[NyxWulf]

The reality is that each minute the phishing site remains up, another account may get its information stolen. Imagine if you are the person that had your bank account information stolen and drained during the "grace period" for the company to respond to the takedown notice.

This is the kind of thing where a customer who gets their information stolen while Rackspace is waiting for the grace period to expire might have a legal cause of action against Rackspace.

Ultimately, I think Rackspace did exactly the right thing here. If you are operating a service that would potentially allow fishing, then you are bearing the risk of policing your users. Asking Rackspace and affected users to give you a grace period is asking them to bear the risk instead. I 100% agree with the decision to immediately shut the site down.

[royuen]

Do you think that it is reasonable if someone creates a phishing website on heroku, and all servers on heroku got shut down by amazon in an hour?

[nl]

No, and that's a strawman argument. That's like asking if it were reasonable for Level 3 to pull the plug on Rackspace if Level 3 got a phishing complaint.

If Amazon got complains about Heroku then I'd certainly expect them to be investigated, and in Heroku's case I'd expect Heroku would take over and shutdown the phishing site.

[royuen]

exactly, same in this case. I expect Rackspace should ask pandaform to investigate the case and shutdown the phishing site. I won't expect the whole pandaform would be taken down.

Also pandaform doesn't allow use to put any script or password field in the form, which the quality of the "phishing" form is not as serious as what we thought as a normal phishing site do.

[notahacker]

In the case of Heroku, I'd expect them to be able to shut the phishing site down within the 40 minute period Rackspace apparently gave Pandaforms before shutting the whole service down themselves.

I'm sure if Pandaforms had done this (which is difficult when you're a much smaller startup than Heroku) then their server would have been left untouched.

You can argue that Heroku would have most likely got a phone call and that Pandaforms deserve the same treatment, but I don't think that they'd have been allowed to leave phishing sites up for any period of time without their servers being placed in jeopardy either.

[edwincheese]

I think everyone agreed on that the service provide have to investigate and take action on any abuse claim. But what is questioning now is that is it reasonable to shutdown a suspect case of abuse without giving time for the service provider to investigate and respond to this case?

[mtigas]

According to http://archive.nyu.edu/bitstream/2451/15020/2/Infosec+BOOK_T... “experimental studies have shown that the bulk of victim credentials are collected within 24 hours of mailing the bait messages.”

Once a phishing form is “in the wild,” every minute counts.

The burden is on the service (your site) to prevent or quickly act to rectify a situation, but if your provider determines that it must intervene, then it is well within it's right to.

[nl]

is it reasonable to shutdown a suspect case of abuse without giving time for the service provider to investigate and respond to this case?

Yes, if there are enough complaints and harm that may come from it is serious enough.

[chopsueyar]

So, the writer of the article had one complaint. The forms cannot take passwords.

A second complaint, without any investigation, would result in the termination of his account and destruction of data.

That is not reasonable.

[epochwolf]

> So, the writer of the article had one complaint. The forms cannot take passwords.

We don't know this. We have no idea how many complaints rackspace has against this guy. It could be one or it could be dozens.

[lsc]

If heroku got enough complaints (relative to it's size) they would get shut down or asked to leave. Now, heroku has a lot more than two servers, so it's going to take more than one or two complaints to take them out, and they are probably going to get more than an hour of notice, but if you provide a hosting service, you need to make sure that your users and customers are not using your service to host phishing sites.