Policies affecting the Internet as a whole - Hitting where it hurts
There is a certain individual at a certain ISP in the .ro domain. I have yet to determine if this user is the owner of said ISP or if they are but a user. As it may be, this person has been responsible for many hacking attempts, including the destruction of several UNIX systems (rm -rf* after gaining root) in other ISPs. The person is also suspected to have been an initiator of several damaging SYN attacks, although the only solid proof is of the UNIX hacking. Anyway, to get to the point, I along with several others have been in contact with the ISP, which is aware of the individual's activity and refuses to deal with those activities since "there are no laws affecting his use of our system in this manner, and we have no recourse." So, my question to you folks is, would something like the intentional black holing of the source network for this user (he apparently sources all attacks from one swamp Class C address) be an appropriate incentive to the ISP to deal with the problem? If so, where would be a good place to announce such measures, their goal, evidence, etc? I can see how such a thing could easily get out of hand if it's not taken seriously. Chris A. Icide Nap.Net, L.L.C.
On Fri, 27 Dec 1996 09:47:25 -0600 "Chris A. Icide" <chris@nap.net> alleged:
Anyway, to get to the point, I along with several others have been in contact with the ISP, which is aware of the individual's activity and refuses to deal with those activities since "there are no laws affecting his use of our system in this manner, and we have no recourse." So, my question to you folks is, would something like the intentional black holing of the source network for this user (he apparently sources all attacks from one swamp Class C address) be an appropriate incentive to the ISP to deal with the problem? If so, where would be a good place to announce such measures, their goal, evidence, etc? I can see how such a thing could easily get out of hand if it's not taken seriously.
You're stepping on thin ice, I'd say you'd be best to cover your own arse and let people worry about their own in cases such as this. The last thing the Internet needs is some dodgy cartel deciding on who is allowed access and who isn't. Although I've had similar experience mostly from academic sites. Regards, Neil. -- Neil J. McRae. Alive and Kicking. E A S Y N E T G R O U P P L C neil@EASYNET.NET NetBSD/sparc: 100% SpF (Solaris protection Factor) Free the daemon in your computer! http://www.NetBSD.ORG/
On Fri, 27 Dec 1996, Neil J. McRae wrote:
The last thing the Internet needs is some dodgy cartel deciding on who is allowed access and who isn't. Although I've had similar experience mostly from academic sites.
I think a list of sites that refuse to deal with troublemakers (with details) would be extremely useful. If people want to use it to blackhole traffic, that would be their decision. Even more importantly, you could check it before choosing an ISP or provider to be sure that your provider is running a clean ship. That way you don't get inconvenienced by other provider's defensive acts against your provider. As an added bonus, you have some more assurance that your provider will come to your aid if you are mail bombed, ping flooded, or hacked in some other way. Providers that deal effectively with their own customers when they create trouble are much more likely to assist their own customers when they are attacked. David Schwartz WIZnet
On Fri, 27 Dec 1996 11:29:50 -0500 (EST) David Schwartz <davids@wiznet.net> alleged:
I think a list of sites that refuse to deal with troublemakers (with details) would be extremely useful. If people want to use it to blackhole traffic, that would be their decision.
Personally, I agree.
Even more importantly, you could check it before choosing an ISP or provider to be sure that your provider is running a clean ship. That way you don't get inconvenienced by other provider's defensive acts against your provider.
As an added bonus, you have some more assurance that your provider will come to your aid if you are mail bombed, ping flooded, or hacked in some other way. Providers that deal effectively with their own customers when they create trouble are much more likely to assist their own customers when they are attacked.
Indeed, Just get it right so that the press and anyone else doesn't get the wrong idea that's all I'm saying really! Neil. -- Neil J. McRae. Alive and Kicking. E A S Y N E T G R O U P P L C neil@EASYNET.NET NetBSD/sparc: 100% SpF (Solaris protection Factor) Free the daemon in your computer! http://www.NetBSD.ORG/
I think a list of sites that refuse to deal with troublemakers (with details) would be extremely useful. If people want to use it to blackhole traffic, that would be their decision.
http://www.vix.com/spam/ is one such, and contains pointers to others.
