law enforcement contacts

> I have several clueful LEO contacts, but this information will be of no use
> to you unless the crime was committed within their respective
> jurisdictions. LEOs get paid to act on crimes within their jurisdiction,
> not on crimes within their expertise.

<rant>

Uhm... Correct me if I missed something, but LEO's get paid to uphold the
law BY ACTING on crime in their expertise and if it's out of their range
(jurisdiction) an LEO should have better contacts than someone on the
outside.

On the flip side, if the LEO in question is at the state level, and it's
a DDoS zombie network, there's a good chance that at least one of the
zombies is in the state and therefore fair game.

You make it seem as if the typical LEO will even know what a zombie
network is. I don't want to take anything away from those decent LEO's
that know a thing or two, but I've seen an unnamed LEO for an agency in
a government testify that he didn't understand what an IP address was on a
witness stand.

One thing to keep in mind when calling in LEO's, and if you search in
Security Focus' archives you may find it, is the cost of it all. Does it
outweigh the benefit? Meaning are you willing to have an LEA come into
your business unhook machines to replicate disks, et al., in order to stop
something you could easily assess with some good configuring of a network?
Think about it, if by giving permission to an LEA to come in to your data
center to do what they have to do is going to cost you more in the long
run, then why not see what you can do on your own via looking for the
contacts (owners of the zombie machines) on your own.

Even quite a good chance for LEO at the city/county level, for some of the
larger cities/counties....

Many people in the compsec -- well computing industry in general -- tend
to think that LEA's are super equipped for most things in relevance to
cybercrime. The fact is they're not, and I'm sure many have seen articles
showing this. LEA's train with guns not computers, and for those who are
already in the field, I'm sure they are a fraction of what someone's
personal perception thinks the ratio is.

To make a long rambling short, if an attacker with a zombie network is
coming in from different ranges, you're better off contacting the DoJ here
in the US, as it is an interstate matter, I'm sure they'll love to get
another example this time of year. LEA's locally are likely to do the same
(contact other agencies) if it's a given that the attacker(s) are acting
as I perceive them to be (different hosts, different networks, states,
etc.), the feds have more money to deal with that, and if they can't find
the culprit, then I'm sure they'll find someone who will pay for the
crime. (a culprit of course I wouldn't insinuate anything).

</rant>

Perhaps they will have contacts, but c'mon... how many of 'em do you really believe care?

Basically, if it isn't child porn/sexual abuse, most law enforcement agencies have bigger fish to fry... or at least, think they do. They don't care to get involved in a problem that could potentially involve multiple jurisdictions... it's just too much hassle, and they have plenty going on locally.

I *have* had encouraging results from the local folk, but that's the exception rather than the rule.

> Uhm... Correct me if I missed something, but LEO's get paid to uphold the
> law BY ACTING on crime in their expertise and if it's out of their range
> (jurisdiction) an LEO should have better contacts than someone on the
> outside.

> Perhaps they will have contacts, but c'mon... how many of 'em do you really believe care?

And even if they do care, (and have clue) if it's not obviously within their jurisdiction they can't justify working on the case.

> They don't care to get involved in a problem that could potentially involve multiple jurisdictions... it's just too much hassle, and they have plenty going on locally.

Some do care, but generally they can only become involved in one of two ways:

A) They have clear reason to believe a crime was committed in their jurisdiction (and thus reason to "open" a case and investigate), or

B) A LEO in another jurisdiction has done A, and calls them in because the crime crosses jurisdiction boundaries.

For instance, I have a friend in the SFPD who would care, but if you call him from Tulsa OK and want him to help investigate a DDoS on servers hosted at Equinix in Ashburn VA, he's not going to be able to do a thing, unless you can give him a "clear reason" to suspect that part of the crime took place within SF and thus that investigating *that part of the crime* is within his job description as a SFPD. And as much as he may care and have contacts, he's not likely to have contacts in Ashburn.

jc