[gnso-rds-pdp-wg] Calling it quits

consult at cgomes.com consult at cgomes.com
Mon Oct 30 08:07:33 UTC 2017


Darren,

It doesn't seem to me that this relates to RDS purposes, which is the current focus of the WG.

Chuck

-----Original Message-----
From: gnso-rds-pdp-wg-bounces at icann.org [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of Darren S.
Sent: Monday, October 30, 2017 12:03 AM
To: ICANN RDS <gnso-rds-pdp-wg at icann.org>
Subject: Re: [gnso-rds-pdp-wg] Calling it quits

> but for anti-*, a simple related query could be enough.

This is not enough. Knowing related domains as an analytic technique is useful, for correlation purposes. This is only part of the picture however. Analysts require the subtle bits of information that can be used as building blocks of intelligence during an adversary's campaign from the details themselves, even when those details are falsified. If these details are inaccessible, the value of the data provided by the system is lessened, and the ability to connect dots and build a case against the abusive actor slips away.

Not to mention as well that many criminals use numerous separate accounts at each service provider, anticipating that abuse teams will shut down some of those accounts. They plan for resiliency. This is enough to make the "related domains" case ineffective in that it can only provide part of the picture (i.e. only one of several segments of malicious infrastructure). Analysts who can see the necessary details can correlate across data sets, especially when combining e.g. passive DNS, Whois data, and URL telemetry to find their own relations.

- Darren

On Sun, Oct 29, 2017 at 8:25 PM, Rubens Kuhl <rubensk at nic.br> wrote:
> I've been involved in abuse fighting for quite some time, and my 
> interest in WHOIS data was to correlate objects, not to get the 
> information behind one of them, since that information was bogus, mostly.
>
> So I understand why IP concerns want access to actual WHOIS data, but 
> for anti-*, a simple related query could be enough. So instead of 
> knowing if phishing.com belongs to Mickey Mouse, you could access 
> rdap.registrar.com/phishing.com?related=yes and know that the same 
> registrant has also registered farming.com, banknameaccounts.com so 
> now you can expand the investigation into those objects.
>
> Knowing that Mickey Mouse registered those domains could bring me some
> laughs, but no actionable intelligence.
>
>
> Rubens
>
>
>
> On Oct 29, 2017, at 9:27 PM, Neil Schwartzman <neil at cauce.org> wrote:
>
> All,
>
> I've decided to withdraw from this and other anti-abuse groups. My 
> best wishes on a successful conclusion to the critically important 
> work you do here. Please don’t mess it up for anti-abuse researchers! 
> For real - our work is what keeps the Internet running, whether you 
> know it, appreciate it, care about it, or not. I am much inclined to believe you do care.
>
> We need access to WHOIS as is, or same level of access of WHOIS WHATWILLBE.
>
> This might be some credentialed, qualified paid access, but please
> believe me - we Antis aren’t just saying this to be trenchant. Any 
> strident comments come from a fear for all of our future without this cornerstone to our work.
> I was going to cobble together a use of WHOIS in my work for a day and 
> it took so long because I use it so much, the thing ended up at 
> several tens of thousands of words, and was really boring to read.
>
> Anything less, and things will become an even bigger sewer than it 
> already is. I know you all care, from different angles, so please do 
> bear these words in mind. You argue amongst yourselves, from a 
> position of personal belief in the great goodness this thing of ours 
> has inherent to it. It is a good thing, a great thing, and I intend to use that greatness.
>
> I’ve decided to tackle an easier project; rather than dealing with 
> WHOIS @ ICANN, I’m going to try to bring peace to the Middle East.
>
> Read all about it: HATE: The Reason I Quit Spamfighting
>
>
> Yours truly,
>
>
> Neil Schwartzman
> Executive Director
> Coalition Against Unsolicited Commercial Email http://cauce.org Tel : 
> (303) 800-6345 Twitter : @cauce
>
>
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>
>



--
Darren Spruell
phatbuckett at gmail.com
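
The contrast drawn in the thread above, between an account-scoped "related" query and correlation across Whois details and passive DNS, as an added illustration that is not part of the original messages. All domains, accounts, Whois values and IP addresses are constructed sample data, and treating the "related" query as keyed on the registrar account is an assumption.

```python
from collections import defaultdict

# Constructed sample data (not real registrations). "account" stands in for
# what a registrar-side "related" query could key on (an assumption); the
# other fields are the possibly falsified Whois details an analyst would see.
WHOIS = {
    "login-bank.example":     {"account": "A1", "email": "mickey@mail.example", "phone": "+1.5550100"},
    "secure-bank.example":    {"account": "A1", "email": "mickey@mail.example", "phone": "+1.5550100"},
    "bank-verify.example":    {"account": "B7", "email": "donald@mail.example", "phone": "+1.5550100"},
    "bank-update.example":    {"account": "C3", "email": "goofy@mail.example",  "phone": "+1.5550199"},
    "unrelated-shop.example": {"account": "D9", "email": "owner@shop.example",  "phone": "+1.5550142"},
}
# Constructed passive DNS observations: (domain, resolved IP).
PASSIVE_DNS = [
    ("login-bank.example", "192.0.2.10"),
    ("bank-verify.example", "192.0.2.44"),
    ("bank-update.example", "192.0.2.44"),
    ("unrelated-shop.example", "198.51.100.5"),
]

def related_by_account(domain):
    """Domains under the same registrar account: one segment only."""
    acct = WHOIS[domain]["account"]
    return {d for d, rec in WHOIS.items() if rec["account"] == acct}

def correlate(domain, fields=("email", "phone")):
    """Domains reachable from `domain` via shared Whois values or shared IPs."""
    by_value = defaultdict(set)      # (kind, value) -> domains carrying it
    for d, rec in WHOIS.items():
        for f in fields:             # fields=() models redacted Whois details
            by_value[(f, rec[f])].add(d)
    for d, ip in PASSIVE_DNS:
        by_value[("ip", ip)].add(d)
    seen, todo = {domain}, [domain]
    while todo:                      # walk the graph of shared values
        cur = todo.pop()
        for members in by_value.values():
            if cur in members:
                for d in members - seen:
                    seen.add(d)
                    todo.append(d)
    return seen

if __name__ == "__main__":
    seed = "login-bank.example"
    print("account-scoped:", sorted(related_by_account(seed)))
    print("cross-data-set:", sorted(correlate(seed)))
    print("details hidden:", sorted(correlate(seed, fields=())))
```

The reused phone number links the second account and the shared IP links the third, even though every registrant name is bogus; with the Whois fields withheld, the seed domain stays isolated.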


