of corporate bottom lines.

Posted by: SSMD | August 18, 2008 1:54 PM

Anonymous Coward> From this standpoint, not even all UNIXen may be considered compatible with each other, nevermind compatibility between any two versions of Linux.

I think you just disproved your own point. Nicely done.

I acknowledged the technical nature of my observation when I wrote, "It's a technical and trademark distinction, but I should think someone in his position would at least be aware of it." As I pointed out in the same sentence, regardless of what "lay" people might think, I would expect our cyborg overlords to understand the difference. That Finch appears not to is evidence for concern. That's all. I didn't claim that every lay person should understand it--just that the people at the top of the organization that supposedly fights piracy should.

Anonymous Coward> Lighten up. No one cares.

The Open Group does. And it's rather arrogant of you to presume to speak for everyone, isn't it?

And really--take responsibility for your words and use your own moniker, not some cheap derivative.

Posted by: antibozo | August 18, 2008 2:16 PM

No one mentioned the presumably mistaken reference to the "Cobalt" programming language. I guess that proves the point: it really is a dead language.

Posted by: Terry Wrist | August 18, 2008 2:17 PM

Dang - I waited just long enough for someone to disprove my point. That's what I get for trying to multi-task rather than my usual laser-like focus on goofing off.

Posted by: Terry Wrist | August 18, 2008 2:19 PM

@Terry: Someone did mention it actually, and it was my mistake, not Mr. Finch's.

Posted by: Bk | August 18, 2008 2:20 PM

One of the hilarious side issues in the California budget crisis is the governor's order to reduce the pay of state employees. The State Controller has refused to do so; among his many reasons is the problem that the payroll is done in COBOL and there aren't enough programmers of COBOL to make the changes needed to reduce paychecks. For more info, there are several articles about the COBOL problem in today's SacBee.com.

Posted by: JBV | August 18, 2008 2:46 PM

@SSMD,

Great points, thanks for writing. Bear in mind that, at least in this post, I didn't say that I avoid online banking; I just said I get a little freaked out by what I see everyday happening to other people who bank online.

I used to swear off banking online completely. Nowadays, I do check one of my account balances online, and the wife and I have even recently paid a few credit card bills with some online bank transfers. We still don't do online bill paying, per se. But of course I buy things online using a credit card (not debit card) nearly every week.

Posted by: Bk | August 18, 2008 3:02 PM

This guy isn't a trained geek. He's an agent who climbed his way up the ladder. Think of him as management. He doesn't really have a strong understanding of what he is managing, just another agent really. A more interesting interview would have been to talk to the agents who do the work. They might have been able to answer some of those questions James excused away as 'can't talk about that because of security issues'.

Look, he's been a geek for 2 years.

'In 2001, Mr. Finch was appointed as Assistant Special Agent in Charge of the Knoxville Division, where he assumed management responsibility for all investigative and administrative programs. In 2003, Mr. Finch was promoted to Inspector at FBI Headquarters, where he was responsible for managing the inspections of FBI field offices, FBI Headquarters divisions, and FBI Legal Attaché offices outside the United States.

On November 25, 2004, Director Mueller selected Inspector Finch to be Special Agent in Charge of the Milwaukee Field Office.

On May 5, 2006, Mr. Finch was designated Assistant Director, Cyber Division.'

Posted by: tom | August 18, 2008 3:24 PM

@ JBV

Dude, that is hilarious.

Posted by: Edsger Dijkstra | August 18, 2008 4:19 PM

For everyone who thinks COBOL is dead - try your last phone bill from any major telco, your last electric bill from any DC area power company, your last water bill from any DC area water supplier, your last mutual fund purchase from a very large bank, your cable bill, and on and on...

Posted by: DC consultant | August 18, 2008 4:41 PM

For a partial list of crimes committed by FBI agents over 300 pages long see
campusactivism.org
click on home
click on forum
scroll down to FBI WATCH

Posted by: mafreeh | August 18, 2008 10:20 PM

In response to your question about whether financial institutions (and others, I might add, like software companies) should do more to protect their users, Mr. Finch says: "And I think, as with any business, if they don't offer a service that is attractive, they will cease to exist. It's a competitive environment."

Now this is the more or less standard mantra of the laissez-faire conservative, that the market will correct all problems. But there are many instances where we clearly don't believe that, or act as if we do: we have, just to pick a few examples, the FDIC, the SEC, licensing of MDs and pharmacists, the CPSC, the FASB ... I won't belabor the point further, except to note that even Mr. Finch doesn't seem to really believe it, since he acknowledges in the immediately previous answer that, "Many people just don't have the level of knowledge needed to safeguard themselves."

There may have been a time, in a predominantly agrarian society, where most people could reasonably evaluate most products that they might need to purchase. But we have come rather a long way since the time when a butter churn was relatively advanced technology; and, in a society where peoples' knowledge is inevitably more specialized, some rules to ensure fair play are in order.

Posted by: Rich Gibbs | August 18, 2008 11:26 PM

How can Finch say that people shouldn't be too concerned if their computers are part of a botnet? As the FBI Cyber AD, that thinking is appalling considering the massive amount of criminal activity that is associated with botnets, not to mention the many government computers that are part of botnets (think infrastructure protection/security).

