Your Feedback Is Requested For ‘Act Locally, Pwn Globally’
Last Updated on Saturday, 28 March 2009 06:24 Written by admin Saturday, 28 March 2009 06:24
I’m happy to announce that I’m going to be writing a monthly column for Security Focus. My first one, entitled ‘Act Locally, Pwn Globally’, was published yesterday; in it I raise some of the tough questions about prosecuting cross-border cyber attacks and what might be needed to initiate such action.
One of the things that I love about writing this blog is the smart responses that some of my posts generate, both pro and con. It makes the whole experience more enriching for everyone, in my opinion, and I hope that readers will do more of it with the columns that I write for Security Focus.
Not sure where you wanted the comments posted, so I am putting it here.
I went to your article and found it interesting (I also found the hacker nicknames/jargon entertaining as well).
I found this line, “the Pakistani Whackerz Cr3w defaced a part of India’s critical infrastructure, the Eastern Railway system Web site”, somewhat troublesome. How is the web site part of India’s critical infrastructure? Did defacing the web site stop the trains from running? Mess up operations in some way? If someone defaced the website of American Airlines, I am not sure it would do anything to their ability to function. If someone took their ticket sales server completely offline and kept it that way for a day or more, then that might be different. Perhaps I am rambling off on a tangent…
I guess your first question on how Indian law enforcement could prosecute the attack is puzzling to me as well (but I lack detailed knowledge of international law). I was under the impression that many countries had extradition treaties that would allow them to indict an individual and then ask for that person to be handed over to the complaining country. I assume that each of these treaties is unique and probably has limits on which crimes merit extradition, etc. Are crimes committed on the internet not covered by these treaties? If not, then they have no direct legal recourse against the individuals. I can envisage several other options. One is to provide the information about these individuals to their local governments, their internet service providers, and their employers. If these organizations do not take desired actions against the perps, then you could go one step further and publish the results widely (including names, usernames, addresses, etc). This might cause the governments, ISPs, or employers to take action. It could all backfire though. Information operations are tricky. If this were a cyberpunk novel, I would say that Eastern Railways should hire local gangbangers (perhaps even Indian ex-pats) to take direct action against the suspects (i.e., assault them physically). It might be faster, easier, cheaper and more satisfying than a lawsuit (and it doesn’t require you to detail exactly how bad you got pwned–face saving is important in many cultures). It would be illegal, but with enough cutouts, it might be hard to trace back.
It is hard to tell from your article whether you think the Pakistani Whackerz Cr3w (how l33t is that name?) are actually independent actors or proxies for the Pakistani government. If they are working for Pakistan, then a wide variety of more traditional tools of statecraft could be brought into play, assuming the damage warranted such action. From what I read, it doesn’t sound like the damage warrants such a response, since they have yet to take overt action in response to the Mumbai attacks (a more significant event IMHO) and other kinetic attacks in India.
The Georgian incident is more complicated. I will have to read some more and think on it a little while.