So, what about Cybercrime in Switzerland? Swiss Cybercrime Coordination Unit (KOBIK) Yesterday, I joined some people from Chaos Computer Club ZC<rich (CCCZH) to visit the Cybercrime Coordination Unit (KOBIK) in Bern. The background was a Freedom of Information Act based request by the CCCZH: KOBIK provides a list of domain names that host child pornography. It is seen as a voluntary DNS blacklist for ISPs (and all the large Swiss ISPs apply this list). Naturally, groups like the CCCZH are worried given the non-public and intransparent nature of this list, lack of independent monitoring, and its possible implications for future expansion to other areas. This is not a theoretical danger, given that a court ordered Swiss ISPs to block swissjustice.net for b defamatory statementsb. $ dig @8.8.8.8 swissjustice.net any +short # google dns "v=spf1 a mx ip4:72.34.40.81 ?all" 0 swissjustice.net. ns1.mh.tc. accounts.elinuxservers.com. 2011102801 86400 7200 3600000 86400 ns1.mh.tc. ns2.mh.tc. 72.34.40.86 $ dig @62.2.24.162 swissjustice.net any +short # cablecom.ch dns $ KOBIK, the Cybercrime Unit, invited us to look at the list. The head of the organization and his assistant gave a presentation on the background of the unit and their main activities. We asked several questions, and were repeatedly encouraged to write more questions or come for another visit any time. Down to Earth in Switzerland The atmosphere was very friendly, and we felt welcome. In some way they even wanted us to be there, to hear their side of the story. I have no reason not to believe what they told us, and I did not sense any hidden agenda. In contrast to other law enforcement agents I had contact with in the past, they did not seem to be much depressed about external influences or wrong decisions being made b above themb. In some way, Switzerland seems to be successful in buying its freedom in some areas, and, due to this independence and size, does not appear to be under the same non-stop heat of lobbyism as I am used to in Germany. Knowing about our background, they constantly tried to assure us that they were against all sorts of b otherb blocking activities, and that the lists were provided more as a side project to providers who asked about them, not because anyone would believe it is a particularly useful measure against child pornography, but to b spare children and families from accidentially stumbling across the contentb. At the same time, they contact ISP and local law enforcement. They are well aware that DNS level blocks are no defense mechanism at all, and argue against IP level blocks for their coarse granularity and side effects (and any other categories of blocking for that matter). Cybercrimebs Just Images I reckon itbs still not much different in other European countries, but it still came as a surpise to us to experience that the whole Switzerland Cybercrime Coordination Unit, the (quote) b center of excellence for the public, authorities and Internet service providers about legal, technical and criminological issues on Internet crimesb plus b contact for foreign cybercrime authoritiesb (my emphases), has only 10 employees at a ~$1m budget. Maybe a somewhat special situation in Switzerland and for historical reasons, it still almost completely focusses on child pornography and display of violence (hard pornography illegal in Switzerland). They will slowly expand into other directions in the future, but specifically grew out of a working group around a large child pornography case in the 90s, Operation Genesis. Also, they themselves argue that most crimes involve the real world and are better suited to be dealt with in the traditional departments. Yes, Porn How do they find the sites in the first place? They have three main sources: a form where anyone can report suspicious websites banonymouslyb (they do log IPs and donbt offer HTTPS!). Secondly, INTERPOL seems to maintain a somewhat broader list, but KOBIK verifies each site again for specific violations of Swiss law. They also seem to conduct a limited number of own investigations. The head of department didnbt go into detail about this area, not only because they cannot talk too much about their operational strategies, but also because the whole event was more focussed on blacklist creation, distribution and verification. I donbt believe the budget allows for many investigations after all. (a few numbers are at the end of this post) Once the sites are added to the list, they are regularly checked again to see if content has changed. It sounded like a low number of countries and ISPs donbt cooperate well (but most do), and there isnbt much else they can do in such cases. The situation is different with pictures that directly involve Swiss citizens. In those cases they work together with the traditional pedocrime unit and try to seize the server. Independent monitoring So far there is no external inspection. Some ISPs seem to verify the content themselves before redirecting DNS (not all ISPs block all hostnames), which according to the KOBIK lawyer is perfectly legal to do in Switzerland. You get to see the website depicted in the screenshot, which ISPs can either self-host or use one hosted by KOBIK. Alledgely, IPs hitting the blocked sites are not stored/analyzed in any way, nor does KOBIK operate any honeypots or have legal or technical access to visitor information (no DPI/logging at ISPs). Most of the sites they deal with, at least concerning the blocks, are public websites full of advertisements and clearly not b insider exchangesb, and tend to move quickly. The turnaround time for the full list is only a few days (until most or all sites are either taken down or moved somewhere else), and most sites and pictures pop up again under a different name. Need some hash? Another growing area for KOBIK is the maintenance of a database of b 100% illegal child pornographyb hashes for various commercial forensic tools used by the different Kantons (states). Looking for (or at) evidence in child pornography cases is arguably not a very delightful job, so investigators more and more turn to automatic tools for that. KOBIK stated that they are careful about only including definitive matches and pick out only 100% clear-cut child pornography images for this. Encryption and Tor Given my background, I was naturally quite interested in their take on Tor, and how often they come across encryption. While they are not involved in the seizure or forensic analysis of machines very much, they did say that b apparently most pedo criminals have their blood somewhere elseb. KOBIK uses Tor in their investigations. Technical Once ISPs subscribe to the service and sign some paperwork, they get SFTP access to a daily updated and zipped textfiles of hostnames. KOBIK seemed genuinely interested in extending the cooperation towards research institutes, especially since they donbt have the manpower to properly follow up on developing trends (what kind of ISPs and ASNs are more involved than others in this business etc). Conclusion The current staff seems to have its heart at the right place. The list serves a well-intentioned purpose and was not introduced by external pressure, but as an internal idea, not alone to save the investigators the trouble to have to justify that some websites might still be up b days after a report came in.b Still, changes in political climate can come faster than KOBIK expects. Even if they can hold powers back for a while, in the end either heads will roll or, more likely, some people will want to keep their job. What if, some day rather sooner than later, something like Cleanfeed UK repeats in Switzerland? Will KOBIK stand against a court order? Not likely. And Torproject.org is already listed in several b civilizedb blocklists around the globe. This is real. Some numbers * 5000-7000 reports coming in from the public p.a. * at the time of our visit, the blocklist contained 148 hostnames * the Interpol list was said to be a bit larger, but the same order of magnitude * 10 employees (including head of department) * budget around CHF 1m ($USD 1.1m) * ~200 access providers exist in Switzerland, around 10% use the list (large ISPs, cover 90% of the population) http://www.hackerbus.eu/blog/2012/03/27/so-what-about-cybercrime-in-switzerl... -- Moritz Bartl https://www.torservers.net/ _______________________________________________ liberationtech mailing list liberationtech@lists.stanford.edu Should you need to change your subscription options, please go to: https://mailman.stanford.edu/mailman/listinfo/liberationtech If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?" You will need the user name and password you receive from the list moderator in monthly reminders. You may ask for a reminder here: https://mailman.stanford.edu/mailman/listinfo/liberationtech Should you need immediate assistance, please contact the list moderator. Please don't forget to follow us on http://twitter.com/#!/Liberationtech ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE