Mailing List Archive: NANOG: users

Congress may require ISPs to block fraud sites H.R.3817

Index | Next | Previous | View Threaded

bking at inline

Nov 5, 2009, 2:40 PM

Post #1 of 22 (1244 views)
Permalink

Congress may require ISPs to block fraud sites H.R.3817

Did I miss a thread on this? Has anyone looked at this yet?

http://m.news.com/2166-12_3-10390779-38.html

Section 508 of H.R.3817:

SEC. 508. PENALTY FOR MISREPRESENTATION OF SIPC MEMBERSHIP OR PROTECTION.

Section 14 of the Securities Investor Protection Act of 1970 (15 U.S.C.
78jjj) is amended by adding at the end the following new subsection:

`(d) Misrepresentation of SIPC Membership or Protection-

`(1) IN GENERAL- Any person who falsely represents by any means
(including, without limitation, through the Internet or any other medium
of mass communication), with actual knowledge of the falsity of the
representation and with an intent to deceive or cause injury to another,
that such person, or another person, is a member of SIPC or that any
person or account is protected or is eligible for protection under this
Act or by SIPC, shall be liable for any damages caused thereby and shall
be fined not more than $250,000 or imprisoned for not more than five years.

`(2) INTERNET SERVICE PROVIDERS- Any Internet service provider that, on
or through a system or network controlled or operated by the Internet
service provider, transmits, routes, provides connections for, or stores
any material containing any misrepresentation of the kind prohibited in
paragraph (1) shall be liable for any damages caused thereby, including
damages suffered by SIPC, if the Internet service provider--

`(A) has actual knowledge that the material contains a misrepresentation
of the kind prohibited in paragraph (1), or

`(B) in the absence of actual knowledge, is aware of facts or
circumstances from which it is apparent that the material contains a
misrepresentation of the kind prohibited in paragraph (1), and

upon obtaining such knowledge or awareness, fails to act expeditiously
to remove, or disable access to, the material.

`(3) INJUNCTIONS- Any court having jurisdiction of a civil action
arising under this Act may grant temporary injunctions and final
injunctions on such terms as the court deems reasonable to prevent or
restrain any violation of paragraph (1) or (2). Any such injunction may
be served anywhere in the United States on the person enjoined, shall be
operative throughout the United States, and shall be enforceable, by
proceedings in contempt or otherwise, by any United States court having
jurisdiction over that person. The clerk of the court granting the
injunction shall, when requested by any other court in which enforcement
of the injunction is sought, transmit promptly to the other court a
certified copy of all papers in the case on file in such clerk's office.'.

Valdis.Kletnieks at vt

Nov 5, 2009, 2:56 PM

Post #2 of 22 (1215 views)
Permalink

Re: Congress may require ISPs to block fraud sites H.R.3817 [In reply to]

On Thu, 05 Nov 2009 16:40:09 CST, Bryan King said:
> Did I miss a thread on this? Has anyone looked at this yet?

> `(2) INTERNET SERVICE PROVIDERS- Any Internet service provider that, on
> or through a system or network controlled or operated by the Internet
> service provider, transmits, routes, provides connections for, or stores
> any material containing any misrepresentation of the kind prohibited in
> paragraph (1) shall be liable for any damages caused thereby, including
> damages suffered by SIPC, if the Internet service provider--

"routes" sounds the most dangerous part there. Does this mean that if
we have a BGP peering session with somebody, we need to filter it?

Fortunately, there's the conditions:

> `(A) has actual knowledge that the material contains a misrepresentation
> of the kind prohibited in paragraph (1), or

> `(B) in the absence of actual knowledge, is aware of facts or
> circumstances from which it is apparent that the material contains a
> misrepresentation of the kind prohibited in paragraph (1), and

> upon obtaining such knowledge or awareness, fails to act expeditiously
> to remove, or disable access to, the material.

So the big players that just provide bandwidth to the smaller players are
mostly off the hook - AS701 has no reason to be aware that some website in
Tortuga is in violation (which raises an intresting point - what if the
site *is* offshore?)

And the immediate usptreams will fail to obtain knowledge or awareness of
their customer's actions, the same way they always have.

Move along, nothing to see.. ;)

marka at isc

Nov 5, 2009, 4:06 PM

Post #3 of 22 (1220 views)
Permalink

Re: Congress may require ISPs to block fraud sites H.R.3817 [In reply to]

In message <23895.1257461806 [at] turing-police>, Valdis.Kletnieks [at] vt writes:
> --==_Exmh_1257461806_2581P
> Content-Type: text/plain; charset=us-ascii
>
> On Thu, 05 Nov 2009 16:40:09 CST, Bryan King said:
> > Did I miss a thread on this? Has anyone looked at this yet?
>
> > `(2) INTERNET SERVICE PROVIDERS- Any Internet service provider that, on
> > or through a system or network controlled or operated by the Internet
> > service provider, transmits, routes, provides connections for, or stores
> > any material containing any misrepresentation of the kind prohibited in
> > paragraph (1) shall be liable for any damages caused thereby, including
> > damages suffered by SIPC, if the Internet service provider--
>
> "routes" sounds the most dangerous part there. Does this mean that if
> we have a BGP peering session with somebody, we need to filter it?
>
> Fortunately, there's the conditions:
>
> > `(A) has actual knowledge that the material contains a misrepresentation
> > of the kind prohibited in paragraph (1), or
>
> > `(B) in the absence of actual knowledge, is aware of facts or
> > circumstances from which it is apparent that the material contains a
> > misrepresentation of the kind prohibited in paragraph (1), and
>
> > upon obtaining such knowledge or awareness, fails to act expeditiously
> > to remove, or disable access to, the material.
>
> So the big players that just provide bandwidth to the smaller players are
> mostly off the hook - AS701 has no reason to be aware that some website in
> Tortuga is in violation (which raises an intresting point - what if the
> site *is* offshore?)

