F-Secure Calls For "Internetpol" To Fight Crimeware

KingofGnG points out F-Secure's Q3 2008 security summary, in which its Chief Research Officer Mikko Hypponen proposes establishing an "Internetpol," an international organization empowered to target and root out cybercrime anywhere in the world. Hypponen gives examples of why such a supernational force is needed — and these are not hard to find — but provides few details about how such an outfit could get started or how it would work. He does mention the wrinkle that in some countries malware writing, cracking, spamming, and phishing are not illegal or not prosecuted. Is an Internetpol even possible, let alone practical?

What kind of crime would it fight?

[calmofthestorm]

I can see some use for this, but I fear like most things it would go after political dissidents and copyright infringers rather than actual criminals. Generally speaking I don't want the government to have /more/ power.

Re:What kind of crime would it fight?

You forget that this wouldn't be "a government". For it to function you'd have to have cooperation with ALL governments around the world. And while it's just fine and dandy and even desirable for the US to have this kind of no-borders-drawn approach, it would be give-and-take. Meaning if the other countries can't refuse demands made by the US to turn over citizens or whatever, then the US wouldn't be able to turn down it for other countries.

Of course they would always claim "sorry it's against our constitution." (funny how they'll use that the second it's needed, but use it as toilet paper when it's in their way.) But that would harbour distrust (like it isn't already there anyway) and they'd find that the other countries simply will refuse their own demands anyway.

Net effect. Lots of money wasted (again.) and nothing productive being done.

Re:What kind of crime would it fight?

[Rennt]

Whats wrong with simply using Interpol to fight cyber crime? As I understand it Interpol is mostly a co-ordination and information sharing organization used by local police forces to tackle crimes that exceed national boarders. Isn't that exactly what is needed?

Come to think of it, Interpol IS used to target these kinds of crime if all governments involved thinks it is evil. Online child porn for example - and from what we hear on the news, this is kind of successful, with arrests and convictions internationally, so whats the problem?

Perhaps the intention is to target "crimes" in a country where it isn't a crime, and the local government is not very sympathetic. An "international organization empowered to target and root out cybercrime" could well shut down Pirate Bay for example.

Re:What kind of crime would it fight?

[GrpA]

I share the feeling, but I'm sick and tired of receiving all the attempts to socially engineer their way into my bank account or similar, or get me to click on some malware, and no matter how obvious these things are, sooner or later they work ( How often have you clicked on "yes" instead of "no" just to make the stupid window go away, or had a poppup pop up just under where you're about to click?)

They don't need an internetpol - they just need the police.

The problem is that the police don't like dealing with it. It's too hard to understand and they don't get paid enough and they have to deal with stupid paperwork anyway because some kid got caught painting logos on someone's wall, and now some idiot computer user is calling saying "My bank account is being hacked, help me" and the poor cop can't even cope with getting his own email to work, let alone working out how to reverse engineer some genius hacker's work to help some lady who talks like she's on crack and doesn't know why her bank account is empty... And it's the fifth time this morning...

So to fix it, the police department need to get serious about computer crime and just simply establish a department that can deal with it... And keep them separate to fix the issue, and not be a part of the group that deals with local computer crime, etc.

Just one person per state who understands technology at a basic level (eg, like most people who read this forum) is enough.

And then this one person can spend some time networking with cops from around the world (heck, send them to some junket in a hotel once a year so they can meet all the others... Maybe blackhat or something) and then knows how to apply the laws correctly and how to go after these people...

And THEN the problem starts to get fixed.

Ranting aside, I know how the situation works. I've been on the prosecuting end of several cases, in which I did the legwork. I tracked down the evidence, and prepared a one-page brief for the police involved, including details on the exact crime committed, the evidence, who has the evidence and the phone numner to call to get it.

If you give the police a target they can understand, they usually are more than willing to take the case on.

When I last did that, they even sent a raiding party and siezed the guy, his computer and everything else within hours of my sending the details. They had a written confession out of him within two hours!

Most people who are still feeling the umbrage of having been owned don't understand this and it's not suprising the police don't want to help, especially when they don't know where to start.

My experience is that the existing laws are usually sufficient. It's the will and knowledge to implement them that are lacking.

GrpA

Re:What kind of crime would it fight?

[Antique+Geekmeister]

No, 'the police' really can't deal with a lot of it. As soon as it crosses city lines, your local police won't touch it. As soon as it crosses state lines, it gets handed off to the FBI, who seem simply unable and unwilling to prosecute anything below a massive threshold, and seem chronically unable to charge people with the crimes they actually did commit, and tries to leverage people as 'informants' to get the 'big fish'. So they accomplish nearly nothing. Wire fraud should really be the Secret Service's jurisdiction, but they're less interested than the FBI. And when it goes international, as many of the phishing frauds do even if they're actually run from the US, then none of them will touch it.

