Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?
Hi, first of all I kinda picked the thread mid-stream, so apologies if what is here has been dealt with by others.

As an ISP, if I receive a complaint of what may be illegal activity coming from a customer on my network, I can respond to the complaint and say I will look into it, but what action do I take? If someone on the internet is the complainant, do I have the right to ask for evidence of the said illegal activity (I am not in law enforcement)? Or do I forward the complaint to the relevant authorities, cyber crime teams too busy dealing with the good old crimes of drugs, terrorism etc. but using the internet to do their sleuthing, and then leave it at that, and until the relevant authorities come back to me do I leave the situation as is, and does that mean I am turning a blind eye? Assuming of course that I have taken the necessary measures of cleaning out malicious stuff, spam, malware etc.

On the other hand there is the issue of being what may be called a responsible cyber citizen and do the needful and terminate the client if the illegal activity does not stop.

There is also the issue that many ISPs' networks cross geographic boundaries with different legislation, so if a complainant in country A says that the ISP has a customer (in country B) carrying on illegal activity, the ISP may contact the customer in country B and tell them the same, but if in country B that activity is deemed normal, how does the ISP proceed? Terminating that client would amount to breach of contract in country B and the ISP may end up being sued by the client in country B.

Raymond Macharia

JP Velders wrote:

Date: Fri, 12 Oct 2007 21:23:15 GMT From: Paul Ferguson [EMAIL PROTECTED] Subject: Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?

[ ... ] Sometimes I think to myself that ...ISPs have Terms of Service and Acceptable Use Policies, so they have the scope and tools they need to boot a 'customer who break the rules. But all too often, it would appear, the potential loss of revenue seems to win out over enforcing those policies.

This is something most CSIRTs/CERTs/Abuse/Security people run into. At some point they will have an issue with an entity they're providing service to that management will veto. In most cases having a good chat with management about it, before they're sweet-talked too much by the other side helps getting your point across, or - in business terms - makes it management's responsibility. I've seen various scenarios played out like that, and others where the license to disconnect was squarely backed by management.

And as you say, if the ISP boots them, they just set up shop elsewhere.

Although I try to educate, this is a matter of life on the Internet.

So, back to my original question: If you alert an ISP that bad and possibly criminal activity is taking place by one of their customers, and they do not take corrective action (even after a year), what do you do?

Well, depends on the level of information and your contacts in the operational / security field. Being a member of an NREN CSIRT I can either directly or indirectly participate in local, regional and worldwide bodies where people like us come together. How that plays out, or how you *want* that to play out, is something you cannot predict. But sometimes other people will have advice about whom to contact within Law Enforcement, other people will chime in, other people have direct contact with clueful people etc.

But first and foremost; you try to protect my constituents. (through technical, legal, procedural etc. means)

Kind regards, JP Velders
Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?
* Steve Bertrand: Anyway, if you've got a customer account that was created with a stolen credit card, and you get complaints about activity on that account from various parties, and you still don't act, this shows a rather significant level of carelessness. Further to carelessness, this may be pushing the boundary in many places of guilt by act of omission. I'm not familiar with the finer points of the US criminal code. I'm rather skeptical that such a risk actually exists (Foonet/CSI notwithstanding). If people actually cared about compromises, I would be more concerned that not handling abuse complaints would expose ISPs to liability from their own customers, who would have learnt earlier about their compromise if the ISP told them. Part of the reason why this discussion is somewhat heated is that there's zero incentive in most markets to deal with customer compromises. Otherwise, people would just lean back and think, yeah, right, let them try and see how it works for them.
Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?
Date: Fri, 12 Oct 2007 21:23:15 GMT From: Paul Ferguson [EMAIL PROTECTED] Subject: Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?

[ ... ] Sometimes I think to myself that ...ISPs have Terms of Service and Acceptable Use Policies, so they have the scope and tools they need to boot a 'customer who break the rules. But all too often, it would appear, the potential loss of revenue seems to win out over enforcing those policies.

