[AusNOG] Victorian Police - internal assistance??

Nikolai Lusan nikolai at lusan.id.au
Wed Aug 30 13:27:08 EST 2017


In the past I have been asked by solicitors, and people involved in
representing employees in disputes, to provide similar kinds of information
(general in nature) as to how certain types of things could be proven -
normally things like "how could an organisation be tracking a person's
internet browsing habits". Although in all those situations the person
asking me for advice knew me personally, so there was a personal
relationship there. To receive a call for advice from a third party is most
certainly odd.

On Wed, 2017-08-30 at 11:41 +1000, Ross Wheeler wrote:
> 
> On Wed, 30 Aug 2017, Brad Gould wrote:
> 
> > Seems like the only problem he had was that he interchanged the term
> > "ISP number" with "IP address".
> > But his concept (and base understanding) was sound - wifi users share
> > an IP address.
> 
> Umm... sorry Brad, but no.
> The users will typically have their own IP address on the "inside" of
> their network, so looking at what address another computer in the same
> house has.. is not going to tell you the IP address someone like
> lifeline would see a request from.

This is true - also the use of the term "ISP Number" would cause me to take
a beat to try to figure out what exactly he wanted (especially given that
there has been more than enough publicity recently around what an IP
address is within the scope of the data retention stuff). Also if the
person was using a device (tablet, phone, etc) that was connected to a
house's wifi network, and the mobile telephony/data network, doesn't mean
that the connection came via the IP that is shared by a standard home
internet connection. There are a number of assumptions being made there
that could be incorrect - the ISP connection might not have been a
"standard" home connection with a single IPv4 address being shared via NAT,
it may have been a connection with an IPv4 /29 (or larger) network, so it
is possible that the "house" had more than one real IP in use.

One would also think that with the introduction of the data retention laws
there had been enough information in the public domain (i.e. the media)
that the officer may have generally had more of a clue, also that there
should have been some sort of training around this area. You would also
expect a certain amount of general knowledge from personal experience with
the officer's internet connection at home.


> > Also, he successfully chose to call someone with more experience and
> > tried to confirm his reasoning.
>
> Yes, hence my question. Surely there's some internal police resource
> that could help him in an appropriate manner. To do it with evidentiary
> considerations, to explain perhaps how it works and what else he needs
> to do.

Given that most police forces have competent computer crimes units with
knowledge sufficient to, at least, point an investigating officer in the
right direction (or running it past a "scenes of crimes officer" - SOCO -
probably would have been easier/faster for him) it is surprising that an
investigating officer would look to an external party for basic information
on how an internet connection works.


> > So - well done to the officer for exceeding the average Jane/Joe in 
> > basic internet knowledge (before the call), and for asking questions 
> > rather than assuming.
> 
> Not sure I agree with you. He demonstrated more of a "dangerous level of 
> ignorance" even if he did have the bright idea of "asking questions".
> 
> > What is the problem exactly?
> 
> Well, in no particular order:
> * Why call me?
>    1. I'm not the provider
>    2. I'm not in any way involved
>    3. I'm not even in the same state.
>    4. I have no past history with this officer or station.
> 
> * With this level of apparent incompetence, I fear whatever investigation
> he's working on will be severely compromised.
> 
> * From a "doing the right thing" perspective, if I could find a suitable 
> internal resource for him, I'd attempt to put him in contact.
> 
> He did say that he called me because, basically, he found my number as
> "a local internet provider and thought he'd call for some help".
> 
> Thanks also to the many who have contacted me off-list with your various 
> war-stories of LEA-incompetence and ignorance. Seems it's widespread and 
> probably incurable.


Without knowing the exact details of the investigation, or what stage it
was at, it's not entirely fair to call it "incompetence". The officer may
have just been trying to ensure when he talked to his internal tech people
(computer crimes/SOCO) that he was asking the right questions. As we all
know from investigating technical issues any kind of investigation can be a
complex beast, you need to ensure you are asking the right questions to
begin with. LEOs do a tough job, and can't be across all aspects of all
things - they may have to investigate any number of issues with multiple
legal, operational, and technical information bridging all areas of life.

Given the information you have shared I'd say that any information you
provided him with was simply helping kickstart his investigation, and would
not be part of his evidence collection stage. It sounds very much like he
was trying to figure out where he needed to start looking, and what
questions he needed to be asking of his technical colleagues as the
investigation proceeded. 


The LEO community consists of a large group of people who would rarely have
to delve into the technical side of IT issues, and most organisations do
have competent groups for when that is needed. That said if this officer
was in a small station, in an area outside a major centre, access to those
resources may be difficult for them to access in a timely manner - hence
seeking outside advice. I would suspect that with the advent of the data
retention laws there does need to be some base level training on these
issues provided to serving LEOs, they are more frequently being put in
situations where they need to have more knowledge of these things than the
general end user (currently that is about the level of knowledge you would
expect any general LEO to have).


-- 
Nikolai Lusan <nikolai at lusan.id.au>