With this kind of thinking, I hope Finch never lands another job in Cyber-anything, in government or private industry.

Pretty poor thinking from the USG's so-called top cyber guy. No wonder the Secret Service are years ahead of the FBI in their investigations.

Posted by: What is Finch smoking? | August 19, 2008 12:32 AM

Does Mr Finch consider the possibility of consenting to your machine being used for criminal activity by friends of yours from a hacking forum....simply because "i will not be prosecuted for that"

Hmm. I wonder.

Posted by: Munyaradzi | August 19, 2008 3:52 AM


I'm in law enforcement on the local level for a town. Every week we get cyber-crime related complaints, most of which we can't investigate because the culprits are from other countries (Canada and Nigeria the leading offenders). The answer HAS to be detection and prevention, because right now there is no chance to prosecute a large majority of the offenders. (And the federal government won't/can't adopt the small, individual cases).

Posted by: jobx | August 19, 2008 9:12 AM

Where do you see in the Q&A that Finch says people shouldn't be too concerned if their computers are part of a botnet? He more or less says they may not know how to even tell, or what to do about it even if they do know for sure.

Posted by: um | August 19, 2008 9:31 AM

Thanks for the great interview, Brian. As a computer consultant, web designer, and blogger at skylarking.us I frequently write about home computer security issues. It's great to hear the words and thought on the subject from someone like James Finch who's out there on the front lines fighting the cybercrime battle. I am recommending all my clients and readers take a look at this article. Thanks again!

Posted by: skylarknetworks | August 19, 2008 10:49 AM

If we can't create policy which requires foreign governments to assist us in forcing their citizens to comply with the laws of our land when they access resources which are part of our government and economy, then we should be flat out blocking the netblocks of those countries. Especially Russia--as the cold war restarts and relations continue to cool with Russia over the issues of Georgia and Poland, how much worse do you think the abuse of our internet resources will get? Imagine if the internet existed during the actual cold war. Would we have blocked the USSR, or would we have had the leverage to pursue diplomatic compliance and extraditions? More likely the former. Clandestine enmity will always outpace open enmity. If a significantly sheltered (or even sanctioned) mass of technologically advanced attackers gains enough political motivation to start REALLY attacking US business and infrastructure, we are going to have some tough decisions to make. Good luck allowing "market forces" to play that one out. Currently the Chinese don't even really hate us, they are merely "competitive" with us, and they attack the living hell out of us. How much worse will it get during the internet era when our true enemies are more technologically advanced than the third world dirtheaps we currently alienate? What if Iran had 100 million nodes and a deep computer science infrastructure? We'd be screwed.

Posted by: Eponymous | August 19, 2008 11:40 AM

The information available to children on TV and net is partly commercial dirt. I'm happy wpost is settled in the US, where freedom of speech is possible and I'm allowed to tell that the eoa, Disney and Tarantino dirt don't help youngsters to make a wealthy legal living by learning by seeing or interacting. Sometimes FBI has to cope with behavior gathered from commercial criminal borderliners.

Posted by: critical bundy fan | August 19, 2008 12:50 PM

"Q: Are you a coder, or...?

"A: No, I'm not... And, so any programming experience I have is obsolete."

Very interesting! Any CS major is a "coder" at heart.

Posted by: coder | August 19, 2008 1:09 PM

#1 Since when is it the government's job or the FBI's job to educate people on how to stay safe? Are we a communist nation? Must we hold everyone’s hand? The best way to get someone savvy on the internet is to let them get taken advantage of. There is no better motivator than losing money.

#2 "many of the techniques are using standard network tools. We apply those in the same way a systems administrator would apply those tools."

- This is the reason that the FBI is the LAST place you should contact to resolve an issue in a timely manner. All hardcore criminals use several layers of security and the FBI wouldn’t have a prayer in catching them. What the FBI DOES DO is go after those that are stupid enough to communicate in Clear-Text or use government encryption to try and protect their stuff.

If you want secure computing, the LAST PLACE you should be taking advice from is the FBI LOL.


Posted by: OGod | August 19, 2008 1:54 PM

Mr. Finch really appears clueless about the amount of fraud going on using the internet and communications systems. I have had my credit cards ripped off 3 times in less than 5 years and I do IT as my job so I understand the tech side. This is a problem that will only get worse because it's so lucrative and the people rarely get caught. The banks have no reason to do something serious about it as long as they can pass the costs back to consumers as fees for "services". I applaud Mr. Krebs for bringing up this issue a number of times during the interview. All Mr. Finch does is sidestep it because he knows there is no fix for it the way things now stand and he doesn't want to admit it.

Posted by: jwh | August 19, 2008 3:35 PM

Everybody thinks that Fortran is dead. Well, it isn't.

Fortran is quite alive, and still used for most big science and engineering computationally intense applications.

The first standard for FORTRAN, as it was spelled then, was in 1966. The standards committee is still at work, and yet another standard will appear later this year or next.

Fortran (as it is spelled today) is very very much alive.

But, what does the FBI know?

Posted by: rchrd | August 19, 2008 6:26 PM

"Back then, the required courses were Fortran, Cobalt, Pascal..."

I think "Cobalt" should be "COBOL".

Posted by: PSolus | August 18, 2008 1:40 PM

@PSolus -- haha! Gotta love spell checkers. I'll fix, thanks.

Posted by: Bk | August 18, 2008 1:51 PM

CS Majors live on Pizza and could probably use a shot of B12 from time to time, but I suppose there is a chance he meant COBAL.

Posted by: GTexas | August 19, 2008 7:04 PM

I spoke with the attorney handling the RICO case in Tyson Foods in Tennessee. He said contact the FBI. I have some information I would like to discuss with the director here in private. I may have the Denver case solved linked to 1 pound of cyanide and a dead Somalian. Please send the request to max1mos111@yahoo.com I have some more digital cell data for review to the director. I may have found a homegrown recruiting effort here stateside led by Somalians in Somalia who link to the closing plant in Maine and the chicken poisonings in Maine, Denver and Ottawa, Canada.

Posted by: Max Anderson | August 19, 2008 8:26 PM

Tom is absolutely correct. Are you SURPRISED? Mr. Finch is a wannabe GEEK. He is an FBI Agent! I was responsible for FBI IT Audits internally for 12 years and inspected all 56 Field Offices many times til 2003 and I never came across an agent who knew the first thing about CS Technology. It always amazed me that the FBI NEVER went outside to hire a first class computer scientist. They always pick an AGENT or a non-geek ex-VP of a tech corp. Look at the track record of the FBI as far as IT is concerned. They continue to fail! Mr. Freeh and then now MR. MUELLER have no conception of information science or how to pick someone who does. The FBI does not have a CYBER Fraud plan. I was not an agent but I knew all the obsolete stuff including Assembly Language, and I know Java. I still loved working for the FBI. The Agents are mostly the greatest!

Posted by: JPR | August 19, 2008 9:16 PM

Excellent Article and excellent comments. I started on a home assembled PC in 1986 with a self-designed power supply with Iron-core transformer and +- 5 & 12V voltage regulator IC. I started with MSDOS 2.1 and BASIC. Now I have Broad Band, XP, Dual Core Video Streaming and Editing. Learnt COBOL, Pascal, FORTRAN, C, C++.

Now I do not need these languages & am only doing net-surfing to collect information and verifying its truthfulness.

Security is always a problem for keeping my computer free from attacks.

Posted by: D CHATTERJEE | August 19, 2008 9:27 PM

As a founder of one of the original Internet Service providers, I think it is good the FBI has a person heading up the Cybercrimes division who is law enforcement, management and has a working understanding of the Internet.

To the naysayers: I say bravo anyway.

I founded an ISP (Internet Service Provider) company in 1993 which I sold in 2003. We had over 13000 subscribers at our peak, and WANs, LANs, SANs, VOIP and video networks long before the general public knew what they were and our own DSL over copper before it was commercially available.

During my "tenure" in the Internet, law enforcement did not have much competence in the area.

IMO, local and state L.E. are generally still clueless when it comes to "sophisticated" cybercrime because they cannot afford to hire the kind of people to solve those crimes. Criminal Justice (psych and sociology) types are not the types to solve these crimes. Using a utility to analyze a disk or a local network may expose the simple "cybercriminal", but not a complex cyber crime. Running pre-packaged tools does NOT require a geek. Almost anyone can be taught how to use a utility as these companies do in a couple of days.

At least Federal agencies appear to be addressing the problems, or starting to at least.

There is a need for more because of the growing problem of "hackers" or script writers.

This is at least a start in the right direction.

Again, bravo!

Posted by: Ed Deppe | August 20, 2008 8:33 AM

Wow. Here's a VERY IMPORTANT DOCUMENT. And look how bozos react. Is there any wonder things are as bad as they are? Wonder no more - read the comments. Bk: great work again. You're outdoing yourself these days. Which is no mean feat.

Posted by: Rick | August 21, 2008 6:53 AM

Common Business Oriented Language, Bk. Grace Hopper. You know her, right? ;)

Posted by: Rick | August 21, 2008 6:56 AM

'but then the Internet wasn't created with security in mind'

Oh goodness. Someone named Finch has to open those history books again - and read them this time.

Posted by: Rick | August 21, 2008 6:58 AM

Wow,

Finch got nasty quick.

Posted by: SeanC | August 21, 2008 12:23 PM

I agree, BK, what's the harm in inserting reciprocal language in international trade agreements that make it easier to pursue cyber criminals? I think his defensiveness on this subject was uncalled for and unenlightened.

Posted by: Pete from Arlington | August 21, 2008 1:18 PM

I thought it was really cool that Finch has a libertarian/free-market bent to him. I was encouraged by that.

Made Krebs look like your garden variety newspaper union Democrat lobbying for a bigger gov't.

Posted by: Sean from Alexandria | August 22, 2008 2:35 PM

The comments to this entry are closed.


© 2010 The Washington Post Company