The reality is that each minute the phishing site remains up, another account may get its information stolen. Imagine if you are the person that had your bank account information stolen and drained during the "grace period" for the company to respond to the takedown notice.
This is the kind of thing where a customer who gets their information stolen while Rackspace is waiting for the grace period to expire might have a legal cause of action against Rackspace.
Ultimately, I think Rackspace did exactly the right thing here. If you are operating a service that would potentially allow phishing, then you are bearing the risk of policing your users. Asking Rackspace and affected users to give you a grace period is asking them to bear the risk instead. I 100% agree with the decision to immediately shut the site down.
No, and that's a strawman argument. That's like asking if it were reasonable for Level 3 to pull the plug on Rackspace if Level 3 got a phishing complaint.
If Amazon got complaints about Heroku then I'd certainly expect them to be investigated, and in Heroku's case I'd expect Heroku would take over and shut down the phishing site.
Exactly, same in this case. I expect Rackspace should ask pandaform to investigate the case and shut down the phishing site. I wouldn't expect the whole of pandaform to be taken down.
Also, pandaform doesn't allow users to put any script or password field in the form, so the quality of the "phishing" form is not as serious as what we think of as a normal phishing site.
In the case of Heroku, I'd expect them to be able to shut the phishing site down within the 40 minute period Rackspace apparently gave Pandaforms before shutting the whole service down themselves.
I'm sure if Pandaforms had done this (which is difficult when you're a much smaller startup than Heroku) then their server would have been left untouched.
You can argue that Heroku would have most likely got a phone call and that Pandaforms deserve the same treatment, but I don't think that they'd have been allowed to leave phishing sites up for any period of time without their servers being placed in jeopardy either.
I think everyone agrees that the service provider has to investigate and take action on any abuse claim. But what is in question now is: is it reasonable to shut down a suspected case of abuse without giving the service provider time to investigate and respond to the case?
Once a phishing form is “in the wild,” every minute counts.
The burden is on the service (your site) to prevent or quickly act to rectify a situation, but if your provider determines that it must intervene, then it is well within its rights to.
If Heroku got enough complaints (relative to its size) they would get shut down or asked to leave. Now, Heroku has a lot more than two servers, so it's going to take more than one or two complaints to take them out, and they are probably going to get more than an hour of notice, but if you provide a hosting service, you need to make sure that your users and customers are not using your service to host phishing sites.