Slashdot Log In
F-Secure Calls For "Internetpol" To Fight Crimeware
Posted by
kdawson
on Sun Oct 19, 2008 08:53 PM
from the you'll-have-to-come-with-me-sir dept.
from the you'll-have-to-come-with-me-sir dept.
KingofGnG points out F-Secure's Q3 2008 security summary, in which its Chief Research Officer Mikko Hypponen proposes establishing an "Internetpol," an international organization empowered to target and root out cybercrime anywhere in the world. Hypponen gives examples of why such a supernational force is needed — and these are not hard to find — but provides few details about how such an outfit could get started or how it would work. He does mention the wrinkle that in some countries malware writing, cracking, spamming, and phishing are not illegal or not prosecuted. Is an Internetpol even possible, let alone practical?
Related Stories
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
What kind of crime would it fight? (Score:5, Insightful)
I can see some use for this, but I fear like most things it would go after political dissidents and copyright infringers rather than actual criminals. Generally speaking I don't want the government to have /more/ power.
Re: (Score:2, Interesting)
You forget that this wouldn't be "a government". For it to function you'd have to have cooperation with ALL governments around the world. And while it's just fine and dandy and even desirable for the US to have this kind of no-borders-drawn approach, it would be give-and-take. Meaning if the other countries can't refuse demands made by the US to turn over citizens or whatever, then the US wouldn't be able to turn down it for other countries.
Of course they would always claim "sorry it's against our constitut
Re: (Score:3, Interesting)
Cooperation isn't required. All they need is common ground to allow common ideas through. The common ideas are what is best for people in power and how to maintain power over the people they rule over.
All governments around the world have hierarchical power structures. People who go into political power seek power over other people, in other words, they seek to dictate terms to other people. Seeking to dictate term
Re:What kind of crime would it fight? (Score:5, Insightful)
Whats wrong with simply using Interpol to fight cyber crime? As I understand it Interpol is mostly a co-ordination and information sharing organization used by local police forces to tackle crimes that exceed national boarders. Isn't that exactly what is needed?
Come to think of it, Interpol IS used to target these kinds of crime if all governments involved thinks it is evil. Online child porn for example - and from what we hear on the news, this is kind of successful, with arrests and convictions internationally, so whats the problem?
Perhaps the intention is to target "crimes" in a country where it isn't a crime, and the local government is not very sympathetic. An "international organization empowered to target and root out cybercrime" could well shut down Pirate Bay for example.
Parent
Re:What kind of crime would it fight? (Score:5, Insightful)
I share the feeling, but I'm sick and tired of receiving all the attempts to socially engineer their way into my bank account or similar, or get me to click on some malware, and no matter how obvious these things are, sooner or later they work ( How often have you clicked on "yes" instead of "no" just to make the stupid window go away, or had a poppup pop up just under where you're about to click?)
They don't need an internetpol - they just need the police.
The problem is that the police don't like dealing with it. It's too hard to understand and they don't get paid enough and they have to deal with stupid paperwork anyway because some kid got caught painting logos on someone's wall, and now some idiot computer user is calling saying "My bank account is being hacked, help me" and the poor cop can't even cope with getting his own email to work, let alone working out how to reverse engineer some genius hacker's work to help some lady who talks like she's on crack and doesn't know why her bank account is empty... And it's the fifth time this morning...
So to fix it, the police department need to get serious about computer crime and just simply establish a department that can deal with it... And keep them separate to fix the issue, and not be a part of the group that deals with local computer crime, etc.
Just one person per state who understands technology at a basic level (eg, like most people who read this forum) is enough.
And then this one person can spend some time networking with cops from around the world (heck, send them to some junket in a hotel once a year so they can meet all the others... Maybe blackhat or something) and then knows how to apply the laws correctly and how to go after these people...
And THEN the problem starts to get fixed.
