Kaspersky Calls For 'Internet Interpol'

angry tapir writes "With cybercrime now the second largest criminal activity in the world, measures such as the creation of an 'Internet Interpol' and better cooperation between international law enforcement agencies are needed if criminals are to be curtailed in the future, Kaspersky Labs founder and security expert Eugene Kaspersky has argued. He said, 'We were talking about that 10 years ago and almost nothing has happened. Sooner or later we will have one. I am also talking about Internet passports and having an online ID. Some countries are introducing this idea, so maybe in 15 years we will all have it.'"

He dun goofed

[0racle]

The consequences will never be the same.

would that means a bright future for his company?

[Azmodan]

I really wonder how someone who sells protection would really benefits from having a more secure internet...

joy.

we all lose privacy so that the fucktards can pretend they're a little bit 'safer' from their own idiocy.

fuck 'internet passports' and 'online ids'. it's time for citizens to quit being chickenshits or eventually everything you do will be tracked back to this. this is different than the past because electronic surveillance completely erodes the natural privacy one has in the physical world. I don't want my every click, every download, every page hit recorded for some bored cop to puruse 20 years after the fact so it can be judged on current standards...all to meet a quota.

Re:joy.

[blair1q]

Then make it illegal for bored cops to peruse it, and illegal for any evidence gathered that way to be used against you, but don't make it illegal to track down criminals based on evidence of crimes.

Re:joy.

[flaming+error]

>Then make it illegal
Yeah. We could even add a constitutional amendment! Something like:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Then all we'll need is to figure out who will enforce this fine law.

Re:joy.

[epyT-R]

Are you that naive? governments make exceptions to due process all the time.. even laws that are well drafted, honed, and focused to begin with get their scopes widened over time by opportunistic politicians selling out to law enforcement and economic lobbies.

Re:joy.

[Mikkeles]

Laws can be changed or ignored. Also, everybody can be found guilty of something.

Re:joy.

[blair1q]

who will enforce this fine law

We will. That's how it works.

Re:joy.

[blair1q]

Then find the people you fear in government, and charge them with the something you say you have on them.

Re:joy.

[cayenne8]

who will enforce this fine law?

We will. That's how it works.

Trouble is...we HAD a nice 4th amendment in the US constitution, however, the Supreme Court just kind fscked us on this one a day or two ago.

I'm worried when they can blow off the constitution so readily...if they can do that, well, they'll certainly NOT have a 2nd thought about blowing off an internet mandate about using info collected from it ....if the tool is there, the authorities WILL abuse it at some time in the future.

Their track record shows this....over and over again.

Remember how RICO was only supposed to be used to go after the mafia? Hmm...well, its being used in new and creative ways all the time.

If they can now kick down your door without a warrant just because they hear some (non-threatening sounds) and smell weed outside a bunch of apt. doors...they'll have no compunction about tracking your ass down by forced internet ID marked transactions, why wait for using it for criminal investigation, just continuously fishing for information on everyone...someone will slip and we'll get them, even if we have to change the laws and go after them retroactively.

Re:joy.

[blair1q]

Then you'd better vote harder.

Re:joy.

[cdrguru]

It isn't the cops you should be worried about. Everything thing you do online has value to someone. It will provide them valuable market information. The fact that you don't click on the CNN link but do click on the Stormfront link is saleable to someone. The fact that you sort things in a list of items on Amazon by "best selling" rather than "lowest price" is worth something.

Now maybe individually these actions aren't worth much, but if a company can assemble many people's habits and actions together and offer them as a package so that trend analysis and forecasting can be done ... well, how much do you think Google was able to sell the brands of the routers actually be used in Chicago for? Better yet, how much do you think the brand names of routers in Highland Park (an affluent suburb) vs. brand names of routers in Wheeling (a mostly low-income suburb with trailer parks) is worth to DLink or Belkin?

This information is going to be collected and sold and there is nothing anyone can do about it.

Re:joy.

[flaming+error]

If "we" includes you, you're slacking off. Go arrest the surveillance state. And hurry.

Re:joy.

[RobDude]

I think a lot of people are arguing against a false dilemma here. Some people would suggest *not* giving up privacy but would welcome a more unified front from law enforcement.

As it stands now, most cyber 'crime' is only a crime in the technical sense of the world. Call the police when your computer gets hacked and see how seriously the pursue it. Unless you are a large company, dealing with millions of dollars or customer information absolutely nothing will come of it. And that's 10X true when the criminal is outside of the US.

The FBI provides tips on how to avoid being a victim of online fraud. But I sure couldn't find a place to *report it*. Just yesterday (seriously) a friend of mine had his old Hotmail account compromised and a hacker (whose IP address originated in Nigeria) send out e-mails to everyone on the list requesting money be wired. If a guy were going door-to-door in the US, and pulling a similar scam you *could* call the cops and they'd probably show up and investigate. But, the guy in Nigeria....it's pretty risk free as long as he continues to target individuals.

It's not just 'computer crime', but anything less tangible than a stereo or a car. I had my debit card number used fraudulently at a mail-order catalog. I was able to get the company to tell me it was being shipped to my town (but they refused to give any more information). I went to my bank, who refunded the charge and said they would launch an 'investigation'. I went to the police who told me to fill out a piece of paper.

