On Sat, 2004-08-07 at 09:41, Jeff Kinz wrote:
> On Fri, Aug 06, 2004 at 11:00:15PM -0400, Fred wrote:
> > On Fri, 2004-08-06 at 11:52, Jeff Kinz wrote:
> > ...
> > > That said, however, definitely file a report with the Police or FBI.
> > > Adding more numbers to that category of crime will raise the budgetary
> > > value of enforcing those laws at all levels and so eventually law
> > > enforcement will get more resources to follow up, but only if we report
> > > the crimes.
> >
> > The last thing I would want to see is the FBI or the Police grow
> > *stronger* from stuff like this. They are bad enough as it is.
>
> I understand concerns about taking liberties with liberty, but you
> hurt yourself in that area too, by not reporting these crimes.
> By reporting these crimes you help generate data that raises these types
> of crimes' importance in enforcement mindset, which will eventually
> result in resources being allocated away from taking "liberties with
> liberty", (if that is your concern), and putting them into tracking
> down attackers. (It is understood that these two areas are not
> totally exclusive.)

There have been so many problems with the FBI, ATF, and other law
overenforcement agencies in the past we must be wary of giving them even
more power if we can only do the *simple steps* to protect ourselves
first.

Recall Operation Sundevil -- where the FBI raided many homes and seized
many computers -- all because of a silly 911 administrative document
that was available via mail order for not even $50 to anyone who wanted
it? Or what happened to Steve Jackson Games over a role-playing game
that the FBI "thought" was "a handbook for cybercrime?" -- I've actually
taken a look at that RPG myself, and only a moron could think it had
anything to do with *real* cybercrime.

The allure is that the FBI will "protect" us, give us a "sense of
security", and yet even though they are a bit brighter than they were
since the Steve Jackson days, they are still not too bright.

The plain truth is -- and especially in the case of *real* cybercrime --
they *cannot* protect us, and they only offer a false sense of security,
if even that much. YET, the extra power they would get they will
ultimately use it against *us* down the road.

The roving wiretap bill they snuck in under the radar screen gives the
FBI the power to tap nearly all your communication on the sole basis of
a mere "suspect" entering your home. And they can do this without
knowledge to you. And that was before 9/11. Funny thing is, they did not
use their power to stop and prevent the real tragedy, even though they
were fully aware of truly suspicious activities afoot. But they would
bag you or I in a heartbeat if we were to show up on their radar.

> > All in all, I wonder if there is anything meaningful to do to stop such
> > attacks, other than securing the system. If the script kiddie lives
> > across the street, maybe. If he lives on the other side of this planet,
> > probably not.
>
> The same technology which makes it easy for a script kiddie to attack
> across the globe with ease can eventually be leveraged to track them
> down anywhere on the planet. "Script detectives".

It can only lead to the node they launched the attack from, not so much
to the actual perpetrator, unless said perpetrator is so stupid as to do
this from his or her home or place of work or other easily trackable
venue.

> This leveraging,
> combined with international agreements (some already in place) on cyber
> crimes will eventually make it possible to prosecute such global script
> kiddies. This won't discourage the professional cyber criminal who is
> actually stealing money much, but it should significantly reduce the
> number of casual incidents which simply deface or disable a site,

No it won't. That is the hope, but not reality. Law Overenforcement
would lead you to believe that so you can give them the extra power they
crave. Well, they'll take that power and do nothing to help you, but may
use that very power against you in the future.

> All reputation is local. If a person is identified as a cyber criminal
> on the internet, their geographic neighbors can become aware of their
> proclivities. Especially if an effort is made to transmit information
> about their activities to those geographic neighbors.

Do you think, say, law enforcement in Russia, would care so much about a
script kiddie who attacks a site in the United States? Maybe I'm wrong,
but I have a hard time believing they would really care. Like, what's in
it for them to care about someone attacking their former enemy?

> ("Madam Google, knows all, tells all, please put $2 in the box.")
>
> In most communities that will result in some damage to their local
> reputation. (In a few others it may enhance it, of course).
>
> Eventually, due to the speed and ease with which this info can reach
> local neighbors and have a person identified to his/her real community
> as a criminal. That can cause a change in behavior after a few examples.

You are thinking by Western (really, US) standards of law enforcement
and community relations. One cannot assume the rest of the world
operates the same as we do or would even have the same concerns.
Besides, the efforts it would take to get some local police in some town
near Moscow to go after a suspect would be great, and again I am not
convinced they would care.

