Re: Congress may require ISPs to block fraud sites H.R.3817

2009-11-08 Thread Mark Andrews

In message 75cb24520911060747x3556e01tbb80be8c9e0d5...@mail.gmail.com, Christopher Morrow writes:
 On Thu, Nov 5, 2009 at 5:56 PM,  valdis.kletni...@vt.edu wrote:
  On Thu, 05 Nov 2009 16:40:09 CST, Bryan King said:
  Did I miss a thread on this? Has anyone looked at this yet?
 
  `(2) INTERNET SERVICE PROVIDERS- Any Internet service provider that, on
  or through a system or network controlled or operated by the Internet
  service provider, transmits, routes, provides connections for, or stores
  any material containing any misrepresentation of the kind prohibited in
  paragraph (1) shall be liable for any damages caused thereby, including
  damages suffered by SIPC, if the Internet service provider--
 
  routes sounds the most dangerous part there.  Does this mean that if
  we have a BGP peering session with somebody, we need to filter it?
 
  Fortunately, there's the conditions:
 
  `(A) has actual knowledge that the material contains a misrepresentation
  of the kind prohibited in paragraph (1), or
 
  `(B) in the absence of actual knowledge, is aware of facts or
  circumstances from which it is apparent that the material contains a
  misrepresentation of the kind prohibited in paragraph (1), and
 
  upon obtaining such knowledge or awareness, fails to act expeditiously
  to remove, or disable access to, the material.
 
  So the big players that just provide bandwidth to the smaller players are
  mostly off the hook - AS701 has no reason to be aware that some website in
  Tortuga is in violation (which raises an interesting point - what if the
  site *is* offshore?)
 
 mail to: ab...@uu.net
 Subject: Fraud through your network
 
 Hi! someone in tortuga on ip address 1.2.3.4 which I accessed through
 your network is fraudulently claiming to be the state-bank-of-elbonia.
 Just thought you should know! Also, I think that HR3817 expects you'll
 now stop this from happening!
 
 -concerned-internet-user
 
 oops, now they have actual knowledge... I suppose this is a good
 reason though to:
 
 vi /etc/aliases -
 abuse: /dev/null

There are still plenty of ways to inform a company.  Ring up the
support line.  Registered mail.

I suspect a court would see the practice of sending abuse@ to
/dev/null in a very poor light especially once the court learns
that this is the standard address.  A consumer should be able to
reasonably assume that the message was delivered.

If you bounce then they should be aware that it didn't get through
and they can take other steps to inform you.
 
 so, is this bill helping? or hurting? :(
 
 
  And the immediate upstreams will fail to obtain knowledge or awareness of
  their customer's actions, the same way they always have.
 
  Move along, nothing to see.. ;)
 
 to my mind this is the exact same set of problems that the PA state
 anti-CP law brought forth...
 
 -chris
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: Congress may require ISPs to block fraud sites H.R.3817

2009-11-08 Thread Bill Stewart
If you're a consumer broadband provider, and you use a DNS blackhole
list so that any of your subscribers who tries to reach
bigbank1.fakebanks.example.com gets redirected to
fakebankwebsitelist.sipc.gov, you might be able to claim that you
complied with the law, though the law's aggressive enough that it
could be argued otherwise.

If you're a transit ISP providing upstream bandwidth to the broadband
provider, and some packets are addressed to 1.1.1.257, which is the IP
address of  a hosting site in Elbonia that carries
bigbank1.fakebanks.example.com and innocent.bystander.example.com, the
fact that the broadband ISP was using a DNS blackhole list doesn't
protect you, because you're still routing packets to 1.1.0.0/16.  You
could set up a /32 route to send that traffic to null0, censoring
innocent.bystander.example.com, or you could get fancy and route it to
some squid proxy that cleans up the traffic.  But of course the
phisher could be using fast-flux, so 5 minutes later that trick no
longer works, and by tomorrow the 100,000 phishing websites on the
list have added 1,000,000 routes to your peering routers...  Not
pleasant, but you don't really have much alternative.

-- 

 Thanks; Bill

Note that this isn't my regular email account - It's still experimental so far.
And Google probably logs and indexes everything you send it.
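The trade-off Bill describes above, a resolver-side DNS blackhole versus a transit-level /32 null route under fast-flux, as an added example that is not part of the original post. It assumes a single blocklist, a DNS table snapshot per moment in time, and constructed hostnames and addresses (the sinkhole name is the one used in the post).

```python
# Added example, not from the thread: a small model of the two enforcement
# points Bill Stewart contrasts. A consumer ISP's DNS blackhole rewrites only
# the listed name; a transit ISP's /32 null route drops the whole address, so
# every unlisted name sharing that address is cut off too, and under fast-flux
# the installed routes pile up while only the newest one still matches.
# All hostnames and addresses below are constructed sample data.
from collections import defaultdict

# Sinkhole name taken from the thread; treated here as a plain placeholder.
SINKHOLE = "fakebankwebsitelist.sipc.gov"

BLOCKLIST = {"bigbank1.fakebanks.example.com"}

# Constructed DNS snapshot: the phishing name shares its address with an
# innocent site, as in the thread's hosting-site-in-Elbonia scenario.
DNS_T0 = {
    "bigbank1.fakebanks.example.com": "192.0.2.57",
    "innocent.bystander.example.com": "192.0.2.57",
    "unrelated.example.net": "198.51.100.9",
}


def dns_answer(blocklist, dns_table, name):
    """Resolver-side block: a listed name is answered with the sinkhole,
    everything else (including names sharing its IP) resolves normally."""
    if name in blocklist:
        return SINKHOLE
    return dns_table.get(name)


def null_route_collateral(blocklist, dns_table):
    """IP-level block: return {dropped_ip: {unlisted names also dropped}}.
    A non-empty set means a /32 null route censors an innocent bystander."""
    names_by_ip = defaultdict(set)
    for name, ip in dns_table.items():
        names_by_ip[ip].add(name)
    dropped = {dns_table[n] for n in blocklist if n in dns_table}
    return {ip: names_by_ip[ip] - blocklist for ip in dropped}


def null_routes_over_time(blocklist, snapshots):
    """Fast-flux: each snapshot is the DNS table at a later moment. Routes
    installed for old addresses are never withdrawn, so the table only grows.
    Returns (all routes installed, routes still matching a listed name)."""
    installed = set()
    current = set()
    for table in snapshots:
        current = {table[n] for n in blocklist if n in table}
        installed |= current
    return installed, installed & current


# Constructed fast-flux sequence: the phishing name moves every snapshot.
FLUX = [
    DNS_T0,
    {**DNS_T0, "bigbank1.fakebanks.example.com": "192.0.2.58"},
    {**DNS_T0, "bigbank1.fakebanks.example.com": "192.0.2.59"},
]

if __name__ == "__main__":
    print(dns_answer(BLOCKLIST, DNS_T0, "bigbank1.fakebanks.example.com"))
    print(null_route_collateral(BLOCKLIST, DNS_T0))
    print(null_routes_over_time(BLOCKLIST, FLUX))
```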



Re: Congress may require ISPs to block fraud sites H.R.3817

2009-11-05 Thread Valdis . Kletnieks
On Thu, 05 Nov 2009 16:40:09 CST, Bryan King said:
 Did I miss a thread on this? Has anyone looked at this yet?

 `(2) INTERNET SERVICE PROVIDERS- Any Internet service provider that, on 
 or through a system or network controlled or operated by the Internet 
 service provider, transmits, routes, provides connections for, or stores 
 any material containing any misrepresentation of the kind prohibited in 
 paragraph (1) shall be liable for any damages caused thereby, including 
 damages suffered by SIPC, if the Internet service provider--

routes sounds the most dangerous part there.  Does this mean that if
we have a BGP peering session with somebody, we need to filter it?

Fortunately, there's the conditions:

 `(A) has actual knowledge that the material contains a misrepresentation 
 of the kind prohibited in paragraph (1), or

 `(B) in the absence of actual knowledge, is aware of facts or 
 circumstances from which it is apparent that the material contains a 
 misrepresentation of the kind prohibited in paragraph (1), and

 upon obtaining such knowledge or awareness, fails to act expeditiously 
 to remove, or disable access to, the material.

So the big players that just provide bandwidth to the smaller players are
mostly off the hook - AS701 has no reason to be aware that some website in
Tortuga is in violation (which raises an interesting point - what if the
site *is* offshore?)

And the immediate upstreams will fail to obtain knowledge or awareness of
their customer's actions, the same way they always have.

Move along, nothing to see.. ;)




Re: Congress may require ISPs to block fraud sites H.R.3817

2009-11-05 Thread Mark Andrews

In message 23895.1257461...@turing-police.cc.vt.edu, valdis.kletni...@vt.edu writes:
 
 On Thu, 05 Nov 2009 16:40:09 CST, Bryan King said:
  Did I miss a thread on this? Has anyone looked at this yet?
 
  `(2) INTERNET SERVICE PROVIDERS- Any Internet service provider that, on 
  or through a system or network controlled or operated by the Internet 
  service provider, transmits, routes, provides connections for, or stores 
  any material containing any misrepresentation of the kind prohibited in 
  paragraph (1) shall be liable for any damages caused thereby, including 
  damages suffered by SIPC, if the Internet service provider--
 
 routes sounds the most dangerous part there.  Does this mean that if
 we have a BGP peering session with somebody, we need to filter it?
 
 Fortunately, there's the conditions:
 
  `(A) has actual knowledge that the material contains a misrepresentation 
  of the kind prohibited in paragraph (1), or
 
  `(B) in the absence of actual knowledge, is aware of facts or 
  circumstances from which it is apparent that the material contains a 
  misrepresentation of the kind prohibited in paragraph (1), and
 
  upon obtaining such knowledge or awareness, fails to act expeditiously 
  to remove, or disable access to, the material.
 
 So the big players that just provide bandwidth to the smaller players are
 mostly off the hook - AS701 has no reason to be aware that some website in
 Tortuga is in violation (which raises an interesting point - what if the
 site *is* offshore?)

Unless it is informed.  Once it is informed it has to take action.
Turning the informer off, luckily, doesn't meet the requirements
for taking action as you need to protect all of your customers
or make yourself liable for prosecution.

I suspect informing a closer peer that is also subject to the act
would be seen as taking reasonable action as it could be reasonably
assumed that they will take appropriate steps, but one would have
to check that the material was removed/blocked.

If you run a residential network, it appears to me that,  you are
now responsible for seeing that all material that is subject to the
act that is reported to you by your customers is addressed.

IANAL.
 
 And the immediate upstreams will fail to obtain knowledge or awareness of
 their customer's actions, the same way they always have.
 
 Move along, nothing to see.. ;)
 
 
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: Congress may require ISPs to block fraud sites H.R.3817

2009-11-05 Thread Steven Bellovin


On Nov 5, 2009, at 5:56 PM, valdis.kletni...@vt.edu wrote:

 On Thu, 05 Nov 2009 16:40:09 CST, Bryan King said:
  Did I miss a thread on this? Has anyone looked at this yet?

  `(2) INTERNET SERVICE PROVIDERS- Any Internet service provider that, on
  or through a system or network controlled or operated by the Internet
  service provider, transmits, routes, provides connections for, or stores
  any material containing any misrepresentation of the kind prohibited in
  paragraph (1) shall be liable for any damages caused thereby, including
  damages suffered by SIPC, if the Internet service provider--

 routes sounds the most dangerous part there.  Does this mean that if
 we have a BGP peering session with somebody, we need to filter it?

Also transmits.  (I'm impressed that someone in Congress knows the
word routes)

 Fortunately, there's the conditions:

  `(A) has actual knowledge that the material contains a misrepresentation
  of the kind prohibited in paragraph (1), or

  `(B) in the absence of actual knowledge, is aware of facts or
  circumstances from which it is apparent that the material contains a
  misrepresentation of the kind prohibited in paragraph (1), and

  upon obtaining such knowledge or awareness, fails to act expeditiously
  to remove, or disable access to, the material.

 So the big players that just provide bandwidth to the smaller players are
 mostly off the hook - AS701 has no reason to be aware that some website in
 Tortuga is in violation (which raises an interesting point - what if the
 site *is* offshore?)

 And the immediate upstreams will fail to obtain knowledge or awareness of
 their customer's actions, the same way they always have.

Note the word circumstances...

 Move along, nothing to see.. ;)

Until, of course, some Assistant U.S. Attorney or some attorney in a
civil lawsuit decides you were or should have been aware and takes you
to court.  You may win, but after spending O(\aleph_0) zorkmids on
lawyers defending yourself



--Steve Bellovin, http://www.cs.columbia.edu/~smb








Re: Congress may require ISPs to block fraud sites H.R.3817

2009-11-05 Thread Richard Bennett
I think the idea is for the government to create an official blacklist 
of the offending sites, and for ISPs to consult it before routing a 
packet to the fraud site. The common implementation would be an ACL on 
the ISPs border router. The Congress doesn't yet understand the 
distinction between ISPs and transit providers, of course, and typically 
says that proposed ISP regulations (including the net neutrality 
regulations) apply only to consumer-facing service providers.


If this measure passes, you can expect expansion of blocking mandates 
for rogue sites of other kinds, such as kiddie porn and DMCA scofflaws.


RB

Steven Bellovin wrote:
 On Nov 5, 2009, at 5:56 PM, valdis.kletni...@vt.edu wrote:

  On Thu, 05 Nov 2009 16:40:09 CST, Bryan King said:
   Did I miss a thread on this? Has anyone looked at this yet?

   `(2) INTERNET SERVICE PROVIDERS- Any Internet service provider that, on
   or through a system or network controlled or operated by the Internet
   service provider, transmits, routes, provides connections for, or stores
   any material containing any misrepresentation of the kind prohibited in
   paragraph (1) shall be liable for any damages caused thereby, including
   damages suffered by SIPC, if the Internet service provider--

  routes sounds the most dangerous part there.  Does this mean that if
  we have a BGP peering session with somebody, we need to filter it?

 Also transmits.  (I'm impressed that someone in Congress knows the
 word routes)

  Fortunately, there's the conditions:

   `(A) has actual knowledge that the material contains a misrepresentation
   of the kind prohibited in paragraph (1), or

   `(B) in the absence of actual knowledge, is aware of facts or
   circumstances from which it is apparent that the material contains a
   misrepresentation of the kind prohibited in paragraph (1), and

   upon obtaining such knowledge or awareness, fails to act expeditiously
   to remove, or disable access to, the material.

  So the big players that just provide bandwidth to the smaller players are
  mostly off the hook - AS701 has no reason to be aware that some website in
  Tortuga is in violation (which raises an interesting point - what if the
  site *is* offshore?)

  And the immediate upstreams will fail to obtain knowledge or awareness of
  their customer's actions, the same way they always have.

 Note the word circumstances...

  Move along, nothing to see.. ;)

 Until, of course, some Assistant U.S. Attorney or some attorney in a
 civil lawsuit decides you were or should have been aware and takes you
 to court.  You may win, but after spending O(\aleph_0) zorkmids on
 lawyers defending yourself

 --Steve Bellovin, http://www.cs.columbia.edu/~smb








--
Richard Bennett
Research Fellow
Information Technology and Innovation Foundation
Washington, DC




Re: Congress may require ISPs to block fraud sites H.R.3817

2009-11-05 Thread Steven Bellovin


On Nov 5, 2009, at 7:44 PM, Richard Bennett wrote:

 I think the idea is for the government to create an official
 blacklist of the offending sites, and for ISPs to consult it before
 routing a packet to the fraud site. The common implementation would
 be an ACL on the ISPs border router. The Congress doesn't yet
 understand the distinction between ISPs and transit providers, of
 course, and typically says that proposed ISP regulations (including
 the net neutrality regulations) apply only to consumer-facing
 service providers.

 If this measure passes, you can expect expansion of blocking
 mandates for rogue sites of other kinds, such as kiddie porn and
 DMCA scofflaws.

It's worth looking at http://www.cdt.org/speech/pennwebblock/ -- a
Federal court struck down a law requiring web site blocking because of
child pornography.


--Steve Bellovin, http://www.cs.columbia.edu/~smb








Re: Congress may require ISPs to block fraud sites H.R.3817

2009-11-05 Thread Richard Bennett
IANAL, but I wouldn't set too much stock by that order - there are 
numerous errors of fact in the opinion, and much of it relates to the 
lack of due process in the maintenance of a secret blacklist. It was 
also a state law, not a federal one, so there was a large jurisdictional 
question (the Commerce Clause concern.)


As people in Washington are saying around the net neutrality debate 
these days: anything goes is not a serious argument.


RB

Steven Bellovin wrote:
 On Nov 5, 2009, at 7:44 PM, Richard Bennett wrote:

  I think the idea is for the government to create an official
  blacklist of the offending sites, and for ISPs to consult it before
  routing a packet to the fraud site. The common implementation would
  be an ACL on the ISPs border router. The Congress doesn't yet
  understand the distinction between ISPs and transit providers, of
  course, and typically says that proposed ISP regulations (including
  the net neutrality regulations) apply only to consumer-facing service
  providers.

  If this measure passes, you can expect expansion of blocking mandates
  for rogue sites of other kinds, such as kiddie porn and DMCA scofflaws.

 It's worth looking at http://www.cdt.org/speech/pennwebblock/ -- a
 Federal court struck down a law requiring web site blocking because of
 child pornography.

 --Steve Bellovin, http://www.cs.columbia.edu/~smb







--
Richard Bennett
Research Fellow
Information Technology and Innovation Foundation
Washington, DC




Re: Congress may require ISPs to block fraud sites H.R.3817

2009-11-05 Thread Jeffrey Lyon
Net neutrality suffers another blow. I liked Congress when they had no
idea what the internet was, now they've progressed to still have no
idea but like to pretend.

Jeff

On Thu, Nov 5, 2009 at 7:58 PM, Steven Bellovin s...@cs.columbia.edu wrote:

 On Nov 5, 2009, at 7:44 PM, Richard Bennett wrote:

 I think the idea is for the government to create an official blacklist of
 the offending sites, and for ISPs to consult it before routing a packet to
 the fraud site. The common implementation would be an ACL on the ISPs border
 router. The Congress doesn't yet understand the distinction between ISPs and
 transit providers, of course, and typically says that proposed ISP
 regulations (including the net neutrality regulations) apply only to
 consumer-facing service providers.

 If this measure passes, you can expect expansion of blocking mandates for
 rogue sites of other kinds, such as kiddie porn and DMCA scofflaws.


 It's worth looking at http://www.cdt.org/speech/pennwebblock/ -- a Federal
 court struck down a law requiring web site blocking because of child
 pornography.

                --Steve Bellovin, http://www.cs.columbia.edu/~smb










-- 
Jeffrey Lyon, Leadership Team
jeffrey.l...@blacklotus.net | http://www.blacklotus.net
Black Lotus Communications of The IRC Company, Inc.

Platinum sponsor of HostingCon 2010. Come to Austin, TX on July 19 -
21 to find out how to protect your booty.



Re: Congress may require ISPs to block fraud sites H.R.3817

2009-11-05 Thread Eric Brunner-Williams

Barry Shein wrote:

I was at an IP (as in intellectual property), um, constituency I
think, IPC, meeting at ICANN which basically consisted of 99 lawyers
and me in the room.
  


By the Montevideo ICANN meeting '01 the Internet Service Providers Constituency
(ISPC) had dwindled down to the corporate trademarks portfolio managers for
the few remaining ISPs. At the Paris ICANN meeting a year ago we correlated
the votes of the Intellectual Property, Business, and ISP Constituencies and
found that there was no discernible independence amongst them, another way of
saying the IPC had captured the BC and ISPC.

Of course, now we have GNSO reform, and Stakeholder Groups replacing the
Constituencies.

Bottom line. ISPs are f**ked by their own somnambulism. In a slightly different
and partially overlapping policy and operational scope, the Address Supporting
Organization originates no policy development of note, and has been somnolent
for most of the ICANN trajectory, so BCP 38 and sBGP and so on have no real
presence in the ICANN toolkit.

So IP lawyers are doing pretty good in the oughts, and more time and bandwidth
goes to retail cops and robbers than goes to any critical infrastructure
vulnerability, outside of ICANN's DNS mafia, post-Kaminsky.

Any ISP that wants to spend some resources on operational issues, having some
relevance to resource identifiers, feel free to drop me a line. I could just
as well give process clue to Ops folk as ops clue to IP lawyers.




There was a fair amount of grousing about how ISPs give them the
run-around when they inform them of a violation looking for a
takedown, and don't take down the site or whatever demanding (sneer
sneer) paper from a court of competent jurisdiction as a dodge.

I explained that they should try it from the other side, we get a fair
amount of spurious stuff. I gave the example of a spouse in an ugly
divorce demanding we do something or other with the web site they
developed together in happier days IMMEDIATELY OR ELSE!!! (typically
change the password to one only they know).

How can we as ISPs possibly sort that out? Court orders are your
friend, they're not that hard to get if you're legitimate.

The way this reg is written it has that feel, it seems to promote the
fantasy that if J. Random Voice calls me and says a site you host,
creepsrus.com, violates HR3817, YOU HAVE BEEN INFORMED! then we have
been informed and therefore culpable/liable.

Well, perhaps there's enough precedent that it doesn't have to be
spelled out in that text what's meant by knowingly and a call like
that wouldn't be sufficient.

At the very least I'd require a clear transfer of liability.

That is, if the claim (and hence, takedown) turns out to be
unsupportable then any damages etc are indemnified by the complaining
(informing) party.