I think the way to go would be a not-for-profit, open-logs, open-standards group that actively counter-secured, preserved evidence, and notified the proper authorities when compromised machines were dealt with. Salient points:

Since all of their activity would be documented and available for anyone to see, it would be hard for the group to go bad. If they did, it would be relatively easy to put them in jail (but see note below about Sealand -- might cause an issue with this). This creates a positive pressure to do good, instead of bad, and accusations of impropriety would be easily disproven. Making sure that the logs weren't tampered with would be a technical issue to be resolved, as well as a personnel issue -- likely the best way to deal with even the suspicion of tampering would be to remove the suspect from activity. Regulations specifying teams of two or three operating together would also reduce the chance of a "lone-gunman" attempting to subvert the organization.

The standards created would be under pressure to be very high and very redundant, because the reputation of the team and the viability of the enterprise rides on how well they execute their "goodwill" activities. If their reputation wasn't spotless, or was damaged by a series of dubious incidents, they could be dealt with -- or, most likely, would simply vanish, as no one would support them.

Sealand/HavenCo might be a good place for this group to operate from, which would deal with most of the legal liabilities. International politics might come into play, but I can't think of a better place to deal with that than Sealand. Still, a policy of strict admittance of fault, apology, and reparations would be advised for the team.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/98/15955#15955