William H. Magill on Mon, 8 May 2000 13:44:41 -0400 (EDT)



Re: [PLUG] Computer Crime Talk


>   I am used to giving presentations to law enforcement and have had to try
>   to develop this from scratch.  I was wondering if anyone had any areas
>   that they would like me to cover in my talk.  Topics that would be
>   beneficial to you in the private sector.  I can't talk specifically
>   about how we conduct our investigations, and being a newbie to Linux I
>   won't be able to offer any real insight to Linux security.  Any
>   suggestions would be appreciated.
>
Do you mean "Computer Crime" or "Computer Security?"

The two topics are not very related.

Lots of directions you could take the title.

Computer crime implies the use of a computer in the commission of a crime.
(Sorry, I don't consider SPAM a crime. Annoying, but not a crime.) 
Although, they don't call them "Automobile Crimes" when someone is killed
by one in an automobile crash -- they are called "accidents." 
So what does "computer crime"  mean?

Computer Security nominally has to do with preventing someone from doing
something to your computer. And PLEASE - don't try to include "anti-virus"
in the realm of Computer Security -- C2 material it ain't. You could dissect
the Orange Book (and put all but 3 people to sleep) if you want to get
serious about Computer Security. 

Computer Crime and Computer Privacy -- now there are two much more closely
related topics.

Computer Privacy goes directly to the identity issues directly related to
the anonymity desired by the criminal. (Ha! And you only thought you were
projecting personal privacy when you used that anonymous re-mailer.)
Just consider the flap when Intel proposed providing machine readable
serial numbers on their chips! Sun and others have had them for as long as
I can remember. And then there was Microsoft's "information page" in Word
documents.

Stealing Credit Card numbers from CDnow gets lots of headlines, but that's
a privacy issue - CDnow failed to protect the privacy of their customers'
information. One could call it a computer security issue, but it is much,
much more than that. CDnow simply failed to comprehend or otherwise
implement sufficient business practices to control the privacy of their
data. They failed to follow "common industry wide security practices." 
But "legally" a "Crime" was perpetrated AGAINST CDnow, so it is up to the
tort lawyers in civil court to prove how negligent CDnow was. Similarly, 
HMOs and Insurance companies routinely share your medical histories via
Computer -- Is that a Crime or a Privacy issue? Some things are crimes
against Society, but are not "Legally" prosecutable because they are not
"against the law."

The I Love You "virus" was clearly a plant by RIAA against Napster -- the
only files it destroys on your system are Mpegs and Jpegs - Mp3 and Video 
files... hmmm. Is that a crime? The Philippine authorities, last I heard,
couldn't get a search warrant because no laws had been broken.

So define, what is a "computer crime?"
or maybe, how do you go about committing one?

Did you "borrow" your friend's copy of some piece of software?... Uh Oh,
you have committed Software Piracy -- that's a prosecutable computer crime.

Rhetorical Question - Is "Computer Crime" - "Context dependent?" 
Yes, simply because the American Legal system is a technical system.

Did a website request "personal information" from you and then sell that to
a third party without your knowledge or consent-- like the State of
Pennsylvania does with your Driver's license information (including photo)?
Both of those are clearly invasions of personal privacy which could not
have been perpetrated without the use of a computer, a behaviour which most
"right-thinking" (not just "Ditto-Heads") folks consider criminal... except
that neither activity is "against the law."  

Then there IS the Napster battle -- Intellectual Property Rights --
frequently referred to as Copyright issues.

The Federal Court rules that MP3.com violates Copyright law - suddenly the
"common carrier" statutes which ISPs have hidden behind become a lot less
shielding if that ISP happens to also provide "content" aka a portal.

Then we can get into PKI and Digital Signatures -- techniques to
authenticate that a given "entity" (not a person) "signed" something.
(Biometrics might guarantee you that a given person really did do
something, but a PGPkey doesn't. A PGPkey only guarantees that the
computer was present at the scene of the accident -- doesn't give you a
clue about who was driving it.)

Computer Crime has nothing to do with Hacking. Never has and never will.
Cracking maybe. Without Hacking, Linux and the entire "Internet Software"
concept would not exist - period. (I avoid using GNU or "free software"
terms here.) Without Hacking, the ARPAnet itself would never have
germinated into the Internet as everyone knows it today. Sorry, Al, but
"the Net" is older than you are. Trying to break into systems or networks
is not hacking, it's cracking. Hacking is "thinking outside the box,"
fixing those things that are broken because the vendor never will, or
adding features that the vendor never even thought of.

Law Enforcement vs Private sector - no difference in the Computer Crime
area, other than the fact that the Private sector is probably about 4 or 5 
years ahead of the Public sector in this area. Law Enforcement only knows
what they get taught by the Private Sector. "Gum Shoe" persistence is
about the biggest difference -- Law Enforcement tends to stay interested
in the trail much longer than the private sector does. In many ways, "Law
Enforcement" is severely restricted, proscribed and otherwise prohibited
from many things which are routine in the private sector. Electronic
surveillance is done all the time by firewalls and other similar software.
However, only in the Private Sector. That kind of global sweep is
proscribed for "the authorities."

Oh yeah, Don't forget Law Enforcement's best friend -- backup! 
Please do your backups regularly, so that those files you erased can be
obtained from your backup tapes. (See, doing backups IS a "good thing."
What's good for Ollie North and the White House, is good enough for you.)

So pick a direction, the "computer crime" topic is wide and deep. (And
everybody has their own expectations and definitions. There is no
"consensus" view.) 

...or, you could always just read excerpts from the "Cuckoos Nest"
        or "Buckaroo Banzai vs the World Crime League."

-- 
                        www.tru64unix.compaq.com
                              www.tru64.org
                             comp.unix.tru64
                        
T.T.F.N.
William H. Magill                          Senior Systems Administrator
Information Services and Computing (ISC)   University of Pennsylvania
Internet: magill@isc.upenn.edu             magill@acm.org
http://www.isc-net.upenn.edu/~magill/

______________________________________________________________________
Philadelphia Linux Users Group       -       http://plug.nothinbut.net
Announcements - http://lists.nothinbut.net/mail/listinfo/plug-announce
General Discussion   -   http://lists.nothinbut.net/mail/listinfo/plug