<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"MS Mincho";
panose-1:2 2 6 9 4 2 5 8 3 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@MS Mincho";
panose-1:2 2 6 9 4 2 5 8 3 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:JA">Here’s one that was used during a criminal investigation though it was found by non-law-enforcement people.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:JA"><a href="http://thinkprogress.org/justice/2015/06/20/3672201/alleged-dylann-roof-racist-manifesto-revealed/">http://thinkprogress.org/justice/2015/06/20/3672201/alleged-dylann-roof-racist-manifesto-revealed/</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:JA"><o:p> </o:p></span></p>
<p class="MsoNormal"><a name="_MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:JA"><o:p> </o:p></span></a></p>
<span style="mso-bookmark:_MailEndCompose"></span>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Rod Rasmussen [mailto:rrasmussen@infoblox.com]
<br>
<b>Sent:</b> Tuesday, July 19, 2016 5:25 PM<br>
<b>To:</b> Mounier, Grégory <gregory.mounier@europol.europa.eu><br>
<b>Cc:</b> Chuck Gomes <cgomes@verisign.com>; Mark Svancarek <marksv@microsoft.com>; Andrew Sullivan <ajs@anvilwalrusden.com>; gnso-rds-pdp-wg@icann.org<br>
<b>Subject:</b> Re: [gnso-rds-pdp-wg] @EXT WHOIS info and investigation<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Krebs is always a great read - really knows his stuff technically and as a journalist. If you liked this, check out his book Spam Nation for a whole history of this and some of the main actors behind it throughout most of the last ten
years.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">This is a fairly typical OSINT (Open Source Intelligence) type of investigation. You’d think criminal “masterminds” wouldn’t use horrible operational security practices like using their same personal information on social media accounts,
malicious and personal domain registrations, embedded in malcode, or in e-mails. Yet they do every day and this is a major source of cybersecurity professionals being able to track down all manner of undesirable Internet activities from services abuse to
flat-out illegal acts in most if not all jurisdictions.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">A couple of additional things to note.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">1) Law enforcement had nothing to do with this particular story/investigation. This is true for most cybersecurity operational activity and investigations - it’s largely a private-sector affair with security companies of various flavors
looking at the malware, spam, malvertizing, etc. that crosses their paths. From that starting point they try to figure out things like what else is tied to it (so I can block or kill it), or “who’s doing this”, or “what are they really up to?”<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">2) There are a lot of “established” service providers around the world that have heavy levels of abuse on them over a very long time. It is really hard at times to separate “bad guys” from “incompetent” or “uncaring" operators. Collection
of data like this can lead to connections between various activities that can put a much better color on their hats.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">3) To then bring charges that could actually affect a subject’s life though, any and all of this kind of research is merely a starting point that the police then use to inform a much more traditional investigation that involves formal records
requests, court-ordered actions like search warrants or wiretaps, etc. so they can develop court admissible evidence. A whois query result is not evidence, and no one gets thrown in jail for having a dodgy domain registered in their name.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Cheers,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Rod<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On Jul 19, 2016, at 3:03 PM, Mounier, Grégory <<a href="mailto:gregory.mounier@europol.europa.eu">gregory.mounier@europol.europa.eu</a>> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Dear all,<span class="apple-converted-space"> </span><br>
<br>
Here is a nice example of how WHOIS information is used to investigate unlawful activities:<br>
<br>
