https://bz.apache.org/bugzilla/show_bug.cgi?id=64099
Bug ID: 64099
Summary: Support for HTTP server police investigations
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: PC
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: All
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Use cases:
1. HTTP server is being used for scam / non-existent companies to fraud people
- Non existent money investments, other mechanism to cheat people
2. HTTP server is being used by terrorists to advertise their viewpoint
Problematics related to HTTP server investigation:
- Person, who get frauded, located in one country (E.g. Finland)
- HTTP Server or HTTP hosting service is located in another contry (E.g. US)
- People behind fraud might be located in 3rd contry.
To get to person, who performs fraud, need to have tight cooperation between
police
offices.
- If invested money is not big, police does not consider even
to investigate that particular case.
It should be possible to simplify police work, so locating people behind fraud
would be easier and simpler.
This is also question about whether there should be some sort of international
police (organizational changes), but I think more important that http server is
able to have technical capability to perform police investigation.
http server by default logs all transactions into local server logs, meanwhile
there should be some sort of elevated authority access (e.g. police,
international police, crime investigator, fraud investigator) - in this case
elevated authority should be
able to get full access to server without anything being logged into local
server logs.
Log could be centralized - e.g. Finnish police might have it's own log server,
where
all elevated access would be recorded.
Elevated authority / police officer should be able to get all access to http
server,
including http logs, http configuration, login information, web site files,
maybe
also local databases.
There is always a risk that access will be gained by someone, who is not police
officer or elevated authority (hacker, etc) - that's why authorized access
logging needs to have it's own means to perform "internal investigations".
I by myself haven't got into fraud situation, but one of my family relatives
did,
but I will not disclose any further details on this, just to keep information
confidential.
I'm also not working for police and don't have any means to speed up or support
police investigation - but to my best understanding police offices can
influence or support this requirement.
For my own case, I would prefer that you would contact Finnish police so they
can list more strict requirements on this ticket, but as I see it - all http
servers in future might get covered by this requirement via local laws,
obligating software requirements.
You can also contact your own local police, where http developers live and
collect requirements from them.
If anyone from police offices supports this requirement, please add your
comments here - otherwise the need of this requirement is not so clear and
development team would not be able to commit to it.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
