f i r m a e t
p e r s o n e n
s a g e r
k o n t a k t
Time line for take down of www.ec-gc.ca and www.enviro-canada.ca
Ca. 1433 ord.
2009-12-14www.ec-gc.ca and www.enviro-canada.ca go online and are used in a spoof by The Yes Men. The websites are hosted by Pi-Web, a Danish web hosting company that has some servers hosted at Serverloft's data center in Germany. The websites have a similar layout and build as www.ec.gc.ca, but contain different material.
2009-12-14 - 2009-12-21 14:34:37 UTCAt some point between 2009-12-14 and 2009-12-21 14:34:37 UTC Mike.Landreville@ec.gc.ca of Intellectual Property Office Environnement Canada / Environment (ECCA hereafter) contacts Canadian Cyber Incident Response Centre (CCIRC).
In ECCA's letter it says:
So ECCA is not pushing for a speedy removal, but simply asks to do this when it is convenient. The letter does not contain anything that suggests the content has been tried before a judge and deemed illegal under German law. Indeed ECCA may be unaware that the server is in Germany.Please confirm at your earliest convenience your deletion and removal of these websites.
The letter states that the websites act as phishing sites. According to Wikipedia phishing would require criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details. ECCA does not specify where on the site ECCA believes there is a chance of phishing taking place, and there is no obvious URL that lets you enter sensitive information.
2009-12-21 14:34:37 UTCCCIRC contacts the German CERT, CERT-Bund. In CCIRC's letter they claim to have contacted the hosting provider to have the sites removed, but the hosting provider has not done so. They mention that the sites are hosted on the server with the IP address 22.214.171.124, and CCIRC requests CERT-Bund's assistance in having the sites deactivated.
The letter does not contain anything proving that they in fact did contact the hosting provider. The letter is not send in Cc to me. Contact information (both phone and email) is easily found by looking up the IP address 126.96.36.199 in WHOIS.
Just like the letter from ECCA CCIRC's letter does not request urgent action. It also does not contain anything that suggests the content has been tried before a judge and deemed illegal under German law. But CCIRC clearly knows the server is in Germany, as they contact Bund-CERT.
2009-12-21 14:34:37 UTC - 2009-12-21 20:29 UTCSomewhere in this time frame Serverloft receives Bund-CERT's letter and blocks the IP addresses 188.8.131.52 - 184.108.40.206.
Bund-CERT's letter does not contain any proof that CCIRC had contacted the hosting provider (e.g. a copy of an email or reference to a phone conversation) nor does the letter contain anything that suggests Bund-CERT have contacted the hosting provider. It might have been wise to do so, as some Germans do not understand English and would not understand communication from CCIRC in English. The letter is not sent in Cc to me. Contact information (both phone and email) is easily found by looking up the IP address 220.127.116.11 in WHOIS.Bund-CERT's letter is a bit ambiguous:
Wir bitten Sie daher, entsprechende Maßnahmen vorzunehmen und die Seiten abzuschalten, um weitere Phishing-Aktivitäten zu verhindern.It is unclear whether 'Wir bitten Sie daher' in means 'We hope that you will' or 'We order you to'. If it is the last and if Serverloft by German law are not allowed to question orders from Bund-CERT, then Bund-CERT are responsible for the legal validity of the orders they send.
It is unclear what entsprechende Maßnahmen really cover: Would it be enough to call the hoster and have him deal with the matter? Would it be enough to close access to the IP number mentioned? Or is it required that all the IP addreses 18.104.22.168 - 22.214.171.124 are blocked? Is it a requirement not to call the hoster?
The urgency is stepped up a notch: 'um weitere Phishing-Aktivitäten zu verhindern'. To stop more phishing activities suggests this is fairly urgent, but not so urgent that Bund-CERT calls Serverloft to have it done immediately.
The blocking of the IP addresses 126.96.36.199 - 188.8.131.52 takes down more that 4500 customers' websites (mostly owned by small businesses and families) and thereby interferes arbitrarily with the correspondence between more than 4500 humans and the rest of the Internet. This seems to be a clear violation of UN Human Rights §12, UN Human Rights §19, and The European Convention on Human Rights §10.
The IP range 184.108.40.206 - 220.127.116.11 includes the mail server for tange.dk, so email sent to email@example.com will not get through until the IP addresses are unblocked.
It is unclear why Serverloft finds it is urgent to close down the server and why Serverloft blocks more than the IP-address of the sites in question (i.e. 18.104.22.168).
Serverloft does not contact me by phone. Serverloft has my contact details both on file and in WHOIS.
2009-12-21 20:29 UTCServerloft posts the German part of Bund-CERT's letter to Serverloft's ticking system.
CommentsThe Serverloft ticketing system is normally used for non-urgent messages initiated by customer to Serverloft. This is the first ticket I have seen initiated by Serverloft.
2009-12-21 20:35 UTCServerloft emails a 'Breach of Service Policy' to firstname.lastname@example.org.
CommentsAs Serverloft has disconnected the mailserver the email only arrives after the mailserver is back online. The email is received 2009-12-21 23:15 UTC. Nothing in the email suggest that the content has been tried before a judge and deemed illegal under German law. The email does not specify which part of the Service Policy that is breached. I can only guess it is about hosting illegal activities, but as the activities are not proven to be illegal I have a hard time seeing the breach.
2009-12-21 22:20 UTCI discover access to the mailserver is down. It happens now and then that access to Serverloft's network fail for shorter periods of times. So this in itself is no cause for alarm. I can, however, access another machine at Serverloft and can see that traceroute drops IP packets 2 hops before unaccesible the server. From this I deduce that routing in Serverloft's network is the problem.
2009-12-21 22:24:32 UTCI call Serverlofts 24-7 hotline (+4922336124711). The first person I talk to continously claims nothing is wrong with Serverloft's systems, that it must be a configuration problem on my machine and that he refuses to trouble shoot with me, but tells me to raise a ticket. The more I realize he is not going to help the more I go from calm to desperate. In the end I finally convince him to transfer me to 2nd line support by saying: "How do you want me to prove that your systems are up and running, but misconfigured?"
I explain the 2nd line support the traceroute reasoning and he puts me through to 3rd line support. 3rd line support mentions the reason for the blocking and I have to promise to take the two websites offline before he unblocks the IP addresses.
CommentsIt is astonishing that first line support did not immediately see that Serverloft had changed the configuration recently and thus would be aware that this should be fixed.
I have no problem taking an illegal site offline, but I do not want to be the judge, so I only do that if I get a warrant. Thus I felt really bad promising to take the sites offline without a warrant as I am a firm believer of the UN Human Rights. But had I not promised to take the two sites offline, the 4500 sites would still be offline - which would have been worse both from a human rights' perspective and a business perspective.
I am baffled by the missing communication from both CCIRC, CERT-Bund and Serverloft. If either of these had contacted me I believe we would have found a solution that would satisfy all.
The following daysI try to get Serverloft to clarify the reasoning behind their actions, but they simply close the issue by saying they regard this incident as solved.
I contact CCIRC and CERT-Bund to clarify the reasoning behind their actions, but have not heard back from them yet (2010-01-02).
Serverloft's CEO has been interviewed and clearly thinks Serverloft only blocked 1 IP-address and only after they had contacted their customer (me). Both assumptions are incorrect.
Sidst ændret Wed Jan 13 10:56:30 2010