Unless it is informed. Once it is informed it has to take action.
Turning the informer off, luckily, doesn't meet the requirements
for "taking action" as you need to protect all of your customers
or make yourself liable for prosecution.

I suspect informing a closer peer that is also subject to the act
would be seen as taking reasonable action as it could be reasonably
assumed that they will take appropriate steps, but one would have
to check that the material was removed/blocked.

If you run a residential network, it appears to me that, you are
now responsible for seeing that all material that is subject to the
act that is reported to you by your customers is addressed.

INAL.

> And the immediate usptreams will fail to obtain knowledge or awareness of
> their customer's actions, the same way they always have.
>
> Move along, nothing to see.. ;)
>
> --==_Exmh_1257461806_2581P
> Content-Type: application/pgp-signature
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Exmh version 2.5 07/13/2001
>
> iD8DBQFK81gucC3lWbTT17ARAjaeAJ9Snqyq/z7qeF/Z+ag+xluKfUQAdwCgrJ4V
> LyG+0P2RJeLA9VRrzgejyiE=
> =Mxbr
> -----END PGP SIGNATURE-----
>
> --==_Exmh_1257461806_2581P--
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka [at] isc

smb at cs

Nov 5, 2009, 4:24 PM

Post #4 of 22 (1210 views)
Permalink

Re: Congress may require ISPs to block fraud sites H.R.3817 [In reply to]

On Nov 5, 2009, at 5:56 PM, Valdis.Kletnieks [at] vt wrote:

> On Thu, 05 Nov 2009 16:40:09 CST, Bryan King said:
>> Did I miss a thread on this? Has anyone looked at this yet?
>
>> `(2) INTERNET SERVICE PROVIDERS- Any Internet service provider
>> that, on
>> or through a system or network controlled or operated by the Internet
>> service provider, transmits, routes, provides connections for, or
>> stores
>> any material containing any misrepresentation of the kind
>> prohibited in
>> paragraph (1) shall be liable for any damages caused thereby,
>> including
>> damages suffered by SIPC, if the Internet service provider--
>
> "routes" sounds the most dangerous part there. Does this mean that if
> we have a BGP peering session with somebody, we need to filter it?

Also "transmits". (I'm impressed that someone in Congress knows the
word "routes"....)
>
> Fortunately, there's the conditions:
>
>> `(A) has actual knowledge that the material contains a
>> misrepresentation
>> of the kind prohibited in paragraph (1), or
>
>> `(B) in the absence of actual knowledge, is aware of facts or
>> circumstances from which it is apparent that the material contains a
>> misrepresentation of the kind prohibited in paragraph (1), and
>
>> upon obtaining such knowledge or awareness, fails to act
>> expeditiously
>> to remove, or disable access to, the material.
>
> So the big players that just provide bandwidth to the smaller
> players are
> mostly off the hook - AS701 has no reason to be aware that some
> website in
> Tortuga is in violation (which raises an intresting point - what if
> the
> site *is* offshore?)
>
> And the immediate usptreams will fail to obtain knowledge or
> awareness of
> their customer's actions, the same way they always have.

Note the word "circumstances"...
>
> Move along, nothing to see.. ;)

Until, of course, some Assistant U.S. Attorney or some attorney in a
civil lawsuit decides you were or should have been aware and takes you
to court. You may win, but after spending O(\alph_0) zorkmids on
lawyers defending yourself....

--Steve Bellovin, http://www.cs.columbia.edu/~smb

richard at bennett

Nov 5, 2009, 4:44 PM

Post #5 of 22 (1213 views)
Permalink

Re: Congress may require ISPs to block fraud sites H.R.3817 [In reply to]

I think the idea is for the government to create an official blacklist
of the offending sites, and for ISPs to consult it before routing a
packet to the fraud site. The common implementation would be an ACL on
the ISPs border router. The Congress doesn't yet understand the
distinction between ISPs and transit providers, of course, and typically
says that proposed ISP regulations (including the net neutrality
regulations) apply only to consumer-facing service providers.

If this measure passes, you can expect expansion of blocking mandates
for rogue sites of other kinds, such as kiddie porn and DMCA scofflaws.

RB

Steven Bellovin wrote:
>
> On Nov 5, 2009, at 5:56 PM, Valdis.Kletnieks [at] vt wrote:
>
>> On Thu, 05 Nov 2009 16:40:09 CST, Bryan King said:
>>> Did I miss a thread on this? Has anyone looked at this yet?
>>
>>> `(2) INTERNET SERVICE PROVIDERS- Any Internet service provider that, on
>>> or through a system or network controlled or operated by the Internet
>>> service provider, transmits, routes, provides connections for, or
>>> stores
>>> any material containing any misrepresentation of the kind prohibited in
>>> paragraph (1) shall be liable for any damages caused thereby, including
>>> damages suffered by SIPC, if the Internet service provider--
>>
>> "routes" sounds the most dangerous part there. Does this mean that if
>> we have a BGP peering session with somebody, we need to filter it?
>
> Also "transmits". (I'm impressed that someone in Congress knows the
> word "routes"....)
>>
>> Fortunately, there's the conditions:
>>
>>> `(A) has actual knowledge that the material contains a
>>> misrepresentation
>>> of the kind prohibited in paragraph (1), or
>>
>>> `(B) in the absence of actual knowledge, is aware of facts or
>>> circumstances from which it is apparent that the material contains a
>>> misrepresentation of the kind prohibited in paragraph (1), and
>>
>>> upon obtaining such knowledge or awareness, fails to act expeditiously
>>> to remove, or disable access to, the material.
>>
>> So the big players that just provide bandwidth to the smaller players
>> are
>> mostly off the hook - AS701 has no reason to be aware that some
>> website in
>> Tortuga is in violation (which raises an intresting point - what if the
>> site *is* offshore?)
>>
>> And the immediate usptreams will fail to obtain knowledge or
>> awareness of
>> their customer's actions, the same way they always have.
>
> Note the word "circumstances"...
>>
>> Move along, nothing to see.. ;)
>
> Until, of course, some Assistant U.S. Attorney or some attorney in a
> civil lawsuit decides you were or should have been aware and takes you
> to court. You may win, but after spending O(\alph_0) zorkmids on
> lawyers defending yourself....
>
>
> --Steve Bellovin, http://www.cs.columbia.edu/~smb
>
>
>
>
>
>

--
Richard Bennett
Research Fellow
Information Technology and Innovation Foundation
Washington, DC

smb at cs

Nov 5, 2009, 4:58 PM

Post #6 of 22 (1211 views)
Permalink

Re: Congress may require ISPs to block fraud sites H.R.3817 [In reply to]

On Nov 5, 2009, at 7:44 PM, Richard Bennett wrote:

> I think the idea is for the government to create an official
> blacklist of the offending sites, and for ISPs to consult it before
> routing a packet to the fraud site. The common implementation would
> be an ACL on the ISPs border router. The Congress doesn't yet
> understand the distinction between ISPs and transit providers, of
> course, and typically says that proposed ISP regulations (including
> the net neutrality regulations) apply only to consumer-facing
> service providers.
>
> If this measure passes, you can expect expansion of blocking
> mandates for rogue sites of other kinds, such as kiddie porn and
> DMCA scofflaws.
>
>
It's worth looking at hhttp://www.cdt.org/speech/pennwebblock/ -- a
Federal court struck down a law requiring web site blocking because of
child pornography.

--Steve Bellovin, http://www.cs.columbia.edu/~smb

richard at bennett

Nov 5, 2009, 5:14 PM

Post #7 of 22 (1211 views)
Permalink

Re: Congress may require ISPs to block fraud sites H.R.3817 [In reply to]

IANAL, but I wouldn't set too much stock by that order - there are
numerous errors of fact in the opinion, and much of it relates to the
lack of due process in the maintenance of a secret blacklist. It was
also a state law, not a federal one, so there was a large jurisdictional
question (the Commerce Clause concern.)

As people in Washington are saying around the net neutrality debate
these days: "anything goes is not a serious argument."

RB

Steven Bellovin wrote:
>
> On Nov 5, 2009, at 7:44 PM, Richard Bennett wrote:
>
>> I think the idea is for the government to create an official
>> blacklist of the offending sites, and for ISPs to consult it before
>> routing a packet to the fraud site. The common implementation would
>> be an ACL on the ISPs border router. The Congress doesn't yet
>> understand the distinction between ISPs and transit providers, of
>> course, and typically says that proposed ISP regulations (including
>> the net neutrality regulations) apply only to consumer-facing service
>> providers.
>>
>> If this measure passes, you can expect expansion of blocking mandates
>> for rogue sites of other kinds, such as kiddie porn and DMCA scofflaws.
>>
>>
> It's worth looking at hhttp://www.cdt.org/speech/pennwebblock/ -- a
> Federal court struck down a law requiring web site blocking because of
> child pornography.
>
> --Steve Bellovin, http://www.cs.columbia.edu/~smb
>
>
>
>
>

--
Richard Bennett
Research Fellow
Information Technology and Innovation Foundation
Washington, DC

jeffrey.lyon at blacklotus

Nov 5, 2009, 5:16 PM

Post #8 of 22 (1214 views)
Permalink

Re: Congress may require ISPs to block fraud sites H.R.3817 [In reply to]

Net neutrality suffers another blow. I liked Congress when they had no
idea what the internet was, now they've progressed to "still have no
idea but like to pretend."

Jeff

On Thu, Nov 5, 2009 at 7:58 PM, Steven Bellovin <smb [at] cs> wrote:
>
> On Nov 5, 2009, at 7:44 PM, Richard Bennett wrote:
>
>> I think the idea is for the government to create an official blacklist of
>> the offending sites, and for ISPs to consult it before routing a packet to
>> the fraud site. The common implementation would be an ACL on the ISPs border
>> router. The Congress doesn't yet understand the distinction between ISPs and
>> transit providers, of course, and typically says that proposed ISP
>> regulations (including the net neutrality regulations) apply only to
>> consumer-facing service providers.
>>
>> If this measure passes, you can expect expansion of blocking mandates for
>> rogue sites of other kinds, such as kiddie porn and DMCA scofflaws.
>>
>>
> It's worth looking at hhttp://www.cdt.org/speech/pennwebblock/ -- a Federal
> court struck down a law requiring web site blocking because of child
> pornography.
>
> � � � � � � � �--Steve Bellovin, http://www.cs.columbia.edu/~smb
>
>
>
>
>
>
>

--
Jeffrey Lyon, Leadership Team
jeffrey.lyon [at] blacklotus | http://www.blacklotus.net
Black Lotus Communications of The IRC Company, Inc.

Platinum sponsor of HostingCon 2010. Come to Austin, TX on July 19 -
21 to find out how to "protect your booty."

bzs at world

Nov 5, 2009, 6:26 PM

Post #9 of 22 (1211 views)
Permalink

Re: Congress may require ISPs to block fraud sites H.R.3817 [In reply to]

I was at an IP (as in intellectual property), um, "constituency" I
think, IPC, meeting at ICANN which basically consisted of 99 lawyers
and me in the room.

There was a fair amount of grousing about how ISPs give them the
run-around when they inform them of a violation looking for a
takedown, and don't take down the site or whatever demanding (sneer
sneer) paper from a court of competent jurisdiction as a dodge.

I explained that they should try it from the other side, we get a fair
amount of spurious stuff. I gave the example of a spouse in an ugly
divorce demanding we do something or other with the web site they
developed together in happier days IMMEDIATELY OR ELSE!!! (typically
change the password to one only they know).

How can we as ISPs possibly sort that out? Court orders are your
friend, they're not that hard to get if you're legitimate.

The way this reg is written it has that feel, it seems to promote the
fantasy that if J. Random Voice calls me and says "a site you host,
creepsrus.com, violates HR3817, YOU HAVE BEEN INFORMED!" then we have
been informed and therefore culpable/liable.

Well, perhaps there's enough precedent that it doesn't have to be
spelled out in that text what's meant by "knowingly" and a call like
that wouldn't be sufficient.

At the very least I'd require a clear transfer of liability.

That is, if the claim (and hence, takedown) turns out to be
unsupportable then any damages etc are indemnified by the complaining
("informing") party.

--
-Barry Shein

The World | bzs [at] TheWorld | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*

brunner at nic-naa

Nov 5, 2009, 7:10 PM

Post #10 of 22 (1211 views)
Permalink

Re: Congress may require ISPs to block fraud sites H.R.3817 [In reply to]

Barry Shein wrote:
> I was at an IP (as in intellectual property), um, "constituency" I
> think, IPC, meeting at ICANN which basically consisted of 99 lawyers
> and me in the room.
>

By the Montevideo ICANN meeting '01 the "Internet Service Providers Constituency"
(ISPC) had dwindled down to the corporate trademarks portfolio managers for
the few remaining ISPs. At the Paris ICANN meeting a year ago we corrolated
the votes of the Intellectual Property, Business, and ISP Constituencies and
found that there was no discernable independence amongst them, another way of
sayins the IPC had captured the BC and ISPC.

Of course, now we have GNSO reform, and "Stakeholder Groups" replacing the
Constituencies.

Bottom line. ISPs are f**ked by their own sonombulism. In a slightly different
and partially overlapping policy and operational scope, the Address Supporting
Organization originates no policy development of note, and has been somnolent
for most of the ICANN trajectory, so BCP 38 and sBGP and so on have no real
presence in the ICANN toolkit.

So IP lawyers are doing pretty good in the oughts, and more time and bandwidth
goes to retail cops and robbers than goes to any "critical infrastructure
vulnerability", outside of ICANN's DNS mafia, post-Kaminsky.

Any ISP that want's to spend some resources on operational issues, having some
relevance to resource identifiers, feel free to drop me a line. I could just
as well give process clue to Ops folk as ops clue to IP lawyers.

> There was a fair amount of grousing about how ISPs give them the
> run-around when they inform them of a violation looking for a
> takedown, and don't take down the site or whatever demanding (sneer
> sneer) paper from a court of competent jurisdiction as a dodge.
>
> I explained that they should try it from the other side, we get a fair
> amount of spurious stuff. I gave the example of a spouse in an ugly
> divorce demanding we do something or other with the web site they
> developed together in happier days IMMEDIATELY OR ELSE!!! (typically
> change the password to one only they know).
>
> How can we as ISPs possibly sort that out? Court orders are your
> friend, they're not that hard to get if you're legitimate.
>
> The way this reg is written it has that feel, it seems to promote the
> fantasy that if J. Random Voice calls me and says "a site you host,
> creepsrus.com, violates HR3817, YOU HAVE BEEN INFORMED!" then we have
> been informed and therefore culpable/liable.
>
> Well, perhaps there's enough precedent that it doesn't have to be
> spelled out in that text what's meant by "knowingly" and a call like
> that wouldn't be sufficient.
>
> At the very least I'd require a clear transfer of liability.
>
> That is, if the claim (and hence, takedown) turns out to be
> unsupportable then any damages etc are indemnified by the complaining
> ("informing") party.
>
>

fweimer at bfk

Nov 6, 2009, 12:18 AM

Post #11 of 22 (1201 views)
Permalink

Re: Congress may require ISPs to block fraud sites H.R.3817 [In reply to]

* Jeffrey Lyon:

> Net neutrality suffers another blow. I liked Congress when they had no
> idea what the internet was, now they've progressed to "still have no
> idea but like to pretend."

Our company is most likely not the owner of the site associated with
this domain. Please do not contact us with inquiries regarding the web
site content as they will likely be disregarded.

If you keep playing such games, it's guaranteed that there will be
some sort of backlash.

