Friday, October 23, 2009

Cops go for Regional Internet Registry

The FBI and UK Serious Organised Crime Agency are getting heavy with RIPE (thanks, Lilian!):
Andy Auld, head of intelligence at SOCA’s e-crime department… used the Russian Business Network (RBN) cybercrime network as an example of the type of criminal enterprise they were targeting. The now disbanded group used an IP network allocated by RIPE, a European body that allocates IP resources, to host scam sites, malware and child porn.

RIPE actions might lend themselves to interpretation, viewed in the harshest terms, as being complicit with cybercriminals and "involved in money laundering offences".

"We are not interpreting it that way. Instead we are working in partnership to make internet governance a less permissive environment," Auld said.

This explains some recent EU discussions about blocking "criminal IP address spaces". RIPE is unimpressed:
Press coverage this week portrayed the RIPE NCC as being involved with the criminal network provider Russian Business Network (RBN). Any connection with criminal activity, or with RBN itself, is completely unfounded.

The press coverage arose from a speech given by the Serious Organised Crime Agency (SOCA) in the UK. SOCA has since contacted the RIPE NCC with an apology. The RIPE NCC will continue to work with SOCA and other bodies to ensure criminal investigations can be carried out in an efficient manner within established laws and guidelines.


Fearghas said...

SOCA have apologised for their intemperate language to the RIPE NCC.

Just a quick clarification: RIPE is the community; the RIPE NCC is the executive/membership organisation that delivers the policy set by the community. Policy is set by the community, which is open to all; the NCC is a membership organisation, but the policy it deploys is set by the community. The NCC is governed by Dutch law, so court orders have to comply with the local jurisdiction.

The only people who can cut off a rogue ISP are the upstream ISPs. Removing the numbers in a database doesn't stop them using the numbers; it just means that when they are reissued there will be a clash and the new registrants will have to deal with "dirty numbers" that the community may refuse to handle.

In this case, my understanding from discussions on other lists is that upstream ISPs refused to route the RBN traffic. The NCC used its normal processes to ensure that the RBN was a registered business in its local jurisdiction; if Law Enforcement has a different view, then it needs to use the legal processes to change the status of the organisation for the NCC to act differently. However, see above... the only way to stop the RBN et al. is for other ISPs to refuse to route the traffic and to blackhole it so that they do not deploy proxies on their networks.

Ian Brown said...

See also the Spamhaus DROP list.

Ian Brown said...

And, an apology from SOCA.