<a href="http://krebsonsecurity.com/2016/07/carbanak-gang-tied-to-russian-security-firm/">http://krebsonsecurity.com/2016/07/carbanak-gang-tied-to-russian-security-firm/</a><br>
<br>
Greg</span><strong><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></strong></p>
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif"> </span></b><o:p></o:p></p>
</div>
<div class="MsoNormal" align="center" style="text-align:center"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">
<hr size="2" width="100%" align="center">
</span></div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif">From:</span></b><span class="apple-converted-space"><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif"> </span></span><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif"><a href="mailto:gnso-rds-pdp-wg-bounces@icann.org">gnso-rds-pdp-wg-bounces@icann.org</a><span class="apple-converted-space"> </span>on
behalf of Gomes, Chuck<br>
<b>Sent:</b><span class="apple-converted-space"> </span>18 July 2016 20:26:34<br>
<b>To:</b><span class="apple-converted-space"> </span>'Mark Svancarek'; 'Andrew Sullivan';<span class="apple-converted-space"> </span><a href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br>
<b>Subject:</b><span class="apple-converted-space"> </span>Re: [gnso-rds-pdp-wg] An important technical consideration about nature of the service (was Re: The overflowing list )</span><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Helvetica",sans-serif">Thanks Mark.<br>
<br>
Chuck<br>
<br>
-----Original Message-----<br>
From: Mark Svancarek [<a href="mailto:marksv@microsoft.com">mailto:marksv@microsoft.com</a>]<span class="apple-converted-space"> </span><br>
Sent: Monday, July 18, 2016 1:40 PM<br>
To: Gomes, Chuck; 'Andrew Sullivan';<span class="apple-converted-space"> </span><a href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br>
Subject: RE: [gnso-rds-pdp-wg] An important technical consideration about nature of the service (was Re: The overflowing list )<br>
<br>
I'll take a stab at it. <span class="apple-converted-space"> </span><br>
I've also asked our IP/Brand people and digital crimes people to help me document how Microsoft uses WhoIs data today, but not ETA when that will be ready.<br>
<br>
-----Original Message-----<br>
From:<span class="apple-converted-space"> </span><a href="mailto:gnso-rds-pdp-wg-bounces@icann.org">gnso-rds-pdp-wg-bounces@icann.org</a><span class="apple-converted-space"> </span>[<a href="mailto:gnso-rds-pdp-wg-bounces@icann.org">mailto:gnso-rds-pdp-wg-bounces@icann.org</a>]
On Behalf Of Gomes, Chuck<br>
Sent: Saturday, July 16, 2016 6:29 AM<br>
To: 'Andrew Sullivan' <<a href="mailto:ajs@anvilwalrusden.com">ajs@anvilwalrusden.com</a>>;<span class="apple-converted-space"> </span><a href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br>
Subject: Re: [gnso-rds-pdp-wg] An important technical consideration about nature of the service (was Re: The overflowing list )<br>
<br>
Any volunteers to develop Andrew's suggestions into use cases?<br>
<br>
Chuck<br>
<br>
-----Original Message-----<br>
From:<span class="apple-converted-space"> </span><a href="mailto:gnso-rds-pdp-wg-bounces@icann.org">gnso-rds-pdp-wg-bounces@icann.org</a><span class="apple-converted-space"> </span>[<a href="mailto:gnso-rds-pdp-wg-bounces@icann.org">mailto:gnso-rds-pdp-wg-bounces@icann.org</a>]
On Behalf Of Andrew Sullivan<br>
Sent: Saturday, July 16, 2016 1:00 AM<br>
To:<span class="apple-converted-space"> </span><a href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br>
Subject: [gnso-rds-pdp-wg] An important technical consideration about nature of the service (was Re: The overflowing list )<br>
<br>
Thanks, Stephanie, for the quick issue list. There's one thing that I want to draw out here so that we can keep it foremost when thinking of<br>
issues:<br>
<br>
On Sat, Jul 16, 2016 at 12:05:10AM -0400, Stephanie Perrin wrote:<br>
<br>
> * Where the RDS (whether a central database or federated or completely<br>
> disaggregated) resides becomes important for law enforcement access.<br>
<br>
This "where data resides" issue is bound to vex us, no matter what kind of policy we come up with. But it's really important to keep in mind that the different styles of system design will yield very different properties.<br>
<br>
In the taxonomy I offered before<br>