Months later, my bank sent me a letter saying that they'd completed their investigation and had found that the charge *was fraudulent*. That's it. They were investigating *me*. They decided that *I* didn't do it; so they refunded my money. *NOBODY* cared or went after the people who used the card.

You'd really have to be retarded to get caught doing any of these things. No wonder it's growing.

Re:joy.

[epyT-R]

what the system says one can do and what can actually be done are two different things.

Re:joy.

[cheekyjohnson]

You could, but that wouldn't necessarily stop them. They might even alter the law later. I'd rather not ever give them this ability in the first place to minimize the risks. Sure, it might be more difficult to catch these 'criminals', but that is how it should be, in my opinion.

Re:joy.

[blair1q]

No, they aren't. You're limited only by the law and your ethics. And as long as we have a law that allows the criminals to follow their ethics, that's where our society's dialogue will reside.

Re:joy.

[DriedClexler]

I like the general idea, but what the fuck is up with the random Capitalization of Words?

Re:joy.

[e9th]

In the same vein, the Indiana Supreme Court ruled on Friday that its citizens have no right to resist even unlawful police entry into their homes.

"We believe ... a right to resist an unlawful police entry into a home is against public policy and is incompatible with modern Fourth Amendment jurisprudence," [Justice] David said, [writing for the 3-2 majority].

Re:joy.

[blair1q]

They already have "this ability".

Technically it's impossible to stop the government from tapping your wires. All you're saying is you don't want them to be able to do it in an app on their iPhones just because you pwned them on /.

The point is, because we have legal protections against their use of the ability, it doesn't matter if they have the ability.

It's the same deal with standing in front of a phalanx of police with their riot sticks out, wearing a "fuck you pig" T-shirt. They certainly have the ability to crack your skull like the dumbass you are, but they don't, because then they'd be in trouble. The answer is to make sure the law that says they'd be in trouble stays intact, not to make sure they are never issued riot sticks.

It isn't about the tools. It's about whether you can keep your freedom despite the government having the tools. If they were capable of eroding your freedom they could do that with or without the tools.

Re:joy.

[epyT-R]

I'm not sure there's anything I can say to that other than to open your eyes and have a look around at what's going on in this world. Hypocrites abound man.. law is only as good as the ethics of those who write and those who enforce..and their track records these days are pretty shitty.

Re:joy.

[lexsird]

Wow! Just WOW!!!

I can't believe they have the balls to do that! Or the stupidity, this sets a precedence that will allow pigs to do as they please. It makes moot any case against an illegal entry by law enforcement because now there IS NO ILLEGAL entry by law enforcement.

These judges need replaced now. We have a choice, we can amend our Constitution so that we can remove them either personally with amendments just for each one, or we make provisions to remove judges that cross Constitutional lines. This being a case where the Judges have urinated all over the Constitution and sit there defiant of it.

We cannot let this stand, if we do, we are cursed. I think collectively we are screwed, we have no sense of community enough to stand up against this kind of tyranny, so it's going to take individuals to fight this.

Let's just hope they get heavy handed with it right off the bat. That way they fuck with the wrong person and we get at last some brave soul to kick off the 2nd American Revolutionary War.

Re:joy.

[Pseudonym+Authority]

well i guess he should have voted harder LOL

Re:joy.

[Teancum]

In terms of "kicking off the 2nd American Revolutionary War", I think folks at Waco, Texas and Ruby Ridge certainly did plenty to try and get that going earlier. Neither one worked out all that well for those who tried to fight the system through the force of arms.

I do hope that reason and sanity can prevail, and make sure that you use the four boxes of freedom in the order they were indended:

The four boxes of freedom: Soap, Ballot, Jury, and Ammo. Please use them in that order. I keep hoping that the Ballot box can still be effective for awhile longer in America.

Re:joy.

[Legion303]

"They certainly have the ability to crack your skull like the dumbass you are, but they don't, because then they'd be in trouble."

Only if someone catches it on tape, and they don't then brutalize that person and steal the tape. Until that happens, you were "resisting arrest."

Re:joy.

[cheekyjohnson]

That's true. They can do it. But they should not be able to. They shouldn't even have the tools to do so as far as I'm concerned (to minimize the number of mistakes and malicious behavior, which can be hidden at times). That is the problem.

Re:joy.

[blair1q]

The police are your avatar in the world of crime-fighting. You need to give them the ability to beat the criminals, or there will be no point, and you will have to have your own weapons and take your own personal risk. The criminals will have whatever tools they wish.

Arm the police better than the criminals, then prohibit them from using those weapons on anyone other than criminals. If the police develop a culture of ignoring that prohibition, that's because you failed to do your due diligence in managing your employees, which requires no weapons and no personal risk at all.

Re:joy.

[Forty+Two+Tenfold]

I do hope that reason and sanity can prevail

Read 1984, especially the last chapters.

Re:joy.

[Lanteran]

Fwaaaaaaaaaah!
(A woosh that went so far over your head, it wooshed a woosh)

Re:joy.

[cheekyjohnson]

The police are your avatar in the world of crime-fighting.

And? That doesn't mean that they never have hostile intent or make mistakes. The point of warrants and limiting their powers (and abilities) is to limit the chances of either happening.

You need to give them the ability to beat the criminals

They have more than enough power without having some ridiculous ability that invades my privacy. Privacy or power to the police with a great risk of corruption? I'd much rather have the former.