So what it takes is an agency _willing_ to prosecute. The Secret Service could legally take on a lot of it, but after burning their fingers with the Operation Sun Devil and the resulting Steve Jackson case that led to the creation of the EFF, they seem pretty reluctant to even try.

Re:What kind of crime would it fight?

[GrpA]

You're thinking of the events that were detailed in "The Hacker Crackdown" aren't you?...

I'm not saying your wrong, but please re-read my post. I'm saying that a lot of the time, the police are expected to do this because it's their job, except they don't know where to start, which leads to the situation that they can't actually be certain it *is* their job. So they don't do anything.

It doesn't matter if it crosses state or even federal or international lines...

Only committing crimes in another state from your home state is an old trick to avoid the attention of law enforcement. It only works for a while - the police know how to deal with this.

Imagine this. Someone in your state is breaking the law. You report the details to your local police. They arrest them.

Now consider - Someone in another state is breaking the law. You report the details to *their* local police. They arrest them.

See the difference? You can achieve that without being a police officer - but it does knowing who to contact and what to tell them. Giving them an IP address isn't enough. What they are looking for in *evidence* of a crime they can understand. Send them details of which crime is being broken, so they don't have to work it out themselves, and they know it's something they are responsible for.

Speak to their ISP in advance, explain the situation, get the ISPs contact person and let him know his local police will be in contact to collect the evidence. Most ISPs will co-operate that far - to wait for a request from the local police for information.

Learn about evidence collection. Learn what police need to do their job.

That makes all the difference in the world.

And it is the local police's job to do this. Are you some multibillion dollar exec? No, well how can you seriously expect the secret service to do this for you? Seriously?

Do you think I go and call ASIO (I'm in Australia) or ASIS everytime I find graffiti on my car?

Finding my computer's been hacked is no different. Just because they employ people in secret intelligence organisations who understand the situation doesn't make it their problem... You're a small victim, that's what the local police are there for.

GrpA

Re:What kind of crime would it fight?

[Antique+Geekmeister]

You've apparently not dealt with the police nor the laws on fraud, because you state:

> It doesn't matter if it crosses state or even federal or international lines...

This is amazingly wrong. As soon as it crosses the borders of your local police force's jurisdiction, they *must* escalate it to the authority that covers both jurisdictions, or they have little hope of getting a prosecution. This is from my direct experience with spammer and phishing fraud, and DOS attacks against systems I've dealt with. The local police on each end say 'oohhhh, we can't do that' and pass it to the FBI who completely ignore it. This is with names, dates, times, places, and a careful list of exactly what records they need to subpoena to collect the evidence for conviction. The local police on each end simply will not act.

And I expect the Secret Service to do this, for example, because they are the enforcement arm of the US Treasury: fiscal fraud is what they do (or are supposed to do). Guarding VIP's like the President was added to their responsibilities in the 19th century, but their role as fiscal agents is older, and it remains part of their charter.

Re:What kind of crime would it fight?

[GrpA]

Yes, I have dealt with federal matters, and it's amazing how the same issues that affect whether or not police will take on your complaint occur at all levels.

I did speak to the federal authorities. I did track down the people whose task it was, and I found out what they needed.

It's a bit like chinese whispers. "I can't do anything if XXXX doesn't do their job." They will tell me that, but they won't tell XXXX directly. (XXXX Being a person, agency, official, whatever). I became the "connection" between them, relaying commitments.

So I did the rounds, learned what they required (specific only to my case) and got them all to agree to what was basically an open-ended commitment. THe problem is that they couldn't discuss anything with me - since they all recognized I had no authority and privacy laws got in the way, but wouldn't start bothering their counterparts to request help, because they couldn't tell their counterparts what was going - they didn't know how to.

However, I could get them to commit to speak to XXXX, if XXXX was prepared to help, so I called *all* the XXXXs and explained the situation, and sent the details through to all of them. The XXXX's were Federal Police, State Police and Telecommunications Regulations Enforcement authorities.

Once I had them all committed, I simply became the "co-ordination" point for the exercise. I learned everyone else's role and broke the task down and sent the appropriate information to each person that was relevant to their job.

The result? As soon as they realised I had handed them a case ready to close, with all the contacts agreeing to their role, they moved immediately. The whole thing took about an hour.

