[gnso-rds-pdp-wg] [For Background] APWG report on phishers use of Domain Name System

Gomes, Chuck cgomes at verisign.com
Fri Jun 30 01:03:30 UTC 2017 

Everyone on this thread, please focus on the topic of data elements, and more specifically the meta set of possible data elements as we agreed to do in Johannesburg on Wednesday.

Chuck

Sent from my iPhone

On Jun 30, 2017, at 1:33 AM, allison nixon <elsakoo at gmail.com<mailto:elsakoo at gmail.com>> wrote:

>> That is not a reasonable requirement: this WG is not responsible for
>> tool development or design.  The protocol needs to change -- has
>> certainly needed to for 20 years -- and in order to make that happen
>> some tools will need to change.  There is no way to guarantee what
>> people will do to the user interface when they change tools.
>> Moreover, we don't have a common definition of what an "inferior" user
>> interface is anyway.  What would be a reasonable requirement is that
>> it is _possible_ to build a simialr user interface as what already
>> exists, but atop the new data access protocol.

My understanding is that under this closed system, the entity responsible for building the access method will no longer be "anyone with the motivation and talent", as it is now, but rather a single entity that must be authorized to work with such "sensitive" data and everyone will have to use them from now on. After all, anyone aggregating the whois data and reselling it under their interface would defeat the entire point of a gate.

>> I think I disagree with this claim.  We are in fact discussing what
>> the gated system, if it is created, is supposed to contain.  It is
>> possible that there are things currently in the public whois that
>> never should have been published at all, even to authenticated
>> parties, without some legal processes and I think we are going to have
>> to argue about that.  I am not claiming that there are such things: I
>> don't know, and part of my frustration over the last month or two has
>> been that we have been arguing over the obvious rather than getting
>> down to this quite difficult issue.

I think it's very much worth arguing about. Let's imagine the practical reality of getting that done.

For the legal process route- let's say for the sake of argument in the USA it'll require a subpoena because I don't think there's any process that has a lower bar. I've never sought a subpoena, but I know that colleagues in my industry sometimes do. I've heard that getting subpoenas for cybercrime related issues costs between 1 and 10 thousand dollars depending on lawyer and jurisdiction and other factors.  Also, using that process will get the customer's billing and IP info anyways. So if I have to get a court order, then I don't care about WHOIS. I'm getting everything.

I see two possibilities arising from requiring this. Either, a near-complete shutdown, or a streamlined process resulting in business-as-usual.

If a subpoena is the bar we set, all available information will be sought. I can guarantee these queries will also be made against every domain ever used in sent e-mail, and every domain queried from a corporate environment, at a minimum. This is supposed to enhance privacy? Or is the goal to prevent some portion of the queries made for the purposes of network defense?

We also face the obvious fact that Russian judges are unlikely to unmask whois for Russian domains used to meddle in elections(or any of the obscene volume of cybercrime coming from there), and Chinese judges are unlikely to unmask Chinese domains used to hack other militaries. Does our working group accept these predictable outcomes as valid?

Court orders also take weeks. I'd like to hear a serious proposal on how this "legal process" will work and somehow not result in either a 100% shutdown of anti-abuse activity or a massive violation of privacy.

>> I strongly agree with this.  Those registering domain names on the
>> Internet are not simply passive users, and it is reasonable to treat
>> them differently than people who are just visiting web pages, for
>> instance.  Since the test is whether some infringement on people's
>> data is necessary, we will do well to remember that there is no need
>> to register domain names on the Internet in order to connect to it or
>> use it.

Public whois has been a fact for a very long time. The only people who are shocked by this are uninformed. We can't dismantle the Internet for their sake.






On Thu, Jun 29, 2017 at 5:26 PM, Andrew Sullivan <ajs at anvilwalrusden.com<mailto:ajs at anvilwalrusden.com>> wrote:
Hi,

I am sympathetic, as you know, to the concerns of researchers using
the current RDS.  But I think we need to be careful.

On Thu, Jun 29, 2017 at 04:04:18PM -0400, allison nixon wrote:
> -The gated access cannot have an inferior user interface compared to
> current tools

That is not a reasonable requirement: this WG is not responsible for
tool development or design.  The protocol needs to change -- has
certainly needed to for 20 years -- and in order to make that happen
some tools will need to change.  There is no way to guarantee what
people will do to the user interface when they change tools.
Moreover, we don't have a common definition of what an "inferior" user
interface is anyway.  What would be a reasonable requirement is that
it is _possible_ to build a simialr user interface as what already
exists, but atop the new data access protocol.

> -The gated access cannot have an inferior dataset

I don't think this requirement is possible to specify in advance,
since it is precisely what we are arguing about.  Accepting this
requirement would be begging the question.

(I would go through the rest of the items, but I think they have
similar problems.)  More generally,

> The gated system is supposed to replicate in a closed system what the open
> system has accomplished naturally. This is an exceedingly difficult task,
> and the price of failure is high.

I think I disagree with this claim.  We are in fact discussing what
the gated system, if it is created, is supposed to contain.  It is
possible that there are things currently in the public whois that
never should have been published at all, even to authenticated
parties, without some legal processes and I think we are going to have
to argue about that.  I am not claiming that there are such things: I
don't know, and part of my frustration over the last month or two has
been that we have been arguing over the obvious rather than getting
down to this quite difficult issue.

> Users need to be educated about all the risks so they can weigh them in a
> manner that makes the most sense for their situation. It's not just junk
> mail.

I strongly agree with this.  Those registering domain names on the
Internet are not simply passive users, and it is reasonable to treat
them differently than people who are just visiting web pages, for
instance.  Since the test is whether some infringement on people's
data is necessary, we will do well to remember that there is no need
to register domain names on the Internet in order to connect to it or
use it.

Best regards,

A

--
Andrew Sullivan
ajs at anvilwalrusden.com<mailto:ajs at anvilwalrusden.com>
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg at icann.org<mailto:gnso-rds-pdp-wg at icann.org>
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg



--
_________________________________
Note to self: Pillage BEFORE burning.
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg at icann.org<mailto:gnso-rds-pdp-wg at icann.org>
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20170630/801e5b77/attachment.html>

More information about the gnso-rds-pdp-wg mailing list