I'd much rather let criminals escape than have an innocent be treated as a criminal because of one policeman's agenda or mistake.

Resources

Didn't the FBI recently admit that almost 50% of their electronic crime capabilities are spent rooting around in child porn?

So, if Internet crime is the largest category, and half of it is child porn?...

wtf?!

Someone is lying.

Think there is an agenda here?

Won't someone please think of the children?

Re:Resources

[Schadrach]

They'd like that -- if we were all thinking of the children it'd *waaaaaay* easier to bust us for child porn. How about you and your pervert buddies just stop thinking about the children and have a seat, while I call in Chris Hansen...

Re:Resources

As someone who's livelihood comes from the prosecution of child porn, you have no idea.

First off, child porn is something that can be prosecuted. The botnet creator in Romania cannot be prosecuted and is actively being protected by their government. No point in trying to go after them.

Then there are the credit card theives. They get your number and use it and you have to ... cancel the card. Well, because you're not out anything, the merchant has insurance and the credit card companies don't want to prosecute there is no point. So nobody is going after them either.

Then there are the folks selling fake pills and claiming to be in Canada when they are really in Indonesia. Well, if the Indonesian government isn't interested and is likely going to shield them, there isn't any way to go after them.

It goes on an on. Either there is nobody to prosecute or it is happening across borders with a disinterested government at the other end. The FBI has plenty of weight to throw around, but before they bring all of their focus on some international perp everyone needs to be on board with it being the "right" target - and that is very difficult to achieve. Unless of course the guy is out there on IRC bragging.

Well, I guess that leaves child porn and a few other things, like massive copyright violation. That is the day for an FBI forensic examiner. Mostly it is child porn because there is so much of it out there and nobody wants to stand up for someone involved in it. Especially when they start taking pictures and distributing them, which is how many people are caught. Forgetting to turn off the geotagging on your iPhone can be really, really embarassing. Especially when you answer the doorbell and find an FBI agent with a GPS receiver saying "Yes, it was right here" to his partner.

Re:Resources

[RubberDuckie]

Too bad you posted anonymously (though I understand why you did), as some may miss this post. Until we get everyone on the same page as to who should be prosecuted, it's just going to be too easy to hide.

Re:Resources

[Legion303]

These are good points, and they were brought up a year ago when Dan Molina from Kaspersky Labs gave his BSides Denver 2010 presentation on just this subject. The heckling was so harsh I felt a little bad for the guy, but it looks like the company decided to push the idea anyway.

Re:would that means a bright future for his compan

[zippthorne]

what are you talking about? The "internet ID" and "internet passport" become items of intense personal value that must be protected. The stakes will be even higher to protect your papers under a "papers, please." internet.

How about not?

[plover]

Instead of continually beating our heads on securing systems and people, let's remove the profit motive. If we fundamentally change how financial transactions are executed, security will becomes less of a problem.

Get the requirements for security out of Windows, and put it into trusted bank-issued smart cards. Separate authentication from authorization from identification. Build system that humans can manually verify without a Windows box being the portal through which this verification happens.

Re:How about not?

[denis-The-menace]

But then how will the rich elite know when and how the lower classes will try to change the status quo? /sarcasm

Re:How about not?

[drb226]

Separate authentication from authorization from identification.

Doesn't authentication generally mean your identification is authentic? Not sure how you separate those two.

Re:How about not?

[epyT-R]

authentication verifies you are who you say you are.. authorization grants or revokes privileges.

Re:How about not?

[mlts]

Nail, head hit:

This is how the IBM ZTIC works, although it essentially shows up a confirmation "you seriously want to move $25,000 of your cash from checking to Elbonia?"

Realistically, the best solution may be an app for the phone. You get a one time key from the app on the phone, use that to log in on the PC, then use the phone to confirm transactions. For a blackhat to get access to the account fully, they would need to compromise both the PC (so they can log in), as well as the cellphone (to approve and generate cards) at the same time.

Of course, there will be ways around this, but it is a heck of a lot harder to get a rogue app onto an Android or iOS device, make the app get in sync with the user's compromised PC in order to do an account theft. Not impossible, but it would make the average user's bank records attackable via malware, other than the fact that malware sitting passively with screenshots may be able to send off what lies in the account to a remote site.

Re:How about not?

[gstoddart]

Realistically, the best solution may be an app for the phone. You get a one time key from the app on the phone

All you've done is created another single point of failure ... and, presume that in order to do anything in a secure manner, I need to have a smart phone.

You might as well just decide that I need a facebook login as well.

Re:How about not?

[drb226]

plover said to separate 3 things. You noted 2 that are separate; I noted 2 that are not.

Re:How about not?

[mlts]

The smart phone's task is to be a separate authentication device. A SecurID card also works, or a ZTIC-like device can handle authentication and confirmations.

The reason I was mentioning a smart phone is that they are becoming quite common, and have the functionality as a computer. So, having the ability to use that device as opposed to having a dedicated dongle for access would save money and hassle for most people.

You are right, lose the device, and lose access to the account. However, places like eBay and PayPal support multiple phones or authentication tokens.

No, this isn't a perfect solution, but in this case, something is better than nothing, and for the most part, it should be considered as preferred (though still optional) for the user. No phone, no need to set phone based authentication up. Heck, just a scratch off TAN system that they have in Europe is far better than keeping the status quo.