In that case, I had made a slight error with regards to the law that was broken, and they called me back to let me know they couldn't actually prosecute and were helpful enough to provide additional information I needed to know to close that loophole with the way my network was set up ( Guest access can be a real issue - if you let people in, proving tresspass is impossible ).

They also provided a committment to back me up in the future if it ever happened again.

True to their word, they did the next time and I caught the guy. He was prosecuted successfully, although the next time, it was local, so I didn't need to coordinate as many people.

So please, consider my point. You need to co-ordinate *everyone* and make sure they know you have a reasonable chance of prosecution and that you've lined up your ducks, or they won't get involved.

It's no different for a cop doing that job. They need to get everyone involved too. Basically they still have to go through the same process.

Most people will do their job and help you if you remove all the obstacles first. In a perfect world, they would move their own obstacles as well, but hey, if it's your problem and affects you, it's up to you to decide how committed you are to solving it.

GrpA

Re:What kind of crime would it fight?

[MindKata]

"For it to function you'd have to have cooperation with ALL governments around the world"

Cooperation isn't required. All they need is common ground to allow common ideas through. The common ideas are what is best for people in power and how to maintain power over the people they rule over.

All governments around the world have hierarchical power structures. People who go into political power seek power over other people, in other words, they seek to dictate terms to other people. Seeking to dictate terms to someone else means they seek to push others down below them, so they are in the position of power. The political process acts like a process of natural selection, selecting the most driven power seekers, who seek dominance over others.

Therefore on this basis, the ones in power in each country have in common the desire to seek to maintain control over their people. They do not want their people to threaten their position of power. This means bring in ways to monitor and censor any threat to their power. The people in power seek this, as a good thing, as they see their own actions as good and in their best interests.

This is why moves towards Big Brother are happening across the world, now they are gaining the technology they need, to maintain power. But then each generation of power seekers, have always sought power over people. Its just now they have the technology to do it. But the point is, that desire for power over others, has always been there, with a minority of people seeking to control the majority. In hindsight, this is why George Orwell was able to predict this kind of behaviour. Because what he was describing was human nature and not simply technology. Its not about technology, its about Psychology. No matter how technology evolves and changes, the desire to maintain power will always be there, for a minority of people, who go into a career of seeking power over others. (Either seeking political power, or if they fail at that, they go into Big Business and seek high positions of power in that area instead).

This is why cooperation isn't required. They already have common ground to seek power over others and simply need to bring in technology and ways to allow them to more easily maintain power. Any attempt to tell them they are wrong, is interpreted by them as wrong and they then label it as near terrorist like behaviour. Ironically terrorists are themselves power seekers. They seek to dominate all with their views.

But is this a Dystopia or a Utopia? ... what's even more disturbing, is that a world which is free and equal is a Dystopia to people who seek power over others. They seek more power than others. They seek more money than others. They seek to be the centre of attention. So a world which is free and equal is a dystopia to the ones who seek power and their Utopia is Big Brother where they are the ones in control of Big Brother.

Its interesting how one person's Dystopia is another person's Utopia... Sadly it explains why the world is so unfair for everyone. No one will get a total utopia or a total dystopia, as the other side will not allow it. But while the people who seek power are the minority in society, (and they are put in power by the majority), this minority is now gaining the upper hand through technology, used to push the world towards their Utopia. This is why democracy is always under threat of being undermined. I had thought that as my ancestors and people like them had fought so long and hard to finally win Democracy. Then surely as we now have Democracy, we therefore much now just keep Democracy. I didn't realize there are people constantly trying to undermine Democracy for their own gain and so over time, Democracy has to be constantly defended against these people. The people trying to undermine Democracy for their own gain are almost by definition people without empathy towards others. They actually choose to violate Democracy for their own gain.

Democracy only exists if balance is m

One World Government

[MindlessAutomata]

No, don't write me off as a NEW WORLD ORDER!!!! guy.

Interpol is dangerously close to a one-world-government type deal. If you're into "global democracy" and the entire world under one flag, then an international police on the internet is probably no big deal to you.

But if you're afraid of big, monolithic governments as much as I am, then you'll be deathly afraid of any international police body, as Internet Police isn't just a bad idea, it's also a very dangerous slippery slope to be treading on.

Still not convinced it's not a good idea? A lot of nations have insufferable politically-correct speech laws. Germany, for example; there they censor politically undesirable viewpoints (yes, Nazis, but if you believe that freedom of speech of the individual transcends whatever the masses may think...) and in Australia, they censor games like GTAIV and other 'socially undesirable' expression.

