F-Secure Calls For "Internetpol" To Fight Crimeware

KingofGnG points out F-Secure's Q3 2008 security summary, in which its Chief Research Officer Mikko Hypponen proposes establishing an "Internetpol," an international organization empowered to target and root out cybercrime anywhere in the world. Hypponen gives examples of why such a supernational force is needed — and these are not hard to find — but provides few details about how such an outfit could get started or how it would work. He does mention the wrinkle that in some countries malware writing, cracking, spamming, and phishing are not illegal or not prosecuted. Is an Internetpol even possible, let alone practical?

What kind of crime would it fight?

[calmofthestorm]

I can see some use for this, but I fear like most things it would go after political dissidents and copyright infringers rather than actual criminals. Generally speaking I don't want the government to have /more/ power.

Re:What kind of crime would it fight?

[Rennt]

Whats wrong with simply using Interpol to fight cyber crime? As I understand it Interpol is mostly a co-ordination and information sharing organization used by local police forces to tackle crimes that exceed national boarders. Isn't that exactly what is needed?

Come to think of it, Interpol IS used to target these kinds of crime if all governments involved thinks it is evil. Online child porn for example - and from what we hear on the news, this is kind of successful, with arrests and convictions internationally, so whats the problem?

Perhaps the intention is to target "crimes" in a country where it isn't a crime, and the local government is not very sympathetic. An "international organization empowered to target and root out cybercrime" could well shut down Pirate Bay for example.

Re:What kind of crime would it fight?

[GrpA]

I share the feeling, but I'm sick and tired of receiving all the attempts to socially engineer their way into my bank account or similar, or get me to click on some malware, and no matter how obvious these things are, sooner or later they work ( How often have you clicked on "yes" instead of "no" just to make the stupid window go away, or had a poppup pop up just under where you're about to click?)

They don't need an internetpol - they just need the police.

The problem is that the police don't like dealing with it. It's too hard to understand and they don't get paid enough and they have to deal with stupid paperwork anyway because some kid got caught painting logos on someone's wall, and now some idiot computer user is calling saying "My bank account is being hacked, help me" and the poor cop can't even cope with getting his own email to work, let alone working out how to reverse engineer some genius hacker's work to help some lady who talks like she's on crack and doesn't know why her bank account is empty... And it's the fifth time this morning...

So to fix it, the police department need to get serious about computer crime and just simply establish a department that can deal with it... And keep them separate to fix the issue, and not be a part of the group that deals with local computer crime, etc.

Just one person per state who understands technology at a basic level (eg, like most people who read this forum) is enough.

And then this one person can spend some time networking with cops from around the world (heck, send them to some junket in a hotel once a year so they can meet all the others... Maybe blackhat or something) and then knows how to apply the laws correctly and how to go after these people...

And THEN the problem starts to get fixed.

Ranting aside, I know how the situation works. I've been on the prosecuting end of several cases, in which I did the legwork. I tracked down the evidence, and prepared a one-page brief for the police involved, including details on the exact crime committed, the evidence, who has the evidence and the phone numner to call to get it.

If you give the police a target they can understand, they usually are more than willing to take the case on.

When I last did that, they even sent a raiding party and siezed the guy, his computer and everything else within hours of my sending the details. They had a written confession out of him within two hours!

Most people who are still feeling the umbrage of having been owned don't understand this and it's not suprising the police don't want to help, especially when they don't know where to start.

My experience is that the existing laws are usually sufficient. It's the will and knowledge to implement them that are lacking.

GrpA

Re:What kind of crime would it fight?

[Antique+Geekmeister]

No, 'the police' really can't deal with a lot of it. As soon as it crosses city lines, your local police won't touch it. As soon as it crosses state lines, it gets handed off to the FBI, who seem simply unable and unwilling to prosecute anything below a massive threshold, and seem chronically unable to charge people with the crimes they actually did commit, and tries to leverage people as 'informants' to get the 'big fish'. So they accomplish nearly nothing. Wire fraud should really be the Secret Service's jurisdiction, but they're less interested than the FBI. And when it goes international, as many of the phishing frauds do even if they're actually run from the US, then none of them will touch it.

So what it takes is an agency _willing_ to prosecute. The Secret Service could legally take on a lot of it, but after burning their fingers with the Operation Sun Devil and the resulting Steve Jackson case that led to the creation of the EFF, they seem pretty reluctant to even try.

Re:What kind of crime would it fight?

[GrpA]

You're thinking of the events that were detailed in "The Hacker Crackdown" aren't you?...

I'm not saying your wrong, but please re-read my post. I'm saying that a lot of the time, the police are expected to do this because it's their job, except they don't know where to start, which leads to the situation that they can't actually be certain it *is* their job. So they don't do anything.

It doesn't matter if it crosses state or even federal or international lines...

Only committing crimes in another state from your home state is an old trick to avoid the attention of law enforcement. It only works for a while - the police know how to deal with this.

Imagine this. Someone in your state is breaking the law. You report the details to your local police. They arrest them.

Now consider - Someone in another state is breaking the law. You report the details to *their* local police. They arrest them.

See the difference? You can achieve that without being a police officer - but it does knowing who to contact and what to tell them. Giving them an IP address isn't enough. What they are looking for in *evidence* of a crime they can understand. Send them details of which crime is being broken, so they don't have to work it out themselves, and they know it's something they are responsible for.

Speak to their ISP in advance, explain the situation, get the ISPs contact person and let him know his local police will be in contact to collect the evidence. Most ISPs will co-operate that far - to wait for a request from the local police for information.

Learn about evidence collection. Learn what police need to do their job.

That makes all the difference in the world.

And it is the local police's job to do this. Are you some multibillion dollar exec? No, well how can you seriously expect the secret service to do this for you? Seriously?

Do you think I go and call ASIO (I'm in Australia) or ASIS everytime I find graffiti on my car?

Finding my computer's been hacked is no different. Just because they employ people in secret intelligence organisations who understand the situation doesn't make it their problem... You're a small victim, that's what the local police are there for.

GrpA

Re:What kind of crime would it fight?

[Antique+Geekmeister]

You've apparently not dealt with the police nor the laws on fraud, because you state:

> It doesn't matter if it crosses state or even federal or international lines...

This is amazingly wrong. As soon as it crosses the borders of your local police force's jurisdiction, they *must* escalate it to the authority that covers both jurisdictions, or they have little hope of getting a prosecution. This is from my direct experience with spammer and phishing fraud, and DOS attacks against systems I've dealt with. The local police on each end say 'oohhhh, we can't do that' and pass it to the FBI who completely ignore it. This is with names, dates, times, places, and a careful list of exactly what records they need to subpoena to collect the evidence for conviction. The local police on each end simply will not act.

And I expect the Secret Service to do this, for example, because they are the enforcement arm of the US Treasury: fiscal fraud is what they do (or are supposed to do). Guarding VIP's like the President was added to their responsibilities in the 19th century, but their role as fiscal agents is older, and it remains part of their charter.

Re:What kind of crime would it fight?

[GrpA]

Yes, I have dealt with federal matters, and it's amazing how the same issues that affect whether or not police will take on your complaint occur at all levels.

I did speak to the federal authorities. I did track down the people whose task it was, and I found out what they needed.

It's a bit like chinese whispers. "I can't do anything if XXXX doesn't do their job." They will tell me that, but they won't tell XXXX directly. (XXXX Being a person, agency, official, whatever). I became the "connection" between them, relaying commitments.

So I did the rounds, learned what they required (specific only to my case) and got them all to agree to what was basically an open-ended commitment. THe problem is that they couldn't discuss anything with me - since they all recognized I had no authority and privacy laws got in the way, but wouldn't start bothering their counterparts to request help, because they couldn't tell their counterparts what was going - they didn't know how to.

However, I could get them to commit to speak to XXXX, if XXXX was prepared to help, so I called *all* the XXXXs and explained the situation, and sent the details through to all of them. The XXXX's were Federal Police, State Police and Telecommunications Regulations Enforcement authorities.

Once I had them all committed, I simply became the "co-ordination" point for the exercise. I learned everyone else's role and broke the task down and sent the appropriate information to each person that was relevant to their job.

The result? As soon as they realised I had handed them a case ready to close, with all the contacts agreeing to their role, they moved immediately. The whole thing took about an hour.

In that case, I had made a slight error with regards to the law that was broken, and they called me back to let me know they couldn't actually prosecute and were helpful enough to provide additional information I needed to know to close that loophole with the way my network was set up ( Guest access can be a real issue - if you let people in, proving tresspass is impossible ).

They also provided a committment to back me up in the future if it ever happened again.

True to their word, they did the next time and I caught the guy. He was prosecuted successfully, although the next time, it was local, so I didn't need to coordinate as many people.

So please, consider my point. You need to co-ordinate *everyone* and make sure they know you have a reasonable chance of prosecution and that you've lined up your ducks, or they won't get involved.

It's no different for a cop doing that job. They need to get everyone involved too. Basically they still have to go through the same process.

Most people will do their job and help you if you remove all the obstacles first. In a perfect world, they would move their own obstacles as well, but hey, if it's your problem and affects you, it's up to you to decide how committed you are to solving it.

GrpA

One World Government

[MindlessAutomata]

No, don't write me off as a NEW WORLD ORDER!!!! guy.

Interpol is dangerously close to a one-world-government type deal. If you're into "global democracy" and the entire world under one flag, then an international police on the internet is probably no big deal to you.

But if you're afraid of big, monolithic governments as much as I am, then you'll be deathly afraid of any international police body, as Internet Police isn't just a bad idea, it's also a very dangerous slippery slope to be treading on.

Still not convinced it's not a good idea? A lot of nations have insufferable politically-correct speech laws. Germany, for example; there they censor politically undesirable viewpoints (yes, Nazis, but if you believe that freedom of speech of the individual transcends whatever the masses may think...) and in Australia, they censor games like GTAIV and other 'socially undesirable' expression.

And maybe some people aren't bothered by that. Some people think, "hey, if some majority accepted that, then tough luck for the minority, democracy prevails!" but I am just not one of them and I'll never be comfortable with governments treading on individual freedom whether a single ruler or the many stepping on them.

Re:One World Government

[Fluffeh]

Interpol is dangerously close to a one-world-government type deal. If you're into "global democracy" and the entire world under one flag, then an international police on the internet is probably no big deal to you.

Yeah, look, sorry, I can't disagree more. Interpol is not remotely close to a one-world-government deal at all. Those guys are lucky to be able to help a handful of governments catch a handful of criminals when all parties want them in prison.

While I think that an "internet police" is a laughable idea in that it would be impossible to unify all the countries with access to the internet under one police umbrella, I think doing so could have some fantastic opportunities that /. seems to have missed as the "oh gawd, the government is after my rights" folks jumped right out onto the bandwagon here first. Think about these tasks that I would love to see internet police on the case for:

1) Spam.
2) Spam.
3) Trojans on websites
4) Browser Hijacking
5) Fleecing through fake Paypal/Bank/Money websites

I am aware that point one and two may look the same, but I feel it would be in most people's minds enough to warrant those two places. If I could have a "report this as spam" button in my email client and know that it would actually go somewhere to someone to do something, man, that would be a sweet thing indeed. What's this? A website that opens a bazzilion popup windows and refuses to let me close my windows? BAM! Hit that police button right there!

Come on slashies, have a look at some of the positive possibilities here. Don't make me have to use a car analogy!

Re:One World Government

[postbigbang]

The 'one world government' lip fart is a distractive ruse designed to debase thinking that effects all of us. It's a distraction that goes back in origin to the John Birch Society, a ultra-radical right-wing batch of people that also aided the anti-flouride rouse, tried to impeach Earl Warren, and so on. It's a BS contention that's carefully calculated to debase the thought of international controls.

If this were to happen

[Centurix]

They should wear uniforms made from lycra, wear bright red codpieces and a cape. That much power should come with a high level of public humiliation.

Re:We've already lost

[gandhi_2]

Are you joking?

If you fire rifles at US soldiers in Afghanistan, you stand a small chance of ending up at Gitmo. Statistically, you have a better chance getting a 5.56mm sucking chest wound in the process.

No one ever ended up in a military detention facility for l33t haxor5 that don't involve military targets or v1@gra spam.

We've lost because Americans prefer creature comforts and speach-codes over liberty; social security and medicare over limited government as a social contract to secure life, liberty, and property. And no one will rebel, because they are dependent on the system. Thomas Jefferson tried to warn you.

... or I'll digitally sign a ticket!

[SEWilco]

Stop, I'm an Internetpol polinetwork interperson!