Re: Anonymous surfing

• Previous message: Yannick Turgeon: "Anonymous surfing"
• In reply to: Yannick Turgeon: "Anonymous surfing"
• Next in thread: Leythos: "Re: Anonymous surfing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 15 Nov 2004 23:21:06 GMT

In article <Zm8md.5108$rc.444665@news20.bellglobal.com>,
Yannick Turgeon <nobody@nowhere.com> wrote:
:I'm in charge of a website which include a forum. One of the users is using
:anonymous surfing to create new accounts and post unrespectfull messages. I
:cannot ban him because his IP is constantly changing from one location in
:the world to another one. I cannot believe *true* anonymous surfing is
:possible. What can I do to stop this? What can I do to find his real ISP.

What can you do to find his real ISP ? You take these steps if you
are in the USA or the poster is posting from the USA:

First, kick all existing users off the system -- invalidate their
accounts somehow. Next, reconfigure your system to require that each
user signing up goes through a "click-wrap" agreement that you have
a lawyer draw up, that makes it clear that the undesirable behaviour
is not permitted and will constitute a breach of contract and
will constitute exceeding the authorization to use the system. Next,
you require a payment from each user who wants to use the forum --
a nominal $1 fee will do nicely. You want that payment so as to
make it clear that your site is involved in "interstate commerce";
it also makes it clear that access to the forum is a "thing of value".
Next, you synchronize your system clock against a trusted time
source such as an atomic clock, and you make sure you -keep- it
sync'd such as by using NTP.

Then you let people start signing up again, and you don't activate their
accounts until you receive the nominal payment from them.

This will not, of course, prevent the user from abusing your system,
but it lays the foundation for everything that follows.

When the user -does- go ahead and abuse your system, you then have
your lawyer draw up a "John Doe" supena and serve it against the ISP
who owns the IP the user apparently posted from, demanding all their
records pertaining to that login session. A supena needs grounds,
and the grounds that you cite will be the US Computer Fraud And Abuse
Statutes. You attach a copy of the user agreement to demonstrate
that the behaviour engaged in was unacceptable ("exceeded authorization"
in the terms of the Statutes), and you include the payment record
to demonstrate "interstate commerce". The US Computer Fraud and Abuse
Statutes apply to all "federal interest systems", and if you read
the Statutes you'll likely get a very heavy impression that they
are really only intended to protect Banks and other Big Business,
but they are *written* to protect any system that engages in
"interstate commerce", no matter how low the value of that commerce.
So that allows you to invoke federal laws rather than having to rely
on the differening laws of the different states.

Once the ISP of last record has handed over the records, you go after
the ISP that came before that in the chain. And you keep going and
keep going until you hit a system that is deliberately refusing to
keep records so as to provide anonymous service. You then take their
refusal to a judge along with the other records, and get the judge to
authorize a wiretap; that and some patience gets you to the next hop.
And on and on you go, probably having to invoke international
extradition treaties to get overseas systems to release the information
to you. If you hit a country which refuses to play along, then you
go after all the countries that provide network feeds to said country
and get them to wiretap every data connection (and every phone line
too if necessary) until you capture information about one more hop.
Keep going on this long enough, and you'll eventually get back to the
original user's ISP and some reaon information about who the user is.

Oh yes, you should expect that this will all cost you upwards of
$US300,000 to track the user, and that you won't be able to recover
any of those costs -- you'll just get the satisfaction of having nailed
him or her with a Felony conviction and a $50 fine with no jail time.

Don't be too surprised, by the way, if somewhere along the way,
some judge refuses to issue the appropriate supena or wiretap order,
saying that there are better things for the police to be doing.
It's not uncommon for the appropriate departments to say that it
isn't worth their times to even open an investigation until the
value obtained without permission gets up to $50,000 or $100,000.

-- 
   *We* are now the times.                  -- Wim Wenders (WoD)

• Previous message: Yannick Turgeon: "Anonymous surfing"
• In reply to: Yannick Turgeon: "Anonymous surfing"
• Next in thread: Leythos: "Re: Anonymous surfing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]