And maybe some people aren't bothered by that. Some people think, "hey, if some majority accepted that, then tough luck for the minority, democracy prevails!" but I am just not one of them and I'll never be comfortable with governments treading on individual freedom whether a single ruler or the many stepping on them.

Re:One World Government

[Fluffeh]

Interpol is dangerously close to a one-world-government type deal. If you're into "global democracy" and the entire world under one flag, then an international police on the internet is probably no big deal to you.

Yeah, look, sorry, I can't disagree more. Interpol is not remotely close to a one-world-government deal at all. Those guys are lucky to be able to help a handful of governments catch a handful of criminals when all parties want them in prison.

While I think that an "internet police" is a laughable idea in that it would be impossible to unify all the countries with access to the internet under one police umbrella, I think doing so could have some fantastic opportunities that /. seems to have missed as the "oh gawd, the government is after my rights" folks jumped right out onto the bandwagon here first. Think about these tasks that I would love to see internet police on the case for:

1) Spam.
2) Spam.
3) Trojans on websites
4) Browser Hijacking
5) Fleecing through fake Paypal/Bank/Money websites

I am aware that point one and two may look the same, but I feel it would be in most people's minds enough to warrant those two places. If I could have a "report this as spam" button in my email client and know that it would actually go somewhere to someone to do something, man, that would be a sweet thing indeed. What's this? A website that opens a bazzilion popup windows and refuses to let me close my windows? BAM! Hit that police button right there!

Come on slashies, have a look at some of the positive possibilities here. Don't make me have to use a car analogy!

Re:One World Government

[zappepcs]

You are not a tin foil hat guy, trust me.

Countries have established law against computer crime. An internetpol is not required. The fact that F-Secure is asking for one is quite suspicious to me. You would think they would be in the forefront of telling the police where and who the bad guys are. Maybe they're just jockeying for a fat global contract?

More law enforcement is not needed, more security is. The problem is insecure OS and software platforms, insecure operations processes and policies, insecure user habits and other such things. No manner of Internet police forces will be able to cure those things.

Come to think of it, no manner of thought police would be able to stop me calling F-Secure asshats, and Mr Hypponen chief asshat among them. See how well those thought police work? That's how good Internetpol would work. Just more wasted money, more lost rights, more inconvenience for the good guys, and more fun for the bad guys.

Geez, the DHS at least has physical goals. The Internetpol wouldn't even be able to do that much. How much of the really bad guys on the Internet are hired by governments? by corporations? By people who would thwart the efforts of Internetpol through political means?

Lets just go full tilt into asshatteriness: Make it a capital crime to have an insecure pc operating in your house or under your control. That will ensure it all stops... right?

Re:One World Government

[postbigbang]

The 'one world government' lip fart is a distractive ruse designed to debase thinking that effects all of us. It's a distraction that goes back in origin to the John Birch Society, a ultra-radical right-wing batch of people that also aided the anti-flouride rouse, tried to impeach Earl Warren, and so on. It's a BS contention that's carefully calculated to debase the thought of international controls.

Re:One World Government

[Antique+Geekmeister]

Let's start with this one:

1) Every human on earth is an equal citizen of the world with a right to education, freedom and peace.

Oh, really? What will that 'educaton' be? And what kind of 'freedom'? Freedome to drink alcohol? An education that teaches that the Q'uran or the Bible or the Talmud are the ultimate reference? Freedom for women to wear a chadoor in class, even in a public school, or freedom to practice clitorectomies on girls for religious reasons?

Freedom is too tricky to trust to a single overriding authority. So is peace, when violent resistance is the only way to protect oneself or one's pweople from the abuses of that authority.

If this were to happen

[Centurix]

They should wear uniforms made from lycra, wear bright red codpieces and a cape. That much power should come with a high level of public humiliation.

Re:If this were to happen

[jonaskoelker]

Why do you hate Cory? http://xkcd.com/239/ ;)

Re:We've already lost

[gandhi_2]

Are you joking?

If you fire rifles at US soldiers in Afghanistan, you stand a small chance of ending up at Gitmo. Statistically, you have a better chance getting a 5.56mm sucking chest wound in the process.

No one ever ended up in a military detention facility for l33t haxor5 that don't involve military targets or v1@gra spam.

We've lost because Americans prefer creature comforts and speach-codes over liberty; social security and medicare over limited government as a social contract to secure life, liberty, and property. And no one will rebel, because they are dependent on the system. Thomas Jefferson tried to warn you.

... or I'll digitally sign a ticket!

[SEWilco]

Stop, I'm an Internetpol polinetwork interperson!