[gnso-rds-pdp-wg] Calling it quits

Darren S. phatbuckett at gmail.com
Mon Oct 30 07:02:54 UTC 2017


> but for anti-*, a simple related query could be enough.

This is not enough. Knowing related domains as an analytic technique
is useful, for correlation purposes. This is only part of the picture
however. Analysts require the subtle bits of information that can be
used as building blocks of intelligence during an adversary's campaign
from the details themselves, even when those details are falsified. If
these details are inaccessible, the value of the data provided by the
system is lessened, and the ability to connect dots and build a case
against the abusive actor slips away.

Not to mention as well that many criminals use numerous separate
accounts at each service provider, anticipating that abuse teams will
shut down some of those accounts. They plan for resiliency. This is
enough to make the "related domains" case ineffective in that it can
only provide part of the picture (i.e. only one of several segments of
malicious infrastructure). Analysts who can see the necessary details
can correlate across data sets, especially when combining e.g. passive
DNS, Whois data, and URL telemetry to find their own relations.

- Darren

On Sun, Oct 29, 2017 at 8:25 PM, Rubens Kuhl <rubensk at nic.br> wrote:
> I've been involved in abuse fighting for quite some time, and my interest in
> WHOIS data was to correlate objects, not to get the information behind one
> of them, since that information was bogus, mostly.
>
> So I understand why IP concerns want access to actual WHOIS data, but for
> anti-*, a simple related query could be enough. So instead of knowing if
> phishing.com belongs to Mickey Mouse, you could access
> rdap.registrar.com/phishing.com?related=yes and know that the same
> registrant has also registered farming.com, banknameaccounts.com so now you
> can expand the investigation into those objects.
>
> Knowing that Mickey Mouse registered those domains could bring me some
> laughs, but no actionable intelligence.
>
>
> Rubens
>
>
>
> On Oct 29, 2017, at 9:27 PM, Neil Schwartzman <neil at cauce.org> wrote:
>
> All,
>
> I've decided to withdraw from this and other anti-abuse groups. My best
> wishes on a successful conclusion to the critically important work you do
> here. Please don’t mess it up for anti-abuse researchers! For real - our
> work is what keeps the Internet running, whether you know it, appreciate it,
> care about it, or not. I am much inclined to believe you do care.
>
> We need access to WHOIS as is, or same level of access of WHOIS WHATWILLBE.
>
> This might be some credentialed, qualified paid access, but please believe
> me - we Antis aren’t just saying this to be trenchant. Any strident comments
> come from a fear for all of our future without this cornerstone to our work.
> I was going to cobble together a use of WHOIS in my work for a day and it
> took so long because I use it so much, the thing ended up at several tens of
> thousands of words, and was really boring to read.
>
> Anything less, and things will become an even bigger sewer than it already
> is. I know you all care, from different angles, so please do bear these
> words in mind. You argue amongst yourselves, from a position of personal
> belief in the great goodness this thing of ours has inherent to it. It is a
> good thing, a great thing, and I intend to use that greatness.
>
> I’ve decided to tackle an easier project; rather than dealing with WHOIS @
> ICANN, I’m going to try to bring peace to the Middle East.
>
> Read all about it: HATE: The Reason I Quit Spamfighting
>
>
> Yours truly,
>
>
> Neil Schwartzman
> Executive Director
> Coalition Against Unsolicited Commercial Email
> http://cauce.org
> Tel : (303) 800-6345
> Twitter : @cauce
>
>
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>



-- 
Darren Spruell
phatbuckett at gmail.com

