Dump shared hosting to avoid ASIC's Section 313 hammer
So the Australian Securities and Investment Commission (ASIC) didn't simply block access to 1,200 legitimate websites in its clumsy pursuit of alleged scammers; it turns out that on another occasion, it blocked 250,000 websites. In telling that story to a Senate committee this week, ASIC officials showed not the slightest sign of remorse. An apology seems well beyond them.
I've already called for a head on a spike in relation to ASIC's incompetence — it's a crime to disrupt someone's communication without lawful authority — and I'll get to my opinion of this week's revelations shortly.
But right now, the most important message for every business online is to build and maintain your own infrastructure, so that the bad behaviour of others doesn't end up damaging your own bottom line.
Most low-end businesses, and even many larger ones, use low-end web hosting. "Shared hosting", it's called, because your website — and often your email with it — is sharing a computer, physical or virtual, with dozens, hundreds, or even thousands of other similar-sized businesses. It's a model that makes perfect sense from a cost perspective, and it's served us well for nearly two decades.
Websites that use shared hosting also usually share an internet protocol (IP) address. Again, this makes perfect sense, because it's stopped the limited number of IPv4 addresses from being burned up by a billion little five-page brochureware sites.
But the problem with shared hosting, like living in a share house, is that you have to put up with behaviour of your co-tenants — and any fallout therefrom. And, just like living in a share house, those problems include laziness and other people stealing all the milk.
Stealing all the milk — that is, hogging the resources of the shared server — is usually a temporary problem. If it's a sudden traffic spike, it'll go away eventually. If it's sustained high traffic, the hosting provider will eventually shuffle the customers amongst their servers to balance the load.
Laziness is the killer. It takes just one shared hosting customer to fail to patch their WordPress or Drupal installation, or to lose their all-too-lame password in a data breach elsewhere, and the bad guys are in.
If you're lucky, they'll be spammers. About 10 minutes after they've broken in to the co-tenant's account and used it to send maybe 50,000 spam emails, any competent datacentre will have detected the traffic spike, taken the server offline, and started an investigation.
Of course, by then, the server's IP address will have already been added to anti-spam blacklists around the planet. Most places will reject email coming from that server as spam — including yours — and it'll take the rest of the week for the server's reputation to be restored.
Oh, you wanted to email your customers this week? Yeah, pity about that.
If you're unlucky, the bad guys will be a step up from spammers. They'll use a rootkit to get administrative access, take over the entire computer, steal data from every customer's account, including yours, install the Blackhole exploit kit to infect the computers of all your website visitors ... well, you get the picture. You're wading in brown stuff.
That all sounds bad, and it is. But these were familiar risks, and there were known procedures for detecting the problems and dealing with them.
This week, we discovered that a new and unknown risk has been added to the mix: A law enforcement agency might cut off IP access to your shared hosting server without even bothering to contact you.
Which brings us back to ASIC.
On Tuesday night, ASIC deputy chairmen Peter Kell presented a written opening statement (PDF) that dismissed its inadvertent blocking of innocent websites as a minor concern.
"In [the] instance in March this year, an IP address we blocked hosted a very large number of sites, around 250,000, of which the vast majority (in excess of 99.6 percent) appear to contain no substantive content. In this instance, we believe that less than 100 active sites (less than 0.4 percent) may have been temporarily affected. None of these are .au sites," it said.
"On the other eight occasions, only the targeted criminal site, or the targeted site and a very small number of other sites, have been affected."
The excuse seems to be that it operated only a little bit illegally, or that damaging only a small number of business' online activities matters as it runs down the bad guys.
"I repeat, we have received no complaints or expressions of concern beyond the Melbourne Free University matter," Kell said.
ASIC has made the commitment to look at how it uses Section 313 of the Telecommunications Act 1997, which is good. But there's still the question of whether it can actually decide to block access to websites in this way without a court order.
Greens Senator Scott Ludlum asked: "Could you provide the committee, on notice, with where you think your legal authorisation to actually issue these letters [requesting that ISPs block IP access] in the first place derives from? There is a bit of ambiguity about how you are even able to do that."
I await the answer with interest, because right now, it looks like ASIC has found in Section 313 a hammer, and by God it's going to use it. Judging by its performance so far, it's a hammer that it'll swing with all the grace and subtlety of a couple of New Orleans Police Department officers busting into a crack house on an episode of Cops. Even if it hasn't got the faintest idea of the difference between a nail and a screw.
God help us when it discovers the cybers.
[For a more detailed technical discussion of the risks of shared-IP hosting, see The Company You Keep by Geoff Huston, chief scientist at the Asia Pacific Network Information Centre (APNIC).]