On Sat, 2004-08-07 at 09:41, Jeff Kinz wrote:
> On Fri, Aug 06, 2004 at 11:00:15PM -0400, Fred wrote:
> > On Fri, 2004-08-06 at 11:52, Jeff Kinz wrote:
> > ...
> > > That said, however, definitely file a report with the Police or FBI.
> > > Adding more numbers to that category of crime will raises the budgetary
> > > value of enforcing those laws at all levels and so eventually law
> > > enforcement will get more resources to follow up, but only if we report
> > > the crimes.
> >
> > The last thing I would want to see is the FBI or the Police grow
> > *stronger* from stuff like this. They are bad enough as it is.
>
> I understand concerns about taking liberties with liberty, but you
> hurt yourself in that area too, by not reporting these crimes.
> By reporting these crimes you help generate data that raises these types
> of crimes importance in enforcement mindset, which will eventually
> result in resources being allocated away from taking "liberties with
> liberty", (if that is your concern), and putting them into tracking
> down attackers. (It is understood that these two areas are not
> totally exclusive.)
There has been so many problems with the FBI, ATF, and other law
overenforcement agencies in the past we must be wary of giving them even
more power if we can only do the *simple steps* to protect ourselves
first.
Recall Operation Sundevil -- where the FBI raided many homes and seized
many computers -- all because of a silly 911 administrative document
that was available via mail order for not even $50 to anyone who wanted
it? Or what happened to Steve Jackson Games over a role-playing game
that the FBI "thought" was "a handbook for cybercrime?" -- I've actually
took a look at that RPG myself, an only a moron could think it had
anything to do with *real* cybercrime.
The allure is that the FBI will "protect" us, give us a "sense of
security", and yet even thought they are a bit brighter than they were
since the Steve Jackson days, they are still not too bright.
The plain truth is -- and expecially in the case of *real* cybercrime --
they *cannot* protect us, and they only offer a false sense of security,
if even that much. YET, the extra power they would get they will
ultimately use it against *us* down the road. The roving wiretap bill
they snuck in under the radar screen gives the FBI the power to tap
nearly all your communication on the sole basis of a mere "suspect"
entering your home. And they can do this without knowledge to you. And
that was before 9/11.
Funny thing is, they did not use their power to stop and prevent the
real tragedy, even thought they were fully aware of truly suspicious
activities afoot.
But they would bag you or I in a heartbeat if we were to show up on
their radar.
> > All in all, I wonder if there is anything meaningful to do to stop such
> > attacks, other than securing the system. If the script kiddie lives
> > across the street, maybe. If he lives on the other side of this planet,
> > probably not.
>
> The same technology which makes it easy for a script kiddie to attack
> across the globe with ease can eventually be leveraged to track them
> down anywhere on the planet. "Script detectives".
It can only lead to the node they launched the attack from, not so much
to the actual perpetrator, unless said perpetrator is so stupid as to do
this from his or her home or place of work or other easily trackable
venue.
> This leveraging,
> combined with international agreements (some already on place) on cyber
> crimes will eventually make it possible to prosecute such global script
> kiddies. This won't discourage the professional cyber criminal who is
> actually stealing money much, but it should significantly reduce the
> number of casual incidents which simply deface or disable a site,
No it won't. That is the hope, but not reality. Law Overenforcement
would lead you to believe that so you can give them the extra power they
crave. Well, they'll take that power and do nothing to help you, but may
use that very power against you in the future.
> All reputation is local. If a person is identified as a cyber criminal
> on the internet, their geographic neighbors can become aware of their
> proclivities. Especially if an effort is made to transmit information
> about their activities to those geographic neighbors.
Do you think, say, law enforcement in Russia, would care so much about a
script kiddie who attacks a site in the United States? Maybe I'm wrong,
but I have a hard time believing they would really care. Like, what's in
it for them to care about someone attacking their former enemy?
> ("Madam Google, knows all, tells all, please put $2 in the box.")
>
> In most communities that will result in some damage to their local
> reputation. (In a few others it may enhance it, of course).
>
> Eventually, due to the speed and ease with which this info can reach
> local neighbors and have a person identified to his/her real community
> as a criminal. That can cause a change in behavior after a few examples.
You are thinking by Western (really, US) standards of law enforcement
and community relations. One cannot assume the rest of the world
operates the same as we do or would even have the same concerns.
Besides, the efforts it would take to get some local police in some town
near Moscow to go after a suspect would be great, and again I am not
convinced they would care.
> > The chances said attacker is local is quite remote. Probably some bored
> > person in Russia or South Africa or Taiwan or who knows where.
