[gnso-rds-pdp-wg] Another perspective on gated whois

John Bambenek jcb at bambenekconsulting.com
Mon Mar 27 19:07:26 UTC 2017


I am not the sole source on what is useful for investigators or intelligence professionals. I have some strong negative opinions on gated whois but wanted other points of view. So I spent some time speaking to some fellow intelligence professionals this weekend to get their perspective. I generally do more criminal investigation and their interests are different. I had assumed they would agree the gated whois was a bad idea but they disagreed and that surprised me. I am roughly paraphrasing their position below.

"The current state of whois doesn't allow me to identify a requestor of domain information with non-repudiability. If I set up a domain for an intelligence operation (spear phishing, C2, whatever) I have no good way to know via whois if the adversary is on to me. There are so many copies of these records around I'd have to serve paper on half the internet. Even if I had a wiretap on the right whois server, whois is over UDP so it can be spoofed. So I can have little confidence in what I get.

With gated whois, according to the EWG document you sent, not only will it use a modern protocol, it will require authentication. Even in the proposal, there was keeping of audit logs of who asked for what and presumably their source IP.  I am sure this will be encrypted and over TCP so no spoofing risk. Now I can run an intelligence op, and for the price of one national security letter, not only do I know if the adversary looked at my stuff, I know exactly WHO did the looking and what IP they came from. Now I have direct access to the adversaries' researchers for direct counterintelligence operations. I can quite literally target the exact people that are on my trail. 

So instead of having to set up a global surveillance infrastructure, all I need to do is make sure my printer is stocked with letterhead for all the NSLs to send to ICANN. And the best part is, it's the privacy advocates who have helpfully set up this infrastructure for me and someone else entirely funded it. Why wouldn't I love this?"

I thought this perspective was worth sharing. It certainly has given me something to think about. 
