Hacker News Network

08-16-99
Not found-- the problem with ISPs and security web sites
by CyberChrist
"Sapere Aude"

Over the last few months, there has been a rash of security-related web sites taken offline for a peculiar reason-- it seems that Internet Service Providers cave in to the demands of people objecting to the content of the site, or at times, the alleged content. Sites such as Packetstorm Security have been victims of people claiming that material posted on the web site is libelous, who then try to hold the service provider of the web site, such as the web hosting organization, for ransom by threatening them with lawsuits if they do not force the webmaster to change the content. Companies are more willing to just toss the offending site off their servers and avoid any kind of threat of a lawsuit. However, this is not the way to deal with this problem, as there have been precedents set in American courts that deal specifically with these issues.

First, let's examine a bit how a "security expert" or a "hacker" is viewed by a typical ISP. Most ISPs have a service agreement, where one agrees to abide by their rules. These rules often lay out what content is acceptable and not acceptable. Many of these ISPs forbid the posting of security information on their web servers, lumping "hacking" in with "pornography" and other perceived underground activities.

This lumping of hacking with other, seedier activities is prevalent and is part of the problem. No matter what the credentials of the person constructing the web site are, no matter what his stated intentions are, and no matter how many disclaimers are posted on the site, web hosting companies and ISPs generally frown upon that kind of content. So part of the problem is that ISPs and web hosting companies are generally undereducated about the entire hacker culture, their brains fattened by the massive FUD articles posted in the media. In their minds, security consultants == hackers = bad.

This leads to another problem-- there is always going to be someone out there that is jealous of or mad about the content of another web site. The site may contain information such as "xyz said this and xyz is wrong and this is why." Sites such as these either start posting about each other, or worse, one webmaster just gets fed up with it and contacts someone that they feel can remedy the situation. Often this person forgets about the chain of command as far as reporting questionable material goes and goes straight for the throat by contacting the web site's upstream provider. This is becoming an increasing problem, and the problem again lies in the fact that many of these fly-by-night webmasters were not around during the infancy of the Internet (no, that does not mean that the infancy was when the web got started). There ARE rules of engagement and chains of command, and these have been outlined since the early 80s and perhaps beyond, both in the form of RFCs and tradition.

The way that complaints used to be handled is roughly as follows:

- Send email to the system administrator of the offending system, calmly explaining the situation and maybe offering some evidence as to how this is causing harm. This could be due to content or due to other activity coming from the site, such as port scanning. Attaching logs usually helps a lot.

- If you don't get a response in a reasonable amount of time, try re-sending the email. It may seem hard to believe, but sometimes mail gets lost.

- If there is still no response, try doing a 'whois' on their domain name, and then try contacting them via the information provided. Usually you get names, telephone numbers and addresses at this point.

- It is only when you have exhausted all of these measures and are getting no cooperation or hostile responses that you try to contact the upstream service provider. To find out who their upstream service provider is, try looking at the nameservers that are registered for the domain in the 'whois' output, or try doing a traceroute and seeing who they have their connection from.

This is really common sense more than anything. Common sense apparently has gone out the window in the point-and-click world of the 1990s.

The last part of the puzzle is what happens when these two uneducated sides get together to decide what to do about someone that seems to know more than they do. More often than not, what happens is illogical: the offending party is tossed off the system or his upstream provider threatens to shut down the service. The cycle usually goes like this:

- siteA.com posts information that shows that information by lamerA is wrong. siteA.com pokes fun at him, generally ridicules him, and the cycle usually renews itself when lamerA says something else stupid (or publishes an idiotic book).

- lamerA feels stung by all these statements and usually responds with weak defenses. Finally, the whole thing becomes unbearable and, in the search of trying to get the activity to stop, he dashes to siteA.com's service provider and tells them that siteA.com has libelous material. lamerA threatens the service provider with a lawsuit or thereabouts.

- siteA.com's provider panics, as they do not wish to be sued for libel (awards for this are usually extravagant and ISPs barely break even as it is). So they either remove the site or forcibly remove the content, and send stern rebukes to siteA.com's administrator/user.

There are a lot of problems with this cycle. Obviously the chain of command is broken. But more importantly, due to lack of education on the ISP's part, they are not aware that U.S. courts have decided that ISPs are NOT liable for the content of their users. In November of 1998, the United States Court of Appeals in Florida ruled against a woman who sued America Online when one of its subscribers, a convicted sex offender, approached her 11-year-old son via an America Online chat group. The appeals court upheld a federal law that protects Internet service providers and online services from inappropriate online transmittals by subscribers. The verdict is being appealed to the United States Supreme Court. This decision also extends to web content. Rather than cite the case to the accuser, the service provider usually caves in quickly and pulls the plug.

There are many other cases that ISPs can cite in their defense. Zeran vs. America Online in 1998 was upheld by the U.S. Supreme Court. It stated simply that ISPs such as America Online are free from liability over material that is carried on their network. Furthermore, the Supreme Court stated that ISPs do not have a duty nor an obligation to remove material found to be offensive. The decision cited the Communications Decency Act of 1996, under which ISPs are shown not to be publishers and thus are not treated as such by the law.

Another case is Cubby vs. CompuServe. In this case, the ruling cleared CompuServe of any wrongdoing based on the content of one of its subscribers, stating that ISPs such as CompuServe are secondary publishers, merely providing the means by which documents may be viewed, and had no editorial control over any of the content published on its public web servers. At the most, it removes any kind of offensive material after complaints. Hence, it cannot be held liable for content since it had no previous knowledge of the content.

Interestingly enough, one of the key elements that can help protect security consultants from being run off from a service provider, or that can help a service provider to deal with complaints, is the Communications Decency Act of 1996. It contains language that clearly states that "no provider or user of an interactive computer service shall be treated as a publisher or speaker of any information provided by another." The key is to realize that as a service provider being threatened with lawsuits over content that is found to be defamatory, your company is NOT liable for the content being published by one of your users. That is the law of the land, and by citing these cases to any irate callers, you may be able to defuse the situation in a more diplomatic manner than just booting the offending site off your server or off your router.

Remember that these laws also theoretically work in inverse-- if you boot users from your system without warning and you state that the material could get the ISP sued, you could be sued by the user you just booted for wrongful termination. And if the user can show loss of business over this wrongful termination, the ISP could have more problems on its hands than it bargained for. It should be noted that although ISPs cannot be held liable, users of the system that are publishing the questionable information CAN be held liable. However, a clear case must be made in court to show that the information is erroneous and has caused emotional and financial distress to the plaintiff.

In conclusion, it has been shown that the problems that arise in today's trend of booting "questionable" security sites from servers or from routers stem mainly from a complete lack of education on all sides as to the way that these problems are to be approached. The problem is not only the complete disregard of the chain of command in reporting a problem, but ultimately also the total lack of education on the part of the ISP in knowing what its rights are as defined by the American judicial system. ISPs of any kind seem quick to cave in to the demands of an irate complainer and do not seem to fully think through the situation at hand or consider the legal precedents for these kinds of complaints before executing a rash decision that does nothing but give other would-be complainers hope that they can also get a web site or web server removed if they complain long enough to their provider. If the rash of sites being taken down by these uneducated people is to stop, then all sides need to be aware of the protocols that are involved in dealing with these problems and the legal cases that support their decisions.

-- CyberChrist
cc@h0use.org
"Sapere Aude"

These pages are Copyright © 1999 Hacker News Network. All Rights Reserved.