> > The chances said attacker is local is quite remote. Probably some bored
> > person in Russia or South Africa or Taiwan or who knows where.
>
> The chances the attacker is any particular place is quite remote. The
> chances that they are local is biased by the fact that the USA has one
> of the largest bodies of computer users on the globe. Distance is
> pretty much irrelevant. Access to an internet cnxn is what matters.

Local, of course, for matters of legal jurisdiction. Unless the US has
an international treaty with the country in question over this matter, I
just don't see much happening without exerting a greater effort than
it's worth.

> > > If they are not local, the community which they live in is probably
> > > interested in knowing who they are and what they do as well.
> >
> > location. Perhaps he did it anonymously at an Internet Cafe somewhere --
> > tons of them in Europe and other parts of the world, and *no security*
> > on most of those systems whatsoever. An attacker could very easily stick
> > in a floppy or cdrom and upload his attack not leaving a trace.
>
> This does not prevent them from getting caught:
> http://www.linux.ie/pipermail/ilug/2004-April/013049.html

Fetching story indeed. It is nice they caught the spammer in this case,
but that recalls the drug busts in this country -- they get so tickled
they bust someone with drugs with a "street value" of $millions, but
fail to acknowledge it does *nothing* to stem the influx of drugs, let
alone clogging up our prison system with legions of non-violent and
victimless offenders.

But the drug bust story makes good copy. As does the "I fought the
spammer." One down, 100,000 more to go, and 100 more to replace this
one. Oh, they didn't mention that in the story. Darn.

> > > Also - would you consider putting up a honeypot? If they attacked once,
> > > they may try again and it would be much easier to find out who it is
> > > if a honeypot is active.
> >
> > Maybe, but why waste the effort? Just secure the system so it can't be
> > compromised again.
>
> hmmm - "We shouldn't try to identify attackers." ? Interesting
> philosophy. I wonder ......

It's a cost vs. benefits issue. What does it cost to identify the
attacker, locate him, bring him to justice? And what are the *real*
benefits when there are a hundred more looking to replace him?

Now, what does it cost to secure the server so that no script kiddie can
get in in the first place? And once done, you don't have to worry about
it again for some time.

In the first scenario, you have lots of cost in time, money, and
aggravation. Benefit is zero -- aside from a *feeling* of
vindictiveness. In the second scenario, the costs may well be as
substantial, but the benefits are far more solid.

Which, pray tell, do you choose? Unless you have time and money to burn
doing both scenarios, how do you choose?

> > It's a Wild, Wild, Wild Internet. Despite the problems with viruses,
> > worms, DoS attacks and spam, I like the fact that it is still free and
> > wild, despite the best efforts of governments and corporations.
> > Let's seek technological solutions to protect ourselves, not legalistic or
>
> Any solution will HAVE to be technological, but technology alone will
> not be sufficient. We will need to use police type agencies to do the
> actual apprehension and prosecution.

Just like they do in the so-called "war on drugs?" The US has 25% or so
of the world's prison population -- most apparently are in for drug
related charges -- yet drugs *still* flock into this country by the tons
annually. And now we want the same mess in cyberspace? I would think
not!

The technological solution is our *only _real_ option*. The legal/law
enforcement option is only an *after the fact* measure that may actually
make the problem worse, as now those who love a challenge of not being
caught will be lured into cracking.

History has taught us -- and painfully so -- that "cracking down" does
little to deter crime, and actually may enhance crime rates, as
"violence begets violence." Even the threat of medieval torture did not
stop crime in the past. What makes anyone think that today's much softer
forms of "deterrence" will be any more effective?

> That's what we pay them for after
> all. The folks on this list may be up to securing their systems on
> their own, but the general public is not.

Blame Redmond for the travails the general public is going through now.
And I will flat out state that no level of "crack down" will deter those
who write viruses and spew forth spam and crack systems. It may feel
satisfying to catch the occasional cracker who slips up and cut his
balls off, but it will do nothing to stem the real problem, and if
anything it could make it worse. For sure it will drive these types
further underground and force them to become more creative at not being
caught.
Yet we may see innocent legit users of the technology wrongfully put in
jail, etc., simply because law enforcement and law makers have no real
understanding of the technology, not to mention the technology changes
far more quickly than they are able to keep up with.

On the other hand, we can -- if we wish -- lead the "general public"
into implementing effective technological approaches to protect
themselves, the easiest out of this is to simply not use Outlook and IE.
And perhaps if someone can come up with a decent Linux distro, we can
get them not to use Windows, either!

--
Fred -- [EMAIL PROTECTED] -- place "[hey]" in your subject.

There are inflows and outflows -- and you're just a little node.
Know then, what transcendental sets have you.

_______________________________________________
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss