How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?
This question is part reality, part surreality.

Let me ask you this: What would you do when you have alerted (via abuse@ contacts) a notable ISP in the U.S. (not a tier one, and not just one of them) about KNOWN, VERIFIABLE, and RECURRING criminal activity in their customer downstreams?

And the downstream(s) do not respond? And the criminal activity continues?

The most obvious answer is: Gather evidence, contact law enforcement.

Right?

I just wanted to reach out to the NANOG on this and see what you thought... How would you handle it?

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
On Fri, 12 Oct 2007, Paul Ferguson wrote:
The most obvious answer is: Gather evidence, contact law enforcement.
Other than being provocatively phrased, it's often the same reason:

e.g. what about anti-virus vendors who turn a blind eye to criminal activity by poor detection to new/old viruses, what about law enforcement who turn a blind eye to criminal activity by poor response to new/old scams, what about software programmers who turn a blind eye to criminal activity by poor response to new/old bugs, what about banks who turn a blind eye to criminal activity by poor response to new/old reports of fraud, etc.

Law enforcement, security vendors, abuse departments try to move as fast as they can for as many cases as they can. Yes, there are some bad cops, bad security vendors, bad abuse departments; but there are also a lot of people who are trying to help as many people as possible.

And without knowing the full story, it's sometimes difficult to figure out what is really happening: <http://news.zdnet.com/2100-1009_22-908647.html>
On Fri, 12 Oct 2007, Sean Donelan wrote:
On Fri, 12 Oct 2007, Paul Ferguson wrote:
The most obvious answer is: Gather evidence, contact law enforcement.
Other than being provocatively phrased, it's often the same reason:
e.g. what about anti-virus vendors who turn a blind eye to criminal activity by poor detection to new/old viruses, what about law enforcement who turn a blind eye to criminal activity by poor response to new/old scams, what about software programmers who turn a blind eye to criminal activity by poor response to new/old bugs, what about banks who turn a blind eye to criminal activity by poor response to new/old reports of fraud, etc.
Law enforcement, security vendors, abuse departments try to move as fast as they can for as many cases as they can. Yes, there are some bad cops, bad security vendors, bad abuse departments; but there are also a lot of people who are trying to help as many people as possible.
For once, we are not talking about what good guys can do better, but about criminals.
And without knowing the full story, it's sometimes difficult to figure out what is really happening: <http://news.zdnet.com/2100-1009_22-908647.html>
* Sean Donelan:
Law enforcement, security vendors, abuse departments try to move as fast as they can for as many cases as they can.
While this might be true in general, there are always specific exceptions. ISPs are not immune to criminal activity from their employees. Perhaps ferg is facing such a situation, and getting it resolved is in our interest. We can't know.
And without knowing the full story, it's sometimes difficult to figure out what is really happening: <http://news.zdnet.com/2100-1009_22-908647.html>
There are also other problems. Judging what's actually criminal and what isn't is something best left to the legal system.

Consider the following, inadvertently stumbled across, by a mail server admin:

User A sends User B, a friend, an e-mail message. The e-mail states, "We're going to teach Tom a lesson, we're going to ambush him behind Dick's gas station, Harry's bringing an AK47 and we're going to turn him into hamburger."

Well, this seems fairly unambiguous. Do you call the cops? Or would it turn out to be a bad thing when they discovered that this was just some friends looking to gang up and frag another friend in an online shooter game?

There can be a lot of ambiguity. Just because something appears to be a crime does not make it so.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
On Fri, 12 Oct 2007, Joe Greco wrote:
There can be a lot of ambiguity. Just because something appears to be a crime does not make it so.
This thread is about criminal activity, not supposed criminal activity.
Well, in many parts of the world, criminal activity becomes such once a judge determines it to be. Until that happens, it is "alleged".

If the specific issue in question was already found by a judge to be criminal, then I offer my apologies, for I completely missed that. Otherwise, I would tend to read your messages as being "something which [you] believe to be criminal".

Some people, for example, believe - incorrectly - that certain types of e-mail spam are {legal, illegal, pick one}. Their opinions are irrelevant.

If the "criminal activity" in question is such that the OP feels a need to gather evidence and report it to the police, then I suspect that this issue hasn't been before a judge, and is instead "alleged criminal activity that I wish abuse@$foo would take care of on the basis of the allegations and their own analysis of the situation."

That doesn't make it any less serious, of course, but does change the way you need to look at the situation.

... JG
* Joe Greco:
Some people, for example, believe - incorrectly - that certain types of e-mail spam are {legal, illegal, pick one}. Their opinions are irrelevant.
I don't know what case prompted Ferg to post his message to NANOG, but I know that there are cases where failing to act is comparable to ignoring the screams for help of an "alleged" rape victim during the "alleged" crime. There might be some reasons not to do anything (fear of DoS, concerns for personal safety etc.), but I can assure you that ambiguity is not one of them.
Florian Weimer wrote:
I don't know what case prompted Ferg to post his message to NANOG, but I know that there are cases where failing to act is comparable to ignoring the screams for help of an "alleged" rape victim during the "alleged" crime.
I'm reminded of this story from earlier this year:

http://www.jsonline.com/story/index.aspx?id=568400

"For his effort, Van Iveren was charged with criminal trespass while using a dangerous weapon, criminal damage to property while using a dangerous weapon and disorderly conduct while using a dangerous weapon, all criminal misdemeanors that carry a maximum total penalty of 33 months in jail."

On a side note, now that I've gotten back on -post.... I will say that I've had pretty dismal experiences working with Law Enforcement over the years as a service provider. When you have to explain to the Feds just what IRC (for example) is, you've lost the battle :(

After repeated attempts at getting what seems to be blatant criminal activity investigated, a provider might start to think "If Law Enforcement doesn't care, why should I?" (I've avoided falling into that trap, but it is frustrating to boot someone for illegal activities and see them go on to pull the same thing at another provider even after providing evidence to authorities.)
* Mike Lewinski:
Florian Weimer wrote:
I don't know what case prompted Ferg to post his message to NANOG, but I know that there are cases where failing to act is comparable to ignoring the screams for help of an "alleged" rape victim during the "alleged" crime.
I'm reminded of this story from earlier this year:
http://www.jsonline.com/story/index.aspx?id=568400
"For his effort, Van Iveren was charged with criminal trespass while using a dangerous weapon, criminal damage to property while using a dangerous weapon and disorderly conduct while using a dangerous weapon, all criminal misdemeanors that carry a maximum total penalty of 33 months in jail."
That guy was no foreigner to the local police, apparently. I couldn't find anything regarding the outcome of his court appearance.

Of course, if you run to the help of those in apparent need, you always risk looking very stupid.

Anyway, if you've got a customer account that was created with a stolen credit card, and you get complaints about activity on that account from various parties, and you still don't act, this shows a rather significant level of carelessness. The other side of the story is that it takes months to get local police to forward the criminal complaint to state police, and state police to issue an order for seizure, even in areas of Germany where I thought we had pretty good LE coverage.
Florian Weimer wrote:
Anyway, if you've got a customer account that was created with a stolen credit card, and you get complaints about activity on that account from various parties, and you still don't act, this shows a rather significant level of carelessness. The other side of the story is that it takes months to get local police to forward the criminal complaint to state police, and state police to issue an order for seizure, even in areas of Germany where I thought we had pretty good LE coverage.
We also can't discount the possibility the "unresponsive" ISP is cooperating (willfully or not) with a police sting operation and can't respond in any way at all, for fear of jeopardizing it. Though I still say a year is likely too long.
* Joe Greco:
Some people, for example, believe - incorrectly - that certain types of e-mail spam are {legal, illegal, pick one}. Their opinions are irrelevant.
I don't know what case prompted Ferg to post his message to NANOG, but I know that there are cases where failing to act is comparable to ignoring the screams for help of an "alleged" rape victim during the "alleged" crime. There might be some reasons not to do anything (fear of DoS, concerns for personal safety etc.), but I can assure you that ambiguity is not one of them.
Yes, but you'll find that for every instance where you could be expected to assist someone in such a situation, there are a hundred situations where you are not. The existence of cases where the need to render assistance is obvious does not mean that you must render assistance in all cases.

... JG
On Fri, 12 Oct 2007, Gadi Evron wrote:
On Fri, 12 Oct 2007, Joe Greco wrote:
There can be a lot of ambiguity. Just because something appears to be a crime does not make it so.
This thread is about criminal activity, not supposed criminal activity.
I do not know of many (any) ISPs offering service to inmates in prison. Other than the provocative subject line, the thread is basically a complaint that some ISPs do not respond quickly enough to his allegations of criminal activity.
On Fri, 12 Oct 2007, Sean Donelan wrote:
On Fri, 12 Oct 2007, Gadi Evron wrote:
On Fri, 12 Oct 2007, Joe Greco wrote:
There can be a lot of ambiguity. Just because something appears to be a crime does not make it so.
This thread is about criminal activity, not supposed criminal activity.
I do not know of many (any) ISPs offering service to inmates in prison. Other than the provocative subject line, the thread is basically a complaint that some ISPs do not respond quickly enough to his allegations of criminal activity.
I am not Paul but I feel what he is saying. The question is what to do when they harbour criminal activity. Let's talk about what the question means a bit more.
On Oct 12, 2007, at 7:18 AM, Paul Ferguson wrote:
This question is part reality, part surreality.
Let me ask you this: What would you do when you have alerted (via abuse@ contacts) a notable ISP in the U.S. (not a tier one, and not just one of them) about KNOWN, VERIFIABLE, and RECURRING criminal activity in their customer downstreams?
And the downstream(s) do not respond? And the criminal activity continues?
The most obvious answer is: Gather evidence, contact law enforcement.
Right?
I just wanted to reach out to the NANOG on this and see what you thought... How would you handle it?
- ferg
We did exactly that with a similar incident and the local FBI Cyber Crimes folks told us that they couldn't help us because they were entirely dedicated to potential terrorist activities. So, I would say "contact local authorities and play it up as a terrorist act" if you want any help at all.

Regards,
Mike
We did exactly that with a similar incident and the local FBI Cyber Crimes folks told us that they couldn't help us because they were entirely dedicated to potential terrorist activities. So, I would say "contact local authorities and play it up as a terrorist act" if you want any help at all.
Or, you can somehow work into your complaint about how you are just trying to "protect the children".

Our local Cyber Crime agent, while stating something similar regarding terrorism, also told us that in order for them to even begin to investigate, the total damages would have to add up to $10K or more. I'm not entirely sure how every type of perceived criminal activity translates into such high monetary loss, but this is what we were told.

Earlier this year, we were instructed to submit information to the IC3:

http://www.ic3.gov

I've not yet had the need to use this site, so I can't vouch for its usefulness. I imagine that if Joe Consumer knows about this site, they get a lot of the aforementioned crackpots filling out complaint forms. Does anyone else happen to have experience with the IC3?

-evt
participants (8)
- Eric Van Tol
- Florian Weimer
- Gadi Evron
- Joe Greco
- Michael Smith
- Mike Lewinski
- Paul Ferguson
- Sean Donelan