[gnso-rds-pdp-wg] Reputation systems are not just nice to have (was Re: What we want redux)

allison nixon elsakoo at gmail.com
Tue Oct 3 21:15:58 UTC 2017


Jeremy, I strongly disagree with your previous email on a technical and
factual basis due to the fact that my day job often centers on the exact
issues you're describing. I think it's very important that the EFF
understands the nuances of this issue and if you're interested in learning
more about the process of how information is gathered and used I can walk
you through recent incidents I worked on, and any number of other incidents
I can remember working on, if you have the interest.

Whether or not the EFF agrees with the work of anti-abuse professionals may
be a point of debate (or may not, I don't know if your org even likes the
idea of anti-abuse or not), but if the EFF believes this information has no
utility for our purposes then that is completely factually incorrect.

I copied your email and responded inline.

>> They think that anti-abuse professionals should be able to work with
>> whatever information they have that we already collect for the narrower
>> technical purposes of the operation of the DNS.

"whatever information they have" includes the currently collected WHOIS
info, which we are not asking for any expansion of.

>> There is no added value
>> in collecting personal information -

This is completely and factually untrue. There are countless cases that I
can point to where WHOIS data either connected previously-unrelated pieces
of malicious infrastructure, or connected malicious infrastructure to their
original owner's true identity. Also the ability to notify owners of
compromised infrastructure. I believe that counts as added value.

>> after all, criminals are not going
>> to provide correct information anyway,

Again, a completely factually untrue statement. It is an assumption that
many people make if they have not spent much time using WHOIS to track
abuse. Many criminals do, or used to, put their personal data in WHOIS
fields. They often redact them later when they get far along enough in
their criminal careers. This is where historical WHOIS plays a part.

Additionally, faked WHOIS data is critically important. Similarities
between faked WHOIS data are used to find potentially related domains and
inform investigations. Any investigator worth their salt knows the value in
observing the human predictability in attempts to generate randomness. Lies
tell their own truth.

>> and if a domain has been
>> compromised then the personal information of the original registrant
>> isn't going to help much,

This is once again very much factually untrue. In cases of domains that are
stolen and used to commit crimes, this makes a huge difference in how the
registrant is treated. In most abuse cases, the provider cuts off service
and does not offer refunds. However if the registrant is simply another
victim, the provider treats them differently.

>> and its availability in the wild could cause
>> significant harm to the registrant.

Once again, untrue. If the people dealing with the abuse see the registrant
as another victim, instead of the perpetrator, this can prevent situations
where people are wrongfully searched or arrested. In the investigations
world there are still a lot of police, especially in jurisdictions without
a mature cyber investigations program, that are unable to differentiate
when someone is the criminal or is simply another victim/proxy. Making
these waters muddier increases the chance of this happening, and increases
the number of arrests and searches on people who are simply another victim.

In conclusion, I don't know who your cybersecurity expert is within the
EFF, but they are not an expert in WHOIS or investigations. But there are a
number of people on this list that do use WHOIS in our daily jobs and we
are telling you a very different message. Jeremy, if my offer to show you my
work interests you, it might be best to do a direct phone call and screen share
session.

Re: Jonathan Matkowsky's email, which came later:
>> The overwhelming majority of phishing is on compromised domains, and the
>> primary course of mitigation is contacting the victim alongside their
>> hosting provider. This is not done by the registrars currently but it could
>> be contractually imposed on them, I suppose.

If WHOIS is shut down, then the registrars absolutely must take an
increased responsibility. In my work with different providers, the vast
majority will absolutely refuse to forward any concerns to the end user
even with evidence. They only want to do the bare minimum because reducing
costs is more important than anything else to that industry.

I like the idea of ICANN contractually obligating registrars to take on
increased anti-abuse responsibility, but I also know this is never going to
happen because the costs are going to be unacceptable. We also run into the
issue that some registrars are run by criminals and they would love that
kind of power.





On Tue, Oct 3, 2017 at 3:05 PM, Jeremy Malcolm <jmalcolm at eff.org> wrote:

> So because my comments have generated a bit of blowback from people I
> respect, I took the initiative to consult internally with some of my
> colleagues who have more expertise in cybersecurity than I do, to make
> sure that I'm not missing something.  It turns out that they agree with
> my take on what EFF's position is here.
>
> They did not think that we should be designing an RDS that would gather
> information about domain registrants beyond what is required for
> technical operation of the DNS. Even if such information were only
> limited to anti-abuse professionals, that also wouldn't work. There
> would be nothing to stop malicious actors from identifying as anti-abuse
> professionals - neither would want to have a system to "vet" anti-abuse
> professionals, because that would be even more problematic.
>
> They think that anti-abuse professionals should be able to work with
> whatever information they have that we already collect for the narrower
> technical purposes of the operation of the DNS.  There is no added value
> in collecting personal information - after all, criminals are not going
> to provide correct information anyway, and if a domain has been
> compromised then the personal information of the original registrant
> isn't going to help much, and its availability in the wild could cause
> significant harm to the registrant.
>
> So, I stand by what I originally wrote and can confirm that this is
> EFF's position, much as the anti-abuse professionals on this list may
> disagree with it.
>
> On 30/9/17 3:07 pm, Greg Aaron wrote:
> > I assume that the EFF (or its Internet service provider, Unwired) uses
> reputation systems to filter the EFF's email and keep malware, phishing,
> and spam from reaching the EFF staff.  Just like every other enterprise out
> there.
> >
> > Recently the EFF has been worried about malware and phishing attacks
> against NGOs, and has been a proponent of patching compromised machines
> that are being used to attack other people.  Reputation systems are what
> people use to protect themselves and their networks against such things.
> >
> > Would the DNS work without reputation systems?  That is the wrong
> question, a reductio ad absurdum.  A DNS without any users is worthless.
> Reputation systems are one of the things that keeps the Internet usable.
> >
> > Domain names exist in order to enable communication.  And in the DNS,
> people can send you whatever packets they want to, whether you want it or
> not.   Users need to decide what traffic they wish to accept, and part of
> that is understanding what the sender or origin is.  And some of those
> senders want to do us, and the people we wish to protect, great harm.
> >
> > All best,
> > --Greg
> >
> >
> >
> > -----Original Message-----
> > From: gnso-rds-pdp-wg-bounces at icann.org [mailto:gnso-rds-pdp-wg-
> bounces at icann.org] On Behalf Of Jeremy Malcolm
> > Sent: Friday, September 29, 2017 2:57 PM
> > To: gnso-rds-pdp-wg at icann.org
> > Subject: Re: [gnso-rds-pdp-wg] Reputation systems are not just nice to
> have (was Re: What we want redux)
> >
> > On 29/9/17 11:44 am, Andrew Sullivan wrote:
> >> Since we are making policy for a system that is used in support of
> >> domain name operation, we need to make that support work for all the
> >> parts of the operations in question.  One of the operations in
> >> question is various reputation systems, so I think it is not optional
> >> for us to support that functionality.
> > I disagree, I think that a case can be made that reputation systems are
> important, but they're not essential to the operation of the DNS.  You
> might as easily say that because advertising revenue is also used "in
> support of domain name operation", we need to make sure that the DNS
> supports that.  There are lots of different working parts of the Internet
> ecosystem that make our online experience better, including voluntary
> reputation systems, but would the DNS still work without them?  Yes.
> >
> > --
> > Jeremy Malcolm
> > Senior Global Policy Analyst
> > Electronic Frontier Foundation
> > https://eff.org
> > jmalcolm at eff.org
> >
> > Tel: 415.436.9333 ext 161
> >
> > :: Defending Your Rights in the Digital World ::
> >
> > Public key: https://www.eff.org/files/2016/11/27/key_jmalcolm.txt
> > PGP fingerprint: 75D2 4C0D 35EA EA2F 8CA8 8F79 4911 EC4A EDDF 1122
> >
> >
>
> --
> Jeremy Malcolm
> Senior Global Policy Analyst
> Electronic Frontier Foundation
> https://eff.org
> jmalcolm at eff.org
>
> Tel: 415.436.9333 ext 161
>
> :: Defending Your Rights in the Digital World ::
>
> Public key: https://www.eff.org/files/2016/11/27/key_jmalcolm.txt
> PGP fingerprint: 75D2 4C0D 35EA EA2F 8CA8 8F79 4911 EC4A EDDF 1122
>
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>



-- 
_________________________________
Note to self: Pillage BEFORE burning.
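The pivoting technique Allison describes above (similarities between WHOIS fields, including faked ones, linking otherwise unrelated domains, with historical snapshots linking a domain whose current record is redacted) can be demonstrated with a small clustering script. This is an added example written for this archived thread, not code from anyone on the list or from any WHOIS provider. The WHOIS snapshots, domain names, registrant names, emails and phone numbers below are all constructed placeholders, and the field names (`registrant_name`, `registrant_email`, `registrant_phone`, `registrant_street`) are assumed labels for a normalised record rather than any particular registrar's output. It also shows the check a practitioner needs: placeholder values such as "REDACTED FOR PRIVACY" or "n/a" must not be used as pivots, or they will tie every privacy-protected domain into one meaningless cluster.

```python
"""Cluster domains that share WHOIS registrant fields across historical snapshots.

Added illustration for the thread above; all data below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample: (domain, snapshot_date, record). The first domain had
# real-looking data in 2016 and was redacted in 2017; only the historical
# snapshot links it to the later phishing-style domains.
SNAPSHOTS = [
    ("example-shop.test", "2016-03-01", {
        "registrant_name": "J. Doe", "registrant_email": "JDoe@mail.example",
        "registrant_phone": "+1.555-010-0001", "registrant_street": "1 Sample Street"}),
    ("example-shop.test", "2017-05-10", {
        "registrant_name": "REDACTED FOR PRIVACY", "registrant_email": "REDACTED FOR PRIVACY",
        "registrant_phone": "REDACTED FOR PRIVACY", "registrant_street": "REDACTED FOR PRIVACY"}),
    ("login-verify.test", "2017-04-02", {
        "registrant_name": "Xq Zr", "registrant_email": "jdoe@mail.example",
        "registrant_phone": "+1 555 010 0002", "registrant_street": "n/a"}),
    ("secure-update.test", "2017-04-03", {
        "registrant_name": "Xq  Zr", "registrant_email": "asdfg1@mail.example",
        "registrant_phone": "15550100002", "registrant_street": "n/a"}),
    ("unrelated-bakery.test", "2017-01-15", {
        "registrant_name": "Pat Baker", "registrant_email": "pat@bakery.example",
        "registrant_phone": "+1.555.010.9999", "registrant_street": "9 Other Road"}),
]

# Values carrying no identifying signal. Pivoting on these would join every
# privacy-protected or lazily filled record into one bogus cluster.
PLACEHOLDERS = {"", "n/a", "none", "redacted for privacy", "data protected"}


def normalize(field, value):
    """Canonicalise one field so cosmetic differences do not defeat a match.

    Returns None for placeholder values, which are never used as pivots.
    """
    v = value.strip().lower()
    if v in PLACEHOLDERS:
        return None
    if field == "registrant_phone":
        v = re.sub(r"\D", "", v)      # keep digits only: "+1 555 010 0002" -> "15550100002"
        return v or None
    return re.sub(r"\s+", " ", v)     # collapse internal whitespace


def build_index(snapshots):
    """Map every (field, normalised value) pair to the domains that ever carried it."""
    index = defaultdict(set)
    for domain, _date, record in snapshots:
        for field, raw in record.items():
            key = normalize(field, raw)
            if key is not None:
                index[(field, key)].add(domain)
    return index


def cluster_domains(snapshots):
    """Union-find over domains: any shared pivot value joins two domains into one cluster.

    Returns clusters sorted largest first, then by their smallest domain name.
    """
    parent = {domain: domain for domain, _, _ in snapshots}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for domains in build_index(snapshots).values():
        first = next(iter(domains))
        for d in domains:
            union(first, d)

    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    return sorted(groups.values(), key=lambda s: (-len(s), min(s)))


def shared_fields(snapshots, a, b):
    """Return the evidence (field, normalised value) that links domain a to domain b."""
    index = build_index(snapshots)
    return {key for key, domains in index.items() if a in domains and b in domains}


if __name__ == "__main__":
    for cluster in cluster_domains(SNAPSHOTS):
        print(sorted(cluster))
    print(shared_fields(SNAPSHOTS, "example-shop.test", "login-verify.test"))
```

Running it groups `example-shop.test`, `login-verify.test` and `secure-update.test` together (the first via its 2016 email address, the other two via the shared name and phone number, despite different formatting), while `unrelated-bakery.test` stays alone because its only overlap with the others would be nothing at all. Dropping the `PLACEHOLDERS` check would instead link the two "n/a" street records and every redacted record, which is the main false-positive trap when doing this at scale.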