Not found-- the problem with ISPs and security web sites
CyberChrist
"Sapere Aude"
Over the last few months, there has been a rash of security-related web
sites taken offline for a peculiar reason-- it seems that Internet
Service Providers cave in to the demands of people objecting to the
content of the site, or at times, the alleged content. Sites such as
Packetstorm Security have been victims of people claiming that material
posted on the web site is libelous, and who try to hold the service
provider of the web site, such as the web hosting organization, for
ransom by threatening them with lawsuits if they do not force the
webmaster to change the content. Companies are more willing to just
toss the offending site off their servers and avoid any threat
of a lawsuit. However, this is not the way to deal with this problem,
as there have been precedents set in American courts that deal
specifically with these issues.
First, let's examine how a "security expert" or a "hacker"
is viewed by a typical ISP. Most ISPs have a service agreement, in which
one agrees to abide by their rules. These rules often lay out
what content is and is not acceptable. Many of these ISPs
forbid the posting of security information on their web servers, lumping
"hacking" in with "pornography" and other perceived underground
activities. This lumping of hacking with other, seedier activities is
prevalent and is part of the problem. No matter what the credentials
of the person constructing the web site are, no matter what
his stated intentions are, and no matter how many disclaimers are posted
on the site, web hosting companies and ISPs generally frown upon that
kind of content. So part of the problem is that ISPs and web hosting
companies are generally undereducated about the entire hacker culture,
their brains fattened by the massive FUD articles posted in the media.
In their minds, security consultants = hackers = bad.
This leads to another problem-- there is always going to be someone out
there who is jealous of or mad about the content of another web site. The
site may contain information such as "xyz said this, and xyz is wrong, and
this is why." Sites such as these either start posting about each
other, or worse, one webmaster just gets fed up with it and contacts
someone that they feel can remedy the situation. Often this person
forgets about the chain of command for reporting questionable
material and goes straight for the throat by contacting the web site's
upstream provider. This is becoming an increasing problem, and the
problem again lies in the fact that many of these fly-by-night web
masters were not around during the infancy of the Internet (no, that
does not mean that the infancy was when the web got started). There
ARE rules of engagement and chains of command, and these have been
outlined since the early 80s and perhaps beyond, both in the form of
RFCs and tradition. The way that complaints used to be handled is
roughly as follows:
- send email to the system administrator of the offending system,
calmly explaining the situation and maybe offer some evidence as to how
this is causing harm. This could be due to content or due to other
activity coming from the site, such as port scanning. Attaching logs
usually helps a lot.
- if you don't get a response in a reasonable amount of time, try
re-sending the email. It may seem hard to believe, but sometimes mail
gets lost.
- if there is still no response, try doing a 'whois' on their domain
name, and then try contacting them via the information provided.
Usually you get names and telephone numbers and addresses at this
point.
- it is only when you have exhausted all of these measures and are
getting no cooperation or hostile responses that you try to contact the
upstream service provider. To find out who their upstream service
provider is, try looking at the nameservers that are registered for the
domain in the 'whois' command or try doing a traceroute and seeing who
they have their connection from.
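The escalation ladder above, as an added example that is not part of the original article: it derives the contacts for each step from a saved whois record rather than querying the network, so it runs offline. The sample record, the siteA.example and hosting.example names, and the use of postmaster@/abuse@ as the conventional administrator mailboxes are all assumptions.

```python
"""Added example (not from the article): build the complaint escalation
ladder in the article's order from saved whois output; pipe real `whois`
text into the same functions for live use."""
import re
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"(?:phone|tel)[^:\n]*:\s*([+\d][\d .()-]{6,})", re.I)
NS_RE = re.compile(r"^\s*name\s*server:\s*(\S+)", re.I | re.M)

# Constructed sample whois record for the article's hypothetical siteA.
SAMPLE_WHOIS = """\
Domain Name: SITEA.EXAMPLE
Registrant Email: webmaster@sitea.example
Registrant Phone: +1.5555550100
Admin Email: WEBMASTER@sitea.example
Tech Email: hostmaster@hosting.example
Name Server: NS1.HOSTING.EXAMPLE
Name Server: NS2.HOSTING.EXAMPLE
"""

def _dedupe(items):
    seen, out = set(), []
    for x in items:
        if x not in seen:
            seen.add(x)
            out.append(x)
    return out

def contacts(whois_text):
    """E-mail addresses and phone numbers from the record, in order of first appearance."""
    emails = _dedupe(e.lower() for e in EMAIL_RE.findall(whois_text))
    phones = _dedupe(p.strip() for p in PHONE_RE.findall(whois_text))
    return emails + phones

def nameservers(whois_text):
    return sorted({m.lower().rstrip(".") for m in NS_RE.findall(whois_text)})

def upstream_domains(ns_list):
    """Parent domain of each nameserver: the hosting/upstream operator."""
    return _dedupe(".".join(ns.split(".")[-2:]) for ns in ns_list)

def escalation_plan(domain, whois_text):
    """Steps in the article's order; the upstream provider is the last resort."""
    admin = [f"postmaster@{domain}", f"abuse@{domain}"]  # assumed conventional mailboxes
    upstream = [f"abuse@{d}" for d in upstream_domains(nameservers(whois_text))]
    return [
        ("1. e-mail the site's administrator, attach evidence/logs", admin),
        ("2. no reply in a reasonable time: re-send the same e-mail", admin),
        ("3. still nothing: use the whois contacts", contacts(whois_text)),
        ("4. only if ignored or met with hostility: the upstream provider", upstream),
    ]
```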
This is really common sense more than anything. Common sense apparently
has gone out the window in the point-and-click world of the 1990s.
The last part of the puzzle is what happens when these two uneducated
sides get together to decide what to do about someone who seems to know
more than they do. More often than not, the illogical happens:
the offending party is tossed off the system, or his upstream
provider threatens to shut down the service. The cycle usually goes
like this:
- siteA.com posts information that shows that information by lamerA is
wrong. siteA.com pokes fun at him, generally ridicules him, and the
cycle usually renews itself when lamerA says something else stupid (or
publishes an idiotic book).
- lamerA feels stung by all these statements and usually responds with
weak defenses. Finally, the whole thing becomes unbearable and in the
search of trying to get the activity to stop, he dashes to siteA.com's
service provider and tells them that siteA.com has libelous material.
lamerA threatens the service provider with a lawsuit or thereabouts.
- siteA.com's provider panics, as they do not wish to be sued for libel
(awards for this are usually extravagant and ISPs barely break even as
it is). So they either remove the site or forcibly remove the content
and send stern rebukes to siteA.com's administrator/user.
There are a lot of problems with this cycle. Obviously the chain of
command is broken. But more importantly, due to lack of education on
the ISP's part, they are not aware that U.S. courts have decided that
ISPs are NOT liable for the content of their users. In November of 1998,
the United States Court of Appeals in Florida ruled against a woman who
sued America Online when one of its subscribers, a convicted sex
offender, approached her 11-year-old son via an America Online chat
group. The appeals court upheld a federal law that protects Internet
service providers and online services from inappropriate online
transmittals by subscribers. The verdict is being appealed to the United
States Supreme Court. This decision also extends to web content. Rather
than cite the case to the accuser, the service provider usually caves in
quickly and pulls the plug.
There are many other cases that ISPs can cite in their defense. Zeran
vs. America Online in 1998 was upheld by the U.S. Supreme Court. It stated
simply that ISPs such as America Online are free from liability over
material that is carried on their network. Furthermore, the Supreme Court
stated that ISPs do not have a duty nor an obligation to remove material
found to be offensive. The decision cited the Communications Decency Act
of 1996, where ISPs are shown not to be publishers and thus are not
treated as such by the law.
Another case is Cubby vs. CompuServe. In this case, the ruling cleared
CompuServe of any wrongdoing based on the content of one of its
subscribers, stating that ISPs such as CompuServe are secondary
publishers, merely providing the means by which documents may be viewed,
and had no editorial control over any of the content published on its
public web servers. At the most, it removes any kind of offensive
material after complaints. Hence, it cannot be held liable for content
since it had no previous knowledge of the content.
Interestingly enough, one of the key elements that can help protect
security consultants from being run off from a service provider, or that
can help a service provider to deal with complaints, is the Communications
Decency Act of 1996. It contains language that clearly states that
"no provider or user of an interactive computer service shall be treated
as a publisher or speaker of any information provided by another." The
key is to realize that as a service provider being threatened with
lawsuits over content that is found to be defamatory, your company is NOT
liable for the content being published by one of your users. That is the
law of the land, and by citing these cases to any irate callers, you may be
able to defuse the situation in a more diplomatic manner than just
booting the offending site off your server or off your router. Remember
that these laws also theoretically work in inverse-- if you boot users
from your system without warning and you state that the material could get
the ISP sued, you could be sued by the user you just booted for wrongful
termination. And if the user can show loss of business over this wrongful
termination, the ISP could have more problems on its hands than it
bargained for.
It should be noted that although ISPs cannot be held liable, users of the
system who are publishing the questionable information CAN be held
liable. However, a clear case must be made in court to show that the
information is erroneous and has caused emotional and financial distress
to the plaintiff.
In conclusion, it has been shown that the problems that arise in today's
trend of booting "questionable" security sites from servers or from
routers arise mainly from a complete lack of education on all sides as to
the way that these problems are to be approached. The problem is not
only the complete disregard of the chain of command in reporting a
problem, but ultimately also the total lack of education on the
part of the ISP in knowing what its rights are as defined by the American
judicial system. ISPs of any kind seem quick to cave in to the demands of
an irate complainant and do not seem to fully think through the situation at
hand and the legal precedents for these kinds of complaints before
executing a rash decision that does nothing but give other
would-be complainers hope that they can also get a web site or web server
removed if they complain long enough to their provider. If the rash of
sites being taken down by these uneducated people is to stop, then all
sides need to be aware of the protocols that are involved in dealing with
these problems and the legal cases that support their decisions.
--
CyberChrist cc@h0use.org
"Sapere Aude"