Friday, September 21, 2007

How long is too long?

An interesting topic has come up in one of the email lists I follow, and
in which I occasionally participate. I run my own mailserver and a couple
other web-based outlets (like this one), and spent several years as a BBS
Sysop, so I figured I earned it. I thought I knew the answer to this one,
and then I thought, "Waitaminute, is this really that obvious?"

Anyway, let's suppose you're an ISP. Let's suppose that someone is
alleged to have a "Phishing" website hosted on some of your hardware, say
on a piece contracted out to one of your clients (perhaps a client of a
client, even).

How long is a reasonable time to expect you to at least block access to
that phishing site?

Phishing is a way of defrauding clients of various banks and credit card
companies and such, by fooling them into giving you their usernames and
passwords and whatnot, possibly credit card numbers, expiration dates and
Mother's Maiden Names and such.

Often I receive emails, for example, telling me my account at US Bank or
Citibank has been compromised, and I need to click on a link and enter my
identification info to revalidate. (Since I have accounts at neither
bank, and I know how this stuff works, I don't respond, and send the email
off to the appropriate complaint address.)

The links need to connect to a particular website hosted somewhere.
Sometimes, these websites are subversively injected into pw0ned sites.
Sometimes they just buy space and put it up. Somebody owns and is
responsible for the hardware hosting those phishing sites.

If it were on your hardware, how long should it take you to take it
offline from the time you're notified it's there? How about if it's on
equipment you're providing to a client? Or a client of a client? Or a
client of a client of...? How authoritative does the source of a
complaint have to be?

My initial take was, well, phishing is a crime. If you're a landlord and
you know somebody's committing a crime, say selling crack from their
apartment, you call the cops, the SWAT team shows up, you wash your hands
and get to work cleaning up the apartment for the next tenant.

But how sure do you have to be they -are- committing a crime? What if
somebody just told you they were, but you never saw that? What if you own
a dozen buildings on a block, lease each building to a different landlord,
and that landlord rents out to various tenants, and someone you've never
heard of, and who you can't be sure is actually who they say they are,
claims that one tenant of one of the landlords is committing a crime? Do
you close down the block (given metaphorically you could)? Close down
that landlord? Figure out how to get that particular tenant isolated?

What if someone wearing a cheap suit showed what claimed to be FBI I.D.,
and made the same claim? (Do FBI agents have more expensive suits these
days? Agent Starling in "Silence of the Lambs" dressed rather well.)

So the answer isn't quite as obvious as I thought it was initially. How
do you set a "burden of proof" for such a complaint? How much action do
you take IMMEDIATELY to block the alleged criminal activity?

And even if it's the Gubmint claiming the crime, how responsive ought you
to be in terms of freedom-of-speech issues? Even if it is the FBI
(phishing seems like it'd more likely be a Secret Service issue), are they
complaining about phishing or making such claims to stop someone who, say,
is blogging negatively about administration policies, or Committee for
State Security -- excuse me, Department of Homeland Sekurity --

Is it a crime to shout "Komitet!" in a crowded political meeting?

What's a reasonable expectation for prompt response, based on what are
after all apparently unsupported allegations?

Not so sure I know the answer anymore. <sigh> This InterWeb stuff sure
gets complicated, don't it?