The last thing the Internet needs is some dodgy cartel deciding on who is allowed access and who isn't. Although I've had similar experience mostly from academic sites.
I agree wholeheartedly with this statement. The problem is that you want people to use the Internet responsibly, but there are differing degrees of responsibility. We need to re-define or re-distribute proper use guidelines again. As an ISP we don't limit what people want to do on the Internet, as policy. However, we also have policies against various types of "Internet abuse". Spamming, cracking, etc. We take a very hard line of these types of activities. However, that didn't stop AOL from blacklisting us. (See below)
I think a list of sites that refuse to deal with troublemakers (with details) would be extremely useful. If people want to use it to blackhole traffic, that would be their decision. David Schwartz WIZnet
The problem is: who is defining the list? AOL placed fuse.net on their blacklist. This prevented all of our subscribers from mailing into AOL. We found out that the reason they blacklisted us was that they received 144 complaints from their users about junk mail from Fuse. The problem: they were all about the same mail message. One of my ex-users mailed a message to about 1500 AOL subscribers. So, because 0.00206% of their subscriber base complained, they placed our domain on their list ((144/7,000,000)*100). They didn't contact us, they didn't find out what our policies were, they didn't even bother to find out if the user was actually posting from our site (they were, but AOL couldn't verify this). The moral. If you're going to create blacklists, make sure you have good definitions of how someone gets on, how they are notified that they are on (so they can respond), and how they can get off. AOL had none of this in place. My helpdesk just started to get flooded with calls of people who couldn't mail family members at AOL. Also, AOL was silently removing the messages. No bounces, just deletes. So, we had no way of knowing they were doing it, the mail just didn't show up. This incident has made me very wary of listmakers, and has opened my eyes on the receiver's point of view. Thoughts? If anyone's interested in reading our customer agreement, you're more than welcome. http://www.fuse.net/Fuse/customer/ca.html It's somewhat vague, but that gives us a lot of leeway as people come up with new and different ways to abuse the service. Today spamming, tomorrow iphone telemarketing? -- Robert A. Pickering Jr. Internet Services Manager Cincinnati Bell Telephone pickerin@fuse.net A Rough Whimper of Insanity (Information Superhighway) PGP key ID: 75CAFF7D 1995/05/09 PGP Fingerprint: B1 63 0C 09 D8 2E 5D 69 BB 61 A2 92 22 37 63 C3
On Fri, 27 Dec 1996, Robert A. Pickering Jr. wrote:
on (so they can respond), and how they can get off. AOL had none of this in place. My helpdesk just started to get flooded with calls of people who couldn't mail family members at AOL. Also, AOL was silently removing the messages. No bounces, just deletes. So, we had no way of knowing they were doing it, the mail just didn't show up.
You and your users should lay charges against AOL. They were in violation of the ECPA which forbids them from deleting email like that the same way the laws forbid a postal carrier from burning letters they don't want to deliver. And if anyone else is thinking of taking similar action to block email, make sure you either filter port 25 in the router or you bounce back all the email so that the sending party knows the mail is not going to be delivered. Once you accept an email message you have a legal obligation to deliver it to the addressee. Michael Dillon - Internet & ISP Consulting Memra Software Inc. - Fax: +1-604-546-3049 http://www.memra.com - E-mail: michael@memra.com
You and your users should lay charges against AOL. They were in violation of the ECPA which forbids them from deleting email like that the same way the laws forbid a postal carrier from burning letters they don't want to deliver.
And if anyone else is thinking of taking similar action to block email, make sure you either filter port 25 in the router or you bounce back all the email so that the sending party knows the mail is not going to be delivered. Once you accept an email message you have a legal obligation to deliver it to the addressee.
