Slashdot Mirror
McColo Takedown, Vigilantes Or Neighborhood Watch?
CWmike writes "Few tears were shed when alleged spam and malware purveyor McColo was suddenly taken offline last Tuesday by its upstream service providers. But behind the scenes of the McColo case and another recent takedown of Intercage, a ferocious struggle is taking place between the purveyors of Web-based malware and loosely aligned but highly committed groups of security researchers who are out to neutralize them. Backers claim that the effort to shut down miscreant ISPs is needed because of the inability of law enforcement agencies to deal with a problem that is global in nature. But some question whether there is a hint of vigilantism behind the takedowns — even as they acknowledge that there may not be any other viable options for dealing with the problem at this point."
I don't think notifying providers of illegal activity that they then act on is considered vigilantism. If the spammers don't like it, they should sue.
æeee!
Your comment fails to account for:
[x] Laziness on the behalf of the Slashdot readers
[x] Lack of time
[x] Boredom with the same auto-reply form
[ ] Puppies
æeee!
Your "standard form" reply fails because:
[x] It is too short
[x] It fails to include humorous but not applicable options that are left unchecked.
[x] It lacks a "furthermore..." section
[x] You were clearly too lazy to put any real effort into...
Ah, to hell with it.
Vigilantism would be action like that employed by the Lad Vampire. This was just a bunch of experts asking companies to enforce their TOS.
The real "Libtards" are the Libertarians!
When you have no law, nobody with legal authority, vigilantes and posses will form to deal with issues. Human history is filled with evidence of this. Usually, the citizens demand a code of law to emerge from the chaos after some gross miscarriage of justice is perpetrated by an overzealous vigilante. The internet hasn't had that yet.
The internet is still in the stage where vigilantes mostly take care of it, and likely will be for some time to come. Certain nations lay claim to certain aspects of internet behavior of their citizens (we almost all agree that child porn is bad, for example.) But the more restrictive you get, the fewer people are in agreement. We'll never get the whole globe to agree on standards for porn, political content, religious content, etc., so it will be almost impossible for a Global Internet Police Force to arise.
I think the undefined-but-pragmatic status we're in will last quite a while longer, and the vigilantism will increase. Maybe the future will hold an odd-bedfellows agreement along the lines of the UK/USA spying deal. U.S. vigilantes will not be extradited for committing a good-faith takedown of a Russian spammer. And Russian vigilantes will not be extradited for taking down an American spammer.
John
Of course there's an element of vigilantism. This is the sort of situation that vigilantism is for.
Hopefully better ways to deal with the problem will come along soon. In the meantime, I hope the body count among innocent bystanders stays small.
With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
I don't really understand, especially on a Web forum that decries most law enforcement actions as invasive to privacy and liberty, why private conduct aimed at correcting undesired private conduct is just assumed to be bad.
Does this "only the government shall administer law" doctrine apply to the civil rights movement? Greenpeace? Software piracy? Or just things we don't like?
One person's vigilantism is another's social activism.
Slashdot "libertarians": Small government for me, big government for those I disagree with. -1, I disagree with you
Spammers are like Roaches. You can never quite kill them all off.
My name is Inigo Montoya. You killed my Father! Prepare to die!
If the upstream providers had a service agreement that disallowed the use of their network for illegal activities, they can pull the plug any time.
[x] Meh
æeee!
Look it up...
As I understood, the colo in question was not shut down per se, it was simply severed from its internet connectivity as its upstream/backbone internet providers terminated their contract with them. Nothing special about that; business relationships are initiated and terminated all over the world every day.
Consequently, there was no "vigilanteism" in the strict sense as such, where normals citizens take the law in their own hands and act as if they had higher authority than they really have.
It was simply a case of concerned security researchers going to the upstream providers with evidence and saying "look what scum you do business with by providing connectivity, this is bad for the internet on the whole and it hurts your reputation", and the ISPs in question took action. If innocent customers of the rouge colo got hurt when the lines got cut, then they simply have to suffer the consequences of picking a bad host to buy services from.
Of course, if the proof the security researchers had gathered also proved that the shut-down colo in question had committed crimes, then the appropriate authorities need to be involved. But that is another chain of events, separate from the disconnection of the lines.
No, not remotely vigilantism. Its not like someone went to these people and cut their fiber cable with a hacksaw - *THEIR ISP* turned them off, after it received reports of TOS violations and (presumably) investigated same. We should live in a world where all ISP's have and enforce anti-spam TOS, and actually investigate take action, as appropriate, when they receive reports of abuse, regardless of who the reporter is.
Since the '90s, various groups have labeled other groups as "internet scum" and targeted them for banhammers.
Sure, providers of child porn an, in France and Germany, stand no chance against the national police. But everyone else - American Nazis, spammers, 409 scammers where protected by law, and those advocating unorthodox positions like "sex with children is okay" or "gay fags don't deserve to live" are generally left alone by governments.
Like-minded individuals like to get together and fight what they see is an abuse of the net and/or an abuse of free speech. Right or not, the party that "wins" is usually the party with the most political and financial might.
If a small church group goes at it alone against a well-funded Neo-Nazi organization, they will go nowhere. On the other hand, if a large denomination spearheads a global effort to get a lightly-funded neo-nazi organziation kicked off their ISP under threats of boycotts, bad press, etc. the neo-nazi organization's web site will soon go dark.
Oh, it helps to have the ISP's and upstream's moral-compass on your side: If the Neo-Nazi's ISP and upstreams are very pro-free-speech, you may not get far no matter how much influence you wield. If on the other hand they aren't very pro-free-speech but are pro-racial-equality, then they'll help you find an excuse to terminate their contract or not renew it.
