"Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com> wrote:
Alan is right in pointing out that we should not overestimate
Sure it is very clever to set up 3-tier botnets. Our intervention
center discovers a lot of very clever stuff.
But no, these guys are not half as smart as they think they are.
It's a common fallacy to "romanticise" criminal activities. News
programs describe "daring robberies", and "skilled attacks". Movies
have exciting teams of interesting people working closely together in
a well-coordinated and professional manner.
In reality, criminals aren't as professional or exciting as the
popular media portrays. They're often losers who can muster up the
gumption to stick a gun in someones face, or break a window, but they
can't hold down a steady job, or interact well with others.
We shouldn't make the same mistake when describing spammers. The
skills required to set up a spam operation cannot compare to the
skills required to operate and maintain an ISP, or other legitimate
These guys can do stuff that is amazingly complex one minute and
then something really really stupid the next.
They make these mistakes for the same reason they chose to engage in
criminal behavior: certain psychological characteristics. Few
non-criminals, or non-spammers share those characteristics.