Reply From: Chris Wilson <cmw32@hermes.cam.ac.uk>
> Cops see little hope in controlling computer crime
This title strikes me as rather inappropriate. They're not trying to
control computer crime generally, just crime against themselves - attacks
on the [In]justice Department.
> Invisible criminals Law enforcement officers say one of their biggest
> challenges paradoxically remains knowing when a crime is committed.
Because of the nature of cyber crime, the definition of where a crime has
been "committed" needs to be reviewed. A crime is actually committed in
two places at once, the location of the cracker and the location of the
victim. While this may seem obvious to us, it seems that it wasn't to the
"journalist" who wrote the piece. God, I hate bad journalism.
Mea Culpa, can I make a request that perhaps you might be able to filter
off some of the really poor stuff you receive?
> According to the DOJ's Charney, the number of cases involving encrypted
> data climbed from three percent in 1996 to seven percent in 1997. If that
> trend continues, he said, the only tactic left for law enforcement is to
> increase its surveillance capabilities.
Maybe Mr Charney can tell me what on earth the connection is between
encryption and the break-ins to the DOJ's computers? The teenage crackers
arrested earlier this year as part of the "most sophisticated attack" on
military computers ever (if I recall correctly the agency's own remarks at
the time) didn't use encryption. I very much doubt whether encryption has
EVER been involved in an attack on government computer systems.
> "If privacy advocates get their way on encryption," said Charney, "they
> may not be happy."
>
> With no way to read into encrypted electronic documents, he added, the FBI
> and others will have to rely on capturing the evidence at the source. "And
> that could really decrease privacy."
This must be a mistake. If I understand correctly then "capturing evidence
at source" means logging all packets going into or out of the Government's
computers (unless of course the Government is going to take on the noble
but impossible cause of trying to fight all crime on the Internet, not
just crime against itself, by monitoring everything).This is what most
major banks do anyway, for their own protection, and it's what the
Government ought to have been doing in the first place if they cared about
security. I don't see what impact this has on the privacy of Internet
users.
However, my main point is this: if privacy advocates DON'T get their way
then we will all be sorry. Crackers are penetrating the Internet and other
networks more and more all the time. There is no defence against them
because no computer security is perrfect any more than perfect physical
security exists (although an electronic equivalent of Alcatraz is maybe
not impossible). Another point to consider is that it is considerably
easier to keep people (or information) INSIDE than it is to keep them (it)
outside. Breaking into Alcatraz would be an awful lot easier than breaking
out of it.
The best we can hope for (in the absence of any complete solution) is to
protect ourselves with security, and security requires encryption. Even
the meager encryption we are allowed to export for use in password files
on Unix systems can be cracked in a few days in most cases. (Incidentally,
Windows password files are worse). With a $200,000 machine, the EFF
cracked an encrypted DES message in 2.5 days. Communications using DES are
not secure, because a cracker with a $20,000 machine could probably crack
the encryption key which protects ALL your data in 25 days and you
wouldn't even know that he can now read all your documents, past, present
and future.
> Luck, or a trend? It's too early to tell, but Gardner, for one, seems
> positive on the FBI's ability to prosecute. "If we know about it," she
> said, "we can usually prosecute it."
That doesn't sound very reassuring to me. How often has the FBI "known"
incorrect "facts"? And what happened to "innocence until proven guilty"?
Ciao, Chris.
___ __ _
/'__// / ,__(_)_ Wilson <Chris.Wilson@fitz.cam.ac.uk>
/ (_ / ,\/ _/ /_ \ Webmaster/SysAdmin/Timelord/BOFH/Programmer
\__//_/_/_//_/___/ "1998 isn't MCMXCVIII. The Romans would have used MIIM"
-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: New Dimensions International [www.newdimensions.net]
Received on Sat Aug 8 15:09:04 1998