Re: law enforcement contacts
On Mon, Nov 10, 2003 at 10:36:03PM -0500, Valdis.Kletnieks@vt.edu wrote:
On Mon, 10 Nov 2003 13:55:40 PST, JC Dill <nanog@vo.cnchost.com> said:
I have several clueful LEO contacts, but this information will be of no use to you unless the crime was committed within their respective jurisdictions. LEOs get paid to act on crimes within their jurisdiction, not on crimes within their expertise.
<rant> Uhm... Correct me if I missed something, but LEO's get paid to uphold the law BY ACTING on crime in their expertise and if it's out of their range (jurisdiction) an LEO should have better contacts than someone on the outside.
On the flip side, if the LEO in question is at the state level, and it's a DDoS zombie network, there's a good chance that at least one of the zombies is in the state and therefore fair game.
Even quite a good chance for LEO at the city/county level, for some of the larger cities/counties....
You make it seem as if the typical LEO will even know what a zombie network is. I don't want to take anything away from those decent LEO's that know a thing or two, but I've seen an unnamed LEO for an agency in a government testify that he didn't understand what an IP address was on a witness stand. One thing to keep in mind when calling in LEO's, and if you search in Security Focus' archives you may find it, is the cost of it all. Does it outweigh the benefit? Meaning, are you willing to have an LEA come into your business, unhook machines to replicate disks, et al., in order to stop something you could easily assess with some good configuring of a network? Think about it, if by giving permission to an LEA to come in to your data center to do what they have to do is going to cost you more in the long run, then why not see what you can do on your own via looking for the contacts (owners of the zombie machines) on your own.
Many people in the compsec -- well computing industry in general -- tend to think that LEA's are super equipped for most things in relevance to cybercrime. The fact is they're not, and I'm sure many have seen articles showing this. LEA's train with guns not computers, and for those who are already in the field, I'm sure they are a fraction of what someone's personal perception thinks the ratio is.
To make a long rambling short, if an attacker with a zombie network is coming in from different ranges, you're better off contacting the DoJ here in the US, as it is an interstate matter, I'm sure they'll love to get another example this time of year. LEA's locally are likely to do the same (contact other agencies) if it's a given that the attacker(s) are acting as I perceive them to be (different hosts, different networks, states, etc.), the feds have more money to deal with that, and if they can't find the culprit, then I'm sure they'll find someone who will pay for the crime. (a culprit of course I wouldn't insinuate anything). </rant>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
wget -qO - kungfunix.net/fatality|sed -n '1!G;h;$p'
J. Oquendo
sil @ politrix . org http://www.politrix.org
sil @ kungfunix . net http://www.kungfunix.net
sil @ perfidious . org http://www.perfidious.org
At 02:13 AM 11/11/2003, J. Oquendo wrote:
Uhm... Correct me if I missed something, but LEO's get paid to uphold the law BY ACTING on crime in their expertise and if it's out of their range (jurisdiction) an LEO should have better contacts than someone on the outside.
Perhaps they will have contacts, but c'mon... how many of 'em do you really believe care? Basically, if it isn't child porn/sexual abuse, most law enforcement agencies have bigger fish to fry... or at least, think they do. They don't care to get involved in a problem that could potentially involve multiple jurisdictions... it's just too much hassle, and they have plenty going on locally. I *have* had encouraging results from the local folk, but that's the exception rather than the rule.
At 11:23 PM 11/10/2003, Dave Stewart wrote:
At 02:13 AM 11/11/2003, J. Oquendo wrote:
Uhm... Correct me if I missed something, but LEO's get paid to uphold the law BY ACTING on crime in their expertise and if it's out of their range (jurisdiction) an LEO should have better contacts than someone on the outside.
Perhaps they will have contacts, but c'mon... how many of 'em do you really believe care?
And even if they do care, (and have clue) if it's not obviously within their jurisdiction they can't justify working on the case.
They don't care to get involved in a problem that could potentially involve multiple jurisdictions... it's just too much hassle, and they have plenty going on locally.
Some do care, but generally they can only become involved in one of two ways: A) They have clear reason to believe a crime was committed in their jurisdiction (and thus reason to "open" a case and investigate), or B) A LEO in another jurisdiction has done A, and calls them in because the crime crosses jurisdiction boundaries.
For instance, I have a friend in the SFPD who would care, but if you call him from Tulsa OK and want him to help investigate a DDoS on servers hosted at Equinix in Ashburn VA, he's not going to be able to do a thing, unless you can give him a "clear reason" to suspect that part of the crime took place within SF and thus that investigating *that part of the crime* is within his job description as a SFPD. And as much as he may care and have contacts, he's not likely to have contacts in Ashburn.
jc