[gnso-rds-pdp-wg] On some security claims (was Re: Apologies, and some reflections on requirements)

TXVB ncuc at jollyrogers.email
Tue Jul 5 13:10:19 UTC 2016


By starting with requirements, TPTB have set up the various ICANN constituencies to get the result they want via Escalation of commitment (sometimes called commitment bias or the sunk cost fallacy).

Do we agree that "abandoning today’s WHOIS model of giving every user the same entirely anonymous public access to (often inaccurate) gTLD registration data.

...basic data would remain publicly available, the rest would be accessible only to
accredited requestors who identify themselves, state their purpose, and agree to be
held accountable for appropriate use."

This should be evaluated on its merits, and THEN if it makes sense, proceed with discussing the requirements for a replacement. We as the NCUC should be the most vocal in fighting for the rights of the non-commercial use of the internet, and as an information security professional, I find the idea of having WHOIS data restricted to "accredited requestors" more than a little concerning - as I foresee it creating a more dangerous internet, with independent research impossible, and

For example: per research from the Talos group at Cisco, it can be extrapolated that changes to RDS won't solve the problem. The bad guys are "renting" domains for a day or two, enabled by shady registrar practices.

This enables the explosion of malware and spam - individuals/groups are registering domains without private WHOIS, and use stolen or fake information for the registration. Full write up: http://blog.talosintel.com/2016/04/enabling-evil.html

From the OSINT.fail blog:
"This individual has registered over 4,000 domains in 11 days. I’m sure he/she has reasons, but none that I’m currently interested in hearing. Not surprisingly, the actor is also associated with over 100K other active domains. "
http://www.osint.fail/2016/02/29/large-foot-prints-and-loud-noises/

The current Registrar Agreements require complete and accurate information - do we believe setting up a whole new RDS will prevent bad actors from exploiting loopholes, or would enforcing current policy on bad registrars suffice?

Will a new NG-RDS solve this? I doubt it. Existing policies and law enforcement organizations either can't or won't enforce the law and rules, the good guys doing research, many aggressively paranoid about privacy, find themselves unable to access data to do research, unwilling to disclose their identities due to personal beliefs to access the data, or most likely both.

The question was asked:
> could you say some more about how you think anyone's life hangs in the
> balance due to registration of domain names?

Yes. Activists, protesters, and minorities could find themselves targeted, with anti-privacy, or oppressive governments with policies such as proposed by the UK Draft Communications Data Bill (sometimes called the Snooper's Charter) would make it difficult, if not impossible to build a private, pseudonymous structure for communication outside of the "approved channels" As it will be impossible in any NG-RDS to keep Governments out of this new structure. As seen by even the most supposedly "free" countries, the Governments are drooling at the idea of getting more data and monitoring of any time implemented everywhere.

https://keybase.io/txvb/key.asc
Fingerprint: 8D6F514FCF40BEB6E3F5C8835B2CD1B4FE6A8562

--------------------------------------------------------
READ CAREFULLY. By [reading this email|accepting this material|accepting this payment|accepting this business-card|viewing this t-shirt|reading this sticker] you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies (“BOGUS AGREEMENTS”) that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

For avoidance of doubt: This email does not constitute permission to add me to your mailing list.


-------- Original Message --------
Subject: RE: [gnso-rds-pdp-wg] On some security claims (was Re: Apologies, and some reflections on requirements)
Local Time: July 4, 2016 5:42 PM
UTC Time: July 4, 2016 10:42 PM
From: cgomes at verisign.com
To: ncuc at jollyrogers.email,farellfolly at gmail.com,va at bladebrains.com
CC: gnso-rds-pdp-wg at icann.org



How can we be way off course when we haven’t started deliberating yet? Are you saying that you think the work plan or approach to deliberation is way off course?





Chuck





From: gnso-rds-pdp-wg-bounces at icann.org [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of TXVB
Sent: Monday, July 04, 2016 6:09 PM
To: farellfolly at gmail.com; va at bladebrains.com
Cc: gnso-rds-pdp-wg at icann.org
Subject: Re: [gnso-rds-pdp-wg] On some security claims (was Re: Apologies, and some reflections on requirements)





I don't have time to address this fully right now due to family and the holiday.

I still believe we are way way off course and there are very legitimate concerns about individual security and rights.






-------- Original Message --------
On Jul 4, 2016, 4:57 PM, Farell Folly wrote:

>>>PS : If you want, I can forward the Mail Andrew Sent me threatening me to
get me "Offlist" Separately



Really? Are you guys going so far?


Please, Let's focus on our top priority at this moment which is to put our energy together and reach consensus on how to have our list of possible requirements, this to end PDP phase 1.



Best Regards
--ff--



Mail sent from my mobile phone. Excuse for brevity.


