July 25, 2005 10:50 AM PDT

U.K. cops want to attack terrorism Web sites

British chief police officers are asking the U.K. government for new powers that would allow them to attack terrorist Web sites.

A list of antiterror recommendations from the Association of Chief Police Officers has been handed to Members of Parliament in the wake of the London bombings this month, as the government reviews laws on how to tackle terrorism.

Under the proposals, it would become an offense to fail to disclose encryption keys and to use the Internet to facilitate acts of terrorism.

In a press statement last week, Ken Jones, chairman of the ACPO Terrorism and Allied Matters Committee, said: "(The) evolving nature of the current threat from international terrorism demands that those charged with countering the threat have the tools they need to do the job. Often there is a need to intervene and disrupt at an early stage those who are intent on terrorist activity in order to protect the public. Clearly our legislation must reflect the importance of such disruptive action."

The list of recommendations does not detail how police would attack Web sites, but in many cases remotely disabling a Web server involves a denial-of-service attack, in which floods of data are sent to the server to overwhelm it.

The organization said that the measure would help police stop the spread of child abuse images on the Web. "This power has significant benefits for counter terrorism and overlaps with other police priorities namely domestic extremism and paedophilia," ACPO said in its proposals. "This issue goes beyond national borders and requires significant international co-operation. The need for appropriate authority and warranty is implicit."

One former policeman who now works in computer forensics was concerned about the international implications of making cyberattacks legitimate. Simon Janes, international operations manager at Ibas, said: "It's no different to parachuting officers into another country to investigate something. There would have to be some international consent, but I can't see a way around it. It does pose the question, what if that (target) is another government Web site?"

A representative for Spy.org.uk, a civil-liberties advocacy Web site, also warned that attacks on foreign Web sites could backfire.

In an e-mail to CNET News.com sister site Silicon.com, the representative wrote: "Who exactly is going to define what a 'terrorist Web site' is? There are none of these hosted in the U.K., so the targets must be abroad. Will a blog or discussion forum be attacked because one or more of the posters puts up a message gleefully praising some terrorist atrocity or other?"

"The only people who seem to have a legal hacking law at the moment are the Australians, but it does not appear that they have dared to use it against overseas targets," the representative continued. "Hackers will delight in faking their IP addresses, or using U.K. government systems which they have compromised to launch 'legal' cyberattacks on their victims--how is anybody going to tell the difference?"

While the police have admitted that the time it takes to break some encryption standards has slowed investigations, moves to stop people hiding encryption keys have already been included in the Regulation of Investigatory Powers Act. However, this has yet to be approved by the Home Office, the U.K. government agency that oversees law enforcement, and the police have asked for further updates on its progress.

ACPO said: "Recent investigations have been made more complex by difficulties for investigating officers in ascertaining whereabouts of encryption keys to access computers etc. An amendment to part three of the Regulation of Investigatory Powers Act to make it an offence to fail to disclose such items would provide some sanction against suspects failing to co-operate with investigations."

But Ibas' Janes said this law could overlook cases where people forget their passwords. "It only works if you make the penalty the same for that which you are being investigated. Why would you be compelled to hand over an encryption key unless you were performing acts of terrorism? But people do forget their passwords, of course," he said.

Spy.org.uk challenged this point. The representative wrote: "Presumably what ACPO are trying to do is to remove the existing defence of 'I have genuinely forgotten my PGP pass-phrase', which is simply unfair, and it still does not acknowledge the existing weaknesses of the part three regulations with regard to opportunistic encryption keys."

Dan Ilett of Silicon.com reported from London.

4 comments

Join the conversation!
Add your comment
More brilliance from government....
How about letting the sites stay open and tracing the computers and people that log on, or exchange information on the sites?

Isn't the idea to catch them, and not simply send them scurrying into the night?

And what of the traffic that will clog the internet as a result of perfoming these DoS attacks? How many bystanders must have their internet capabilities diminished or denied because governments would rather attack the sites than the people responsible for them?
Posted by Jim Hubbard (326 comments )
Reply Link Flag
Nope...
The idea is not to catch the terrorists. The idea is to stretch their legal power on the Internet by using fear of terrorism as the vehicle for their fight against privacy and free will.
Posted by zaznet (1138 comments )
Link Flag
They're are begging to get attacked
They're just asking hackers to DDoS them right back or as the article suggest exploit the system to attack targets for them by faking IP addresses. Using such tatics is irresponsible on the part of law enforcment. I for one will have no sympathy for them when a hacker shuts down their operation or worse as retaliation.
Posted by unknown unknown (1951 comments )
Reply Link Flag
Cost Benefit Ratio?
If they do plan to use DDoS methods, it will impact many innocent users. The bandwidth required to disable a website is a bit more than the total available bandwidth to that website. Many websites and other services share that total available bandwidth, not only at the initial provider but along the entire network leading up to the website host. The costs to innocent users will be high. Other unintended targets will be taken offline or slowed to an unusable state. Customers who pay for bandwidth used could end up with extra and unexpected charges. It would be about like arming all the police officers on the streat with gatling cannons and firing off as many rounds as possible at a suspect in a crowded area.

It would cost $10 or less to evade a DDoS attack with a minimal downtime. Change of DNS records, new host uploaded, done. The manpower required to pull of a "legitimate" DDoS (with no illegal compromised hosts in the DDoS network) would cost far more than the cost of evading it.

It will likely be difficult and expensive to find multiple network providers who are willing to host the DDoS attacker machines. There is very little profit in giving bandwidth to the cause of saturating another machines bandwidth. Since that would be the purpose of such connectivity, the provider would have every right to charge a huge fee or deny service all together.

Terrorists could use the above costs to pop up hundreds of "terrorist" websites, then abandon them to be "attacked" by police. This baiting of law enforcement into copulating an attack that drains valuable police resources would allow the terrorists a cost effective way of harming those law enforcement officials in at least a financial way. This is much like a fient attack used in war to draw away enemy forces or force the enemy to expend ammunition or reveal it's strength.

It would probably just be cheaper to carpet bomb the buildings where the servers are located...
Posted by zaznet (1138 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.