This is something most CSIRTs/CERTs/Abuse/Security people run into. At some point they will have an issue with an entity they're providing service to that management will veto. In most cases having a good chat with management about it, before they're sweet-talked too much by the other side helps getting your point across, or - in business terms - makes it management's responsibility. I've seen various scenarios played out like that, and others where the license to disconnect was squarely backed by management.

And as you say, if the ISP boots them, they just set up shop elsewhere.

Although I try to educate, this is a matter of life on the Internet.

So, back to my original question: If you alert an ISP that bad and possibly criminal activity is taking place by one of their customers, and they do not take corrective action (even after a year), what do you do?

Well, depends on the level of information and your contacts in the operational / security field. Being a member of an NREN CSIRT I can either directly or indirectly participate in local, regional and worldwide bodies where people like us come together. How that plays out, or how you *want* that to play out, is something you cannot predict. But sometimes other people will have advice about whom to contact within Law Enforcement, other people will chime in, other people have direct contact with clueful people etc.

But first and foremost; you try to protect my constituents. (through technical, legal, procedural etc. means)

Kind regards, JP Velders
Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?
On Fri, 12 Oct 2007, Paul Ferguson wrote:

No, not necessarily. Given that there are Tier 1 ISPs, Tier 2, etc., so you can certainly have some small-ish ISP colluding with criminal activity, in effect, by ignoring it or claiming ignorance. However, it's kind of hard to plead ignorance when, say, people continually alert them to the issues and they persist.

I don't know of any ISP that regularly (i.e. more than once) refuses to obey lawful orders of authorities in the relevant jurisdiction to take action. There are disputes about what is the correct jurisdiction, and what is a lawful order. I predict in a month or so, someone else will be ranting about ISPs censoring their First Amendment right to do something.

There are lots of laws around the world, lots of courts, and lots of law enforcement agencies. Somewhere in the world, there seems to be a law against almost anything. People make lots of complaints about all sorts of stuff that may not be illegal. The FCC receives hundreds of thousands of complaints about television and radio programs from people who have never seen or heard them. The number of complaints isn't proof.

On one hand, there are the pundits that claim ISPs will never be able to stop whatever favored activity is prohibited by law in a jurisdiction: VOIP bypass, copyright infringement, encouraging public disorder, etc. How long was The Pirate Bay shut down after authorities seized their equipment, but didn't arrest the people?

On the other hand, there are the pundits that claim ISPs are ignoring whatever disfavored activity: indecency, defamation, blasphemy, fraud, etc.

Should ISPs be responsible for the network stuff (traceability, disruption of service, etc) and let the appropriate authorities enforce the laws of each jurisdiction? Is the complaint about ISPs, or about the lack of law enforcement resources in some jurisdictions?
Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?
* Mike Lewinski: Florian Weimer wrote: I don't know what case prompted Ferg to post his message to NANOG, but I know that there are cases where failing to act is comparable to ignoring the screams for help of an alleged rape victim during the alleged crime. I'm reminded of this story from earlier this year: http://www.jsonline.com/story/index.aspx?id=568400 For his effort, Van Iveren was charged with criminal trespass while using a dangerous weapon, criminal damage to property while using a dangerous weapon and disorderly conduct while using a dangerous weapon, all criminal misdemeanors that carry a maximum total penalty of 33 months in jail. That guy was no foreigner to the local police, apparently. I couldn't find anything regarding the outcome of his court appearance. Of course, if you run to the help of those in apparent need, you always risk looking very stupid. Anyway, if you've got a customer account that was created with a stolen credit card, and you get complaints about activity on that account from various parties, and you still don't act, this shows a rather significant level of carelessness. The other side of the story is that it takes months to get local police to forward the criminal complaint to state police, and state police to issue an order for seizure, even in areas of Germany where I thought we had pretty good LE coverage.
Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?
Sean Donelan wrote:

I don't know of any ISP that regularly (i.e. more than once) refuses to obey lawful orders of authorities in the relevant jurisdiction to take action.

No disagreement there, but take a look at the wording. orders of authorities. Inference: It's ok if someone I'm leasing bandwidth to is spamming, sending out DoS attacks, child pornography. I don't have any subpoenas, therefore I won't take any actions.

The number of complaints isn't proof. Should ISPs be responsible for the network stuff (traceability, disruption of service, etc) and let the appropriate authorities enforce the laws of each jurisdiction?

Scenario: I run silsdomain.com which is leasing facilities in donelanNetworks.com. My infrastructure consists of insecure servers which have been compromised and are now:

1) sending spam
2) housing malware
3) running botnets
4) hosting child porn

Concerned networker, individual, anyone contacts [EMAIL PROTECTED]:

--
Dear Donelan Network Admins,

We've been trying to get in touch with someone at silsdomain.com which is being hosted from your IP space. It has come to our attention that silsdomain has been carrying out illicit and illegal activities. We've attempted to contact someone directly at silsdomain to no avail and we have yet to receive resolution, we are now attempting to contact you in hopes of curtailing some of these activities.

Sincerely,
Someone else on the Internet
--

My inference from your message is, the appropriate response to an email or letter like this would be:

--
Dear Someone else on the Internet,

What you may see as child porn, others may see as art. What you may think of botnet traffic, we've labeled academic penetration testing. What you may view as spam, we view as opt-out redirection to opt-in. What you view as malware, we view as enhanced features in Windows that offers you advertisements and the weather. We appreciate you contacting us however we are only a network provider and not an authority on law enforcement. So while child porn may be illegal in the US let us not forget in Japan it is ok to bed underage children. Please contact overwhelmed law enforcement authorities chasing terrorists and provide them with the information necessary to assess your claim.

Sincerely
DonelanNetworks Staff.
--

So let me not distort this any more than my own interpretation of your message. I understand the need for certain traffic to go through networks as evil as some traffic may be, perhaps there is an investigation already under way and sites are being left opened in hopes of catching bigger fish. I also know factually that there are individuals in this industry who care about nothing more than making quarterly earnings and keeping their accounts in order.

Personally, if I were a business owner, I would attempt my best to keep my networks in order and ensure that traffic being sent *from* my network to the world wasn't tainted in any shape, form or fashion. What goes around comes around... Keep turning a blind eye to issues like botnets and spam... When the poop hits the fan and you are forced to curtail these activities when you've knowingly allowed them, they'll turn right back around and haunt you.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743

