Thread: Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?




Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?
United States
2007-10-12 16:23:15
-- Mike Lewinski <mikerockynet.com> wrote:

> On a side note, now that I've gotten back on -post.... I will say that
> I've had pretty dismal experiences working with Law Enforcement over the
> years as a service provider. When you have to explain to the Feds just
> what IRC (for example) is, you've lost the battle :( After repeated
> attempts at getting what seems to be blatant criminal activity
> investigated, a provider might start to think "If Law Enforcement
> doesn't care, why should I?" (I've avoided falling into that trap, but
> it is frustrating to boot someone for illegal activities and see them go
> on to pull the same thing at another provider even after providing
> evidence to authorities.).

Exactly.

Sometimes I think to myself that "...ISPs have Terms of Service and
Acceptable Use Policies, so they have the scope and tools they need
to boot a 'customer' who breaks the rules."

But all too often, it would appear, the potential loss of revenue
seems to win out over enforcing those policies.

And as you say, if the ISP boots them, they just set up shop elsewhere.

So, back to my original question: If you alert an ISP that "bad and
possibly criminal" activity is taking place by one of their customers,
and they do not take corrective action (even after a year), what do
you do?

- ferg



--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/


Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?
United States
2007-10-12 16:45:47
Paul Ferguson wrote:

> So, back to my original question: If you alert an ISP that "bad and
> possibly criminal" activity is taking place by one of their customers,
> and they do not take corrective action (even after a year), what do
> you do?

In at least one case, where I knew the offender had been booted off his
last provider, I actually stalled disconnecting him for three months
while I tried getting help from law enforcement. I felt we had a better
chance of getting him permanently removed from the Internet by keeping
him around long enough to get court orders to investigate his most
likely illegal actions that were generating abuse reports. I started out
with the feds, went on to the state and finally the local sheriff before
giving up and just cutting him off for lack of any other hope.

But a year is too long. If it were impacting my network, I'd probably
drop their routes (or blackhole the offending hosts anyway).

Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?
United States
2007-10-12 17:12:23
On Fri, 12 Oct 2007, Paul Ferguson wrote:
> So, back to my original question: If you alert an ISP that "bad and
> possibly criminal" activity is taking place by one of their customers,
> and they do not take corrective action (even after a year), what do
> you do?

That's a different question altogether, not about criminal ISPs, which I
am sure none of the members of NANOG are.

SpamHaus has been known to eventually block their mail servers, which gets
quick results, and lawsuits.

 	Gadi.

Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?
Netherlands
2007-10-14 09:46:10

> Date: Fri, 12 Oct 2007 21:23:15 GMT
> From: Paul Ferguson <fergdawgnetzero.net>
> Subject: Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?

> [ ... ]
> Sometimes I think to myself that "...ISPs have Terms of Service and
> Acceptable Use Policies, so they have the scope and tools they need
> to boot a 'customer' who breaks the rules."

> But all too often, it would appear, the potential loss of revenue
> seems to win out over enforcing those policies.

This is something most CSIRTs/CERTs/Abuse/Security people run into. At
some point they will have an issue with an entity they're providing
service to that management will veto. In most cases having a good chat
with management about it, before they're sweet-talked too much by the
other side helps getting your point across, or - in business terms -
makes it management's responsibility. I've seen various scenarios
played out like that, and others where the "license to disconnect" was
squarely backed by management.

> And as you say, if the ISP boots them, they just set up shop elsewhere.

Although I try to educate, this is a matter of life on the Internet.

> So, back to my original question: If you alert an ISP that "bad and
> possibly criminal" activity is taking place by one of their customers,
> and they do not take corrective action (even after a year), what do
> you do?

Well, depends on the level of information and your contacts in the
operational / security field. Being a member of an NREN CSIRT I can
either directly or indirectly participate in local, regional and
worldwide bodies where people "like us" come together. How that plays
out, or how you *want* that to play out, is something you cannot
predict. But sometimes other people will have advice about whom to
contact within Law Enforcement, other people will chime in, other
people have direct contact with clueful people etc.

But first and foremost; you try to protect my constituents.
(through technical, legal, procedural etc. means)

Kind regards,
JP Velders

Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?
Kenya
2007-10-15 04:26:43
Hi,

First of all, I kinda picked the thread mid stream, so apologies if what
is here has been dealt with by others.

As an ISP, if I receive a complaint of what may be illegal activity
coming from a customer on my network, I can respond to the complaint
and say I will look into it, but what action do I take?

If "someone on the internet" is the complainant, do I have the right to
ask for evidence of the said illegal activity (I am not in law
enforcement)?

Or do I forward the complaint to the "relevant authorities", cyber
crime teams too busy dealing with the good old crimes of drugs,
terrorism etc. but using the internet to do their sleuthing, and then
leave it at that, and until the "relevant authorities" come back to me do
I leave the situation as is, and does that mean I am turning a blind eye?
Assuming of course that I have taken the necessary measures of
"cleaning out" malicious stuff, spam, malware etc.

On the other hand, there is the issue of being what may be called a
responsible "cyber citizen" and do the needful and terminate the client
if the illegal activity does not stop.

There is also the issue that many ISPs' networks cross geographic
boundaries with different legislation, so if complainant in country A
says that ISP has customer (in country B) carrying on illegal activity,
ISP may contact customer in country B and tell them the same, but if in
country B that activity is deemed "normal", how does the ISP proceed?
Terminating that client would amount to breach of contract in country B
and ISP may end up being sued by client in country B.

Raymond Macharia