--
Florian Weimer <fweimer [at] bfk>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstra�e 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99

dgolding at tier1research

Nov 6, 2009, 6:58 AM

Post #12 of 22 (1199 views)
Permalink

Re: Congress may require ISPs to block fraud sites H.R.3817 [In reply to]

On Nov 5, 2009, at 7:24 PM, Steven Bellovin wrote:

>
> On Nov 5, 2009, at 5:56 PM, Valdis.Kletnieks [at] vt wrote:
>
>> On Thu, 05 Nov 2009 16:40:09 CST, Bryan King said:
>>> Did I miss a thread on this? Has anyone looked at this yet?
>>
>>> `(2) INTERNET SERVICE PROVIDERS- Any Internet service provider
>>> that, on
>>> or through a system or network controlled or operated by the
>>> Internet
>>> service provider, transmits, routes, provides connections for, or
>>> stores
>>> any material containing any misrepresentation of the kind
>>> prohibited in
>>> paragraph (1) shall be liable for any damages caused thereby,
>>> including
>>> damages suffered by SIPC, if the Internet service provider--
>>
>> "routes" sounds the most dangerous part there. Does this mean that
>> if
>> we have a BGP peering session with somebody, we need to filter it?
>
> Also "transmits". (I'm impressed that someone in Congress knows the
> word "routes"....)

Don't get hung up on the wording. A DNS blackhole list will do the
trick as well. I don't think border ACLs on routers will be necessary.

- Daniel Golding

morrowc.lists at gmail

Nov 6, 2009, 7:47 AM

Post #13 of 22 (1200 views)
Permalink

Re: Congress may require ISPs to block fraud sites H.R.3817 [In reply to]

On Thu, Nov 5, 2009 at 5:56 PM, <Valdis.Kletnieks [at] vt> wrote:
> On Thu, 05 Nov 2009 16:40:09 CST, Bryan King said:
>> Did I miss a thread on this? Has anyone looked at this yet?
>
>> `(2) INTERNET SERVICE PROVIDERS- Any Internet service provider that, on
>> or through a system or network controlled or operated by the Internet
>> service provider, transmits, routes, provides connections for, or stores
>> any material containing any misrepresentation of the kind prohibited in
>> paragraph (1) shall be liable for any damages caused thereby, including
>> damages suffered by SIPC, if the Internet service provider--
>
> "routes" sounds the most dangerous part there. �Does this mean that if
> we have a BGP peering session with somebody, we need to filter it?
>
> Fortunately, there's the conditions:
>
>> `(A) has actual knowledge that the material contains a misrepresentation
>> of the kind prohibited in paragraph (1), or
>
>> `(B) in the absence of actual knowledge, is aware of facts or
>> circumstances from which it is apparent that the material contains a
>> misrepresentation of the kind prohibited in paragraph (1), and
>
>> upon obtaining such knowledge or awareness, fails to act expeditiously
>> to remove, or disable access to, the material.
>
> So the big players that just provide bandwidth to the smaller players are
> mostly off the hook - AS701 has no reason to be aware that some website in
> Tortuga is in violation (which raises an intresting point - what if the
> site *is* offshore?)

mail to: abuse [at] uu
Subject: Fraud through your network

Hi! someone in tortuga on ip address 1.2.3.4 which I accessed through
your network is fraudulently claiming to be the state-bank-of-elbonia.
Just though you should know! Also, I think that HR3817 expects you'll
now stop this from happening!

-concerned-internet-user

oops, now they have actual knowledge... I suppose this is a good
reason though to:

vi /etc/aliases ->
abuse: /dev/null

so, is this bill helping? or hurting? :(

>
> And the immediate usptreams will fail to obtain knowledge or awareness of
> their customer's actions, the same way they always have.
>
> Move along, nothing to see.. ;)

to my mind this is the exact same set of problems that the PA state
anti-CP law brought forth...

-chris

morrowc.lists at gmail

Nov 6, 2009, 7:51 AM

Post #14 of 22 (1199 views)
Permalink

Re: Congress may require ISPs to block fraud sites H.R.3817 [In reply to]

On Thu, Nov 5, 2009 at 7:44 PM, Richard Bennett <richard [at] bennett> wrote:
> I think the idea is for the government to create an official blacklist of
> the offending sites, and for ISPs to consult it before routing a packet to

this works exceptionally unwell for the Singaporese(ian) govt'...
(list of bad sites comes out monthly, montly+1min all sites change
ips, weee!)

> the fraud site. The common implementation would be an ACL on the ISPs border

'common implementation' isn't 'common' nor 'implementable' in many cases.

> router. The Congress doesn't yet understand the distinction between ISPs and
> transit providers, of course, and typically says that proposed ISP

nor 'web hosting farm' ... (of course FastFlux puts a hole in the
'hosting' part of that)

> regulations (including the net neutrality regulations) apply only to
> consumer-facing service providers.
>
> If this measure passes, you can expect expansion of blocking mandates for
> rogue sites of other kinds, such as kiddie porn and DMCA scofflaws.

sure, been there, done that... German anti-nazi-propganda laws anyone?
(or france or singapore or ...)