I hear much of people's calling out to punish the guilty, but very few are concerned to clear the innocent. Daniel Defoe
Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?
Florian Weimer wrote: Anyway, if you've got a customer account that was created with a stolen credit card, and you get complaints about activity on that account from various parties, and you still don't act, this shows a rather significant level of carelessness. The other side of the story is that it takes months to get local police to forward the criminal complaint to state police, and state police to issue an order for seizure, even in areas of Germany where I thought we had pretty good LE coverage. We also can't discount the possibility the unresponsive ISP is cooperating (willfully or not) with a police sting operation and can't respond in any way at all, for fear of jeopardizing it. Though I still say a year is likely too long.
Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?
On Sat, 13 Oct 2007, J. Oquendo wrote: Personally, if I were a business owner, I would attempt my best to keep my networks in order and ensure that traffic being sent *from* my network to the world wasn't tainted in any shape form or fashion. This is basically the clause for terminating service which may damage the reputation that several bloggers found objectionable last week in some ISP's terms of service. You can propose many provocative statements, groups which murder unborn children, engage in illegal drug trafficking, corrupting the morals of youth, and so on. As I said before, I expect next month some group will be protesting that an evil ISP blocked their activities. If you want to turn the Internet into a broadcaster style environment, where only content the network owner considers acceptable to their reputation is allowed, that's probably not the Internet anymore. Just because a particular group uses an ISP to transmit something doesn't mean the ISP approves of the activities of that group or its content. In the UK, ISPs helped create the Internet Watch Foundation to block illegal material on the Internet. BT blocked those web sites from all its downstream networks. That didn't stop the biggest child porn group in the world to date operating from the UK, and it took the Canadian RCMP to crack the case since UK law enforcement apparently wasn't aware of the group operating in the UK. Arresting the members of the group was needed, because the network blocks simply made it harder to find. In the USA, the Wire Act allows law enforcement to issue orders to disconnect gambling operations. Several other countries have filed international complaints against the USA for blocking their countries' gambling operations. The US has also arrested the executives of several gambling operations, and companies that assisted those gambling operations. Out of sight, out of mind may help politicians show they are doing something because the voters stop complaining. 
But trying to suppress communications usually isn't that effective at stopping criminals. On the other hand, what can we do about the victims?
Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?
Florian Weimer wrote: I don't know what case prompted Ferg to post his message to NANOG, but I know that there are cases where failing to act is comparable to ignoring the screams for help of an alleged rape victim during the alleged crime. I'm reminded of this story from earlier this year: http://www.jsonline.com/story/index.aspx?id=568400 For his effort, Van Iveren was charged with criminal trespass while using a dangerous weapon, criminal damage to property while using a dangerous weapon and disorderly conduct while using a dangerous weapon, all criminal misdemeanors that carry a maximum total penalty of 33 months in jail. On a side note, now that I've gotten back on -post I will say that I've had pretty dismal experiences working with Law Enforcement over the years as a service provider. When you have to explain to the Feds just what IRC (for example) is, you've lost the battle :( After repeated attempts at getting what seems to be blatant criminal activity investigated, a provider might start to think If Law Enforcement doesn't care, why should I? (I've avoided falling into that trap, but it is frustrating to boot someone for illegal activities and see them go on to pull the same thing at another provider even after providing evidence to authorities.).
Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?
Paul Ferguson wrote: So, back to my original question: If you alert an ISP that bad and possibly criminal activity is taking place by one of their customer, and they do not take corrective action (even after a year), what do you do? In at least one case, where I knew the offender had been booted off his last provider, I actually stalled disconnecting him for three months while I tried getting help from law enforcement. I felt we had a better chance of getting him permanently removed from the Internet by keeping him around long enough to get court orders to investigate his most likely illegal actions that were generating abuse reports. I started out with the feds, went on to the state and finally the local sheriff before giving up and just cutting him off for lack of any other hope. But a year is too long. If it were impacting my network, I'd probably drop their routes (or blackhole the offending hosts anyway).
Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?
-- Mike Lewinski [EMAIL PROTECTED] wrote:

On a side note, now that I've gotten back on -post I will say that I've had pretty dismal experiences working with Law Enforcement over the years as a service provider. When you have to explain to the Feds just what IRC (for example) is, you've lost the battle :( After repeated attempts at getting what seems to be blatant criminal activity investigated, a provider might start to think If Law Enforcement doesn't care, why should I? (I've avoided falling into that trap, but it is frustrating to boot someone for illegal activities and see them go on to pull the same thing at another provider even after providing evidence to authorities.).

Exactly. Sometimes I think to myself that ...ISPs have Terms of Service and Acceptable Use Policies, so they have the scope and tools they need to boot a 'customer who break the rules. But all too often, it would appear, the potential loss of revenue seems to win out over enforcing those policies.

And as you say, if the ISP boots them, they just set up shop elsewhere.

So, back to my original question: If you alert an ISP that bad and possibly criminal activity is taking place by one of their customers, and they do not take corrective action (even after a year), what do you do?

- ferg

-- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/
Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?
On Fri, 12 Oct 2007, Paul Ferguson wrote:

So, back to my original question: If you alert an ISP that bad and possibly criminal activity is taking place by one of their customers, and they do not take corrective action (even after a year), what do you do?

