On Mon, Nov 10, 2003 at 10:36:03PM -0500, Valdis.Kletnieks@vt.edu wrote:
On Mon, 10 Nov 2003 13:55:40 PST, JC Dill <nanog@vo.cnchost.com> said:
I have several clueful LEO contacts, but this information will be of no use to you unless the crime was committed within their respective jurisdictions. LEOs get paid to act on crimes within their jurisdiction, not on crimes within their expertise.
<rant> Uhm... Correct me if I missed something, but LEO's get paid to uphold the law BY ACTING on crime in their expertise and if it's out of their range (jurisdiction) an "LEO" should have better contacts than someone on the outside.
On the flip side, if the LEO in question is at the state level, and it's a DDoS zombie network, there's a good chance that at least one of the zombies is in the state and therefore fair game.
Even quite a good chance for LEO at the city/county level, for some of the larger cities/counties....
You make it seem as if the typical LEO will even know what a zombie network is. I don't want to take anything away from those decent LEO's that know a thing or two, but I've seen an unnamed "LEO" for an agency in "a" government testify that he didn't understand what an IP address was on a witness stand.
One thing to keep in mind when calling in LEO's, and if you search in Security Focus' archives you may find it, is the cost of it all. Does it outweigh the benefit? Meaning, are you willing to have an LEA come into your business and unhook machines to replicate disks, et al., in order to stop something you could easily assess with some good configuring of a network? Think about it: if giving permission to an LEA to come in to your data center to do what they have to do is going to cost you more in the long run, then why not see what you can do on your own via looking for the contacts (owners of the "zombie" machines) on your own.
Many people in the compsec -- well computing industry in general -- tend to think that LEA's are super equipped for most things in relevance to cybercrime. The fact is they're not, and I'm sure many have seen articles showing this. LEA's train with guns not computers, and for those who are already in the field, I'm sure they are a fraction of what someone's personal perception thinks the ratio is.
To make a long rambling short, if an attacker with a zombie network is coming in from different ranges, you're better off contacting the DoJ here in the US, as it is an interstate matter, I'm sure they'll love to get another example this time of year. LEA's locally are likely to do the same (contact other agencies) if it's a given that the attacker(s) are acting as I perceive them to be (different hosts, different networks, states, etc.), the feds have more money to deal with that, and if they can't find the culprit, then I'm sure they'll find someone who will pay for the crime. (a culprit of course, I wouldn't insinuate anything). </rant>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
wget -qO - kungfunix.net/fatality|sed -n '1!G;h;$p'
J. Oquendo
sil @ politrix . org http://www.politrix.org
sil @ kungfunix . net http://www.kungfunix.net
sil @ perfidious . org http://www.perfidious.org