(<a href="https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fmm.icann.org%2fpipermail%2fgnso-rds-pdp-wg%2f2016-June%2f000951.html&data=01%7c01%7cmarksv%40microsoft.com%7c1ec700f7dd804a931a7008d3ad7d39a5%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=d3d1ttF1Z5Kn9M1VZ1RKPFSppMzJHpCaIKM1LHynBBQ%3d">https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fmm.icann.org%2fpipermail%2fgnso-rds-pdp-wg%2f2016-June%2f000951.html&data=01%7c01%7cmarksv%40microsoft.com%7c1ec700f7dd804a931a7008d3ad7d39a5%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=d3d1ttF1Z5Kn9M1VZ1RKPFSppMzJHpCaIKM1LHynBBQ%3d</a>),<br>
models I and V have a clear since answer to, "Where does the data reside?" because they have a single database backing them up. In models II-IV, however, the answer to, "Where does the data reside?" is actually not entirely meaningful. There are multiple
places where the data are, and for data with respect to any given domain name each datum might be in a different place. (Indeed, part of the design of RDAP is precisely to make such arrangements easier to deal with.)<br>
<br>
It is therefore better to try to find a way, consistent with all of the various requirements documents, to answer some other questions.<br>
I think these might be helpful in building use cases:<br>
<br>
1. For any given datum, who has control of and access to the datum?<br>
<br>
2. For any given datum, what are the conditions under which the<br>
datum ought to be accessible?<br>
<br>
3. For any given set of related data, how can it be accessed?<br>
<br>
Notice that answering (3) will provides use cases for data access, whereas (1) and (2) provide for limit conditions on how and when use cases might be apply.<br>
<br>
I hope these framing questions are helpful in figuring out which use cases we can bring to bear on requirements.<br>
<br>
Best regards,<br>
<br>
A<br>
<br>
--<br>
Andrew Sullivan<br>
<a href="mailto:ajs@anvilwalrusden.com">ajs@anvilwalrusden.com</a><br>
_______________________________________________<br>
gnso-rds-pdp-wg mailing list<br>
<a href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br>
<a href="https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fmm.icann.org%2fmailman%2flistinfo%2fgnso-rds-pdp-wg&data=01%7c01%7cmarksv%40microsoft.com%7c1ec700f7dd804a931a7008d3ad7d39a5%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=3UHPWnRvJ10WShDEPFQ8Ymkb8KFChrH%2f7ODoElAYbfQ%3d">https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fmm.icann.org%2fmailman%2flistinfo%2fgnso-rds-pdp-wg&data=01%7c01%7cmarksv%40microsoft.com%7c1ec700f7dd804a931a7008d3ad7d39a5%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=3UHPWnRvJ10WShDEPFQ8Ymkb8KFChrH%2f7ODoElAYbfQ%3d</a><br>
_______________________________________________<br>
gnso-rds-pdp-wg mailing list<br>
<a href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br>
<a href="https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fmm.icann.org%2fmailman%2flistinfo%2fgnso-rds-pdp-wg&data=01%7c01%7cmarksv%40microsoft.com%7c1ec700f7dd804a931a7008d3ad7d39a5%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=3UHPWnRvJ10WShDEPFQ8Ymkb8KFChrH%2f7ODoElAYbfQ%3d">https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fmm.icann.org%2fmailman%2flistinfo%2fgnso-rds-pdp-wg&data=01%7c01%7cmarksv%40microsoft.com%7c1ec700f7dd804a931a7008d3ad7d39a5%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=3UHPWnRvJ10WShDEPFQ8Ymkb8KFChrH%2f7ODoElAYbfQ%3d</a><br>
_______________________________________________<br>
gnso-rds-pdp-wg mailing list<br>
<a href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br>
<a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">*******************<br>
<br>
DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained
in it.<br>
Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated.<br>
<br>
******************* _______________________________________________<br>
gnso-rds-pdp-wg mailing list<br>
</span><a href="mailto:gnso-rds-pdp-wg@icann.org"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">gnso-rds-pdp-wg@icann.org</span></a><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><br>
</span><a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</span></a><o:p></o:p></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</div>
</body>
</html>