Re:How about not?

[epyT-R]

yup. my bad.

Re:How about not?

[plover]

The problem with the phone is that it becomes a target, and it's on the network. If I want to start stealing, I just have to hack your phone. Convince you to download my "facepalm" app and it infects your payment app, or it paints a fake payment app picture. We shouldn't keep trying to trust these devices.

We're already in the boat of "something is better than nothing" and all we've got is water up to our knees making an incoherent mess.

Re:How about not?

[guybrush3pwood]

Identification = Username + ID card + chip implanted at birth

Authentication = DNA + Iris pattern + fingerprint

Authorization = none without explicit per-operation grant by competent authority

Done, I've solved it! Not the internet interpol can perfom a fine job.

Re:How about not?

[aix+tom]

How my Online banking now work. ( The next step up from the "hard coded" TAN system: )

1) I have to log in with a password
2) I enter the transaction I want to do
3) Then there is a flashing bar code type thing displayed on the screen. I then have to hold a "cheap" gadget from my bank up to it, with my Banking Card in it. That gadget is synchronized to only that one account and only that card, and reads the flashing bar-code.
4) The gadget then displays the destination bank account and the amount, which I have to confirm.
5) The gadget generates a one-time TAN ased on cryptography in combination with my banking card that I have to enter to authorize that transaction.

The advantage I see here:

This little gadget does NOTHING else. It's never actually "connected" electronically to the PC, there are no "apps" or anything that anyone can install on it that might contain back doors. Which I would actually see as the major disadvantage of using a smartphone to do it. And if I lose the device, my bank will just issue me another one. You of course one also needs the gadget AND the bank card. Usually the gadget is at home, and I have my banking card with me so there is little chance of both of them being stolen.

Re:How about not?

[mlts]

I would say that app security on phones is light years ahead of security on general computers.

For example, Android. A malicious app can install with a lot of permissions, but if it wants to get into the banking app's files, it will require breaking out of the Dalvik VM, rooting the phone, then trying to find a way to pull the data encryption key from the context of the other application.

iOS has similar security. A malicious app would have to figure out how to get out of the BSD jail, get root, find the encryption keys used for storing the data in the context of the bank app.

Because apps are very isolated from each other on phones, it is a lot harder to make undetectable malware as it is on PCs.

Plus, smartphones are a lot more resistant to drive-by browser attacks, which install the majority of malware on PCs.

To boot, since smartphones take some doing to root/jailbreak, a dumb user will be protected from an app that tries to su to root on Android.

So, smartphones are not perfect, but dual factor authentication is better than the username/password, or username/password/"show user if this is the right goat" stuff we have now.

Re:How about not?

[mlts]

That is similar to how the ZTIC system from IBM works. The only weakness in that is the fact that a blackhat can capture your authentication token (the cookie the bank uses, SSL state, etc.) Then while you are looking at your statements, the Web browser is actually making some bank transfers to Elbonia without showing you.

With the ZTIC, as it has a completely separate, secure connection to the bank, it will show you the transactions before allowing approving, so someone trying to pull money from the account would be stopped in their tracks, unless they are good enough with social engineering to get someone to ignore what their little keyfob says.

Re:How about not?

[plover]

If I say "My name is John", that's identification. Identification can be public or private. Authentication is the proof between two parties that my identification is valid. In other words, during the course of a transaction you can learn that my identity is John, and that my account number is 123, but you shouldn't be able to use that knowledge to prove to someone else that you're John or charge a purchase against account # 123. Requiring separate authentication would eliminate identity theft.

During the purchase, we should be able to authenticate each other, so I know I'm buying a $100 widget from DRB's House of Bits. I should be able to tell my bank to send $100 to DRB's House of Bits. You should be able to draw $100 from account 123. I should get a receipt that says "DRB promises to send a widget to John". Maybe there's even the involvement of an escrow agent such as a "licensed shipping company" that releases the transfer of funds upon receipt of a widget for shipment.

The proof of authorization to transfer $100, the proof of the authentication that you're DRB, that you're talking to my bank, and that I'm John, all should happen on sealed payment devices that can't be updated or hooked to the network.

The bank should supply me with the smart card that has the crypto operations and private keys already inside it. They should also send me a personal authenticator terminal, that is tamper evident, has a 10 key pad and camera for input, and a small display. They're about the size of a credit card. (There are already credit card form factor smart cards with built in 10 key pads that would be ideal, but a bit more costly.)

The camera and 10 key pad would provide the air-gapped input. I would point the camera at your corporate name or logo until my screen displayed the name of who I was going to pay. Bar codes are probably out because a human can't verify them, and people could be fooled by similar names (VVestern Bank is not the same as Western Bank), but a logo (or even just text) would be human recognizable and could be made unambiguous by use of a central registry. I'd use the 10 key pad to enter the amount, perhaps select the bank account, then add my secret PIN. The display would be a number to enter into the retailer's screen or terminal. That authorization number would be cryptographically generated on the card to permit only the transfer of $100 from my account 123 to DRB's House of Bits one time. Or there might be a second entry for approval: after I see the invoice, I enter my PIN to generate a different number to approve the transfer, but that's getting pretty complex.

Re:How about not?

[jonwil]

Forget about needing expensive hardware. Just use a system like PassWindow
http://www.passwindow.com/

Would work on any device from a mobile phone through to that shiny new 100" plasma TV you bought (the one with the inbuilt web browser)

No I dont have any connection to these guys, I just think their product is a brilliant idea and it could eliminate phishing almost entirely with far less cost to the banks than any of the electronic devices (SecurID, little calculators to generate special hashes etc) currently being used by some institutions.

Re:How about not?

[plover]

You're still thinking "old school" security, which is only slightly better than what we have today. We need a radically different approach, one that removes the motivation to hack by removing the value-carrying-apps from the network. Attacks will always be made on any point that has a presence on the network. Put payments on the phone, and phones become a target. Weird, crazy impersonation attacks that seem highly improbable today would become the XSS of tomorrow's hackers. We need a real difference in order to have a real change.

We also only get to do it once. It's a big change that promises big security improvements, and if we screw it up by overlooking even the tiniest crack in the armor, we don't get to redistribute new hardware, or retrain shoppers.

Imagine if we went with a cell phone solution. A hacker might distribute a Trojaned version of Angry Birds that usurps the "menu button" and then pretends to be your shopping app. It all looks the same to the end user, but it doesn't even take a security violation of any sort to make it happen. Or maybe it only infects jailbroken phones. Maybe it easily affects every Windows 7 Mobile platform, or iOS5, or Android 4.1.085 sometime in 2017. Every phone OS ever piloted to end users will be the target of every criminal hacker. By removing the possibility of making payments from it, it's no longer attacked. By removing the payment system from the network, it's not attackable. It's that simple.

An isolated payment device would be something people would keep track of differently than their phone. I might let a casual acquaintance borrow my phone to make a call, but I wouldn't let anyone borrow my payment device. Even if I did, it'd be sealed shut (like those RSA token keytag things.) For convenience, maybe they can be made in the shape of an iPhone cradle and stuck on the back of the phone with double-sided tape or something. But they can't share the screen or the keyboard with the phone, or the phone simply becomes the next target.

Re:How about not?

[plover]

That's it! That's exactly the kind of system I'm trying to describe!

The way you described it there may be one exploitable flaw: you said it shows you the destination bank account. That's ideal for online banking, but it would be useless to go shopping with: I don't know the bank account number of the store. I only know the store's name. I'd need to confirm on the device that the store I'm paying is HOME DEPOT, and not "account 12345"; just because the web site says "This is HOME DEPOT and our account # is 12345" puts too much trust in the PC. That part could be faked by a criminal.

Re:How about not?

[plover]

1. This may be an advantage, because they can have custom-built devices that exactly meet their specific needs. The device itself is quite simple, and it only needs to provide a trusted display and keyboard. The only trust in it a user really needs is to know that it's not skimming their PIN, and it's displaying exactly what it's supposed to display. The crypto all happens in their bank card's chip.

2. Agreed that homogeneity is bad (look at Windows) but it's worked for 10 years for RSA tokens. Sealed, tamper resistant / tamper evident units that can never be externally connected to anything are really, really strong. The key is isolation.

3. The LEOs can still arrange that with the banks, the way they are supposed to do it today. Walk up to the bank manager, say "here's a warrant, track John." The bank manager authenticates the warrant, then cooperates. For that matter, the identity of neither party in a transaction has to be kept private for this to work, so network sniffing could be done surreptitiously . The protocol can be structured to hide the authentication details, but they can see that I'm exchanging money with Amazon, or Target, or Dopey Darryl's Drug Depot.

4. I think your autocorrect is kind of screwed up. Most of us don't have a " fleshlight (NSFW)" integrated with our cell phones! :-) I agree that integration seems nice, but for security purposes the users have to understand them to be separate devices, and that the phone screen NEVER authorizes the money.

Internet passports???

[gstoddart]

Wow, I'm afraid I have to conclude this guys is possibly a little too full of himself.

If we ever get anywhere near a "single secure cyberspace", we're pretty much all screwed.

Governments will use this to stifle your privacy, your rights, and every other thing they can think of. They'll make sure they monitor everything you do, and ensure you don't do anything they don't approve of.

Anybody who thinks the solution to cybercrime is to more or less lock down the internet like this ... well, I think they deserve a series of well placed kicks to the groin. I can only see this as more or less fascism -- though I'm sure I'll be accused of hyperbole.

Privacy concerns

[digitaldc]

I understand his concern, especially after Kaspersky son's kidnapping, but this would erode online privacy to say the least.

'described himself as an “optimistic paranoid” when it came to online security'
I guess an optimistic paranoid is hoping that the next security technology is better than the one before, but never really trusting anything or anyone.

Re:Privacy concerns

[MickyTheIdiot]

In the idiot-filled corporate world it is the job of people like Kaspersky to scare empty-headed CEOs and Congrespeople by puffing themselves up as an "expert" and making wild predictions and promises in the hope of getting some money for products that will work marginally at best. He's just doing his job... so hate the system AND the idiots behind it.

Re:Privacy concerns

[vlm]

I guess an optimistic paranoid is hoping that the next security technology is better than the one before, but never really trusting anything or anyone.

There are numerous unknown enemies out there trying to get me, and my known enemies (such as the merger of govt and big business being given 1984 style tools of oppression) would of course do awful things, but its always possible to optimistically define something worse that isn't (yet) happening.

Re:this could all be moot

[AdamThor]

I really want a button ... that brings up a full trace to the person who initiated the message...

You and Gaddafi both.

What nonsense

[Mashiki]

That's what interpol's job is supposed to do in the first place in all forms. Coordinate police dept's and services around the world. The real problem isn't so much that police don't talk, it's that the governments don't give them the resources to deal with internet related crime. In Canada, financial crimes under $200k are done on a case by case basis, by local dept's or by the provincial police, if there's enough officers available to take them off traditional crimes. Financial crimes over $250k are looked at only by the RCMP, and the RCMP will not take any case under $200k due to the lack of manpower and resources. And financial crimes under $40k are pretty much written off unless there are officers available. That's not even touching on the training.

It's a sad state, but the problem is three fold. First people don't think you need more police. The average citizen to cop ratio is between 100:1 and 750:1, though in some parts of the US it's 4000:1. Second, while a lot of younger cops(that's under 40 as the average age here is around 45), see this as an issue but not a pressing one(too much traditional crime, and staff sgt's who have too few resources, or too few inspectors for the job and are on other cases). Third, politics and bureaucratic BS. There are either weak laws, no laws, a mishmash of laws, or politicians and chiefs stuck in 30-40 year old thinking.

Re:What nonsense

[Wyatt+Earp]

1:452 to 1:427 for the United States on average in 2009

For big cities its 1:426 for LAPD. 1:228 for NYPD, 1:216 for Chicago, 1:219 for Philadelphia.

Where I live, its 1:724.

Re:What nonsense

[hedwards]

No, the big issue is that Russia, China and a handful of other nations don't prosecute those crimes unless they take place completely on their soil. As long as some nations out there don't prosecute suspected crackers, there's unlikely to ever be much changed.

On top of that, in the US we failed to prosecute the corporations that were benefiting from spam while turning a blind eye to how the messages were being sent. It would be naive to say the least of them not to put two and two together when spam messages started showing up showing their goods and services being advertised. Spammers don't provide such services without some sort of profit motive.

Re:What nonsense

[cdrguru]

Anything that is "local" is going to be up to the local police with no knowledge of how to deal with an "Internet crime". That means any crime that involves use of the Internet at all - like a bank robber sending an email saying "give me all your money or I will kill people."

Anything that crosses international borders requires a great deal of cooperation and a great deal of interest. Frankly, most 2nd-world governments think they have much better things to do than prevent 1st-worlders from getting defrauded and ripped off. If someone in their country can sell fake meds to people in the USA well, more power to them. It is bringing money into their country and it isn't hurting anyone there. Maybe it is creating jobs in their little part of the world as well so it is a benefit. So (comparatively) rich Americans are losing their money? Boo hoo.

There is no way there is going to be any cooperation on an international level because of the perception that it isn't a crime and the requirement that people be trained for crimes that are a little more complicated than sticking a gun in someone's face and demanding money.

No, thank you.

[pla]

We were talking about that 10 years ago and almost nothing has happened. Sooner or later we will have one.

Nothing has happened because we the fucking people don't want it to happen. We the Geeks responsible for implementing these BS control-freak fantasies for Big Brother don't want it to happen. We the citizens of a planet rapidly coming to recognize the meaninglessness of national borders don't want our rights to depend on those available in the most restrictive theocratic dictatorship on the planet.

Nothing will happen because, for all its flaws, we designed the internet to survive government attempts to control it.

Re:No, thank you.

[NeutronCowboy]

Nothing will happen because, for all its flaws, we designed the internet to survive government attempts to control it.

But we didn't design it to survive corporate attempts to control it. And that's where it will fall apart.

Re:No, thank you.

[epyT-R]

I used to believe that latter part, but today I'm not so sure.. Unfortunately voting doesn't take into account relative intelligence and wisdom. Thus, the drooling head babbling soccer moms beat out the geeks every time. As far as implementation goes, there are always a few sellouts.

Based on a ridiculous premise

"With cybercrime now the second largest criminal activity in the world"

I call bullshit. Anything that follows is irrelevant.

Burn in hell

[EmperorOfCanada]

My detailed jargon filled response to this idea is "BURN IN HELL KASPERSKY!!!"

If that happens,...

[Inyu]

people will be publishing their IDs and passwords for everybody, and streaming encoded information through whoever's ID they like... and maybe we could even try that ontop of Facebook.

Re:this could all be moot

[epyT-R]

you want the rest of us to give up privacy AND take on the mantle of defending an online id that will automatically be considered legitimate by governmental bureaucracies just so you don't have a large spam folder? Wow..

Right now, any safety we have online is the fact that online ids are not taken seriously..

rant-like responses to TFS

[drb226]

With cybercrime now the second largest criminal activity in the world

Seriously? Way to use vague, scary words to say absolutely nothing.

better cooperation between international law enforcement agencies are needed if criminals are to be curtailed

Why do I get the feeling that large American and European corporations will be the ones to benefit most from this "international law enforcement"?

Re:rant-like responses to TFS

[gstoddart]

Why do I get the feeling that large American and European corporations will be the ones to benefit most from this "international law enforcement"?

And the citizens of pretty much everywhere will be the ones who lose the most.

The democracies will become even more like surveillance societies. The places with questionable human rights records will be sold this stuff so they can further control their people (by companies who only care about the bottom line). And, the outright dictators will think it's just grand as they can lock down dissent.

We all lose in a scenario like this ... having everything you do on the internet tied to a single, government issued network ID won't work. And, in fact, it will probably mean that innocent people become even more targeted by cybercrime -- think how valuable of a target those ids will become, and think of how difficult it will be to fix it when they're compromised.

Not only won't this alleviate crime, it will erode our rights and freedoms. Nothing good will come of this -- this is trying to legislate a solution to a problem which legislation can't possibly hope to find a solution.

Kaspersky's History

[Stormy+Dragon]

Anytime Yevgeny Kaspersky profers his advice on how internet security should work, it should be remembered that he is a former KGB officer.

This is really allow about making it easier for States to control what people do online.

Re:Kaspersky's History

[Wyatt+Earp]

All I can find on this is - "Kaspersky graduated from the Institute of Cryptography, Telecommunications and Computer Science, an institute co-sponsored by the Russian Ministry of Defence and the KGB."

And - http://www.theregister.co.uk/2008/02/15/kaspersky_profile_mixup/
http://www.guardian.co.uk/theguardian/2008/feb/13/4
"The Guardian has apologised to Eugene Kaspersky after mistakingly naming the anti-virus guru as a former KGB officer. Eugene Kaspersky, co-founder and chief exec of the internet security company Kaspersky Lab, was described as a "KGB man" and a lieutenant in the KGB in an otherwise accurate article (The ex-KGB man stalking the cybercriminals since renamed The Russian defence against global cybercrime)."

Re:Kaspersky's History

[Stormy+Dragon]

Yes, clearly the guy who want to KGB funded school and then worked in a KGB funded research lab has NOTHING to do with KGB. If you even read the Guardian correction, they don't actually say what they said is wrong, just that it was a mistake to say it (compare the wishy washy wording in that correction to the far more definite wording in the following two corrections).

Re:Kaspersky's History

[Wyatt+Earp]

If I go to a BIA school and then work for the BIA that doesn't make me an Indian Police Officer does it?

If you read the correction you'll see that the school was a joint KGB/Soviet defense ministry school and he went on to a defense ministry agency doing scientific research, not a KGB funded research laboratory.

"He got into the business by accident - he started collecting viruses as a hobby, in 1989, after his PC at the Ministry of Defence became infected with Cascade."

Soviet Ministry of Defense was not the KGB, even if he had worked in a research agency that was KGB, it wouldn't make him an officer in the KGB.

Re:Will he accept responsibility when....

[mlts]

Or even worse, the dictators would have a monitoring service that just would scan for keywords. If one of their subjects states too much stuff or passes a threshold, the program sends a memo to a secret police to make the person disappear, perhaps if the threshold of "revolution speech" is high enough, the person's family disappears too.

Can you picture someone like Stalin or Pol Pot with this ability to monitor technology in their nation? Even outside their nation, they can find who dislikes their country the most and send some goons to take care of the problem.

Of course, this will do jack shit to stop hackers. They will find a way to "borrow" someone else's identity to do their dirty work.

interpolnet

[islon]

their logo will be a cat

Re:Needed to fight botnets

[epyT-R]

the only reason the botnets are a threat is because the organizations they attack are used to having big daddy government protect them from everyone else. they don't want to take on the time and expense of designing better systems.. they buy shitty middleware and get hacked, and they think ink on paper is going to protect them.. the single best way to mitigate the botnet problem is to take windows off the market, but of course that'll never happen.

Re:Will he accept responsibility when....

[Drooling+Iguana]

Will he accept responsibility when the first atrocities happen because of a having ID and Passports on the net?

No, because neither he no anyone else not directly involved in said attrocity (as either the perpetrator or the victim) will ever hear about it.

Re:would that means a bright future for his compan

[mlts]

Bingo. Someone manages to get ahold of someone's "internet credentials" can go to town, and the owner of the creds would be nailed, both civilly and criminally for this.

Remember, we have people who are unable to tell the difference between an IP address and a person. Think about the havoc someone can reach with forged credentials.

Of course, this would make the AV company fear campaigns be able to go up a notch by telling people the consequences of someone stealing their "internet passport", and how consumers need their CPU-hogging, OS-crashing, I/O intercepting, expensive [1] crap, when in reality, something like AdBlock is what actually will get the job done.

[1]: $30 to $50 per computer per year. There is just no real point to paying that, unless you have a business, and if you have a business, you should use ForeFront or SEP which doesn't care about subscriptions.

Re:this could all be moot

[blair1q]

You think Gaddafi isn't trolling and spamming? You want that button too.

Re:this could all be moot

[blair1q]

Tell you what.

You turn in your license plates and I'll think about what I said.

Checks & Balances

[jimmerz28]

Why would ICE & DHS give up their god given rights to pull anything they wanted off the net?

This sounds like there's way too much room for possible checks and balances...

In Soviet Russia...

[Kamiza+Ikioi]

...we bring the Information into the Government Age!

Re:this could all be moot

[jhoegl]

License plates only ID your car. Your analogy is flawed.

I dunno

[Charliemopps]

Last time I checked, the majority of the criminal activity on the internet was perpetrated by Governments... what good would creating an international agency to patrol criminal activity when it would have to report to the criminals themselves?

Re:ban the use of credit cards online

[marnues]

We don't need a secondary economy inflating online prices. Screw that.