-Chris
(Note, I don't think that NO LAW is a good answer, but often the laws
proposed or passed seem to misunderstand how the networks are
run/build/maintained/used)

> RB
>
> Steven Bellovin wrote:
>>
>> On Nov 5, 2009, at 5:56 PM, Valdis.Kletnieks [at] vt wrote:
>>
>>> On Thu, 05 Nov 2009 16:40:09 CST, Bryan King said:
>>>>
>>>> Did I miss a thread on this? Has anyone looked at this yet?
>>>
>>>> `(2) INTERNET SERVICE PROVIDERS- Any Internet service provider that, on
>>>> or through a system or network controlled or operated by the Internet
>>>> service provider, transmits, routes, provides connections for, or stores
>>>> any material containing any misrepresentation of the kind prohibited in
>>>> paragraph (1) shall be liable for any damages caused thereby, including
>>>> damages suffered by SIPC, if the Internet service provider--
>>>
>>> "routes" sounds the most dangerous part there. �Does this mean that if
>>> we have a BGP peering session with somebody, we need to filter it?
>>
>> Also "transmits". �(I'm impressed that someone in Congress knows the word
>> "routes"....)
>>>
>>> Fortunately, there's the conditions:
>>>
>>>> `(A) has actual knowledge that the material contains a misrepresentation
>>>> of the kind prohibited in paragraph (1), or
>>>
>>>> `(B) in the absence of actual knowledge, is aware of facts or
>>>> circumstances from which it is apparent that the material contains a
>>>> misrepresentation of the kind prohibited in paragraph (1), and
>>>
>>>> upon obtaining such knowledge or awareness, fails to act expeditiously
>>>> to remove, or disable access to, the material.
>>>
>>> So the big players that just provide bandwidth to the smaller players are
>>> mostly off the hook - AS701 has no reason to be aware that some website
>>> in
>>> Tortuga is in violation (which raises an intresting point - what if the
>>> site *is* offshore?)
>>>
>>> And the immediate usptreams will fail to obtain knowledge or awareness of
>>> their customer's actions, the same way they always have.
>>
>> Note the word "circumstances"...
>>>
>>> Move along, nothing to see.. ;)
>>
>> Until, of course, some Assistant U.S. Attorney or some attorney in a civil
>> lawsuit decides you were or should have been aware and takes you to court.
>> �You may win, but after spending O(\alph_0) zorkmids on lawyers defending
>> yourself....
>>
>>
>> � � � �--Steve Bellovin, http://www.cs.columbia.edu/~smb
>>
>>
>>
>>
>>
>>
>
> --
> Richard Bennett
> Research Fellow
> Information Technology and Innovation Foundation
> Washington, DC
>
>
>

Jonathan.Brashear at hq

Nov 6, 2009, 7:52 AM

Post #15 of 22 (1201 views)
Permalink

RE: Congress may require ISPs to block fraud sites H.R.3817 [In reply to]

Correct me if I'm wrong, but isn't there an RFC(2142 if memory serves) that states filtering certain email addresses(like abuse@, noc@, support@) isn't allowed? I understand your point, but it seems sending it to /dev/null only opens another set of problems for you down the road.

Network Engineer, JNCIS-M
> 214-981-1954 (office)
> 214-642-4075 (cell)
> jbrashear [at] hq
http://www.speakeasy.net
-----Original Message-----
From: Christopher Morrow [mailto:morrowc.lists [at] gmail]
Sent: Friday, November 06, 2009 9:47 AM
To: Valdis.Kletnieks [at] vt
Cc: nanog [at] nanog
Subject: Re: Congress may require ISPs to block fraud sites H.R.3817

On Thu, Nov 5, 2009 at 5:56 PM, <Valdis.Kletnieks [at] vt> wrote:
> On Thu, 05 Nov 2009 16:40:09 CST, Bryan King said:
>> Did I miss a thread on this? Has anyone looked at this yet?
>
>> `(2) INTERNET SERVICE PROVIDERS- Any Internet service provider that, on
>> or through a system or network controlled or operated by the Internet
>> service provider, transmits, routes, provides connections for, or stores
>> any material containing any misrepresentation of the kind prohibited in
>> paragraph (1) shall be liable for any damages caused thereby, including
>> damages suffered by SIPC, if the Internet service provider--
>
> "routes" sounds the most dangerous part there. �Does this mean that if
> we have a BGP peering session with somebody, we need to filter it?
>
> Fortunately, there's the conditions:
>
>> `(A) has actual knowledge that the material contains a misrepresentation
>> of the kind prohibited in paragraph (1), or
>
>> `(B) in the absence of actual knowledge, is aware of facts or
>> circumstances from which it is apparent that the material contains a
>> misrepresentation of the kind prohibited in paragraph (1), and
>
>> upon obtaining such knowledge or awareness, fails to act expeditiously
>> to remove, or disable access to, the material.
>
> So the big players that just provide bandwidth to the smaller players are
> mostly off the hook - AS701 has no reason to be aware that some website in
> Tortuga is in violation (which raises an intresting point - what if the
> site *is* offshore?)

mail to: abuse [at] uu
Subject: Fraud through your network

Hi! someone in tortuga on ip address 1.2.3.4 which I accessed through
your network is fraudulently claiming to be the state-bank-of-elbonia.
Just though you should know! Also, I think that HR3817 expects you'll
now stop this from happening!

-concerned-internet-user

oops, now they have actual knowledge... I suppose this is a good
reason though to:

vi /etc/aliases ->
abuse: /dev/null

so, is this bill helping? or hurting? :(

>
> And the immediate usptreams will fail to obtain knowledge or awareness of
> their customer's actions, the same way they always have.
>
> Move along, nothing to see.. ;)

to my mind this is the exact same set of problems that the PA state
anti-CP law brought forth...

-chris

morrowc.lists at gmail

Nov 6, 2009, 7:56 AM

Post #16 of 22 (1202 views)
Permalink

Re: Congress may require ISPs to block fraud sites H.R.3817 [In reply to]

On Fri, Nov 6, 2009 at 9:58 AM, Dan Golding <dgolding [at] tier1research> wrote:

>
> Don't get hung up on the wording. A DNS blackhole list will do the
> trick as well. I don't think border ACLs on routers will be necessary.

do you use your ISP's dns servers? does your corporate vpn?

morrowc.lists at gmail

Nov 6, 2009, 7:58 AM

Post #17 of 22 (1200 views)
Permalink

Re: Congress may require ISPs to block fraud sites H.R.3817 [In reply to]

(top posting makes it hard to follow the conversation, but...)