I agree that this is the letter, and the intent, of the ECPA. However, as a matter of enforceable practice, none of the above matters. First off, most actual spam does not have a meaningful return address -- indeed, making spam unreturnable is considered a high art by those who engage in the practice. Second and more telling, all we are required to do is make a "reasonable best effort" at returning the mail. For the U. S. Postal Service, that means they have to do with it what they do with every other letter of that postal class. Same for e-mail. What we do with e-mail when disks crash is: drop it. What we do when our network is congested is: delay it. What we do when we see a large amount of junk in a mail queue that appears to be the result of some automated process gone wild is (listen carefully) expunge it with no notice to anybody. The law will not hold you to a higher standard than "reasonable best effort". For spam, that means a black hole. I happen to black hole in the router, so that the mail never enters my system at all. But if I chose to receive the mail -- which is sometimes necessary given that not all spam comes from known addresses -- there is *nothing* the justice department would do about it, since I would be making the "reasonable best effort" for the kind of traffic that it is. The "postal class" for returned mail is "bulk". Wow, a network discussion on NANOG that is actually north american in nature.
On Fri, 27 Dec 1996, Paul A Vixie wrote:
Wow, a network discussion on NANOG that is actually north american in nature.
Basically, but not entirely; issues such as junk email, blocking networks in routers, silently deleting/dropping email, and/or launching "attacks" against other sites seem to always start in the U.S., then slowly migrate across the Internet (which is, of course, global in nature). As you will recall, this thread started because of someone in the ".ro" domain. Something a lot of people forget, is that these issues are not as simple as "contact your local law enforcement office" - the Internet knows no boundaries, so it becomes quite common for problems to spread across jurisdictions (which in the "real world", leads to slower response from multiple law enforcement agencies due to required "due process" - after all, who was killed, what millions were lost?). For example, many people in Australia (".au") are hit with junk email from the U.S. (mostly ".com", it seems); in cases where the subject of the junk email relates to pornographic material for sale, the matter becomes one of breaching the laws in Australia relating to censorship/labelling of such material (and indeed, commercial advertising without the required company identifying information). What can Australian law enforcement agencies do? Not much. Do they really expect to achieve anything by extraditing someone from the U.S. to face charges of breaching numerous Commonwealth statutes? Not really. This "reality" (nothing to gain from "small fry", so nothing done) actually works in the Internet's favour, because it means law-makers and law enforcement generally stays out of the way, leaving the Internet "community" to deal with the matters themselves. Problem? Many people in the Internet "community" refuse to do anything (for whatever reason), be they small-time ISPs, or large national/international backbone providers. Sure, some people walk the walk and talk the talk - some even actually follow-through .. 
but by-and-large, these problems are growing, and with less and less co-operation within the "community", the calls for law-makers and law enforcement agencies to get involved grows louder and stronger. Is that really what everyone wants? (Serious question.) The Internet was once a *co-operative* network; whilst the Internet of today is clearly more commercial in nature compared to its academic and research origins, is it really all that much *less* co-operative? Questions were raised about "blacklists" and "cartels", and all manner of mechanisms whereby individuals and groups could be made to "toe the line" of co-operation; it was also mentioned that allowing everyone to be their own judge, jury and executioner can lead to seemingly unjust labelling of sites as "rogue", without any attempt to verify this with the sites in question. I submit that the reason a lot of this is happening is frustration - frustration that there is not enough co-operation to have stopped the problems before they got this far (let alone any further). I know that I've reached the stage whereby I don't care if I add a whole domain to an email "blacklist" (don't receive any messages from said domain) due to only a few miscreants - it's become far easier to do that, than hit my head against the proverbial brick wall, trying to get ISPs in the U.S. to do something (despite providing all evidence available). Do you realise that these sorts of lists are now becoming akin to trophy cabinets? "I have 200 entries in my list." "Oh yeah? Mine has over 500!" "Wow, gimme a copy!" This is *not* a good evolution of the Internet, surely! :-( If groups insist on adopting a passive stance in the face of all this rubbish, then it's no wonder that "blacklists" and "cartels" develop, taking matters into their own hands. If many people blocking traffic from the same site help to wake that site up to its own lack of co-operation, then maybe the end justifies the means? (Rhetorical.) 
It was suggested that using the populist media can aid in raising awareness in the "real world", to shake an ISP into action; with the ever-increasing number of incidents, and their global nature, how many people here have the time (or indeed, the money) to keep putting into this sort of activity? I know I sure as hell don't. Read that some site is not co-operating to deal with troublemakers at the site? No messing about, straight into the email blacklist. It's not always possible for an organisation to provide 100% protection, either for its users or from its users, but at least *co-operating* to do *something* is a sign of willingness - and that has to be good for everyone. Think about it - we have nothing to lose, and everything to gain by solving the problem ourselves as members of the one global community. Cheers.. David J. N. Begley Network Analyst, UWS Nepean, Australia [ Suspected "respectable" clearinghouse: http://www.vix.com/spam/ :-) ]
On Sat, 28 Dec 1996, David J N Begley wrote: [snip]
I submit that the reason a lot of this is happening is frustration - frustration that there is not enough co-operation to have stopped the problems before they got this far (let alone any further).
I know that I've reached the stage whereby I don't care if I add a whole domain to an email "blacklist" (don't receive any messages from said domain) due to only a few miscreants - it's become far easier to do that, than hit my head against the proverbial brick wall, trying to get ISPs in the U.S. to do something (despite providing all evidence available). [snip] Read that some site is not co-operating to deal with troublemakers at the site? No messing about, straight into the email blacklist. It's not always possible for an organisation to provide 100% protection, either for its users or from its users, but at least *co-operating* to do *something* is a sign of willingness - and that has to be good for everyone..
Think about it - we have nothing to lose, and everything to gain by solving the problem ourselves as members of the one global community.
Much to think about, for sure. So how about creating a "white"list? How about creating some organization for which the pre-requisite of membership would be adherence to a charter which outlined some standards and policies for dealing with other ISPs when giving complaints and standards for dealing with complaints received? The membership list could be published and serve as a list of providers worth using, rather than publishing a "bad" list (which, it has already been shown, is problematic). I'd be willing to put some time and effort into making something like this work... thoughts? peace jenni baier jenni@grmi.org
On Fri, 27 Dec 1996, jenni baier wrote:
So how about creating a "white"list?
[...snip...]
I'd be willing to put some time and effort into making something like this work...
This is a much better approach. Reward those who operate responsibly and in a sense of cooperation. I'd certainly be willing to help on a draft of such a charter. -- Robert A. Pickering Jr. Internet Services Manager Cincinnati Bell Telephone pickerin@fuse.net A Rough Whimper of Insanity (Information Superhighway) PGP key ID: 75CAFF7D 1995/05/09 PGP Fingerprint: B1 63 0C 09 D8 2E 5D 69 BB 61 A2 92 22 37 63 C3
On Fri, 27 Dec 1996, jenni baier wrote:
How about creating some organization for which the pre-requisite of membership would be adherence to a charter which outlined some standards and policies for dealing with other ISPs when giving complaints and standards for dealing with complaints received? The membership list could be published and serve as a list of providers worth using, rather than publishing a "bad" list (which, it has already been shown, is problematic).
I'd be willing to put some time and effort into making something like this work...
Have a look at http://www.ispc.org This is still a young organization but some sort of program like you are suggesting is on the to-do list there, awaiting only demand and participation of others to make it happen. Michael Dillon - Internet & ISP Consulting Memra Software Inc. - Fax: +1-604-546-3049 http://www.memra.com - E-mail: michael@memra.com
On Sat, 28 Dec 1996, David J N Begley wrote:
The Internet was once a *co-operative* network; whilst the Internet of today is clearly more commercial in nature compared to its academic and research origins, is it really all that much *less* co-operative? I know that I've reached the stage whereby I don't care if I add a whole domain to an email "blacklist" (don't receive any messages from said domain) due to only a few miscreants - it's become far easier to do that, than hit my head against the proverbial brick wall, trying to get ISPs in the U.S. to do something (despite providing all evidence available).
