From owner-freebsd-questions@FreeBSD.ORG Mon Sep 15 03:26:43 2008 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id ACF6F106573A for ; Mon, 15 Sep 2008 03:26:43 +0000 (UTC) (envelope-from tedm@toybox.placo.com) Received: from mail.freebsd-corp-net-guide.com (mail.freebsd-corp-net-guide.com [65.75.192.90]) by mx1.freebsd.org (Postfix) with ESMTP id 5BE788FC21 for ; Mon, 15 Sep 2008 03:26:37 +0000 (UTC) (envelope-from tedm@toybox.placo.com) Received: from TEDSDSK (nat-rtr.freebsd-corp-net-guide.com [65.75.197.130]) by mail.freebsd-corp-net-guide.com (8.13.8/8.13.8) with SMTP id m8F3QaDK001408; Sun, 14 Sep 2008 20:26:37 -0700 (PDT) (envelope-from tedm@toybox.placo.com) From: "Ted Mittelstaedt" To: "Beech Rintoul" , Date: Sun, 14 Sep 2008 20:27:41 -0700 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0) In-Reply-To: <200809140959.32653.beech@freebsd.org> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1933 Importance: Normal X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0 (mail.freebsd-corp-net-guide.com [65.75.192.90]); Sun, 14 Sep 2008 20:26:37 -0700 (PDT) Cc: Art Vandelay Subject: RE: Being a shell provider - good business? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 15 Sep 2008 03:26:43 -0000 > -----Original Message----- > From: owner-freebsd-questions@freebsd.org > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Beech Rintoul > Sent: Sunday, September 14, 2008 10:59 AM > To: freebsd-questions@freebsd.org > Cc: Art Vandelay > Subject: Re: Being a shell provider - good business? > > > On Saturday 13 September 2008, Art Vandelay said: > > Hello. My friend thinks that being a shell provider for IRC bots > > and bouncers is very good business. How do I convince him it's not? > > > > Sorry for going off-topic and cross-post, but I don't know who else > > to ask. > > Ask him how he's going to deal with all the angry users when one of > his script kiddie users gets the IP k-lined from all the irc servers. > Or how he's going to deal with law enforcement after one of his > accounts uses the shell for nefarious purposes. At the ISP I worked > for we stopped offering shell accounts to all but our most trusted > clients for those exact reasons. The only way I would even consider > it would be to have a block of IPs and jail every user. Even then > it's a legal and security minefield. > At our ISP we still offer shell accounts. It is not a legal and security minefield, I don't know where your getting that from. There isn't anything that a user can do on a shell server that they can't already do from an IP address on the end of a DSL line. Of course, we have our shell accounts on a separate server and that server is behind a bandwidth limiter so they don't get any more bandwidth than a DSL line would get. The only real security issue is that you have to assume that there is no security -between accounts- and so we provide a statement to every shell user saying that they have no expectation of privacy from other shell users. We also disclaim backup of course - they have to backup their own stuff. The fact of the matter is that if you are offering web hosting and you allow shell scripts, there is nothing preventing someone from running a CGI application that will give them a shell prompt on the webserver that they can access from their web browser. The webmin program has one of these in it, and I'm sure there's tons of others. The real issue seems to be to me that your friend is actively soliciting customers that he -knows- are going to be using his service for nefarious purposes. People that do this typically have a very weak AUP and do not enforce their AUP if it's violated, and trust me, word gets around if they are like this. I would explain to him that the dangers of doing this is that sooner or later he's going to snag a child porno guy who will setup an irc bot to trade underage porno with his other child porno friends, and it won't be long before the FBI has shown up at the colocate shop that his server is located at, and put a tap on his server. Every large colocate farm out there in the US at any given time has at least one of these servers that the FBI has an active tap on and I can tell you that when the FBI has gathered enough data that things will be extremely unpleasant for your friend. He can assume from the get-go that his server hardware will be gone, and that's just the beginning of it. All of the national providers have rooms with black boxes in them that only the top senior admin deals with, and that recieve visits from the men in black from time to time. And if the colocate shop is overseas, things can get even more unpleasant. Let me explain that in the United States, the courts do not accept as a defense that the defendant was kidnapped in a foreign country and secretly flown in to stand trial - and while the CIA doesen't regularly engage in these operations, they do from time to time. Foreign governments are even worse - Israel for example, regularly engages in kidnapping suspects from other countries and has been known to just kill the suspect if the kidnapping doesen't work out. Your friend definitely does not want his server in that country. And child porno is one of the few international crimes that virtually all the world's governments police forces cooperate on. Ted