On 4 Jul 2016 22:51, "Catalyst-Vaibhav Aggarwal" <va at bladebrains.com> wrote:



So V Renaming this WG ???
Charter Re-Drawn ?

Nah I am kidding...

Sorry Chuck, This is gotta wait. I am traveling international till the
10th and this requires Some snippets to be picked up and carefully worded
to showcase that Andrew is hedonistic and came down heavily on a personal
attack and did not respect a fellow WG-M. I am seeing this getting into a
political battle rather than an Intellectual exchange. And I don't seem to
have time for it.

If You want me to exchange Many Pleasantries here, then tell me so and
then Tell Everyone So. Then we can all start posting jokes to this list
once a while :-)

Lets get on with it !
-VA

PS : If you want, I can forward the Mail Andrew Sent me threatening me to
get me "Offlist" Separately. If this is for that then I am not the kinds
who gets pressured.


On 7/5/16, 2:33 AM, "Gomes, Chuck" < cgomes at verisign.com> wrote:

>VA,
>
>I am having trouble understanding why you had a problem with what or how
>Andrew said. Could you please help me understand?
>
>Chuck
>
>-----Original Message-----
>From: gnso-rds-pdp-wg-bounces at icann.org
>[mailto: gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of Group CEO-Vaibhav
>Aggarwal
>Sent: Monday, July 04, 2016 12:15 PM
>To: Andrew Sullivan
>Cc: gnso-rds-pdp-wg at icann.org
>Subject: Re: [gnso-rds-pdp-wg] On some security claims (was Re:
>Apologies, and some reflections on requirements)
>
>Andrew,
>
>Points u have written are baseless and display ur uneasiness of learning
>about "How Internet works"
>
>I won't present a retort here which is targeted to a specific individual
>and not try to waste anyone's time in reading.
>But if u are a internet connoisseur, then u wud never write a baseless
>argument over a suggestion. So I request back off and stick to the
>agenda.
>
>Lets keep the nice nodes open to data exchange and not block the speed by
>writing baselessly.
>
>Best regards,
>-VA
>
>Sent from my mobile device. Typos regretted.
>
>> On Jul 4, 2016, at 9:30 PM, Andrew Sullivan <ajs at anvilwalrusden.com>
>>wrote:
>>
>> Hi,
>>
>> Responding to two messages at once. I think there are some technical
>> misconceptions in the messages from Catalyst-Vaibhav Aggarwal. We
>> won't get anywhere if we proceed by believing false things about how
>> the Internet works.
>>
>>> On Mon, Jul 04, 2016 at 03:19:53PM +0530, Catalyst-Vaibhav Aggarwal
>>>wrote:
>>>
>>> And any such suggestion can easily be implemented with the Automation
>>> of the entire Verification process. For Eg. Gmail has a two Step
>>> Authentication - One on the Password and the other on the Phone
>>> Number of the User.
>>
>> Actually, no. What Google two-step authentication does is bind a
>> login to both a password and some other communication factor. It does
>> not actually tell you who is at the other end, and can't. There is a
>> serious and important difference for our purposes between
>> authenticating that the same individual is undertaking two different
>> actions, and identifying who that individual is when (e.g.) wandering
>> around in the street.
>>
>>> This is a issue regaining the safety of me, my family
>>
>> Can you say more about how you think registration of domain names in
>> the global DNS could (even a little bit) affect the safety of you or
>> your family? In particular,
>>
>>> or anybody will be willing to compromise. And the Lives being lost
>>> and the
>>
>> could you say some more about how you think anyone's life hangs in the
>> balance due to registration of domain names?
>>
>> Also,
>>
>>> On Mon, Jul 04, 2016 at 04:28:29PM +0530, Catalyst-Vaibhav Aggarwal
>>>wrote:
>>>
>>> As far as Security for the Email Addresses is concerned, every email
>>> server has a built in SMTP verification mechanism that either can be
>>> switched on or Off as per the need may be - Most servers or Service
>>> providers don't switch it on as there is a cost added to their
>>> overall Network Management or Infrastructure. BUT Gmail has
>>> implemented it. That is why we are able to see Classification of Mails
>>>in our mail boxes.
>>
>> I would appreciate a pointer to the documentation of this SMTP
>> verification mechanism of which you speak. I'm reasonably familiar
>> with the SMTP specifications, and I'm not really sure what feature
>> you're talking about. If you mean the SMTP VRFY verb, I don't think
>> it does what you think it does, and it has been widely regarded as a
>> spam-promoting feature since at least 1999. It is certainly not the
>> basis for Google's classification of your email, which (depending on
>> how you use it) depends on them reading either your headers or your
>> mail bodies to classify it for you.
>>
>> Best regards,
>>
>> A
>>
>> --
>> Andrew Sullivan
>> ajs at anvilwalrusden.com
>> _______________________________________________
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.org
>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>_______________________________________________
>gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg


_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg at icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg