|
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
|
Re: [PLUG] Computer Crime Talk
|
"William H. Magill" wrote:
> > I am used to giving presentations to law enforcement and have had to try
> > to develop this from scratch. I was wondering if anyone had any areas
> > that they would like me to cover in my talk. Topics that would be
> > beneficial to you in the private sector. I can't talk specifically
> > about how we conduct our investigations, and being a newbie to Linux I
> > won't be able to offer any real insight to Linux security. Any
> > suggestions would be appreciated.
> >
> Do you mean "Computer Crime" or "Computer Security?"
>
> The two topics are not very related.
>
> Lots of directions you could take the title.
>
> Computer crime implies the use of a computer in the commission of a crime.
> (Sorry, I don't consider SPAM a crime. Annoying, but not a crime.)
> Although, they don't call them "Automobile Crimes" when someone is killed
> by one in autombile crash -- they are called "accidents."
> So what does "computer crime" mean?
>
> Computer Security nominally has to do with preventing someone from doing
> something to your computer. And PLEASE - don't try to include "anti-virus"
> in the relm of Computer Security -- C2 material it ain't. You could disect
> the Orange Book (and put all but 3 people to sleep) if you want to get
> serious about Compuer Security.
>
> Computer Crime and Computer Privacy -- now there are two much more closely
> related topics.
>
> Computer Privacy goes directly to the identity issues directly related to
> the anonymity desired by the criminal. (Ha! And you only thought you were
> projecting personal privacy when you used that anonymous re-mailer.)
> Just consider the flap when Intel proposed providing machine readable
> serial numbers on their chips! Sun and others have had them for as long as
> I can remember. And then there was Microsoft's "information page" in Word
> documents.
>
> Stealing Credit Card numbers from CDnow gets lots of headlines, but that's
> a privacy issue - CDnow failed to protect the privacy of ther customers
> information. One could call it a computer security issue, but it is much,
> much more than that. CDnow simply failed to comprehend or otherwise
> implement sufficient business practices to control the privacy of their
> data. They failed to follow "common industry wide scurity practices."
> But "legally" a "Crime" was perpetrated AGAINST CD now, so it is up to the
> tort lawyers in civil court to prove how neglegant CDnow was. Similarly,
> HMOs and Insurance companies routinely share your medical histories via
> Computer -- Is that a Crime or a Privacy issue. Some things are crimes
> against Society, but are not "Legaly" prosecutable because they are not
> "against the law."
>
> The I Love You "virus" was clearly a plant by RIAA against Napster -- the
> only files it destroys on your system are Mpegs and Jpegs - Mp3 and Video
> files... hmmm. Is that a crime? The Philippine authorities, last I heard,
> couldn't get a search warrant because no laws had been broken.
>
> So define, what is a "computer crime?"
> or maybe, how do you go about committing one?
>
> Did you "borrow" your friend's copy of some piece of software?... Uh Oh,
> you have committed Software Piracy -- that's a prosecutable computer crime.
>
> Rhetorical Question - Is "Computer Crime" - "Context dependent?"
> Yes, simply because the Americal Legal system is a technical system.
>
> Did a website request "personal information" from you and then sell that to
> a third party without your knowledge or consent-- like the State of
> Pennsylvania does with your Driver's license information (including photo)?
> Both of those are clearly invasions of personal privacy which could not
> have been perpetrated without the use of a computer, a behaviour which most
> "right-thinking" (not just "Ditto-Heads") folks consider criminal... except
> that neither activity is "against the law."
>
> Then there IS the Napster battle -- Intellectual Property Rights --
> frequently referred to as Copyright issues.
>
> The Federal Court rules that MP3.com violates Copyright law - suddenly the
> "common carrier" statutes which ISPs have hidden behind become a lot less
> shielding if that ISP happens to also provide "content" aka a portal.
>
> Then we can get into PKI and Digital Signatures -- techniques to
> authenticate that a given "entity" (not a person) "signed" something.
> (Biometrics might guarantee you that a given person really did do
> something, but a PGPkey doesn't. A PGPkey only guarantees that the
> computer was present at the scene of the accident -- doesn't give you a
> clue about who was driving it.)
>
> Computer Crime has nothing to do with Hacking. Never has and never will.
> Cracking maybe. Without Hacking, Linux and the entire "Internet Software"
> concept would not exist - period. (I avoid using GNU or "free software"
> terms here.) Without Hacking, the ARPAnet itself would never have
> germinated into the Internet as everyone knows it today. Sorry, Al, but
> "the Net" is older than you are. Trying to break into systems or networks
> is not hacking, it's cracking. Hacking is "thinking outside the box,"
> fixing those things that are broken because the vendor never will, or
> adding features that the vendor never even though of.
>
> Law Enforcement vs Private sector - no difference in the Computer Crime
> area, other than the fact that the Private sector is probably about 4 or 5
> years ahead of the Public sector in this area. Law Enforcement only knows
> what they get taught by the Private Sector. "Gum Shoe" persistence is
> about the biggest difference -- Law Enforcement tends to stay interested
> in the trail much longer than the private sector does. In many ways, "Law
> Enforcement" is severly restricted, proscribed and otherwise prohibited
> from many things which are routine in the private sector. Electronic
> survailance is done all the time by firewalls and other similar software.
> However, only in the Private Sector. That kind of global sweep is
> proscribed "the authorities."
>
> Oh yeah, Don't forget Law Enforcement's best friend -- backup!
> Please do your backups regularly, so that those files you erased can be
> obtained from your backup tapes. (See, doing backups IS a "good thing."
> What's good for Ollie North and the White House, is good enough for you.)
>
> So pick a direction, the "compuer crime" topic is wide and deep. (And
> everybody has their own expectations and definitions. There is no
> "consensus" view.)
>
> ...or, you could always just read excerpts from the "Cuckoos Nest"
> or "Buckaroo Banzi vs the World Crime League."
>
> --
> www.tru64unix.compaq.com
> www.tru64.org
> comp.unix.tru64
>
> T.T.F.N.
> William H. Magill Senior Systems Administrator
> Information Services and Computing (ISC) University of Pennsylvania
> Internet: magill@isc.upenn.edu magill@acm.org
> http://www.isc-net.upenn.edu/~magill/
>
> ______________________________________________________________________
> Philadelphia Linux Users Group - http://plug.nothinbut.net
> Announcements - http://lists.nothinbut.net/mail/listinfo/plug-announce
> General Discussion - http://lists.nothinbut.net/mail/listinfo/plug
Thanks Will that was a big help!!
Darxus suggested that I tell you guys exactly what I do and that might help the
discussion.
As Will put so elliquently, Computer Crime and Computer Security are apples and
oranges. I have only a limited knowledge of security issues. A far as what I
do, it's a little of everything. I have worked homicide, child porn,
prostitution, credit card fraud, theft, counterfeiting (software & money),
cracking...I was planing on talking about PA law and what constitutes a crime,
what we can offer the private sector, and ways of protecting your children
online.
As far as the technical issues I would like to quote Will, "Private sector is
probably about 4 or 5 years ahead of the Public sector in this area. Law
Enforcement only knows what they get taught by the Private Sector." He is 100%
correct. Everyone in PLUG knows how we conduct our investigations and track
down the bad guys, even if you think you don't. You just need to think about
it.
Thanks for the input,
Jon
______________________________________________________________________
Philadelphia Linux Users Group - http://plug.nothinbut.net
Announcements - http://lists.nothinbut.net/mail/listinfo/plug-announce
General Discussion - http://lists.nothinbut.net/mail/listinfo/plug
|
|