>
> The chances the attacker is any particular place is quite remote. The
> chances that they are local is biased by the fact that the USA has one
> of the largest bodies of computer users on the globe. Distance is
> pretty much irrelevant. Access to an internet cnxn is what matters.
Local, of course, for matters of legal jurisdiction. Unless the US has
an international treaty with the country in question over this matter, I
just don't see much happening without exerting a greater effort than
it's worth.
> > > If they are not local, the community which they live in is probably
> > > interested in knowing who they are and what they do as well.
> >
> > location. Perhaps he did it anonymously at an Internet Cafe somewhere --
> > tons of them in Europe and other parts of the world, and *no security*
> > on most of those systems whatsoever. A attacker could very easily stick
> > in a floppy or cdrom and upload his attack not leaving a trace.
> This does not prevent them from getting caught:
> http://www.linux.ie/pipermail/ilug/2004-April/013049.html
Fetching story indeed. It is nice they caught the spammer in this case,
but that recalls the drug busts in this country -- they get so tickled
they bust someone with drugs with a "street value" of $millions, but
fail to acknowledge it does *nothing* to stem the influx of drugs, let
alone clogging up our prison system with legions of non-violent and
victimless offenders.
But the drug bust story makes good copy. As does the "I fought the
spammer." One down, 100,000 more to go, and 100 more to replace this
one. Oh, they didn't mention that in the story. Darn.
> > > Also - would you consider putting up a honeypot? If they attacked once,
> > > they may try again and it would be much easier to find out who it is
> > > if a honeypot is active.
> >
> > Maybe, but why waste the effort? Just secure the system so it can't be
> > compromised again.
> hmmm - "We shouldn't try to identify attackers." ? Interesting
> philosophy. I wonder ......
It's a cost vs. benefits issue. What does it cost to identify the
attacker, locate him, bring him to justice? And what are the *real*
benefits when there are a hundred more looking to replace him?
Now, what does it cost to secure the server so that no script kiddie can
get in in the first place? And once done, you don't have to worry about
it again for some time.
In the first scenario, you have lots of cost in time, money, and
aggravation. Benefit is zero -- aside from a *feeling* of
vindictiveness. In the second scenario, the costs may well be as
substantial, but the benefits are far more solid.
Which, pray tell, do you choose? Unless you have time and money to burn
doing both scenarios, how do you choose?
> > It's a Wild, Wild, Wild Internet. Despite the problems with viruses,
> > worms, DoS attacks and spam, I like the fact that it is still free and
> > wild, despite the best efforts of governments and corporations. Let's
> > seek technological solutions to protect ourselves, not legalistic or
>
> Any solution will HAVE to be technological, but technology alone will
> not be sufficient. We will need to use police type agencies to do the
> actual apprehension and prosecution.
Just like they do in the so-called "war on drugs?" The US has 25% or so
of the world's prison population -- most apparently are in for drug
related charges -- yet drugs *still* flock into this country by the tons
annually.
And now we want the same mess in cyberspace? I would think not! The
technological solution is our *only _real_ option*. The legal/law
enforcement option is only an *after the fact* measure that may actually
make the problem worse, as now those who love a challenge of not being
caught will be lured into cracking.
History has taught us -- and painfully so -- that "cracking down" does
little to deter crime, and actually may enhance crime rates, as
"violence begets violence." Even the threat of medieval torture did not
stop crime in the past. What makes anyone think that today's much softer
forms of "deterrence" will be anymore effective?
> Thats what we pay them for after
> all. The folks on this list may be up to securing their systems on
> their own, but the general public is not.
Blame Redmond for the travails the general public is going though now.
And I will flat out state that no level of "crack down" will deter those
who write viruses and spew forth spam and crack systems. It may feel
satisfying to catch the occasional cracker who slips up and cut his
balls off, but it will do nothing to stem the real problem, and if
anything it could make it worse. For sure it will drive these types
further underground and fore them to become more creative at not being
caught. Yet we may see innocent legit users of the technology wrongfully
put in jail, etc., simply because law enforcement and law makers have no
real understanding of the technology, not to mention the technology
changes far more quickly than they are able to keep up with.
On the other hand, we can -- if we wish -- lead the "general public"
into implementing effective technological approaches to protect
themselves, the easiest out of this is to simply not use Outlook and IE.
And perhaps if someone can come up with a decent Linux distro, we can
get them not to use Windows, either!
--
Fred -- [EMAIL PROTECTED] -- place "[hey]" in your subject.
There are inflows and outflows -- and you're just a little node.
Know then, what transcendental sets have you.
_______________________________________________
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