Ranting aside, I know how the situation works. I've been on the prosecuting end of several cases, in which I did the legwork. I tracked down the evidence, and prepared a one-page brief for the police involved, including details on the exact crime committed, the evidence, who has the evidence and the phone numner to call to get it.
If you give the police a target they can understand, they usually are more than willing to take the case on.
When I last did that, they even sent a raiding party and siezed the guy, his computer and everything else within hours of my sending the details. They had a written confession out of him within two hours!
Most people who are still feeling the umbrage of having been owned don't understand this and it's not suprising the police don't want to help, especially when they don't know where to start.
My experience is that the existing laws are usually sufficient. It's the will and knowledge to implement them that are lacking.
GrpA
Parent
Re:What kind of crime would it fight? (Score:5, Informative)
No, 'the police' really can't deal with a lot of it. As soon as it crosses city lines, your local police won't touch it. As soon as it crosses state lines, it gets handed off to the FBI, who seem simply unable and unwilling to prosecute anything below a massive threshold, and seem chronically unable to charge people with the crimes they actually did commit, and tries to leverage people as 'informants' to get the 'big fish'. So they accomplish nearly nothing. Wire fraud should really be the Secret Service's jurisdiction, but they're less interested than the FBI. And when it goes international, as many of the phishing frauds do even if they're actually run from the US, then none of them will touch it.
So what it takes is an agency _willing_ to prosecute. The Secret Service could legally take on a lot of it, but after burning their fingers with the Operation Sun Devil and the resulting Steve Jackson case that led to the creation of the EFF, they seem pretty reluctant to even try.
Parent
Re:What kind of crime would it fight? (Score:4, Interesting)
You're thinking of the events that were detailed in "The Hacker Crackdown" aren't you?...
I'm not saying your wrong, but please re-read my post. I'm saying that a lot of the time, the police are expected to do this because it's their job, except they don't know where to start, which leads to the situation that they can't actually be certain it *is* their job. So they don't do anything.
It doesn't matter if it crosses state or even federal or international lines...
Only committing crimes in another state from your home state is an old trick to avoid the attention of law enforcement. It only works for a while - the police know how to deal with this.
Imagine this. Someone in your state is breaking the law. You report the details to your local police. They arrest them.
Now consider - Someone in another state is breaking the law. You report the details to *their* local police. They arrest them.
See the difference? You can achieve that without being a police officer - but it does knowing who to contact and what to tell them. Giving them an IP address isn't enough. What they are looking for in *evidence* of a crime they can understand. Send them details of which crime is being broken, so they don't have to work it out themselves, and they know it's something they are responsible for.
Speak to their ISP in advance, explain the situation, get the ISPs contact person and let him know his local police will be in contact to collect the evidence. Most ISPs will co-operate that far - to wait for a request from the local police for information.
Learn about evidence collection. Learn what police need to do their job.
That makes all the difference in the world.
And it is the local police's job to do this. Are you some multibillion dollar exec? No, well how can you seriously expect the secret service to do this for you? Seriously?
Do you think I go and call ASIO (I'm in Australia) or ASIS everytime I find graffiti on my car?
Finding my computer's been hacked is no different. Just because they employ people in secret intelligence organisations who understand the situation doesn't make it their problem... You're a small victim, that's what the local police are there for.
GrpA
Parent
Re:What kind of crime would it fight? (Score:5, Interesting)
You've apparently not dealt with the police nor the laws on fraud, because you state:
> It doesn't matter if it crosses state or even federal or international lines...
This is amazingly wrong. As soon as it crosses the borders of your local police force's jurisdiction, they *must* escalate it to the authority that covers both jurisdictions, or they have little hope of getting a prosecution. This is from my direct experience with spammer and phishing fraud, and DOS attacks against systems I've dealt with. The local police on each end say 'oohhhh, we can't do that' and pass it to the FBI who completely ignore it. This is with names, dates, times, places, and a careful list of exactly what records they need to subpoena to collect the evidence for conviction. The local police on each end simply will not act.
