Hacker News Network

08-16-99  Not found-- the problem with ISPs and security web sites

CyberChrist
"Sapere Aude"
Over the last few months, a rash of security-related web sites has been taken offline for a peculiar reason-- it seems that Internet Service Providers cave in to the demands of people objecting to the content of the site, or at times, the alleged content. Sites such as Packetstorm Security have been victims of people claiming that material posted on the web site is libelous and trying to hold the service provider of the web site, such as the web hosting organization, for ransom by threatening them with lawsuits if they do not force the webmaster to change the content. Companies are more willing to just toss the offending site off of their servers and avoid any kind of threat of a lawsuit. However, this is not the way to deal with this problem, as there have been precedents set in American courts that deal specifically with these issues.

First, let's examine a bit how a "security expert" or a "hacker" is viewed by a typical ISP. Most ISPs have a service agreement, where one agrees to abide by their rules. These rules often lay out what content is acceptable and not acceptable. Many of these ISPs forbid the posting of security information on their web servers, lumping "hacking" in with "pornography" and other perceived underground activities. This lumping of hacking with other, seedier activities is prevalent and is part of the problem. No matter what the credentials of the person constructing the web site are, no matter what his stated intentions are, and no matter how many disclaimers are posted on the site, web hosting companies and ISPs generally frown upon that kind of content. So part of the problem is that ISPs and web hosting companies are generally undereducated about the entire hacker culture, their brains fattened by the massive FUD articles posted in the media. In their minds, security consultants==hackers=bad.
This leads to another problem-- there is always going to be someone out there that is jealous or mad about the content of another web site. The site may contain information such as "xyz said this and xyz is wrong and this is why." Sites such as these either start posting about each other, or worse, one webmaster just gets fed up with it and contacts someone that they feel can remedy the situation. Often this person forgets about the chain of command as far as reporting questionable material and goes straight for the throat by contacting the web site's upstream provider. This is becoming an increasing problem, and the problem again lies in the fact that many of these fly-by-night webmasters were not around during the infancy of the Internet (no, that does not mean that the infancy was when the web got started). There ARE rules of engagement and chains of command, and these have been outlined since the early 80s and perhaps beyond, both in the form of RFCs and tradition. The way that complaints used to be handled is roughly as follows:

- send email to the system administrator of the offending system, calmly explaining the situation and maybe offer some evidence as to how this is causing harm. This could be due to content or due to other activity coming from the site, such as port scanning. Attaching logs usually helps a lot.
- if you don't get a response in a reasonable amount of time, try re-sending the email. It may seem hard to believe, but sometimes mail gets lost.
- if there is still no response, try doing a 'whois' on their domain name, and then try contacting them via the information provided. Usually you get names and telephone numbers and addresses at this point.
- it is only when you have exhausted all of these measures and are getting no cooperation or hostile responses that you try to contact the upstream service provider. To find out who their upstream service provider is, try looking at the nameservers that are registered for the domain in the 'whois' command or try doing a traceroute and seeing who they have their connection from.
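The four-step chain of command above can be turned into a small escalation helper. The following Python script is an added example, not part of the original column or of HNN: it parses the text of a 'whois' record and of a traceroute (both constructed samples using reserved example.* names, not real output) and orders the contacts the way the article prescribes, with the upstream provider, derived from the nameservers or from the penultimate traceroute hop, as the last resort. The two-label "parent domain" heuristic is an assumption that fits the flat TLDs of the article's era and would need a public-suffix list for names like example.co.uk.

```python
"""Complaint-escalation helper (added example; assumptions noted inline)."""
import re
from dataclasses import dataclass, field

# Constructed sample whois output in the style of a 1990s registry record.
SAMPLE_WHOIS = """\
Domain Name: SITEA.EXAMPLE
Registrant: SiteA Security, Inc.
Administrative Contact:
   Jane Admin  admin@sitea.example  +1.5550100
Technical Contact:
   Tom Tech  hostmaster@hosting-co.example  +1.5550101
Name Server: NS1.HOSTING-CO.EXAMPLE
Name Server: NS2.HOSTING-CO.EXAMPLE
"""

# Constructed sample traceroute; the hop before the final host is the
# network the site "has its connection from".
SAMPLE_TRACEROUTE = """\
 1  gw.local (10.0.0.1)  1.2 ms
 2  core1.isp-x.example (192.0.2.1)  8.5 ms
 3  border.hosting-co.example (198.51.100.1)  15.2 ms
 4  www.sitea.example (203.0.113.10)  16.0 ms
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
NS_RE = re.compile(r"^\s*Name Server:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
HOP_RE = re.compile(r"^\s*\d+\s+(\S+)\s+\(", re.MULTILINE)


@dataclass
class EscalationPlan:
    contacts: list = field(default_factory=list)          # steps 1-3
    nameservers: list = field(default_factory=list)
    upstream_domains: list = field(default_factory=list)  # step 4 only


def parent_domain(host: str) -> str:
    """Last two labels of a hostname (assumed to identify the operator)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_whois(text: str) -> EscalationPlan:
    """Pull e-mail contacts and nameservers out of a whois record."""
    plan = EscalationPlan()
    seen = set()
    for email in EMAIL_RE.findall(text):
        if email.lower() not in seen:
            seen.add(email.lower())
            plan.contacts.append(email.lower())
    plan.nameservers = [ns.lower().rstrip(".") for ns in NS_RE.findall(text)]
    for ns in plan.nameservers:
        dom = parent_domain(ns)
        if dom not in plan.upstream_domains:
            plan.upstream_domains.append(dom)
    return plan


def upstream_from_traceroute(text: str) -> str:
    """Operator domain of the hop just before the destination, or ''."""
    hops = HOP_RE.findall(text)
    if len(hops) < 2:
        return ""
    return parent_domain(hops[-2])


def escalation_steps(plan: EscalationPlan, domain: str, tr_upstream: str = "") -> list:
    """Order actions as the article's chain of command: site first, upstream last."""
    steps = [f"1. email {c} calmly, attaching logs/evidence" for c in plan.contacts]
    steps.append("2. no reply in a reasonable time: re-send the same email")
    steps.append(f"3. still nothing: use whois phone/postal details for {domain}")
    upstream = list(plan.upstream_domains)
    if tr_upstream and tr_upstream not in upstream:
        upstream.append(tr_upstream)
    for d in upstream:
        steps.append(f"4. last resort: contact upstream provider {d} "
                     f"(from nameservers/traceroute)")
    return steps


if __name__ == "__main__":
    plan = parse_whois(SAMPLE_WHOIS)
    for line in escalation_steps(plan, "sitea.example",
                                 upstream_from_traceroute(SAMPLE_TRACEROUTE)):
        print(line)
```

Run as-is it prints the ordered steps for the constructed sample; in practice you would paste in the real whois and traceroute output for the domain in question and work down the list, only reaching step 4 after the earlier steps have been exhausted.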

This is really common sense more than anything. Common sense apparently has gone out the window in the point-and-click world of the 1990s.

The last part of the puzzle is what happens when these two uneducated sides get together to decide what to do about someone that seems to know more than they do. More often than not, what happens is the illogical, in that the offending party is tossed off the system or his upstream provider threatens to shut down the service. The cycle usually goes like this:

- siteA.com posts information that shows that information by lamerA is wrong. siteA.com pokes fun at him, generally ridicules him, and the cycle usually renews itself when lamerA says something else stupid (or publishes an idiotic book).
- lamerA feels stung by all these statements and usually responds with weak defenses. Finally, the whole thing becomes unbearable and, in the search of trying to get the activity to stop, he dashes to siteA.com's service provider and tells them that siteA.com has libelous material. lamerA threatens the service provider with a lawsuit or thereabouts.
- siteA.com's provider panics, as they do not wish to be sued for libel (awards for this are usually extravagant and ISPs barely break even as it is). So they either remove the site or forcibly remove the content and send stern rebukes to siteA.com's administrator/user.

There are a lot of problems with this cycle. Obviously the chain of command is broken. But more importantly, due to lack of education on the ISP's part, they are not aware that U.S. courts have decided that ISPs are NOT liable for the content of their users. In November of 1998, the United States Court of Appeals in Florida ruled against a woman who sued America Online when one of its subscribers, a convicted sex offender, approached her 11-year-old son via an America Online chat group. The appeals court upheld a federal law that protects Internet service providers and online services from inappropriate online transmittals by subscribers. The verdict is being appealed to the United States Supreme Court. This decision also extends to web content. Rather than cite the case to the accuser, the service provider usually caves in quickly and pulls the plug.

There are many other cases that ISPs can cite in their defense. Zeran vs. America Online in 1998 was upheld by the U.S. Supreme Court. It stated simply that ISPs such as America Online are free from liability over material that is carried on their network. Furthermore, the Supreme Court stated that ISPs do not have a duty nor an obligation to remove material found to be offensive. The decision cited the Communications Decency Act of 1996, where ISPs are shown not to be publishers and thus are not treated as such by the law.

Another case is Cubby vs. CompuServe. In this case, the ruling cleared CompuServe of any wrongdoing based on the content of one of its subscribers, stating that ISPs such as CompuServe are secondary publishers, merely providing the means by which documents may be viewed, and had no editorial control over any of the content published on its public web servers. At the most, it removes any kind of offensive material after complaints. Hence, it cannot be held liable for content since it had no previous knowledge of the content.

Interestingly enough, one of the key elements that can help protect security consultants from being run off from a service provider, or that can help a service provider deal with complaints, is the Communications Decency Act of 1996. It contains clear language stating that "no provider or user of an interactive computer service shall be treated as a publisher or speaker of any information provided by another." The key is to realize that as a service provider being threatened with lawsuits over content that is found to be defamatory, your company is NOT liable for the content being published by one of your users. That is the law of the land, and by citing these cases to any irate callers, you may be able to defuse the situation in a more diplomatic manner than just booting the offending site off your server or off your router. Remember that these laws also theoretically work in reverse-- if you boot users from your system without warning and you state that the material could get the ISP sued, you could be sued by the user you just booted for wrongful termination. And if the user can show loss of business over this wrongful termination, the ISP could have more problems on its hands than it bargained for.

It should be noted that although ISPs cannot be held liable, users of the system that are publishing the questionable information CAN be held liable. However, a clear case must be made in court to show that the information is erroneous and has caused emotional and financial distress to the plaintiff.

In conclusion, it has been shown that the problems that arise in today's trend of booting "questionable" security sites from servers or from routers arise mainly from a complete lack of education on all sides as to the way that these problems are to be approached. The problems lie not only in the complete disregard of the chain of command in reporting a problem, but ultimately also in the total lack of education on the part of the ISP in knowing what its rights are as defined by the American judicial system. ISPs of any kind seem quick to cave in to the demands of an irate complaint and do not seem to fully think through the situation at hand or the legal precedents for these kinds of complaints before executing a rash decision that does nothing but give other would-be complainers hope that they can also get a web site or web server removed if they complain long enough to their provider. If the rash of sites being taken down by these uneducated people is to stop, then all sides need to be aware of the protocols that are involved in dealing with these problems and the legal cases that support their decisions.

-- CyberChrist cc@h0use.org
"Sapere Aude"

These pages are Copyright © 1999 Hacker News Network. All Rights Reserved.