That's a different question altogether, not about criminal ISPs, which I am sure none of the members of NANOG are. SpamHaus has been known to eventually block their mail servers, which gets quick results, and lawsuits.

Gadi.
Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?
-- Gadi Evron [EMAIL PROTECTED] wrote:

That's a different question all together, not about criminal ISPs, which [...]

No, not necessarily. Given that there are Tier 1 ISPs, Tier 2, etc., so you can certainly have some small-ish ISP colluding with criminal activity, in effect, by ignoring it or claiming ignorance. However, it's kind of hard to plead ignorance when, say, people continually alert them to the issues and they persist.

That's just one example... I can come up with more. :-)

- ferg

-- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/
Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?
From [EMAIL PROTECTED] Fri Oct 12 16:26:36 2007 Date: Fri, 12 Oct 2007 21:23:15 GMT Subject: Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?

So, back to my original question: If you alert an ISP that bad and possibly criminal activity is taking place by one of their customers, and they do not take corrective action (even after a year), what do you do?

This is straying somewhat afield from 'network operations', but it is at least tangentially relevant, so 'What do you do?' conceals a raft of other issues that have to be identified and answered before the 'obvious' question can be addressed.

First off -- not to belabor (well, not too much, anyway) the obvious -- you have to identify what your 'goals' are. Both tactical (short term), and strategic (long term). And what level of resources you are willing to commit toward supporting those goals.

A desirable state of affairs is that every network operator _does_ actively police its user base, and makes 'former customers' out of anyone who engages in activities deemed not acceptable by a large portion of the rest of the 'net world.

Unfortunately, commercial providers are driven by 'economic self-interest', rather than the good of the 'community' as their _primary_ motivation. They _will_ consider the 'good of the community' when it is not in conflict (or at _most_, represents a *minor* conflict) with their self-interest, but if the two are diametrically opposed, there is no doubt as to which viewpoint _will_ prevail.

So, when you ask them to _do_something_, quote for the good of the community unquote, and 'nothing happens' it is reasonable to conclude that 'economic self interest' is controlling -- either it is 'not worth the effort/expense', or it would cost revenues that they're not willing to give up.

I'm sure this is no surprise to anyone. In fact, I suspect everybody has seen these exact symptoms in _their_own_ management, in varying degree.

There are only two things one can change to influence that decision -- either one 'somehow' makes 'the good of the community' more important, *or* one finds a way to invoke their 'economic self-interest' on the 'right' side of the issue.

One possible way to do the latter is to look for 'sensitive' departments, *other* than the 'abuse' contacts, who have 'hot buttons' that can be pushed. Some possibilities for this approach include legal, investor relations, and Public Relations. All the folks who have to 'deal with the mess' when something 'embarrassing' becomes public knowledge. Contacting such departments, with an 'early warning' about what could become 'very messy' public attention to policies/practices that could easily be misunderstood, if done carefully, can be very effective.

And, as a final alternative, there is public embarrassment, to shame them into taking action.

One 'option' that has *never* been successfully employed would be to organize 'the community' for co-operative action in 'shunning' those providers who do not keep a clean house. I'd _love_ to see such an approach implemented, but it requires ignoring short-term self-interest for the long-term 'good of the community' -- even though the long-term good of the community _is_ in the self-interest of each and every provider.

Back to original what do you do? 'Viable' options are rather limited -- If you have _hard_ evidence, reporting to law enforcement, *WITH* notice of 'apparent provider complicity' -- including 'what was given to the provider _when_' to establish their 'actual knowledge' of the criminal activity and hence provider liability for allowing it to continue.

You can try 'public humiliation' -- calling in the press.

And, of course, you *DO* -- if you haven't already (comment: if not, _why_ not?) -- take 'defensive measures' to block communications in either direction involving those 'bad guys' and your customers.