Spaf, thank you for your in-depth reply. I don't agree with all of your views as you are no doubt already aware, but at least your message was detailed. I am going to make a rather large number of generalizations, because they happened to fit the vast majority of events and persons involved. I am in an undiplomatic mood, so I'm going to be fairly harsh. There are exceptions on both sides of the fence; some of which I have the greatest respect for and am proud to have had an involvement with.

> First of all, there are some environments where the security admin is
> required, as a matter of law, to report the incident and cooperate
> with law enforcement personnel. For instance, computers that are part
> of a government operation (esp. military), or certain forms of
> regulated financial institution may require reporting.

That may sometimes be the case. However, the original post which sparked this dialog suggested that the computer manager concerned had quite some discretion over the matter. Indeed he had asked his associate, who forwarded the question to the IDS list, exactly how he should proceed, i.e. how that discretion should be exercised. If the manager was mandated to escalate the penetration into a law enforcement backed investigation then there would be no question as to how he should conduct his response.

[...]

> or espionage). For example, if I discover that hackerX has
> compromised my system and is using it to hack into Bank of America,
> and I do nothing, then I might possibly be the target of a civil suit
> by the bank as it attempts to recoup some losses...or set some
> examples.

I don't believe there is any such precedent for this, though it may be a theoretical legal attack. Political realities are always more important than legal ones. Though, be warned: my current opinion of the legal profession is at an all time low. I have yet to encounter a more rigid and uncreative set of individuals (with some notable, but unfortunately rare, exceptions).
Now for the flip side of the coin. I am aware of many institutions that have naively contacted law enforcement investigators about their systems being used as a "launch pad" or routing point for further penetration into other systems. In one particular case the police forced the penetrated institution to allow the intruders to have free rein of their systems for over three months, in order to conduct extensive packet logging. The disingenuous `care factor is low' attitude shown to the hackers by the administrators only served to encourage them. Unfettered use of the institution's computer systems was a great boon to the hackers. In other words, the institution knowingly AIDED the hackers' illegal activities. After several months, the hackers had penetrated literally thousands of sites via the institution's machines. They had used those machines to develop various security penetration programs. The institution developed a bad reputation among the network community as it was seen as the source of an increasing number of attacks. They eventually saw the light and severed their involvement with the police - who immediately went up to the highest level of management and applied strong political pressure to force their continued association. Feed the devil with a short spoon and you just may lose your whole arm.

Police are like journalists. They want the BIG bust. It gets them promoted. It gets their section/unit (in this case computer crime) publicity, status and FUNDING. Why bust a couple of "teenage computer hobbyists" for penetrating one or two sites, which won't even make the papers, when you can wait three, four, six months or a year and bust "an international ring of computer thieves who broke into thousands of sites around the globe"? If a crime is occurring then it should be stopped immediately. Though real world analogies are dangerous in this field, let's look at one for a moment, concentrating only on the law enforcement aspect.
I think most people would find this kind of police "logic" obscene: Why bust a rapist when you can bust a SERIAL rapist! Normal rapists hardly even make the papers these days. Convicting/arresting one won't bring you much status or funding. It's not something one can brag about to other police, or wear with pride on your lapel. It probably won't even get an operation name. Our suspect raped someone in Exhibition park. We will make it a bit easier for him, by turning off the overhead lighting. We will force the park management to help us. Then we will set up infra-red surveillance behind the size 19 green waste bin. We will tap his phone and videotape him walking to and from his residence following each rape. When he has raped a few hundred women over the course of a year, we will bust him big time. It will be a gala event. Our evidence will be fantastic! We will have arrested one of the worst serial rapists in the history of this country! The trial will be HUGE.

> Given all that, how do you decide what to do? Well, like anything
> else in computer security, you need to do some cost-benefit analysis
> based on threat, loss, and effect. Here are some of the things you
> need to take into account with such an analysis:

Exactly.

> + successful investigations and prosecutions help decrease the overall
> threat by taking some hackers off the wires, and by discouraging
> others.

I strongly disagree. I believe it only serves to glamorise and stimulate the potential body of hackers in the wider community. As for active hackers, the majority will merely become (and indeed have become) far more occulted in their behavior. It may look as if the hackery in your part of the world has decreased, but only because your eyes are not good enough to see what is under your nose. You can forget trying to talk unix_junky-unix_junky (etc) with them in any country where there is a climate of immediate legal retaliation.
You can forget wooing them into telling you what they were doing in your system, or telling you what the security holes were.

> + successful investigations etc. may cut down on threat to you from
> hackers (or at least the wannabes) by making you a more dangerous
> target to mess with. (Example: on our campus, it is well known that
> some departments aggressively investigate and prosecute misuse,
> including expulsion from the university and arrest. Those
> departments have fewer security incidents than those with a "let it
> be" attitude.)

I'd rather spend my time on making my network secure than persecuting my students. Isn't this really just another form of STO? Where the O is really "Retaliation after the event"? At which department would you rather be a student? I recall many moons ago being at one like you describe. I mistyped "du" as "su", only to find my account suspended the next day. It did not aid my studies or serve to further my respect for the computer managers who ran the computing facilities. Incidentally, over several years, they were involved in major police investigations at least a dozen times. They continue to have numerous security incidents, which undoubtedly has more to do with their continued reliance on unshadowed passwords, YP and NFS than their draconian discipline policy.

> + successful investigations can sometimes be a prelude to recovering
> losses via a civil judgement

It is extraordinarily unlikely that any such civil judgement for compensation, years after the event, will cover anything like the costs of such an entanglement, and even if it did, the likelihood is that it will never be paid by the defendant, who has no doubt spent all his money and then some on his defence.

> + successful investigations can result in better security. For
> instance, I know of several cases where firms found that they had
> other, undiscovered security problems.
> The way they found this was
> when they had search warrants executed against suspects in security
> cases and the authorities discovered evidence of other problems.

You are correct in stating this has happened. However, I have never heard of a more idiotic way to secure a network. Relying on evidence obtained from some individual of dubious qualifications, who in all likelihood was only interested in a small part of your network for a specific purpose over a short period, months or years before you receive a copy of the seized information, is indescribably foolhardy. Hire a professional and get the job done properly.

> + investigations may result in reduced insurance rates, and certainly
> in helping reduce your liability profile.

I'm ill informed on how the insurance industry operates. However, having a car accident (and of course learning from the very memorable experience) tends only to increase your insurance fees. Get a professional security group to assess your security. Surely it's more advisable to tell your insurance fund "We have had an independent expert security professional assess our security liabilities. He made 38 recommendations and we have implemented 37 of them", as opposed to "Our security was so bad it was breached. We suffered some losses. The police were called in. An international law enforcement investigation was started; it may be years before the matter makes it out of the criminal jurisdiction. We have performed an internal audit, and we now rate ourselves as being A-OK."

> - investigations may be time and labor intensive.

You're not wrong.

[...]

> - investigations may result in negative publicity about the incident
> (however, a good PR person can often spin this to a positive)

I'd prefer not to take the risk in the first place. If you have the choice between an already good reputation, a partially soiled reputation or a slightly better reputation, I'd advise choosing the former (call me conservative).

[...]
[...some good points about not knowing a penetrator's motivations, or the depth of their penetration...]

If your computer systems need to be secure, and you find out they are not secure, then they should be secured. That securing process may take considerable time and energy. That an intruder was in your systems is to some extent irrelevant. If you did not have good security/auditing/intrusion detection/binary signatures at any point in the past and you were connected to an untrusted network then you must assume that not only has your network been penetrated but that all manner of backdoors were installed. This has been a difficult issue for me and other security people and one that clients certainly do not want to hear. I agree that an investigation may be required to ascertain what the intruder's detailed actions and motivations were, at a level proportional to the value and confidentiality of the material stored on the breached network. Police rarely have the expertise or motivation to aid in this procedure to any significant degree. If you don't have the expertise in-house then hire someone who does. Once you have analysed what has happened, present the information you have to senior management. Let them decide if it's worth the risk and expense of taking it further.

> 3) The field of computer crime investigation is new. Law enforcement
> personnel are learning as they go. They need good cases and
> cooperation to get that experience, though. Not every case will
> work. But more will as time goes on. And more resources will become

I'm sorry to say it, but computer crime police take the easy way out. They go after kids, not professionals. If someone thinks they are a part time secret agent because they do the digital equivalent of helping the FBI bust graffiti artists and pranksters, they are very deluded.
What's worse is that a bizarre vicious circle forms, where the hackers like to believe they are international data commandos because they are generally immature, introverted personalities with fragile egos, and the police and their informants like to believe they are CI operatives on some mission from God. The hackers want to believe the police line, and the police want to believe the hacker line. Together they have a pact, of which neither would be proud. These self-delusions act in unison to increase their respective status to themselves and among their peers and the broader community.

Many people in this industry do not want to hear this sort of thing; it devalues their work and I'm sure I shall win no friends by stating it. However, I find the current climate of self-hype and lack of rigorous objectivity altogether unpalatable. It is one thing to create publicity to recruit clients or garner next year's funding; it's another when you actually start believing it. The latest dogmatic neurosis over internet credit card transactions is very symptomatic. Credit card transactions never were secure. They didn't suddenly become insecure when people started using them on the 'net.

-- 
+----------------------------------+-----------------------------------------+
|Julian Assange                    | "if you think the United States has     |
|FAX: +61-3-9819-9066              | has stood still, who built the largest  |
|EMAIL: proff@suburbia.net         | shopping centre in the world?" - Nixon  |
+----------------------------------+-----------------------------------------+
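The message above argues that without prior auditing or "binary signatures" on a network exposed to an untrusted net, you must assume penetration and installed backdoors, because there is nothing trusted to compare the current state against. The following is an added example (not code from the original message or its author) of the kind of baseline that remark alludes to: a SHA-256 manifest of a file tree taken at a known-good point, later compared against a fresh snapshot to list what was modified, added or removed. The function names (`build_baseline`, `compare`, `demo`) and the tiny constructed tree under a temporary directory are assumptions for illustration; the reading of "binary signatures" as a hash manifest is likewise an interpretation, not something the post spells out.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Added example: a minimal file-integrity baseline. Helper names are
# hypothetical and the sample tree is constructed; nothing here is from
# the original mailing-list message.


def sha256_file(path: Path, chunk: int = 65536) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped: hashing a link's target would let a link planted
    inside the tree make an unrelated file look 'unchanged'.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift between a trusted baseline and a fresh snapshot."""
    return {
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny 'bin' tree, then alter it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary\n")
        (root / "bin" / "ls").write_bytes(b"original ls binary\n")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/sh\n")

        # In practice this is taken at install time and stored off-host or
        # on read-only media; a baseline the intruder can rewrite proves nothing.
        trusted = build_baseline(root)

        # Constructed drift: one binary replaced, one file added, one removed.
        (root / "bin" / "login").write_bytes(b"replaced login binary\n")
        (root / "bin" / ".hidden").write_bytes(b"extra file\n")
        (root / "bin" / "ls").unlink()

        return compare(trusted, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The point the post makes is the reason the baseline has to exist before the incident and be stored where the host cannot alter it: a manifest built after the fact on a possibly compromised machine only tells you what the machine looks like now, which is exactly the state you no longer trust.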