Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?
-- Mike Lewinski <mike@rockynet.com> wrote:
On a side note, now that I've gotten back on -post.... I will say that I've had pretty dismal experiences working with Law Enforcement over the years as a service provider. When you have to explain to the Feds just what IRC (for example) is, you've lost the battle :( After repeated attempts at getting what seems to be blatant criminal activity investigated, a provider might start to think "If Law Enforcement doesn't care, why should I?" (I've avoided falling into that trap, but it is frustrating to boot someone for illegal activities and see them go on to pull the same thing at another provider even after providing evidence to authorities.)
Exactly. Sometimes I think to myself that "...ISPs have Terms of Service and Acceptable Use Policies, so they have the scope and tools they need to boot a 'customer' who breaks the rules."

But all too often, it would appear, the potential loss of revenue seems to win out over enforcing those policies.

And as you say, if the ISP boots them, they just set up shop elsewhere.

So, back to my original question: If you alert an ISP that "bad and possibly criminal" activity is taking place by one of their customers, and they do not take corrective action (even after a year), what do you do?

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/

Paul Ferguson wrote:
So, back to my original question: If you alert an ISP that "bad and possibly criminal" activity is taking place by one of their customers, and they do not take corrective action (even after a year), what do you do?
In at least one case, where I knew the offender had been booted off his last provider, I actually stalled disconnecting him for three months while I tried getting help from law enforcement. I felt we had a better chance of getting him permanently removed from the Internet by keeping him around long enough to get court orders to investigate his most likely illegal actions that were generating abuse reports. I started out with the feds, went on to the state and finally the local sheriff before giving up and just cutting him off for lack of any other hope. But a year is too long. If it were impacting my network, I'd probably drop their routes (or blackhole the offending hosts anyway).
On Fri, 12 Oct 2007, Paul Ferguson wrote:
So, back to my original question: If you alert an ISP that "bad and possibly criminal" activity is taking place by one of their customers, and they do not take corrective action (even after a year), what do you do?
That's a different question altogether, not about criminal ISPs, which I am sure none of the members of NANOG are. Spamhaus has been known to eventually block their mail servers, which gets quick results, and lawsuits.

Gadi.

Date: Fri, 12 Oct 2007 21:23:15 GMT
From: Paul Ferguson <fergdawg@netzero.net>
Subject: Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?
[ ... ] Sometimes I think to myself that "...ISPs have Terms of Service and Acceptable Use Policies, so they have the scope and tools they need to boot a 'customer' who breaks the rules."
But all too often, it would appear, the potential loss of revenue seems to win out over enforcing those policies.
This is something most CSIRTs/CERTs/Abuse/Security people run into. At some point they will have an issue with an entity they're providing service to that management will veto. In most cases having a good chat with management about it, before they're sweet-talked too much by the other side, helps get your point across, or - in business terms - makes it management's responsibility. I've seen various scenarios played out like that, and others where the "license to disconnect" was squarely backed by management.
And as you say, if the ISP boots them, they just set up shop elsewhere.
Although I try to educate, this is a matter of life on the Internet.
So, back to my original question: If you alert an ISP that "bad and possibly criminal" activity is taking place by one of their customers, and they do not take corrective action (even after a year), what do you do?
Well, depends on the level of information and your contacts in the operational / security field. Being a member of an NREN CSIRT I can either directly or indirectly participate in local, regional and worldwide bodies where people "like us" come together. How that plays out, or how you *want* that to play out, is something you cannot predict. But sometimes other people will have advice about whom to contact within Law Enforcement, other people will chime in, other people have direct contact with clueful people etc.

But first and foremost; you try to protect my constituents. (through technical, legal, procedural etc. means)

Kind regards,
JP Velders

Hi,

First of all, I kinda picked up the thread midstream, so apologies if what is here has been dealt with by others.

As an ISP, if I receive a complaint of what may be illegal activity coming from a customer on my network, I can respond to the complaint and say I will look into it, but what action do I take? If "someone on the internet" is the complainant, do I have the right to ask for evidence of the said illegal activity (I am not in law enforcement)? Or do I forward the complaint to the "relevant authorities" (cyber crime teams too busy dealing with the good old crimes of drugs, terrorism etc. but using the internet to do their sleuthing) and then leave it at that? And until the "relevant authorities" come back to me, do I leave the situation as is, and does that mean I am turning a blind eye? Assuming, of course, that I have taken the necessary measures of "cleaning out" malicious stuff, spam, malware etc.

On the other hand, there is the issue of being what may be called a responsible "cyber citizen" and doing the needful and terminating the client if the illegal activity does not stop.

There is also the issue that many ISPs' networks cross geographic boundaries with different legislation, so if a complainant in country A says that the ISP has a customer (in country B) carrying on illegal activity, the ISP may contact the customer in country B and tell them the same, but if in country B that activity is deemed "normal", how does the ISP proceed? Terminating that client would amount to breach of contract in country B, and the ISP may end up being sued by the client in country B.

Raymond Macharia

participants (5)
- Gadi Evron
- JP Velders
- Mike Lewinski
- Paul Ferguson
- Raymond Macharia