Back in the days early days of spam, a major spammer paid handsomely for a very friendly upstream provider. However, the pressure finally got to be too much and they gave him a non-renewal or 30-day termination notice under the "we simply no longer want your money" clause.
Ultimately, society will have to decide if your rights to say anything you want to anyone you want who will listen on your Internet connection is a right that can be negotiated away by contract. Note the "who will listen" clause - that doesn't cover spammers, but it does cover people spewing neo-nazi propoganda and the like to people who ask to hear it. It arguably doesn't cover "force fed" material like content that lives beyond the current session or affects your computer outside the browser, e.g. malware, or even "surpise" material like Goatse, unless you specifically made an informed decision to download such material knowing full well what it was.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
> I host a few web servers at a colo. I have no idea what my neighbors are serving up. If
> my sites were shut down without notice I'd be pretty unhappy.
Well, then you would sue the colo operator, wouldn't you? They are the ones who contracted to provide you with service. Would you blame the power company if it shut down your colo operator for breaching his contract with it by not paying his bill? Then why blame your colo operator's upstream provider for shutting him down for breaching his contract with them?
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
I probably would too. Which is why one of the questions I ask before deciding to deal with a hosting or colo provider is "What kinds of customers will I be sharing a network with?". I look at what this provider's reputation is, what sort of history they have when it comes to spam, malware and similar things. Do they have a lot of complaints about spam and malware originating from their network? Are they known for investigating and taking action when problems are reported, or do they have a reputation for ignoring the problem for as long as possible? Do I find them showing up as a place to go for "bulletproof" hosting? Do I see their netblocks showing up in spam e-mail, attacks on my firewall or lists of netblocks known to originate malware? I make sure I've got answers to those questions that I like before I decide to do business with them.
Part of your responsibility when you start a business relationship is to know who you're getting yourself involved with. If you choose not to, don't be suprised when it comes back to bite you later.
I think we're all quite happy that the bastards are staying cockpunched after getting cockpunched by the takedown.
DDos isn't going to do much against a guy with a machine gun. I'd want them to act as a human shield so I could get the fuck out of there. But that's just me.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
I'm sorry, this doesn't make any sense. When there is rule of law, a person who ignores same and takes justice into his own hands is a vigilante. There is no rule of law on the internet. Therefore, strictly speaking, there can be no vigilantes.
Moreover, even if you're not as much of a persnickety douchebag as I'm being here, you're still forced to admit that this isn't really vigilantism: reporting to a provider that one of their clients is in breach of contract isn't "taking matters into your own hands," it's being a good netizen.
Let's examine this further: under some looser definition of "vigilante," examples of qualifying behavior include defacing offending websites, DoS attacks, threats of violence against SPAM purveyors, destruction of associated computer equipment, et cetera. All of these have in common that the "vigilante" is taking it upon himself to retributively violate the rights (or right-like constructs) of the offender in some semblance of justice.
It is from this violation that complaints against vigilantes stem, by most accounts: you have some rights, and they're considered inviolate except by the government (by which you somehow agree to be governed) just in the case that you violate a law. Having come to such an agreement, you find your rights abrogated by "vigilantes" who are not associated with the government and therefor whom you do not consent to enforce laws upon you.
It's pretty clear that even under this looser definition the above didn't violate any of the spammers' rights: that the spammers were violating their providers' terms of service was public information. Bringing attention to this public fact cannot be construed in any way to violate the rights of the spammers.
Viagra! Damn it... I knew I should have bought an extra months worth. I'm about to meet my Russian bride-to-be (still waiting for an email), and my Nigerian friend is going to send me some info regarding a business proposition. Not to mention that I've got to re-register with Paypal as there has been a security breech and my bank wants to confirm my password too.
I know! I'll forward this on to all my friends. They can pass it on too and maybe I'll get lucky.
---
consort banana security boat
incongruous athletics opportunity
several thousand ants incorporated
Don't be apathetic. Procrastinate!
[x] Your mom.
You can't make an omlette without breaking eggs. I for one, and sick of finding spam in my omlette.
When you are breaking the rules, you can't complain when someone takes your toys away. I feel utterly zero pity/sadness/whatever in regards to this. As far as I am concerned, spammers are at the utter bottom of the food chain. Damned plankton eaters.
Moved to http://soylentnews.org/. You are invited to join us too!
You asked and I'm happy to oblige. As spam systems go this one scores fairly well. The biggest problem is the "worm-ridden Windows boxes" checkbox.
----
Your post advocates a
( ) technical ( ) legislative ( ) market-based (x) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
(x) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
(x) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(x) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
( ) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!
I have no idea what my neighbors are serving up.
That sounds like willful ignorance to me, at least if it's taken to an extreme. It's fairly easy to do some research and figure out what your colo's policies are, and whether they actually enforce those policies. If they don't, chances are they might not be a good place to house your server, because their attitude could come back to bite them eventually.
It's not necessary to know exactly what everyone else sharing a colo facility with you is up to, but you should at least have some measure of confidence in the colo operator to keep things above-board enough to keep the whole thing from getting shut down. If they allow illegal or generally-despised activities to go on, and develop a reputation for that sort of thing, they're risking everyone who's using the facility.
It's like renting an apartment where the landlord turns a blind eye to the meth lab downstairs; there's a limit to how far you want to take 'minding your own business.'
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Is the brick one of the courses? I'm in!
If a job's not worth doing, it's not worth doing right.
You bring up an excellent point. In response, I have edited my google.xml search file (C:\Program Files\Mozilla Firefox\searchplugins\google.xml) thus:
Old values:
New Values: