Posts Tagged 'LAW'

September 17, 2012

Joining the Internet Infrastructure Coalition

In January, we posted a series of blogs about legislation in the U.S. House of Representatives and Senate that would have had a serious impact on the hosting industry. We talked about SOPA and PIPA, and how those proposed laws would "break the Internet" as we know it. The hosting industry rallied together to oppose the passage of those bills, and in doing so, we proved to be a powerful collective force.

In the months that followed the shelving of SOPA and PIPA, many of the hosting companies that were active in the fight were invited to join a new coalition that would focus on proposed legislation that affects Internet infrastructure providers ... The Internet Infrastructure Coalition (or "i2Coalition") was born. i2Coalition co-founder and Board Chair Christian Dawson explains the basics:

SoftLayer is proud to be a Charter Member of i2Coalition, and we're excited to see how many vendors, partners, peers and competitors have joined us. Scrolling the ranks of founding members is a veritable "Who's who?" of the companies that make up the "nuts and bolts" of the Internet.

The goal of i2Coalition is to facilitate public policy education and advocacy, develop market-driven standards formed by consensus and give the industry a unified voice. On the i2Coalition's Public Policy page, that larger goal is broken down into focused priorities, with the first being

"In all public policy initiatives of the i2Coalition will be to encourage the growth and development of the Internet infrastructure industry and to protect the interests of members of the Coalition consistent with this development."

Another huge priority worth noting is the focus on enabling and promoting the free exercise of human rights, including freedom of speech, freedom of assembly and the protection of personal privacy. Those rights are essential to fostering effective Internet advancement and to maintaining a free and open Internet, and SoftLayer is a strong supporter of that platform.

If you operate in the hosting or Internet infrastructure space and you want to be part of the i2Coalition, we encourage you to become a member and join the conversation. When policymakers are talking about getting "an Internet" from their staff members, we know that there are plenty of opportunities to educate and provide context on the technical requirements and challenges that would result from proposed legislation, and the Internet Infrastructure Coalition is well equipped to capitalize on those opportunities.

-@toddmitchell

July 11, 2011

Texas House Bill 1841: Hosting and Taxes

Okay, so you've read the title and passed out already ... but wait – this is good stuff! Well, maybe not "good," but at least it's relevant. The esteemed governor of Texas with the big Texas hair (and aspirations of taking his big hair out of Texas) recently signed House Bill 1841 (HB1841) into law, and that law is significant to many of SoftLayer's customers.

Last year, the Texas Comptroller's Office amended a regulation and stated that the use of a server in Texas was adequate to establish a nexus, so an e-commerce vendor who used a Texas web host was required to collect sales tax from their customers even if the vendor had no other presence in the state of Texas. This amendment immediately created issues for web hosts with data centers in Texas: Why would customers get servers from a host in Texas and have to worry about this tax obligation, when they could do business with another host outside of Texas and not have this obligation?

Well, the Comptroller's Office started to realize the effect of this regulation and began to backpedal and say that they didn't really mean what they said.

HB1841 puts the Texas hosting industry back where it was before the Comptroller made those changes: The use of a server located in Texas without any other presence is not considered a substantial nexus for collecting sales taxes. HB1841 specifically states that "A person whose only activity in this state is conducted as a user of Internet hosting is not engaged in business in this state." Note: You may be wondering if this bill applies to Amazon in Texas, but HB1841 doesn't cover Amazon because they had a physical presence in Texas (albeit one operating under a different affiliate with a different name), requiring them to pay sales taxes.

Our very own Brenk Johnson was involved in the effort to pass HB1841. He attended a couple of committee hearings, and he'll tell you his mere presence got this out of committee and in front of our governor. He is quoted as saying, "I can sit in a meeting with the best of them."

At the risk of making this blog sound like an Academy Awards reception speech, we would like to thank Jeff Clark and the crew over at TechAmerica for helping to get this bill passed. TechAmerica is a technology advocacy group that we recently joined, and they have a crackerjack lobby group. Our CFO and I were on the verge of hiring a lobbyist for the 2009 Texas session, but we ended up not doing so. Two years later, we decided to go with this industry group, and the verdict is that TechAmerica has been a great investment ... It was also through this group that Lance became a Cloud Commissioner! We also want to thank our competitors over at Rackspace, especially their General Counsel Alan Schoenbaum, for getting us involved and for leading and spearheading the passage of this bill ... What was good for the goose was good for the gander on this one.

Because we are back to where we were a couple of years ago in the definition of nexus with relationship to hosts with data centers in Texas, this was not really a game-changing bill. It was important to clarify and undo the damage caused by the waffling that occurred in the State's Comptroller's Office, so in that sense this was a good bill for the industry. Next session we're going to aim for the game-changer: Margin taxes!

-@badvizsla

December 6, 2010

I, the undersigned, certify under penalty of perjury...

“I, the undersigned, certify under penalty of perjury”, “We believe the following host has recently been compromised” and “I received the below unsolicited commercial e-mail” are a few statements that we, as the SoftLayer Abuse Department, receive on a routine basis. The responsibility of responding to these quite serious matters in and of itself is what gives us our motivation and niche in the overall scheme of this company: the protection of our network’s global reputation. Without a firm and diligent abuse department, many of our customers would experience extreme packet loss left and right. Some customers may be affected by another provider’s block on an entire subnet, due to a single server periodically attacking their network for a month. Others would assuredly have their IP addresses consistently listed in spam databases, thereby restricting e-mail contact with most or all of their clients. So, in order to help keep these things from happening, we need to ensure that any reported or detected abusive activities occurring on our network are thoroughly responded to. We do this by analyzing abuse reports and determining the nature of the issues; if an issue is valid, a ticket is opened with the customer for further correspondence as we track the issue’s resolution. At the same time, we maintain communication with other organizations and providers to ensure that matters are quickly addressed.

While most issues are resolved, or are being resolved, within 24 to 72 hours, some issues require a quicker response. One of these is phishing sites, which need to be removed within a shorter time frame. Our procedures regarding these sites are due to the fact that they are one of the most dangerous and widespread issues on the internet today. If you’re not familiar with these sites, or just want to read up on some of the latest news regarding them, you can get everything you need to know at APWG’s (Anti-Phishing Working Group) website. SoftLayer’s membership within APWG allows us access to the most recent industry-level trends and activities for a range of abusive issues. This gives us a much greater insight and oversight to identify and resolve issues that are negatively affecting our network. I can’t speak too much publicly past the above general time frames, since most abuse work is to some degree like spam filters: immediate disclosure of detection methods and procedures would render them useless. However, I can say that we believe one of the most effective methods for combating phishing is consumer education. If users are familiar with how fraudulent operations work, they are more likely to recognize components of them when they see them and not become victims. In support of this concept, we encourage all of our customers to respond to phishing site ‘take downs’ by replacing the phishing site with a redirect to the APWG’s phishing education landing page. This page is an informative document that explains to the user that they were about to become a victim of illegal activity, and goes on to explain phishing in more detail. Most people in today’s modern society won’t go too far out of their way to obtain new information regarding trends in cybercrime. As such, the moment in which someone is about to be the victim of a phishing scam is considered to be the ‘teachable moment’. This is the moment that someone has clicked on a link that they believe goes to their bank’s website, but is redirected to an educational page about phishing instead. The page is also configured to work with a variety of different languages, based on the client browser settings. The more people encounter the APWG’s landing page instead of a phishing site, the faster phishing education will spread and the fewer potential victims will exist. You may find information on how to implement the redirect here.

One of the next most concerning matters that we address is servers being used by unauthorized third parties to conduct some form of outbound attack. While each is in its own way malicious and needs the same attention, here are a few specifics on some of the general types. Password Cracking/Brute Force – this is typically done by malicious content attacking multiple hosts simultaneously while attempting various username and password combinations, typically with a massive list of pre-defined words. One of the easiest ways to help protect a server against being affected is to change at least your SSH, FTP and RDP services to non-standard ports and ensure that you have complex passwords. I would also advise enabling account lockouts after a certain number of failed login attempts. Another predominant type of malicious scanning is doing so on an entire netblock by checking each host within it to see if one or more ports are open per host, which is then reported back to a database for later use in the latter form of attack. Essentially anything that is in some way part of an intrusion attempt is a priority.

Next we move on to an area of abuse that has most likely affected all of us at some point in time – Malware. This is a very general term we use to describe any software that has been written with malicious intent. The possible functions and uses for malware are only limited by the imagination and the software platforms that they are built upon, assuming that the infection process doesn’t accidentally crash the server. Various forms of malware have been identified as responsible for every type of abuse issue noted in this article at some point in time. At the same time, malware on your server is not the guaranteed reason it may be conducting outbound abusive activities. Most specific malware-related tickets are in reference to a single malicious file or a series of malicious files that are publicly accessible. These issues are often resolved quickly upon deletion of the file(s) in question. However, it is equally important to ensure that any security vulnerabilities that allowed these files to be uploaded are repaired, or you can almost guarantee that the problem will reoccur. Microsoft reported that during the 1st half of 2008, over 90% of system vulnerability and subsequent infections were attributable to ‘weak’ applications rather than malware targeting the operating system itself. – Microsoft S.I.R. Vulnerabilities within the application layer remained the predominant risk throughout the 2nd half of 2008 as well. Malware in general has remained a formidable electronic adversary through 2009 and on to the present. As such, it is very important to ensure that you are using the most current version of all installed applications, and that they were written by a trusted source, in addition to maintaining operating system security.

One very common form of malware affecting servers is an IRC (Internet Relay Chat) bot. One bot alone can be responsible for the infections of countless other machines. This is commonly done by injecting malicious code into poorly written PHP scripts. However, the bigger problem with an IRC bot is the fact that it’s connected to an IRC Botnet Controller, which is capable of commanding massive amounts of infected hosts simultaneously. While these are typically used for spam or other similar illicit activities, there is still the potential for the infected servers to be involved with even worse situations. These are, in effect, a virtual army that’s literally capable of taking small countries off of the internet grid. In June of 2007, the F.B.I. initiated operation ‘Bot Roast’, an ongoing investigation to locate the people behind the wires. But in the meantime, needless to say, these matters need to be addressed as soon as possible.

During our triaging of abuse reports, we also address the very common issue of Spam. The three major types listed in order of priority are: Phishing, General Fraudulence, and other infected hosts Spam. However, you may also be audited, if you will, with a Spam ticket regarding a mailing list one of your clients is operating. For additional information regarding email marketing and the industry’s best practices, spamhaus.org's FAQ is a very useful resource.

Keeping the above in mind, there is also one last thing to consider: maintain a backup of all removed malicious content after it has been found. This evidence could prove invaluable to law enforcement, should the request for it be presented. We also encourage you to review your access logs to determine the source IP address(es) of any intruder or other malicious entity, so that you may report it to the appropriate organization. As it is with many other aspects of life, communication regarding these issues remains critical for timely and appropriate resolutions.

-Andrew Smith - Martinez
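The post above recommends reviewing logs to find the source IP addresses behind brute-force attempts so they can be reported. The following is an added example, not part of the original post: it assumes OpenSSH's syslog line format, a hypothetical threshold of five failures, and log lines constructed for illustration with documentation-range addresses.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH sshd syslog format (not real traffic).
SAMPLE_LOG = """\
Dec  6 03:14:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 50122 ssh2
Dec  6 03:14:03 web01 sshd[2213]: Failed password for invalid user test from 203.0.113.45 port 50130 ssh2
Dec  6 03:14:05 web01 sshd[2215]: Failed password for root from 203.0.113.45 port 50141 ssh2
Dec  6 03:14:07 web01 sshd[2217]: Failed password for invalid user oracle from 203.0.113.45 port 50155 ssh2
Dec  6 03:14:09 web01 sshd[2219]: Failed password for root from 203.0.113.45 port 50163 ssh2
Dec  6 08:30:12 web01 sshd[3050]: Failed password for deploy from 198.51.100.7 port 41822 ssh2
Dec  6 08:30:20 web01 sshd[3052]: Accepted password for deploy from 198.51.100.7 port 41830 ssh2
"""

# Matches failed password attempts for both known and unknown accounts.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def summarize_failures(log_text, threshold=5):
    """Return {ip: summary} for sources with at least `threshold` failed logins.

    The threshold is an assumed value; tune it to the host's normal traffic.
    """
    per_ip = defaultdict(
        lambda: {"count": 0, "users": set(), "first": None, "last": None}
    )
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        entry = per_ip[m["ip"]]
        entry["count"] += 1
        entry["users"].add(m["user"])          # many usernames suggests a wordlist
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return {ip: e for ip, e in per_ip.items() if e["count"] >= threshold}

if __name__ == "__main__":
    for ip, e in summarize_failures(SAMPLE_LOG).items():
        print(f"{ip}: {e['count']} failures, users={sorted(e['users'])}, "
              f"{e['first']} -> {e['last']}")
```

The per-source count, username list and first/last timestamps are the details an abuse desk typically needs in a report; a single mistyped password from a legitimate user stays below the threshold.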

May 31, 2007

If You Can't Beat 'em - Sue 'em!!

I just ran across an article that grossly embarrasses me to be associated with the legal profession. In a recent NetworkWorld article I found the following paragraph:

Lawsuits are a fact of life for organizations today. Recent surveys show that the average U.S. company faces 305 suits at any one time; that number jumps to 556 for companies with $1 billion or more in revenue.

As a licensed attorney I realize that legitimate disputes do exist between parties. I take no issue with legitimate disputes. I do find it hard to believe that the average U.S. company has over 305 active lawsuits at any one time!!

As a consumer of goods and services (individual or business), you should be angered by false and litigious lawsuits because the cost is ultimately borne by you - the end consumer.

The truly alarming trend in business litigation is companies suing each other for “strategic purposes.” These cases are filed and announced in press releases as the plaintiff shouts from the courthouse steps. These types of cases have very little to do with the law, include very fuzzy causes of action and seem to languish endlessly. The goal is to slow down a competitor, burn money, waste productive resources and disparage companies.

Has corporate America forgotten how to compete? Does corporate America really feel like it must lie, cheat and manipulate the legal system to achieve its business goals? Didn’t we learn from Michael Milken and his Bond trading, Enron and their financial house of cards, Tyco and the incredulous expenditures, that cheating the system never results in a long term victory? Just because other companies are doing it doesn’t make it right. Looking down the road, some company will be “the example” when the day comes to reform the system.

Personally, I think the penalty for a plaintiff abusing the legal process by filing a “strategic suit” should be the death penalty and the lawyers should be disbarred. That should be a sufficient deterrent for potential future players. Let’s not create SarBox for the legal profession because we abused the intended use. Business Ethics should apply all the time, not just when required by law.

-@lavosby