And it can continue to be a co-operative network. But, if you eliminate domains and people based on hearsay, or because it's easier, then you yourself are stifling that co-operation. The sites in question have no way to respond (they certainly can't send you email, and they don't even know they're on the list now).
Read that some site is not co-operating to deal with troublemakers at the site? No messing about, straight into the email blacklist. It's not always possible for an organisation to provide 100% protection, either for its users or from its users, but at least *co-operating* to do *something* is a sign of willingness - and that has to be good for everyone.
I agree that this will wake up non-cooperative sites. I don't have any problem "blacklisting" a site that has shown that they take no action or even encourage such behavior. However, I'm very much against doing so haphazardly, without notification or a chance to comply. This is what happened to my domain, and we have always acted responsibly (in my opinion) and promptly to rogue users. The problem is you can't really stop the behavior beforehand, without impacting other users. All you can do is publish the customer agreements, get people to agree to them, and then make damn sure you enforce them, so as not to attract the type of people that behave in this manner.
Think about it - we have nothing to lose, and everything to gain by solving the problem ourselves as members of the one global community.
Sure you do. You have the very sense of cooperation that you're trying to re-instill in the Internet. I certainly have a far smaller opinion of AOL now (not that it was too high to begin with). I'm certainly less willing to cooperate with them if they have a problem in the future. THEY are the ones that acted irresponsibly. By blacklisting without notification, definition, or ways to come into compliance with a policy you limit my, and others, ability to cooperate.
Cheers..
Ciao. -- Robert A. Pickering Jr. Internet Services Manager Cincinnati Bell Telephone pickerin@fuse.net A Rough Whimper of Insanity (Information Superhighway) PGP key ID: 75CAFF7D 1995/05/09 PGP Fingerprint: B1 63 0C 09 D8 2E 5D 69 BB 61 A2 92 22 37 63 C3
On Fri, 27 Dec 1996, Robert A. Pickering Jr. wrote:
And it can continue to be a co-operative network. But, if you eliminate domains and people based on hearsay, or because it's easier, then you yourself are stifling that co-operation.
I'm not advocating the elimination of domains or people (could spammers be terminated, though? Oh, never mind..) on "hearsay", but on evidence; I'm not saying that blockages are better, only saying that they're appearing because of the lack of co-operation in the first place (after hitting your head against a brick wall a few times, it becomes far less painful just to block a site and be done with the issue). Take "iq-internet.com" for example - not because they've been hammering Barry's site specifically, but in general because they've caused a lot of people a lot of grief and despite requests, complaints and demands, neither they nor their network provider (SprintLink) have done anything to "solve the issue". They've even broken Sprint's own AUP, which (you would think) gives Sprint more "ammunition" to do something, but it seems not. It was stated that people can't terminate accounts/contracts without "due process" - true, very true, and even if for legal reasons you can't say anything to the public, you can still indicate that "the wheels are turning" between the lines of whatever you do say; for example, saying "I am afraid we can say nothing more on the matter at the moment and ask that you be patient" is far better than something closer to, "It's obviously your fault and so we're not going to do diddly." See? :-) So in the end, people start to block "iq-internet.com" and try desperately to ignore it (if possible). If things get so tight, entire netblocks might end up being blocked from Sprint's address ranges, having more far-reaching effects. Think it'll never happen? Why then are people already considering this very same tactic against IBM/Advantis?
The sites in question have no way to respond (they certainly can't send you email, and they don't even know they're on the list now).
That's why providers should *co-operate* in the first place, so that blocks (either with, or without notification) don't happen; they're only appearing at the moment due to a break-down in that co-operation, not because they're the best means of solving the problem. Increase the level of co-operation and you decrease the need for "blacklists" and "blocks". Think I'm too idealistic? Think about it commercially for a second; if you upset so many people that they decide to block any connection from your site, and you're an ISP, then that could harm your business as customers discover they have to go to another ISP to get access to those sites again. It's idealistic, yes. It's also good business sense to co-operate.
