I don't think you want to do that. It has been done in Germany, and there's been, for example, a chilling effect on legitimate security research that just makes *everyone* worse off. Precisely in that case because, as you noted, dual use tools exist - and as you made note as an unpleasant possibility in your message, they got caught up in the middle of this sort of legislation. Trying to regulate distribution of something on the Internet is both futile and dangerous, in general, IMO. It is certainly not going to make a dent on what malicious people do (they're probably breaking the law already or out of jurisdiction anyway). The only real side effect of such action that I can see is much pain and angst by legitimate people trying to do their job and wondering if they are going to risk having their lives ruined by running afoul of ill-conceived legislature trying to ban distribution of "tools". This is not the correct path, I think. Whatever the correct path is, it is likely to be a much more complex target, but many attempts at legislating the Internet often come out as so broad that you could find a way to use them against any ordinary sysadmin. I think that, given past attempts, it is unlikely that there will be legislature that is both effective at criminalizing McColo and avoids the sort of environment where basic general Internet use is risky from a legal perspective. (And we're perhaps a tad too close to that now. One does not wish to consider what'd happen if one got link-bombed with a shady site hosting "illegal" content that showers you in a badness pop-up deluge, and then got pulled over for a full computer search by the border patrol. Does trying to explain the concept of that situation before a jury as a defense for having a porn pic sitting around in your browser cache sound appealing?) Now, I'm not trying to say that the correct laws cannot be made. But you had better be damn sure they're the right laws before they get passed.
Many of the issues here are subtle and significant, ones that traditionally Internet-facing laws have glossed over to the public detriment. Explaining such things to legislators is hard enough; you don't want to be stuck trying to fend off wrong charges from an overzealous prosecutor on subtle and highly technical grounds if you find yourself. Because the danger from making the *wrong* laws is so great here, we really need to be very careful what we're calling for.

- S

-----Original Message-----
From: John Bambenek <bambenek@gmail.com>
Sent: Thursday, November 13, 2008 06:31
To: Charles Wyble <charles@thewybles.com>
Cc: NANOG list <nanog@nanog.org>
Subject: Re: [funsec] McColo: Major Source of Online Scams and Spams Knocked Offline (fwd)

Something to keep in mind. I don't believe it was McColo that was the end provider of "badware" per se (and I could be proven wrong), they simply played the enabling role by hosting it and looked the other way. Now don't get me wrong, they ought to be kicked offline for externalizing their costs on the rest of us, but what criminal charges could be filed here? I'm not a lawyer, but the person actually committing the crime and a person who willingly provides tools to someone committing a crime are in completely different boats. We could criminalize hosting malicious tools, but then what of nessus, nmap, wireshark and the host of security tools that are effectively "dual use"? Child porn being an obvious exception of course, but the point remains. Negligence is bad and perhaps there are criminal remedies that can be brought to bear (I'm not a lawyer, I don't play one on the intarwebs) but I would imagine they would be minor in comparison. That said, of course this information should be turned over to law enforcement. It often is.

j

Charles Wyble wrote:
On to the question about how network operators can help LE: *Collect the data that proves a company such as Intercage/McColo is harboring cybercriminals* and get with your local FBI/Secret Service field office (or your state's Attorney General's office) (or both) and submit a complaint at IC3's website (www.ic3.gov) because we have an excellent team of analysts that track information like that. Package up the evidence you have and send it out.
Excellent point. Something like the fine folks at http://hostexploit.com/ are doing.
I also believe SANS has some excellent courses on forensics, and things like chain of custody etc. Not sure how much that applies to these sorts of scenarios, but it can't hurt to package/handle the evidence in as compliant a manner as possible.