On Fri, Nov 6, 2009 at 10:52 AM, Jonathan Brashear
<Jonathan.Brashear [at] hq> wrote:
> Correct me if I'm wrong, but isn't there an RFC(2142 if memory serves) that states filtering certain email addresses(like abuse@, noc@, support@) isn't allowed? �I understand your point, but it seems sending it to /dev/null only opens another set of problems for you down the road.

There are some 'nice to have' ideas that
postmaster/abuse/root/webmaster ought to go somewhere and be seen. If
the business decides that any tom/dick/harry/mary can 'inform' them of
something such as this you can bet your aliases file that abuse@ will
get turned down somewhere.

I don't support that activity, but I also don't support this
incarnation of the anti-X regulation either.

-Chris

>
> Network Engineer, JNCIS-M
>> 214-981-1954 (office)
>> 214-642-4075 (cell)
>> jbrashear [at] hq
> http://www.speakeasy.net
> -----Original Message-----
> From: Christopher Morrow [mailto:morrowc.lists [at] gmail]
> Sent: Friday, November 06, 2009 9:47 AM
> To: Valdis.Kletnieks [at] vt
> Cc: nanog [at] nanog
> Subject: Re: Congress may require ISPs to block fraud sites H.R.3817
>
> On Thu, Nov 5, 2009 at 5:56 PM, �<Valdis.Kletnieks [at] vt> wrote:
>> On Thu, 05 Nov 2009 16:40:09 CST, Bryan King said:
>>> Did I miss a thread on this? Has anyone looked at this yet?
>>
>>> `(2) INTERNET SERVICE PROVIDERS- Any Internet service provider that, on
>>> or through a system or network controlled or operated by the Internet
>>> service provider, transmits, routes, provides connections for, or stores
>>> any material containing any misrepresentation of the kind prohibited in
>>> paragraph (1) shall be liable for any damages caused thereby, including
>>> damages suffered by SIPC, if the Internet service provider--
>>
>> "routes" sounds the most dangerous part there. �Does this mean that if
>> we have a BGP peering session with somebody, we need to filter it?
>>
>> Fortunately, there's the conditions:
>>
>>> `(A) has actual knowledge that the material contains a misrepresentation
>>> of the kind prohibited in paragraph (1), or
>>
>>> `(B) in the absence of actual knowledge, is aware of facts or
>>> circumstances from which it is apparent that the material contains a
>>> misrepresentation of the kind prohibited in paragraph (1), and
>>
>>> upon obtaining such knowledge or awareness, fails to act expeditiously
>>> to remove, or disable access to, the material.
>>
>> So the big players that just provide bandwidth to the smaller players are
>> mostly off the hook - AS701 has no reason to be aware that some website in
>> Tortuga is in violation (which raises an intresting point - what if the
>> site *is* offshore?)
>
> mail to: abuse [at] uu
> Subject: Fraud through your network
>
> Hi! someone in tortuga on ip address 1.2.3.4 which I accessed through
> your network is fraudulently claiming to be the state-bank-of-elbonia.
> Just though you should know! Also, I think that HR3817 expects you'll
> now stop this from happening!
>
> -concerned-internet-user
>
> oops, now they have actual knowledge... I suppose this is a good
> reason though to:
>
> vi /etc/aliases ->
> abuse: /dev/null
>
> so, is this bill helping? or hurting? :(
>
>>
>> And the immediate usptreams will fail to obtain knowledge or awareness of
>> their customer's actions, the same way they always have.
>>
>> Move along, nothing to see.. ;)
>
> to my mind this is the exact same set of problems that the PA state
> anti-CP law brought forth...
>
> -chris
>
>
>

sthaug at nethelp

Nov 6, 2009, 8:07 AM

Post #18 of 22 (1200 views)
Permalink

Re: Congress may require ISPs to block fraud sites H.R.3817 [In reply to]

> > Don't get hung up on the wording. A DNS blackhole list will do the
> > trick as well. I don't think border ACLs on routers will be necessary.
>
> do you use your ISP's dns servers? does your corporate vpn?

A DNS blackhole list makes it *appear* as if the government/police
is doing something.

"We must do something. This is something, therefore we must do it."

This way of thinking is alive and well in the form of DNS based child
porn blackhole lists in Norway and several other countries. The fact
that anybody who is *really interested* can easily evade these lists,
for instance by using his own DNS server, does not seem to concern
politicians or police...

Steinar Haug, Nethelp consulting, sthaug [at] nethelp

morrowc.lists at gmail

Nov 6, 2009, 8:09 AM

Post #19 of 22 (1199 views)
Permalink

Re: Congress may require ISPs to block fraud sites H.R.3817 [In reply to]

On Fri, Nov 6, 2009 at 11:07 AM, <sthaug [at] nethelp> wrote:
>> > Don't get hung up on the wording. A DNS blackhole list will do the
>> > trick as well. I don't think border ACLs on routers will be necessary.
>>
>> do you use your ISP's dns servers? does your corporate vpn?
>
> A DNS blackhole list makes it *appear* as if the government/police
> is doing something.

right, so now the site I go to MUST BE the real elbonia bank site,
because... the gov't protected me!

oops :(

> "We must do something. This is something, therefore we must do it."

ah, the 'make work' plan :(

> This way of thinking is alive and well in the form of DNS based child
> porn blackhole lists in Norway and several other countries. The fact
> that anybody who is *really interested* can easily evade these lists,
> for instance by using his own DNS server, does not seem to concern
> politicians or police...

yes, though in the case of CP the properties of the user are reversed
(in my mind at least)... 'searching out content' versus stumbling upon
content.