The problem is you can't really stop the behavior beforehand, without impacting other users. All you can do is publish the customer agreements, get people to agree to them, and then make damn sure you enforce them...
Bingo - that last part is the most important: "make damn sure you enforce them". Agree wholeheartedly. Cheers.. dave
On Fri, 27 Dec 1996, David Schwartz wrote:
I think a list of sites that refuse to deal with troublemakers (with details) would be extremely useful. If people want to use it to blackhole traffic, that would be their decision.
Ok. I nominate UUNet to be the first on the list. (No, this isn't a UUNet flame, read on.) Recently one of their customers decided the incoming directory on our FTP server would be a good place to start a warez site. We mailed help@uu.net and noc@uu.net. Our mail included the src IP address and the times that the uploading of the warez occurred. They were fairly quick to respond with UUNet's policy on these matters. Basically they will only take action when told to do so by a law-enforcement agency. Ok, fine. I understand that they have to protect their interests and that there are legal implications to all of this. I tend to agree that this position is the safest one to take. This raises important issues, though. What do we expect providers to do? Do we expect them to take action based on email received from unknown people? It seems from some of the other posts on this topic that we do expect that. Getting back to the post that started this thread, the culprit appears to be from Romania. Since we've all read _The Cuckoo's Egg_, we know that getting anything done about international cracking is very difficult (or has this changed?). So it is a catch-22. I think very few people on this list have the time/resources to pursue prosecution for attacks, unless the attacks are extremely damaging (ie you can prove to the authorities that it cost you a LOT of money). Yet, just letting this stuff slide by is not only frustrating, it does nothing to solve the problem. I think if you are getting attacked from a specific IP or block of IPs, you have every right to filter those packets. I question the prudence of a 'blacklist', though. Just some random thoughts... -BD
Recently one of their customers decided the incoming directory on our FTP server would be a good place to start a warez site. We mailed help@uu.net and noc@uu.net. Our mail included the src IP address and the times that the uploading of the warez occurred. They were fairly quick to respond with UUNet's policy on these matters. Basically they will only take action when told to do so by a law-enforcement agency.
This is a bad idea. Once they were informed, by anyone including a private citizen, that they were an accomplice to theft, it became their responsibility to report it AND take reasonable steps to avoid having it happen again. The all-holy "common carrier" mantra does not excuse outright illegality after notice has been given.
Ok, fine. I understand that they have to protect their interests and that there are legal implications to all of this. I tend to agree that this position is the safest one to take.
I don't agree, and it wasn't (isn't) safe.
This raises important issues, though. What do we expect providers to do? Do we expect them to take action based on email received from unknown people? It seems from some of the other posts on this topic that we do expect that.
They are expected (by law, and by me) to do the "best reasonable effort" thing I was talking about before. If someone says "you are helping person X to break the law" then UUNET -- or any of us -- has to make at least a cursory investigation, and if anything comes of it a report has to be made to the law enforcement people and "reasonable steps" have to be taken to prevent a reoccurrence. I wish I could quote the title and verse of this but I had it quoted to me when I was involved in the events that were later written up in Markoff's book and I remember it pretty clearly. (The law applies to the employee in this case, not to the corporation or its officers.)
I think if you are getting attacked from a specific IP or block of IPs, you have every right to filter those packets. I question the prudence of a 'blacklist', though.
I have not yet been threatened for hosting the http://www.vix.com/spam/ page. I fully expect to be threatened at some point, but since I'm not in the ISP business it's rather hard to argue restraint of trade.
This raises important issues, though. What do we expect providers to do? Do we expect them to take action based on email received from unknown people? It seems from some of the other posts on this topic that we do expect that.
Most providers that I have dealt with will take action against a user who is originating spam when the information mailed to them from this unknown person can be corroborated with information they glean from system logs and the user's activities etc. Although you can't realistically pursue most hack attempts with legal action, the host provider, from my observations, is more than willing to kick the SOB off their systems. The question remains though, "What's reasonable?" Each provider has a different view of what they should or should not do when presented with a report of "abuse" from one of their customers. I'm almost certain this has already been done in some fashion but I'm not aware of where it might be housed so... It would be nice if some group (Hey, wait a minute.. we're something of a group..) could come up with an "Acceptable Use Policy" that people could subscribe to or use as a base for building their own policy. Keeping a list of people who have agreed to this policy or a variant of it might help new services to get the hint that this sort of stuff just doesn't go very well with many people on the net. -Wayne
Did you contact a law enforcement agency? Did we comply with their wishes?
It seems that you are asking for vigilantism, not cooperation.
-alan
]
] On Fri, 27 Dec 1996, David Schwartz wrote:
]
] > I think a list of sites that refuse to deal with troublemakers
] > (with details) would be extremely useful. If people want to use it to
] > blackhole traffic, that would be their decision.
]
] Ok. I nominate UUNet to be the first on the list. (No, this isn't a UUNet
] flame, read on.)
]
] Recently one of their customers decided the incoming directory on our FTP
] server would be a good place to start a warez site. We mailed help@uu.net
] and noc@uu.net. Our mail included the src IP address and the times that
] the uploading of the warez occurred. They were fairly quick to respond
] with UUNet's policy on these matters. Basically they will only take action
] when told to do so by a law-enforcement agency.
]
] Ok, fine. I understand that they have to protect their interests and that
] there are legal implications to all of this. I tend to agree that this
] position is the safest one to take.
]
] This raises important issues, though. What do we expect providers to do?
] Do we expect them to take action based on email received from
] unknown people? It seems from some of the other posts on this topic that
] we do expect that.
]
] Getting back to the post that started this thread, the culprit appears to
] be from Romania. Since we've all read _The Cuckoo's Egg_, we know that
] getting anything done about international cracking is very difficult (or
] has this changed?). So it is a catch-22. I think very few people on this
] list have the time/resources to pursue prosecution for attacks, unless the
] attacks are extremely damaging (ie you can prove to the authorities that
] it cost you a LOT of money). Yet, just letting this stuff slide by is not
] only frustrating, it does nothing to solve the problem.
]
] I think if you are getting attacked from a specific IP or block of IPs,
] you have every right to filter those packets. I question the prudence of a
] 'blacklist', though.
]
] Just some random thoughts...
]
] -BD
]
It seems that you are asking for vigilantism, not cooperation.
Indeed. We don't need no steenkin' legal system, we can just hang 'em right here. Maybe this whole thread could be moved to inet-excess or somewhere? I'm just a poor Ops geek trying to move packets reliably, and that's hard enough.
randy
No offense intended here but this smacks of a pathetic cop out. When supplied with various logs, supplements, and statements it doesn't take much effort or thought to start doing some checking of your own logs. The fact that you won't even go so far as to do that tells me that UU.net is too "busy" doing other things than to follow up on their own problem users. No-one said you had to do anything more than at least send the user a notice informing them that their activities were illegal and could result in termination of their account and/or legal proceedings. More often than not, this won't stop the warezpup from trying to be even more secretive but you've made your point, you've documented the fact, and you've helped another ISP in lowering their resultant problems. Later on, if you find the same user continuing along their less-than-legal path, you have documentation to back you up when you cancel them.
On Fri, 27 Dec 1996, Alan Hannan wrote:
Did you contact a law enforcement agency? Did we comply with their wishes?
It seems that you are asking for vigilantism, not cooperation.
-alan
]
] On Fri, 27 Dec 1996, David Schwartz wrote:
]
] > I think a list of sites that refuse to deal with troublemakers
] > (with details) would be extremely useful. If people want to use it to
] > blackhole traffic, that would be their decision.
]
] Ok. I nominate UUNet to be the first on the list. (No, this isn't a UUNet
] flame, read on.)
]
] Recently one of their customers decided the incoming directory on our FTP
] server would be a good place to start a warez site. We mailed help@uu.net
] and noc@uu.net. Our mail included the src IP address and the times that
] the uploading of the warez occurred. They were fairly quick to respond
] with UUNet's policy on these matters. Basically they will only take action
] when told to do so by a law-enforcement agency.
[-] Brett L. Hawn (blh @ nol dot net) [-]
[-] Networks On-Line - Houston, Texas [-]
[-] 713-467-7100 [-]
On Fri, 27 Dec 1996, Alan Hannan wrote:
Did you contact a law enforcement agency? Did we comply with their wishes?
It seems that you are asking for vigilantism, not cooperation.
Alan- What sort of law enforcement agency would contact uunet? How about my local township police department?
kim
--
kimc@w8hd.org
From: "Alan Hannan" <hannan@UU.NET>
It seems that you are asking for vigilantism, not cooperation.
Unfortunately there's truth to this comment. Too often when an issue like this is discussed we are all mesmerized by an image of getting a real bad guy. Unfortunately, as many who actually deal with this stuff know, people lie shamelessly and inflate complaints for various reasons, other times they just don't provide enough information to verify what they claim, yet may get threatening and nasty if you don't just believe every single word they say and go kill this person they feel has wronged them, on their wish. I'd say around half of the complaints I see range from "there's nothing wrong with that behavior, what's your point?", to "there's absolutely no evidence what you describe happened, but I can't help but notice the two of you have been exchanging obscenities in alt.politics.no.i.am.right, could that possibly have something to do with your accusation?" So, investigation and process are important considerations. The other problem, in any system of governance, is what is a proper sanction? In the physical world even murderers can do their time and eventually get out. Maybe you don't agree with that but just as one extreme example. Perhaps put better, in the outside world if you're caught, say, running a stop sign or some similar infraction you get a ticket which might cost you $100 and some increase in insurance etc. Get enough, and you lose your license and so on, don't do it again and it fades away after a few years. One gets the feeling that at our current level of sophistication in internet governance no matter what the infraction we'd either ignore it or crush the person's car, mostly depending on which action was more convenient at the moment. Put simply: Governance is hard. -- -Barry Shein Software Tool & Die | bzs@world.std.com | http://www.std.com Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD The World | Public Access Internet | Since 1989
On Fri, 27 Dec 1996, Chris A. Icide wrote:
There is a certain individual at a certain ISP in the .ro domain. I
So, my question to you folks is, would something like the intentional black holing of the source network for this user (he apparently sources all attacks from one swamp Class C address) be an appropriate incentive to the ISP to deal with the problem? If so, where would be a good place to announce such measures, their goal, evidence, etc?
If I were in your shoes I would write a press release explaining in layman's terms what you are doing. Then hire a Romanian translator to translate this and get the translation doublechecked by another Romanian speaker who has some technical background. Make sure the press release names the ISP clearly, i.e. MyISP Services of Lulu, Transylvania. Then fax this press release to every newspaper, radio and TV station that you can find in Romania. Try to include an inflammatory statement in the press release like "If Romanians will not police themselves then we will simply block them from the network". You can see how the press might misinterpret such a statement as meaning that Romania is about to be blocked from the entire Internet. This is good because it's what gets lots of press coverage and that's what will wake up this ISP and the other local ISP's to realize that they have to do something. Simply blocking the one ISP will accomplish nothing because the hacker will either switch ISP's or they will hack some other machine to use as the launchboard for their attacks. Michael Dillon - Internet & ISP Consulting Memra Software Inc. - Fax: +1-604-546-3049 http://www.memra.com - E-mail: michael@memra.com
participants (15)
- Alan Hannan
- Barry Shein
- Bradley Dunn
- Brett L. Hawn
- Chris A. Icide
- David J N Begley
- David Schwartz
- jenni baier
- Kim Culhan
- Michael Dillon
- Neil J. McRae
- Paul A Vixie
- randy@psg.com
- Robert A. Pickering Jr.
- Wayne Bouchard