Re:Needed to fight botnets

[epyT-R]

why? it's not that other os's don't have flaws, it's that windows is straddled with use-interface expectations that are not compatible with even basic security (user processes kept separate from base system). yes windows has the capability, but the software infrastructure that supports the os does not tolerate it well. the OOTB security configuration is a joke as well,.. all it does is annoy the user into turning them off. governments and their agencies (and banks and corporations) use windows everywhere.. that's why botnets are so effective.

Re:this could all be moot

[epyT-R]

great.. I'd do that instantly. also, do away with expensive taxes-disguised-as-registration-fees...

Interpol redundancy

[chicago_scott]

Hmm... maybe there should be a telephone Interpol too.

Re:Interpol redundancy

[Zontar+The+Mindless]

Some of us might recall that, back in the Seventies, before they started the CB Radio Interpol, people were using those things for thumbing their noses at highway speed limits en masse—not to mention for arranging from time to time to score weed, speed, or dirty deeds.

Thank goodness the authorities acted quickly in that case, and were able to nip the thing in the bud!

Re:this could all be moot

[icebraining]

A government issued ID hardly violates my privacy. Mine sits at home, since I only have to show it in very specific occasions, and most aren't logged. It's completely different from having an identifiable address that everyone can see and log.

It would be like having a name plate with your SSN when you walk around.

The one thing worse than Cyber Crime...

[Vitriol+Angst]

... that I can certainly guarantee;

Is a system so secure and able to identify you, that it CANNOT allow for crimes to be committed.

Reasonable security is good. But we want a system that NEEDS the will of the governed. If people are treated fairly -- and there is a system in place where Identity can MANUALLY be ascertained, than real security is through the GOOD WILL of the people.

Also, you need people who react, rather than waiting for some authority to come by -- but that's another discussion.

Re:this could all be moot

[blair1q]

When you're out on the public roads in your 1500-lb child-smashing machine, you should be identifiable.

When you're on the public internets on your 1.5-GHz rootkit-depositing machine, you should be identifiable.

If you want to go out on the roads without ID, leave the car at home.

If you want to communicate without ID, leave the internet at home.

See how that works?

Re:this could all be moot

[blair1q]

Those taxes are rarely enough to pay for what you get. Road is a couple of million dollars a mile these days.

What we need is for Interpol to have the tools

[RobertLTux]

We already have a structure in place for law enforcement across borders we just need for them to have the tools they need to work in "cyberspace"

I just wonder why Interpol does not have
1 a facebook group
2 a set of twitter accounts
3 a region in SecondLife

im sure that the companies involved would be more than happy to certify that these accounts are actually held by the REAL agents.

Re:this could all be moot

[epyT-R]

if roads were all we were paying for, we wouldn't be trillions in debt. there's no reason to tag people's cars unless you want to track where they go and grief them while driving...you know, to bring in more money to the bloated state.

Product Placement

[Kittenman]

Lady Gaga commented that cybercrime also is one of her concerns. There you go, that will pull in a few more search-engine hits.

Re:this could all be moot

[icebraining]

I suppose you're also in favor of the mandatory name tags at all times, since anyone could be carrying a knife in their pockets and stab someone.
Maybe we should also put body and retina scanners at every building entrance? Security above all!

A PC is nothing like a car. A rootkit doesn't kill or harm physically anyone - if it can, it's the attacked machine's owner at fault, since you should never connected such machines to the Internet.
Privacy is a condition sine qua non for political freedom and the occasional theft is completely worth it.

Not to mention that this ID system would be largely irrelevant, since 1) it could be faked or stolen, just like any ID and 2) not every country would implement it and criminals would just proxy through them.

i'm sure they won't screw this up

[jsepeta]

just let me punch the guy who says "you may have won" on a thousand and one annoying popup ads

Re:would that means a bright future for his compan

[anubi]

I'll run this up the flagpole and see if anyone salutes.

Say, some large entity ( which can't easily be sued out of existence ) keeps log of all IP addresses, and if some IP addresses are dispensing problems on the web, their activites are noted, kinda like the credit reporting agencies keep track of all of us.

A web application, much like a PING, could be distributed which would query this repository. Hit it with a packet containing the IP being queried, and it would return with either a clean bill-of-health, or a pointer to news of that IP's misbehaviour if that IP has a record of dispensing problems.

Its not a guarantee of safety, but it would give one a heads-up is that IP or subnet has a history of leaving messes on the net.

First person they should arrest

[Nyder]

is the person making their commercials.

Re:ban the use of credit cards online

[doperative]

Do you work for one of the investment banks, the ones that ' invested ` us all into the toilet?

"We don't need a secondary economy inflating online prices. Screw that", marnues

Yea, that's the job of the primary economy, and you're right we are getting screwed. I notice you have nothing to say about the ability to steal product online with nothing more secure than a sequence of digits, the same ones printed on the front of the card. A bit like giving away a make-your-own-money-kit with ever desktop computer. Something only beaten in the dumbest idea ever by putting the ATM card data on a magnetic strip. Making it so much easier to extract the card info using skimmers.

Burning Down The House

"This video .. discusses policy changes 13 years ago that unleashed the sub-prime mortgage-backed securities market, which accelerated prices erratically, inviting speculation and loose lending practices which were both condoned and encouraged by existing regulation and carried out by risk-blind executives and Fannie Mae and Freddie Mac.