And I expect the Secret Service to do this, for example, because they are the enforcement arm of the US Treasury: fiscal fraud is what they do (or are supposed to do). Guarding VIP's like the President was added to their responsibilities in the 19th century, but their role as fiscal agents is older, and it remains part of their charter.
Parent
Re:What kind of crime would it fight? (Score:4, Interesting)
Yes, I have dealt with federal matters, and it's amazing how the same issues that affect whether or not police will take on your complaint occur at all levels.
I did speak to the federal authorities. I did track down the people whose task it was, and I found out what they needed.
It's a bit like chinese whispers. "I can't do anything if XXXX doesn't do their job." They will tell me that, but they won't tell XXXX directly. (XXXX Being a person, agency, official, whatever). I became the "connection" between them, relaying commitments.
So I did the rounds, learned what they required (specific only to my case) and got them all to agree to what was basically an open-ended commitment. THe problem is that they couldn't discuss anything with me - since they all recognized I had no authority and privacy laws got in the way, but wouldn't start bothering their counterparts to request help, because they couldn't tell their counterparts what was going - they didn't know how to.
However, I could get them to commit to speak to XXXX, if XXXX was prepared to help, so I called *all* the XXXXs and explained the situation, and sent the details through to all of them. The XXXX's were Federal Police, State Police and Telecommunications Regulations Enforcement authorities.
Once I had them all committed, I simply became the "co-ordination" point for the exercise. I learned everyone else's role and broke the task down and sent the appropriate information to each person that was relevant to their job.
The result? As soon as they realised I had handed them a case ready to close, with all the contacts agreeing to their role, they moved immediately. The whole thing took about an hour.
In that case, I had made a slight error with regards to the law that was broken, and they called me back to let me know they couldn't actually prosecute and were helpful enough to provide additional information I needed to know to close that loophole with the way my network was set up ( Guest access can be a real issue - if you let people in, proving tresspass is impossible ).
They also provided a committment to back me up in the future if it ever happened again.
True to their word, they did the next time and I caught the guy. He was prosecuted successfully, although the next time, it was local, so I didn't need to coordinate as many people.
So please, consider my point. You need to co-ordinate *everyone* and make sure they know you have a reasonable chance of prosecution and that you've lined up your ducks, or they won't get involved.
It's no different for a cop doing that job. They need to get everyone involved too. Basically they still have to go through the same process.
Most people will do their job and help you if you remove all the obstacles first. In a perfect world, they would move their own obstacles as well, but hey, if it's your problem and affects you, it's up to you to decide how committed you are to solving it.
GrpA
Parent
Re: (Score:2)
We ought to have a poll to see how many of us have read that. Some time ago I found a small, yellow paperback copy tucked away in my library and read it, and then I find out that it's practically required reading in geek-land.
Re: (Score:2)
It's a stupid idea.
On the one hand, I wish they would pass me the bong/crack pipe they're smoking from, on the other hand, I can laugh at systems that are most vulnerable to attacks like this, on the gripping hand, recall that it was Microsoft that popularized the long discredited idea of executing anything coming across a wire.
The sad thing is that something like this appears to be more or less inevitable.
Re: (Score:2)
Well what do you expect from the geniuses who invented autorun?
Re: (Score:2)
It's a reasonable point. More what I'm asking for is that laws be either enforced:
A) Equally regardless of the law. If it's on the books enforce it
B) Proportional to the damage it causes.
It's like going after people swapping kiddie porn instead of those making it (I recognize there is huge overlap and you often catch the first while chasing the second). I see laws intended to stop the viewing of child porn, but what I want to see is laws preventing the exploitation of children.
Of course you do have a point.
One World Government (Score:5, Insightful)
No, don't write me off as a NEW WORLD ORDER!!!! guy.
Interpol is dangerously close to a one-world-government type deal. If you're into "global democracy" and the entire world under one flag, then an international police on the internet is probably no big deal to you.
But if you're afraid of big, monolithic governments as much as I am, then you'll be deathly afraid of any international police body, as Internet Police isn't just a bad idea, it's also a very dangerous slippery slope to be treading on.
Still not convinced it's not a good idea? A lot of nations have insufferable politically-correct speech laws. Germany, for example; there they censor politically undesirable viewpoints (yes, Nazis, but if you believe that freedom of speech of the individual transcends whatever the masses may think...) and in Australia, they censor games like GTAIV and other 'socially undesirable' expression.
And maybe some people aren't bothered by that. Some people think, "hey, if some majority accepted that, then tough luck for the minority, democracy prevails!" but I am just not one of them and I'll never be comfortable with governments treading on individual freedom whether a single ruler or the many stepping on them.
Re: (Score:2)
Replace "Interpol" with "InternetPol there, I mistyped.
Re: (Score:2)
I think the wisest words ever written in a code of law were when the US Constitution stated that anything not specifically allowed by that Constitution was not allowed for the Government to legislate upon.
Government is much more powerful than an individual citizen, therefore i
Re: (Score:2)
Re:One World Government (Score:5, Insightful)
Interpol is dangerously close to a one-world-government type deal. If you're into "global democracy" and the entire world under one flag, then an international police on the internet is probably no big deal to you.
Yeah, look, sorry, I can't disagree more. Interpol is not remotely close to a one-world-government deal at all. Those guys are lucky to be able to help a handful of governments catch a handful of criminals when all parties want them in prison.
/. seems to have missed as the "oh gawd, the government is after my rights" folks jumped right out onto the bandwagon here first. Think about these tasks that I would love to see internet police on the case for:
While I think that an "internet police" is a laughable idea in that it would be impossible to unify all the countries with access to the internet under one police umbrella, I think doing so could have some fantastic opportunities that
1) Spam.
2) Spam.
3) Trojans on websites
4) Browser Hijacking
5) Fleecing through fake Paypal/Bank/Money websites
I am aware that point one and two may look the same, but I feel it would be in most people's minds enough to warrant those two places. If I could have a "report this as spam" button in my email client and know that it would actually go somewhere to someone to do something, man, that would be a sweet thing indeed. What's this? A website that opens a bazzilion popup windows and refuses to let me close my windows? BAM! Hit that police button right there!
Come on slashies, have a look at some of the positive possibilities here. Don't make me have to use a car analogy!
Parent
Re: (Score:2)
Gee, if people knew for certainty that only the really heinous things would be enforced, and that nothing shady or anathema to people's rights would happen, then sure, nobody would oppose it.
But this is fantasy land, utopian idealism. Saying "See, well, it's not supposed to work like that..." doesn't matter. "The road to Hell is paved with good intentions" and all that. Just because it is *supposed* to work great and follow a certain protocol does not always mean it will. Hell, my country, the USA, does
Re: (Score:2)
The counter to this of course is that in representative democracy vote-buying is the most important thing. Which means that things that are good for the country overall, but unpopular, are a lot less likely to happen around election time. You can argue of course that if it's unpopular it's not good for the country, and that's a valid argument. But when massive amounts of money are spent on vocal minority groups to buy votes, I don't see how that's representative of the majority at all. Which isn't to say th
Re: (Score:2)
And I say, even listening to the majority is not a good thing. It's not inconceivable to imagine a situation, past, present, or future where the masses, through their own stupidity or bigotry, want to oppress harmless people for something stupid, perhaps "practicing witchcraft" in the past or something.
Nothing really works "well", not a democracy, not a republic, not a monarchy or dictatorship, highly unlikely even anarchy. Everything is a system of tradeoffs. This is why we cannot have one government an
Re:One World Government (Score:4, Insightful)
The 'one world government' lip fart is a distractive ruse designed to debase thinking that effects all of us. It's a distraction that goes back in origin to the John Birch Society, a ultra-radical right-wing batch of people that also aided the anti-flouride rouse, tried to impeach Earl Warren, and so on. It's a BS contention that's carefully calculated to debase the thought of international controls.
Parent
Re: (Score:2)
Well, if you sympathize the idea of a single world government or view it as possibly positive, just say so! No need to hide behind any ad hominems or guilt-by-associations!
Re: (Score:2)
1) Every human on earth is an equal citizen of the world with a right to education, freedom and peace.
2) The third world wouldn't be kept in perpetual debt for the benefit
Re: (Score:2)
I agree in spirit that everyone should have an education, and that people should (voluntarily) make that happen, but I do not agree with the idea that it is a "right" in the sense that people have a right not to be murdered or so on. It's obvious where my political leanings are; however, I just think that these things people really should have just shouldn't be within the same scope as the entity that enforces the laws. I don't think the means justify the ends, even though I really and truly do agree with
Re: (Score:3, Interesting)
Let's start with this one:
1) Every human on earth is an equal citizen of the world with a right to education, freedom and peace.
Oh, really? What will that 'educaton' be? And what kind of 'freedom'? Freedome to drink alcohol? An education that teaches that the Q'uran or the Bible or the Talmud are the ultimate reference? Freedom for women to wear a chadoor in class, even in a public school, or freedom to practice clitorectomies on girls for religious reasons?
Freedom is too tricky to trust to a single overrid
Re: (Score:2)
2) The third world wouldn't be kept in perpetual debt for the benefit of the first world.
[citation needed]
Re: (Score:2)
2) The third world wouldn't be kept in perpetual debt for the benefit of the first world.
[citation needed]
Are you kidding? Fine.
Citation [tni.org]
Quote from the link:
Debtor countries have deprived their people of basic necessities in order to provide the private banks and the public agencies of the rich countries with the equivalent of six Marshall Plans (the programme of assistance offered by the US to Europe after the Second World War). Have these extraordinary outflows served to reduce the absolute size of the debt burden? Not a bit: in spite of paying out more than $1,300 billion between 1982 and 1990, the deb
Re: (Score:2)
Re: (Score:2)
Do you have anything besides ad hominems?
Re: (Score:2)
And you say, "garbage in, garbage out". Since I was responding to your post, I'd suppose that it was your post that was the "garbage in?"
Re: (Score:2)
Nevermind, wrong person.
Re: (Score:2)
The one-world-government rubric is in a way, hate speech, and is designed to polarize. International governance is something quite different. That the US refuses to participate in international laws of many kind, and uses world trade onerously, I'd say that the rubric has infected many, perhaps yourself.
As far as ad hominems are concerned, the fact that I speak directly to your character as a seeming defender of rightist inflamatory diatribe, seems to disturb you. If I'm wrong about that, I apologize, but I
Re: (Score:2)
No, it would be a completely useless thing. Spam comes with forged headers, remember ? And even if it didn't, it would simply trace back to some poor bastards hijacked machine, rather than the spamming mastermind.
Re: (Score:3, Interesting)
You are not a tin foil hat guy, trust me.
Countries have established law against computer crime. An internetpol is not required. The fact that F-Secure is asking for one is quite suspicious to me. You would think they would be in the forefront of telling the police where and who the bad guys are. Maybe they're just jockeying for a fat global contract?
More law enforcement is not needed, more security is. The problem is insecure OS and software platforms, insecure operations processes and policies, insecure us
Re: (Score:2)
Lets just go full tilt into asshatteriness: Make it a capital crime to have an insecure pc operating in your house or under your control. That will ensure it all stops... right?
You might be on to something here ... but instead of a capital crime of the consumer, make it affect the ISP. If someone's is *detectably* (i.e. they don't have a decent firewall) running a computer that is easily compromised, limit their internet link to the ISP's personal network. All HTTP requests go to the same webpage with the following (translated into marketing-speak of course): "You are an idiot. Fix your computer."
Re: (Score:2)
Interpol is dangerously close to a one-world-government type deal.
Don't worry. Just jot their names on the sheets i'm going to give to you, and they'll mysteriously die from heart attacks.
Sincerely,
Kira.
P.S. Do you know the Shinigami who likes apples?
One World Acronym (Score:2)
"Interpol is dangerously close to a one-world-government type deal. If you're into "global democracy" and the entire world under one flag, then an international police on the internet is probably no big deal to you."
UNATCO [wikipedia.org]
Who cares? (Score:2, Insightful)
Is Interpol even relevant? I mean, the only thing I ever know that even mentions Interpol are those stoopid warnings on DVDs. If Interpol has essentially become a copyright enforcement organization, then who even cares?
If this were to happen (Score:5, Funny)
They should wear uniforms made from lycra, wear bright red codpieces and a cape. That much power should come with a high level of public humiliation.
Re: (Score:3, Funny)
Why do you hate Cory? http://xkcd.com/239/ [xkcd.com] ;)
What ye sow, so shall ye reap (Score:2)
The Attorney General's Office in Washington, United States, and Microsoft recently announced that they are filing new lawsuits targeting scareware purveyors. One of the cases is against James Reed McCreary IV, who is accused with sending incessant pop-ups resembling system warnings to consumers' personal computers. The messages read "CRITICAL ERROR MESSAGE! â" REGISTRY DAMAGED AND CORRUPTED," and instructed users to visit a Web site to download Registry Cleaner XP.
"Consumers who visited the Web site were offered a free scan to check their computer â" but the program found 'critical' errors every time," said Senior Counsel Paula Selis, who leads the Attorney General's Consumer Protection High-Tech Unit. "Users were then told to pay USD 39.95 to repair these dubious problems." Microsoft has said that 50 percent of its customer support calls related to computer crashes can be blamed on spyware.
F-Secure notes that Registry Cleaner XP is just one of the increasing number of rogue security applications which also include Antivirus 2009, Malwarecore, WinDefender, WinSpywareProtect and XPDefender.
Um, maybe if Microsoft hadn't "innovated" the long discredited idea of execute anything downloaded over a wire, this would never have been a problem?
Re: (Score:2)
Problem isn't execution, problem is access. If I run whatever code the net gives me, I should have fine-grained control over what that code can touch on my computer. That's not yet well implemented on any OS. Don't say SELinux or ridiculous modifications to the Windows user/file access rights are 'well implemented.' No, I mean that by default, I should be able to install a program that thinks it has administrator rights, see what it does, and then say, "Gotcha, you're gone." and delete it.
Re: (Score:2)
If I run whatever code the net gives me, I should have fine-grained control over what that code can touch on my computer.
You have been brainwashed. The Real World has never worked that way. No matter what Microsoft has told you.
SafeTCL (and later Java) tried to do sandboxing, but ...
You have only a big ON/OFF switch of which the only sensible setting is OFF. No amount of marketing either from Microsoft or Sun will EVER make it safe.
Re: (Score:2)
Let's not forget the id10t behind the keyboard that has to click on yes for it to actually run.......
Let's not forget that it was the idiot behind Microsoft Windows 95 that made this an industry standard long after the idea had been discredited.
What could possibly go wrong? (Score:2)
... or I'll digitally sign a ticket! (Score:4, Funny)
you babies (Score:2)
Re:We've already lost (Score:4, Insightful)
If you fire rifles at US soldiers in Afghanistan, you stand a small chance of ending up at Gitmo. Statistically, you have a better chance getting a 5.56mm sucking chest wound in the process.
No one ever ended up in a military detention facility for l33t haxor5 that don't involve military targets or v1@gra spam.
We've lost because Americans prefer creature comforts and speach-codes over liberty; social security and medicare over limited government as a social contract to secure life, liberty, and property. And no one will rebel, because they are dependent on the system. Thomas Jefferson tried to warn you.
Parent
Re: (Score:2)