law enforcement contacts

J. Oquendo sil at
Tue Nov 11 07:13:51 UTC 2003

On Mon, Nov 10, 2003 at 10:36:03PM -0500, Valdis.Kletnieks at wrote:
> On Mon, 10 Nov 2003 13:55:40 PST, JC Dill <nanog at>  said:
> > I have several clueful LEO contacts, but this information will be of no use
> > to you unless the crime was committed within their respective
> > jurisdictions.  LEOs get paid to act on crimes within their
> > not on crimes within their expertise.


Uhm... Correct me if I missed something, but LEO's get paid to uphold the
law BY ACTING on crime in their expertise and if it's out of their range
(jurisdiction) an LEO should have better contacts than someone on the

> On the flip side, if the LEO in question is at the state level, and it's
> a DDoS zombie network, there's a good chance that at least one of the
> zombies is in the state and therefore fair game.

You make it seem as if the typical LEO will even know what a zombie
network is. I don't want to take anything away from those decent LEO's
that know a thing or two, but I've seen an unnamed LEO for an agency in
a government testify that he didn't understand what an IP address was on a
witness stand.

One thing to keep in mind when calling in LEO's, and if you search in
Security Focus' archives you may find it, is the cost of it all. Does it
outweigh the benefit? Meaning, are you willing to have an LEA come into
your business, unhook machines to replicate disks, et al., in order to stop
something you could easily assess with some good configuring of a network?
Think about it, if by giving permission to an LEA to come in to your data
center to do what they have to do is going to cost you more in the long
run, then why not see what you can do on your own via looking for the
contacts (owners of the zombie machines) on your own.

> Even quite a good chance for LEO at the city/county level, for some of
> larger cities/counties....

Many people in the compsec -- well computing industry in general -- tend
to think that LEA's are super equipped for most things in relevance to
cybercrime. The fact is they're not, and I'm sure many have seen articles
showing this. LEA's train with guns not computers, and for those who are
already in the field, I'm sure they are a fraction of what someone's
personal perception thinks the ratio is.

To make a long rambling short, if an attacker with a zombie network is
coming in from different ranges, you're better off contacting the DoJ here
in the US, as it is an interstate matter, I'm sure they'll love to get
another example this time of year. LEA's locally are likely to do the same
(contact other agencies) if it's a given that the attacker(s) are acting
as I perceive them to be (different hosts, different networks, states,
etc.), the feds have more money to deal with that, and if they can't find
the culprit, then I'm sure they'll find someone who will pay for the
crime.  (a culprit of course I wouldn't insinuate anything).


wget -qO -|sed -n '1!G;h;$p'

J. Oquendo

sil @ politrix . org
sil @ kungfunix . net
sil @ perfidious . org
