On Wed, Jul 27, 2016 at 03:09:51PM +0000, Steve Mikulasik wrote:
> I am sure a lawyer would see it very differently, [...]
For what it's worth I agree, but I'm not an attorney (and neither are most of us), so I'll write from the perspective of an operator.

The healthy functioning of the Internet community relies on mutual cooperation. It always has. Part of that cooperation is ensuring that one's own operation, whether it's a single server or a worldwide collection of data centers, is not an operational hazard to the rest of the Internet. That is our first, our primary, our over-arching responsibility at all times. Understanding it, embracing it, and practicing it is something required of all of us.

This isn't a question of what's legal and what's not -- after all, that varies by jurisdiction and it's a moving target and the machinery of jurisprudence moves a few orders of magnitude more slowly than does Internet technology. It's a question of what's right.

We should all know that hosting spammers or phishers, DoS-attackers or carders, or anyone/anything like that is wrong. (Yes, there are gray areas where reasonable people can differ about what's right/wrong. But these are not among them.) We should all be doing everything we can to avoid giving them services, and if we fail in that, if they get by our screening, we should be cutting them off the moment we're aware of their presence, and banning them permanently, AND informing other operators in order to forestall their relocation.

This doesn't require legal involvement: it requires ToS that stipulate it, and if, in 2016, any service *doesn't* have ToS that stipulate these things: you need to get new attorneys and fix that today. It also requires having a functioning abuse@ address (per RFC 2142 and decades of best practices) that connects to a functioning abuse department that is empowered to investigate and act on everything that shows up there.

In a better world, this wouldn't be necessary: abuse sources/sinks/facilitators would already know of their own involvement and nobody would need to tell them. But we don't live in that world and in some cases, it's arguably difficult to tell even for very diligent operators. So if third parties are doing you the incredibly gracious favor of reporting abuse to you, thus making *your* job easier despite the fact that *your* operation is making their job harder...you should listen. You should investigate. You should say thank you. You should report the outcome. This isn't hard. It's really not. (And to those who say "we get too many abuse complaints", there is a very simple fix for that: stop facilitating so much abuse. The complaints will drop proportionately.)

The alternative to this is an Internet of escalating attacks and abuse -- which is where we find ourselves after a few decades of incompetence and negligence (those who can't be bothered) and deliberate support (those who choose to take dirty money and cash in on abuse). It's already pretty bad, which is why there are now entire sectors built on mitigating it. We can either continue to light stacks of money on fire (and that's one of the smaller costs of this) trying to stave this off or we can do what we should have been doing all along: be *personally* responsible for what our technology is doing. No excuses. No stonewalling. No blowoffs with a nod to the legal department. Just step up and do the right thing for the good of the community -- because without that community, even the biggest, richest operation is of no importance and value whatsoever.

---rsk