Hacker News new | past | comments | ask | show | jobs | submit login

I'm thinking Rackspace might well have been in the right on this one. If the customer was in fact phishing, Rackspace was well within their rights to shut down the account. It's really up to the application creator to prevent that abuse.

That said, it's good to have a reminder of the risks of outsourcing your hosting. I still think the tradeoff is worth it for experimental products where you don't want to invest too much upfront.




May be technology can help a bit here? I think the issue in this case was more about the granularity of "takedown". If there was some kind of an API contract between the infrastructure provider and the application service provider - an API that lets you shutdown a single subdomain, an email service and so on, the situation would be more tolerable.


Or even something simpler - call the account holder's phone and play a simple recorded message that says "hey, its Rackspace, we need you to deal with an urgent issue, please check your email ASAP". Cheap for Rackspace, gives the customer fair warning, and if there's no response within some reasonable time frame then shutdown the machines in question.


What if I'm on a two-hour flight, though? A one-hour response time is ridiculous.


Well I didn't agree or disagree with one hour, I said "some reasonable time frame" explicitly because the expected response time needs to consider what the real risks are.


What if I'm asleep in bed?


You don't answer your phone if you're in bed?


I keep my phone permanently on vibrate (so I don't have to remember to silence it when in class, etc.), and besides, it'd take a hell of a lot more to wake me up than a ringing phone.


Some of us are heavy sleepers. I often manage to sleep through an alarm that I can hear through a brick wall when awake.


I agree. Hosting providers usually reserve the right to shutdown your server if it has been hacked, and phishing is often more directly harmful to people.


The problem here is Rackspace as a infrastructure provider judging on behalf of service provider. They give no explanation of the complaint details or why it is justified.

Many comments here take the phishing as "a fact", their terms might grant them the power to shut any server down but this is a threat I think every startup should learn if they use Rackspace Cloud or consider to. And we learnt that.

24 hrs is not just for respond to remove the content, it is also for the server providers to verify the complaint and react responsibly.


Agree. This wasn't a simple DMCA issue-- phishing is an active, criminal activity. Even one hour notice is generous.


Taking the contents of the article on faith, I think the point was that their customers were abusing the startup's service for phishing.

This would be analogous to, for example, AWS taking reddit offline because a user posted a phising link.

Nearly every web business which lets people put information on the web that others can see will face abuse issues at some point or the other - and cutting off a business and its legitimate customers because of one client misusing the service does not inspire confidence.


Everyone hate spam. I don't object Rackspace to shut down an account that is obviously phishing/spam, but not take down as soon as they think there is an abuse. Grace period must be given, so the the site holder can respond.

I don't think it is possible for few-man startup can responds in 1 hours for 24x7. I would choose to use an alternative hosting that give a longer gracing period.


> Grace period must be given, so the the site holder can respond.

Unfortunately, during that grace period, numerous people may be receiving spam emails directing them to the site, and some of those people may be naively entering their information ...

I really dislike the way most service providers and the like handle spam, but unfortunately, I too must side with Rackspace on this one. They simply can not afford to "wait and see" until the site owner responds, or provide a grace period while the site owner tries to figure things out.

Phishing attempts must be handled by site owners as though their server has just been compromised and someone is currently downloading the entire password database: the server must be shut down immediately, the problem fixed offline, and the server only brought back online once the issue is fixed.

Sorry. :-/


The real issue to me is their apparent zero tolerance policy. Unless I'm misreading something, if there are two incidents where your site is used for phishing, you will lose your Rackspace account. I understand that Rackspace doesn't want to go chasing these things left and right, but it seems that's a little extreme, especially when they're supposed to be infrastructure providers, and should recognize that their clients have clients, and their clients shouldn't be held entirely responsible for the actions of their clients' clients.


:-/

For your argument, I just created an wufoo form which should take down immediately once discovered. http://rickmak.wufoo.com/forms/phishing/. IN that case, I am sure only my account will be taken down, not the whole wufoo.

