ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
To cut through the noise and non-relevant discussion, let's see if we can boil this down to a couple of issues:

1. Should ISPs be responsible for abuse from within their customer base?

1a. If so, how?

2. Should hosting providers also be held responsible for customers who abuse their services in a criminal manner?

2.a If so, how?

I think anyone in their right mind would agree that if a provider sees criminal activity, they should take action, no?

If that also holds true, then why doesn't it happen?

Providers in the U.S. are the worst offenders of hosting/accommodating criminal activities by Eastern European criminals. Period.

$.02,

- - ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
On Tue, Jun 08, 2010 at 11:14:10PM -0700, Paul Ferguson wrote:
1. Should ISPs be responsible for abuse from within their customer base?
Yes -- if they wish to be considered at least minimally professional. The principle is "if it comes from your host/network on your watch, it's your abuse". Given that many common forms of abuse are easily identified, and in many cases easily prevented with cursory due diligence upfront, there's really no excuse for what we see on a regular basis. Abusers have learned that they don't have to make the slightest effort at concealment or subtlety; even the most egregious and obvious instances can operate with impunity for extended periods of time. [1]

As I've often said, spam (to pick one form out of abuse) does not just magically fall out of the sky. If I can see it arriving on one of my networks, then surely someone else can see it leaving theirs...if only they bother to look. And of course in many cases they need not even do that, because others have already done it for them and generously published the results or furnished them to the RFC2142-designated contact address for abuse issues.

---Rsk

[1] One would think, for example, that many ISPs and web hosts would have learned by now that when a new customer fills a /24 with nonsensically named domains or with sequentially numbered domains that the spam will start any minute now. But fresh evidence arrives every day suggesting that this is still well beyond their capabilities.
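As an added illustration of the due-diligence heuristic in the footnote (not code from the original post): given a new customer's DNS records, flag labels pointed at the customer's /24 that are sequentially numbered or have almost no vowels. The domain names, addresses, block and vowel-ratio threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample (hypothetical data, not from the thread): domain -> A record.
NEW_CUSTOMER_DNS = {
    "bestdeals001.example": "198.51.100.10",
    "bestdeals002.example": "198.51.100.11",
    "bestdeals003.example": "198.51.100.12",
    "xkqzvrtpl.example":    "198.51.100.20",
    "mybakery.example":     "198.51.100.30",
    "blog.example":         "203.0.113.5",   # outside the block, ignored
}
SEQ_RE = re.compile(r"^([a-z-]+?)(\d{2,})$")  # textual stem + numeric suffix

def nonsensical(label: str, max_vowel_ratio=0.15) -> bool:
    """Heuristic: a label with almost no vowels is unlikely to be a word or brand."""
    letters = [c for c in label if c.isalpha()]
    if len(letters) < 6:           # too short to judge
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    return vowels / len(letters) <= max_vowel_ratio

def sequential_runs(labels, min_run=3):
    """Group labels by stem; return stems whose numeric suffixes form a consecutive run."""
    by_stem = defaultdict(list)
    for label in labels:
        m = SEQ_RE.match(label)
        if m:
            by_stem[m.group(1)].append(int(m.group(2)))
    runs = {}
    for stem, nums in by_stem.items():
        nums = sorted(set(nums))
        longest = cur = 1
        for a, b in zip(nums, nums[1:]):
            cur = cur + 1 if b == a + 1 else 1
            longest = max(longest, cur)
        if longest >= min_run:
            runs[stem] = longest
    return runs

def flag_customer_block(dns_records, block="198.51.100.0/24"):
    """Report suspicious naming patterns among records inside the customer's block."""
    net = ip_network(block)
    labels = [d.split(".")[0] for d, ip in dns_records.items() if ip_address(ip) in net]
    return {
        "sequential": sequential_runs(labels),
        "nonsensical": sorted(l for l in labels if nonsensical(l)),
    }
```

A hit is a reason to look before the first complaint arrives, not proof of abuse on its own.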
On Jun 8, 2010, at 11:14 PM, Paul Ferguson wrote:
To cut through the noise and non-relevant discussion, let's see if we can boil this down to a couple of issues:
1. Should ISPs be responsible for abuse from within their customer base?
Yes, but there should be an exemption from liability for ISPs that take action to resolve the situation within 24 hours of first awareness (by either internal detection or external report).
1a. If so, how?
Unless exempt as I suggested above, they should be financially liable for the cleanup costs and damages to all affected systems. They should be entitled to recover these costs from the responsible customer through a process like subrogation.
2. Should hosting providers also be held responsible for customers who abuse their services in a criminal manner?
Absolutely, with the same exemptions specified above.
2.a If so, how?
See my answer to 1a above.
I think anyone in their right mind would agree that if a provider sees criminal activity, they should take action, no?
Yes.
If that also holds true, then why doesn't it happen?
Because we don't inflict any form of liability or penalty when they fail to do so.

Owen
On 6/9/2010 06:14, Owen DeLong wrote:
On Jun 8, 2010, at 11:14 PM, Paul Ferguson wrote:
To cut through the noise and non-relevant discussion, let's see if we can boil this down to a couple of issues:
1. Should ISPs be responsible for abuse from within their customer base?
Yes, but there should be an exemption from liability for ISPs that take action to resolve the situation within 24 hours of first awareness (by either internal detection or external report).
What happened to the acronyms "AUP" and "TOS"?

--
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.
Freedom under a constitutional republic is a well armed lamb contesting the vote.

Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
1. Should ISPs be responsible for abuse from within their customer base?
Not sure; ISPs' role is just to move packets from A to B. You need to clearly define what constitutes abuse and how much of it is considered a crime. If I call your home every five minutes to harass you over the phone, is AT&T responsible?
1a. If so, how?
Pull the plug without looking at how much you are billing.
2. Should hosting providers also be held responsible for customers who abuse their services in a criminal manner?
Same as 1.
2.a If so, how?
Same as 1a.
I think anyone in their right mind would agree that if a provider sees criminal activity, they should take action, no?
If that also holds true, then why doesn't it happen?
What incentive do they have to do so? And how liable do they become if they do something without a court order or such?
Providers in the U.S. are the worst offenders of hosting/accommodating criminal activities by Eastern European criminals. Period.
Probably true, here money talks.

Cheers
Jorge
On 6/9/2010 07:39, Jorge Amodio wrote:
1. Should ISPs be responsible for abuse from within their customer base?
Not sure; ISPs' role is just to move packets from A to B. You need to clearly define what constitutes abuse and how much of it is considered a crime.
If I call your home every five minutes to harass you over the phone, is AT&T responsible?
1a. If so, how?
Pull the plug without looking at how much you are billing.
I'd say pull the plug while watching the balance sheet.

I have no idea how many providers of netnews service there are left--not many, because they waited for somebody else to solve the problems. I subscribe to one that rigorously polices spam and troll traffic (from their own customers _and_from_the_world). And for less than some of the other services. (They are associated with a German University, I think, so there may be a subsidy issue. I would pay several times as much as I do for the service--maybe an order of magnitude more.)
What incentive do they have to do so? And how liable do they become if they do something without a court order or such?
Is "survival" an incentive?
Providers in the U.S. are the worst offenders of hosting/accommodating criminal activities by Eastern European criminals. Period.
Probably true, here money talks.
But it doesn't listen. It waits for the bailout.
On 6/9/2010 07:39, Jorge Amodio wrote:
1. Should ISPs be responsible for abuse from within their customer base?
Not sure; ISPs' role is just to move packets from A to B. You need to clearly define what constitutes abuse and how much of it is considered a crime.
If I call your home every five minutes to harass you over the phone, is AT&T responsible?
How does the question change with a "regulator" telling them they are? And does it matter if I refuse all calls from ATT because they don't?
On June 9, 2010 at 07:39 jmamodio@gmail.com (Jorge Amodio) wrote:
1. Should ISPs be responsible for abuse from within their customer base?
Not sure; ISPs' role is just to move packets from A to B. You need to clearly define what constitutes abuse and how much of it is considered a crime.
If I call your home every five minutes to harass you over the phone, is AT&T responsible?
Actually, that might be in their purview. The example I would use is: if someone called you to sell you swamp land in Florida or otherwise tried to swindle you, is that the phone company's responsibility, to ensure the honesty of all phone transactions?

--
        -Barry Shein

The World              | bzs@TheWorld.com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*
:I think anyone in their right mind would agree that if a provider sees
:criminal activity, they should take action, no?

What a provider "should" do and what makes sense under the law of the land are two different things.

:If that also holds true, then why doesn't it happen?

The laws pertaining to what's required of people when witnessing a crime vary by locality within the U.S. I dunno how they work for the rest of the NANOG audience. What is required of people versus what's required of corporate entities varies, too. "Good Samaritan" laws are hardly universal, and don't always play well with the other laws of the land.

Things can get ugly when some murky behavior gets retroactively deemed a crime (perhaps by some tech-challenged judge or jury) and a provider becomes an accessory after the fact. "You mean, the DMCA makes THAT illegal?!?"

Or, perhaps a provider tries to take some small action in the face of a crime, then is deemed to have a "special relationship" making them liable for not being quite helpful enough. "You mean, I have to rebuild my entire network because my customer support rep has reported bad behavior to the authorities?"

Ultimately, acting on crime is a rat's nest. Some providers have enough trouble dealing with attacks from Pax0rland, extracting sane prices for last-mile service, evaluating/deploying new technology, keeping up with all the off-topic emails on NANOG, etc. Raise the bar so the least-paid front-line rep requires a "customer support within the law" class. Create a legal climate where the only way it makes sense to provide bits involves a big army of attorneys and lobbyists to define the regulatory climate. Let's make total provider consolidation a reality... then we won't need those pesky 32-bit ASNs. :)

Back to work...

--
Michael J. O'Connor                                          mjo@dojo.mi.org
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Not baked goods, professor... baked BADS!"                         -The Tick
On 6/9/2010 01:14, Paul Ferguson wrote:
To cut through the noise and non-relevant discussion, let's see if we can boil this down to a couple of issues:
If I may offer a few edits and comments .....
1. Should ISPs be responsible for abuse from within their customer base?

1. Should ISPs be responsible for everything from within their customer base?
1a. If so, how?
[Good question. The answers will be hard, and some of the answers will seem to some to be against their own "self interest." How does a toll-road operator do it? An inn-keeper?]
2. Should hosting providers also be held responsible for customers who abuse their services in a criminal manner?
[A legal question--is the inn keeper responsible for the harm to you of a meth lab he allows to operate in the room next to yours?]
2.a If so, how?
See above.
I think anyone in their right mind would agree that if a provider sees criminal activity, they should take action, no?
In some US states the law requires it.
If that also holds true, then why doesn't it happen?
It's hard. It costs too much (actually false in my opinion--see "trashed hotel rooms"). Somebody else should be doing it. Personal (see also "corporations as persons") responsibility is now an undefined term.
Providers in the U.S. are the worst offenders of hosting/accommodating criminal activities by Eastern European criminals. Period.
All the crap I get, I get from a (nominally[1]) US provider.

[1] China probably holds the mortgage, which is another problem for discussion another day (and somewhere else).
On Tue, Jun 08, 2010 at 11:14:10PM -0700, Paul Ferguson wrote:
To cut through the noise and non-relevant discussion, let's see if we can boil this down to a couple of issues:
1. Should ISPs be responsible for abuse from within their customer base?
No and no. The first no being legally, the second, morally. The user is responsible for the abuse. Now, if the question had been whether the ISP should be responsible for dealing with it appropriately, then the answer would be yes. Of course, when it comes to the legal aspect, it would probably vary from country to country. No, let me rephrase that: It _does_ vary from country to country, and probably also state to state. However, to hold someone else responsible for a person's criminal activity would be just plain wrong, as long as the ISP's part in the activity is only to give their customer access to networks and services that every other customer also gets access to.
2. Should hosting providers also be held responsible for customers who abuse their services in a criminal manner?
No. For several reasons. First, the hosting provider normally does not have too much control over what the customers actually do. If someone complains, or they detect something through audits or similar, that is different. But even then, there will be certain problems. How does the hosting provider know that something is, in fact, criminal? In some cases, that may be obvious, but there will be cases where the case is not so clear. If the provider might be held responsible for something their customers do, they might decide to remove legal content 'just in case'. Also, who would determine whether something is illegal or not? Tech support? The admin? I doubt that any of those are able to determine something that courts tend to spend a lot of time and resources on.
I think anyone in their right mind would agree that if a provider sees criminal activity, they should take action, no?
Not necessarily. Again, this would of course depend on the laws in the given state or country. However, people disagree on what is considered legal or not. If everyone _had_ agreed on this, the courts would have had less work. It is the responsibility of the judicial system to determine whether someone is breaking the law or not. For commercial companies to start making that sort of judgement is, at least in my opinion, _not_ a good thing.

--
Ina Faye-Lund
From a recent article at MIT Technology Review:
How ISPs Could Combat Botnets

Focusing on the top 50 infected networks could eliminate half of all compromised machines.

Convincing Internet service providers to pinpoint infected computers on their networks could eliminate the lion's share of zombie computers responsible for churning out spam and initiating other online threats, according to a new analysis.

The researchers analyzed more than 63 billion unsolicited e-mail messages sent over a four-year period and found more than 138 million unique internet addresses linked to sending out the spam. Typically such machines have been hijacked by hackers and are corralled into a vast network of remote-controlled systems known as a "botnet."

By correlating the Internet protocol addresses of these spam-sending machines with the networks maintained by Internet service providers, the researchers found that about two-thirds of them were located in the networks managed by the 200 largest ISPs from 40 countries. The top-50 networks responsible accounted for more than half of all compromised IP addresses. If these ISPs were to shut down, or block, the malicious machines on their networks, it could cut worldwide spam by half.

"Those 50 ISPs are not the [dubious] ones we hear about," says Michel van Eeten, professor of public administration at the Delft University of Technology in the Netherlands and one of the authors of a paper on the research, which will be presented next month at the Workshop on the Economics of Information Security at Harvard University. "They are the ones we deal with every day, and so are more approachable and are in the reach of government."

Rest here: http://www.technologyreview.com/computing/25245/
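An added worked example of the kind of analysis the article describes (not the researchers' code or data): unique spam-source IPs are attributed to providers by address prefix, counted per provider, ranked, and the share of compromised hosts covered by the top N providers is computed. The provider names, prefixes (RFC 5737 documentation ranges) and observations are constructed.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed provider prefix table (hypothetical; in practice this comes from
# routing data or WHOIS, mapping prefixes to the operator responsible for them).
PROVIDER_PREFIXES = {
    "ISP-A": [ip_network("192.0.2.0/25")],
    "ISP-B": [ip_network("192.0.2.128/25")],
    "ISP-C": [ip_network("198.51.100.0/24")],
    "ISP-D": [ip_network("203.0.113.0/24")],
}

# Constructed spam-source observations: one source IP per message received.
# Repeated IPs are the same bot sending again; 100.64.0.1 matches no provider.
SPAM_SOURCES = (
    ["192.0.2.%d" % i for i in range(1, 41)] * 3     # 40 unique hosts, ISP-A
    + ["192.0.2.%d" % i for i in range(130, 150)]  # 20 unique hosts, ISP-B
    + ["198.51.100.%d" % i for i in range(1, 31)]  # 30 unique hosts, ISP-C
    + ["203.0.113.%d" % i for i in range(1, 11)]   # 10 unique hosts, ISP-D
    + ["100.64.0.1"]                                 # unattributable
)

def attribute(ip):
    """Return the provider whose prefix contains ip, or None if unknown."""
    addr = ip_address(ip)
    for provider, nets in PROVIDER_PREFIXES.items():
        if any(addr in n for n in nets):
            return provider
    return None

def infected_per_provider(sources):
    """Count unique spam-sending IPs per provider (each unique IP ~ one compromised host)."""
    seen = set()
    counts = Counter()
    for ip in sources:
        provider = attribute(ip)
        if provider is not None and ip not in seen:
            seen.add(ip)
            counts[provider] += 1
    return counts

def top_n_share(counts, n):
    """Fraction of all attributed compromised hosts sitting in the n largest providers."""
    total = sum(counts.values())
    top = sum(c for _, c in counts.most_common(n))
    return top / total if total else 0.0
```

Dynamic addressing means one host can appear under several IPs over time, so unique-IP counts overstate hosts; the article's figures carry the same caveat.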
participants (9)

- Barry Shein
- Ina Faye-Lund
- Jorge Amodio
- Larry Sheldon
- Michael Painter
- Mike O'Connor
- Owen DeLong
- Paul Ferguson
- Rich Kulawiec