-Chris

sean at donelan

Nov 7, 2009, 12:48 PM

Post #20 of 22 (1158 views)
Permalink

Re: Congress may require ISPs to block fraud sites H.R.3817 [In reply to]

On Fri, 6 Nov 2009, Christopher Morrow wrote:
>>> paragraph (1) shall be liable for any damages caused thereby, including
>>> damages suffered by SIPC, if the Internet service provider--

Some phrases people might search in various combindations on Google

SIPC
Stratton Oakmont
Prodigy
47 USC 230
House of Representatives Conference Report
GAO Report: Securities Investor Protection: Steps needed to better
disclose SIPC policies to investors

marka at isc

Nov 8, 2009, 2:17 PM

Post #21 of 22 (1140 views)
Permalink

Re: Congress may require ISPs to block fraud sites H.R.3817 [In reply to]

In message <75cb24520911060747x3556e01tbb80be8c9e0d58b3 [at] mail>, Christ
opher Morrow writes:
> On Thu, Nov 5, 2009 at 5:56 PM, <Valdis.Kletnieks [at] vt> wrote:
> > On Thu, 05 Nov 2009 16:40:09 CST, Bryan King said:
> >> Did I miss a thread on this? Has anyone looked at this yet?
> >
> >> `(2) INTERNET SERVICE PROVIDERS- Any Internet service provider that, on
> >> or through a system or network controlled or operated by the Internet
> >> service provider, transmits, routes, provides connections for, or stores
> >> any material containing any misrepresentation of the kind prohibited in
> >> paragraph (1) shall be liable for any damages caused thereby, including
> >> damages suffered by SIPC, if the Internet service provider--
> >
> > "routes" sounds the most dangerous part there. =A0Does this mean that if
> > we have a BGP peering session with somebody, we need to filter it?
> >
> > Fortunately, there's the conditions:
> >
> >> `(A) has actual knowledge that the material contains a misrepresentation
> >> of the kind prohibited in paragraph (1), or
> >
> >> `(B) in the absence of actual knowledge, is aware of facts or
> >> circumstances from which it is apparent that the material contains a
> >> misrepresentation of the kind prohibited in paragraph (1), and
> >
> >> upon obtaining such knowledge or awareness, fails to act expeditiously
> >> to remove, or disable access to, the material.
> >
> > So the big players that just provide bandwidth to the smaller players are
> > mostly off the hook - AS701 has no reason to be aware that some website i=
> n
> > Tortuga is in violation (which raises an intresting point - what if the
> > site *is* offshore?)
>
> mail to: abuse [at] uu
> Subject: Fraud through your network
>
> Hi! someone in tortuga on ip address 1.2.3.4 which I accessed through
> your network is fraudulently claiming to be the state-bank-of-elbonia.
> Just though you should know! Also, I think that HR3817 expects you'll
> now stop this from happening!
>
> -concerned-internet-user
>
> oops, now they have actual knowledge... I suppose this is a good
> reason though to:
>
> vi /etc/aliases ->
> abuse: /dev/null

There are still plenty of way to inform a company. Ring up the
support line. Registered mail.

I suspect a court would see the practice of sending abuse@ to
/dev/null in a very poor light especially once the court learns
that this is the standard address. A consumer should be able to
reasonably assume that the message was delivered.

If you bounce then they should be aware that it didn't get through
and they can take other steps to inform you.

> so, is this bill helping? or hurting? :(
>
> >
> > And the immediate usptreams will fail to obtain knowledge or awareness of
> > their customer's actions, the same way they always have.
> >
> > Move along, nothing to see.. ;)
>
> to my mind this is the exact same set of problems that the PA state
> anti-CP law brought forth...
>
> -chris
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka [at] isc

nonobvious at gmail

Nov 8, 2009, 8:38 PM

Post #22 of 22 (1133 views)
Permalink

Re: Congress may require ISPs to block fraud sites H.R.3817 [In reply to]

If you're a consumer broadband provider, and you use a DNS blackhole
list so that any of your subscribers who tries to reach
bigbank1.fakebanks.example.com gets redirected to
fakebankwebsitelist.sipc.gov, you might be able to claim that you
complied with the law, though the law's aggressive enough that it
could be argued otherwise.

If you're a transit ISP providing upstream bandwidth the the broadband
provider, and some packets are addressed to 1.1.1.257, which is the IP
address of a hosting site in Elbonia that carries
bigbank1.fakebanks.example.com and innocent.bystander.example.com, the
fact that the broadband ISP was using a DNS blackhole list doesn't
protect you, because you're still routing packets to 1.1.0.0/16. You
could set up a /32 route to send that traffic to null0, censoring
innocent.bystander.example.com, or you could get fancy and route it to
some squid proxy that cleans up the traffic. But of course the
phisher could be using fast-flux, so 5 minutes later that trick no
longer works, and by tomorrow the 100,000 phishing websites on the
list have added 1,000,000 routes to your peering routers... Not
pleasant, but you don't really have much alternative.

--
----
Thanks; Bill

Note that this isn't my regular email account - It's still experimental so far.
And Google probably logs and indexes everything you send it.

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads