William H. Magill on Mon, 8 May 2000 13:44:41 -0400 (EDT)
> I am used to giving presentations to law enforcement and have had to try
> to develop this from scratch. I was wondering if anyone had any areas
> that they would like me to cover in my talk. Topics that would be
> beneficial to you in the private sector. I can't talk specifically
> about how we conduct our investigations, and being a newbie to Linux I
> won't be able to offer any real insight to Linux security. Any
> suggestions would be appreciated.
>

Do you mean "Computer Crime" or "Computer Security?" The two topics are not very related. Lots of directions you could take the title.

Computer crime implies the use of a computer in the commission of a crime. (Sorry, I don't consider SPAM a crime. Annoying, but not a crime.) Although, they don't call them "Automobile Crimes" when someone is killed by one in an automobile crash -- they are called "accidents." So what does "computer crime" mean?

Computer Security nominally has to do with preventing someone from doing something to your computer. And PLEASE - don't try to include "anti-virus" in the realm of Computer Security -- C2 material it ain't. You could dissect the Orange Book (and put all but 3 people to sleep) if you want to get serious about Computer Security.

Computer Crime and Computer Privacy -- now there are two much more closely related topics. Computer Privacy goes directly to the identity issues directly related to the anonymity desired by the criminal. (Ha! And you only thought you were projecting personal privacy when you used that anonymous re-mailer.) Just consider the flap when Intel proposed providing machine readable serial numbers on their chips! Sun and others have had them for as long as I can remember. And then there was Microsoft's "information page" in Word documents.

Stealing Credit Card numbers from CDnow gets lots of headlines, but that's a privacy issue - CDnow failed to protect the privacy of their customers' information.
One could call it a computer security issue, but it is much, much more than that. CDnow simply failed to comprehend or otherwise implement sufficient business practices to control the privacy of their data. They failed to follow "common industry wide security practices." But "legally" a "Crime" was perpetrated AGAINST CDnow, so it is up to the tort lawyers in civil court to prove how negligent CDnow was.

Similarly, HMOs and Insurance companies routinely share your medical histories via Computer -- Is that a Crime or a Privacy issue?

Some things are crimes against Society, but are not "Legally" prosecutable because they are not "against the law." The I Love You "virus" was clearly a plant by RIAA against Napster -- the only files it destroys on your system are Mpegs and Jpegs - Mp3 and Video files... hmmm. Is that a crime? The Philippine authorities, last I heard, couldn't get a search warrant because no laws had been broken.

So define, what is a "computer crime?" or maybe, how do you go about committing one? Did you "borrow" your friend's copy of some piece of software?... Uh Oh, you have committed Software Piracy -- that's a prosecutable computer crime.

Rhetorical Question - Is "Computer Crime" - "Context dependent?" Yes, simply because the American Legal system is a technical system.

Did a website request "personal information" from you and then sell that to a third party without your knowledge or consent -- like the State of Pennsylvania does with your Driver's license information (including photo)? Both of those are clearly invasions of personal privacy which could not have been perpetrated without the use of a computer, a behaviour which most "right-thinking" (not just "Ditto-Heads") folks consider criminal... except that neither activity is "against the law."

Then there IS the Napster battle -- Intellectual Property Rights -- frequently referred to as Copyright issues.
The Federal Court rules that MP3.com violates Copyright law - suddenly the "common carrier" statutes which ISPs have hidden behind become a lot less shielding if that ISP happens to also provide "content" aka a portal.

Then we can get into PKI and Digital Signatures -- techniques to authenticate that a given "entity" (not a person) "signed" something. (Biometrics might guarantee you that a given person really did do something, but a PGPkey doesn't. A PGPkey only guarantees that the computer was present at the scene of the accident -- doesn't give you a clue about who was driving it.)

Computer Crime has nothing to do with Hacking. Never has and never will. Cracking maybe. Without Hacking, Linux and the entire "Internet Software" concept would not exist - period. (I avoid using GNU or "free software" terms here.) Without Hacking, the ARPAnet itself would never have germinated into the Internet as everyone knows it today. Sorry, Al, but "the Net" is older than you are.

Trying to break into systems or networks is not hacking, it's cracking. Hacking is "thinking outside the box," fixing those things that are broken because the vendor never will, or adding features that the vendor never even thought of.

Law Enforcement vs Private sector - no difference in the Computer Crime area, other than the fact that the Private sector is probably about 4 or 5 years ahead of the Public sector in this area. Law Enforcement only knows what they get taught by the Private Sector. "Gum Shoe" persistence is about the biggest difference -- Law Enforcement tends to stay interested in the trail much longer than the private sector does.

In many ways, "Law Enforcement" is severely restricted, proscribed and otherwise prohibited from many things which are routine in the private sector. Electronic surveillance is done all the time by firewalls and other similar software. However, only in the Private Sector. That kind of global sweep is proscribed for "the authorities."
Oh yeah, Don't forget Law Enforcement's best friend -- backup! Please do your backups regularly, so that those files you erased can be obtained from your backup tapes. (See, doing backups IS a "good thing." What's good for Ollie North and the White House, is good enough for you.)

So pick a direction, the "computer crime" topic is wide and deep. (And everybody has their own expectations and definitions. There is no "consensus" view.)

...or, you could always just read excerpts from the "Cuckoos Nest" or "Buckaroo Banzai vs the World Crime League."

--
www.tru64unix.compaq.com
www.tru64.org
comp.unix.tru64

T.T.F.N.
William H. Magill
Senior Systems Administrator
Information Services and Computing (ISC)
University of Pennsylvania
Internet: magill@isc.upenn.edu
          magill@acm.org
http://www.isc-net.upenn.edu/~magill/

______________________________________________________________________
Philadelphia Linux Users Group - http://plug.nothinbut.net
Announcements - http://lists.nothinbut.net/mail/listinfo/plug-announce
General Discussion - http://lists.nothinbut.net/mail/listinfo/plug