Actually, it depends on size. If someone created a phishing site on Heroku's, Amazon probably won't shutdown all Heroku sites. But to let Heroku to investigate. For small startup like pandaform, no luck. Rackspace just regards you as one site.

Pandaform can handle things better, like banned "password" field like wufoo do.


It seems like it would be an improvement to either:

1. Keep the very short notification period but also try to reach the site owner via phone or IM

2. Lengthen the notification period if using email only

(Note that I have no problem with short notice and email only if the customer was given the option of providing an emergency contact method but chose not to, and that I otherwise generally agree with the response.)

It seems like the real flaw here is the combination of lack of communication and lack of warning.


The reality is that each minute the phishing site remains up, another account may get its information stolen. Imagine if you are the person that had your bank account information stolen and drained during the "grace period" for the company to respond to the takedown notice.

This is the kind of thing where a customer who gets their information stolen while Rackspace is waiting for the grace period to expire might have a legal cause of action against Rackspace.

Ultimately, I think Rackspace did exactly the right thing here. If you are operating a service that would potentially allow fishing, then you are bearing the risk of policing your users. Asking Rackspace and affected users to give you a grace period is asking them to bear the risk instead. I 100% agree with the decision to immediately shut the site down.


Do you think that it is reasonable if someone creates a phishing website on heroku, and all servers on heroku got shut down by amazon in an hour?


No, and that's a strawman argument. That's like asking if it were reasonable for Level 3 to pull the plug on Rackspace if Level 3 got a phishing complaint.

If Amazon got complains about Heroku then I'd certainly expect them to be investigated, and in Heroku's case I'd expect Heroku would take over and shutdown the phishing site.


exactly, same in this case. I expect Rackspace should ask pandaform to investigate the case and shutdown the phishing site. I won't expect the whole pandaform would be taken down.

Also pandaform doesn't allow use to put any script or password field in the form, which the quality of the "phishing" form is not as serious as what we thought as a normal phishing site do.


In the case of Heroku, I'd expect them to be able to shut the phishing site down within the 40 minute period Rackspace apparently gave Pandaforms before shutting the whole service down themselves.

I'm sure if Pandaforms had done this (which is difficult when you're a much smaller startup than Heroku) then their server would have been left untouched.

You can argue that Heroku would have most likely got a phone call and that Pandaforms deserve the same treatment, but I don't think that they'd have been allowed to leave phishing sites up for any period of time without their servers being placed in jeopardy either.


I think everyone agreed on that the service provide have to investigate and take action on any abuse claim. But what is questioning now is that is it reasonable to shutdown a suspect case of abuse without giving time for the service provider to investigate and respond to this case?


According to http://archive.nyu.edu/bitstream/2451/15020/2/Infosec+BOOK_T... “experimental studies have shown that the bulk of victim credentials are collected within 24 hours of mailing the bait messages.”

Once a phishing form is “in the wild,” every minute counts.

The burden is on the service (your site) to prevent or quickly act to rectify a situation, but if your provider determines that it must intervene, then it is well within it's right to.


is it reasonable to shutdown a suspect case of abuse without giving time for the service provider to investigate and respond to this case?

Yes, if there are enough complaints and harm that may come from it is serious enough.


So, the writer of the article had one complaint. The forms cannot take passwords.

A second complaint, without any investigation, would result in the termination of his account and destruction of data.

That is not reasonable.


> So, the writer of the article had one complaint. The forms cannot take passwords.

We don't know this. We have no idea how many complaints rackspace has against this guy. It could be one or it could be dozens.


If heroku got enough complaints (relative to it's size) they would get shut down or asked to leave. Now, heroku has a lot more than two servers, so it's going to take more than one or two complaints to take them out, and they are probably going to get more than an hour of notice, but if you provide a hosting service, you need to make sure that your users and customers are not using your service to host phishing sites.


They were in their right. And I'm in the right of choosing a provider that won't disrupt my business. I'm not talking about bulletproof hosting but 1 hour notice before takedown? Can't upvote this story enough.




Consider applying for YC's W25 batch! Applications are open till Nov 12.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: