[NCAP-Discuss] Honeypot refresher
Danny McPherson
danny at tcb.net
Thu Apr 30 15:24:07 UTC 2020
On 2020-04-30 10:35, Jeff Schmidt via NCAP-Discuss wrote:
> We are stuck in a Groundhog Day cycle of re-litigation on ancient
> issues.
I'll defer to Warren on his comments here but there are pros and cons,
certainly.
Some comments inline.
> Some suggest (repeatedly) that Controlled Interruption was designed
> the way it was because we don’t like data and honeypots (redirecting
> colliding lookups to some Internet host controlled by “good guys”)
> would generate the data panacea we always wanted but never had.
> Suddenly all of our questions would be answered, toast would never
> burn, and the coronavirus would be cured. This is wrong. Honeypots
> create significant new risks; we concluded that the risks created by a
> honeypot approach were worse than the rewards and suggested
> (Recommendation 12) alternative approaches to gathering more data.
> This issue was discussed extensively in the JAS Phase 2 report.
Jeff, while I certainly understand the primitives, was any actual legal
analysis done on JAS's conclusion there? I don't see any citations and
have always wondered whether, intuitive as it is, it benefited from any
legal advice.
Further, I am familiar with large-scale honeypots, as previously noted,
e.g.:
Tracking Global Threats with the Internet Motion Sensor
https://pdfs.semanticscholar.org/5ac5/c8dab89963c69198a7597d4a81a7bad980b3.pdf
The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets
https://www.usenix.org/legacy/event/sruti05/tech/full_papers/cooke/cooke.pdf
> Verisign in their public comments, agreed with us (quoting from
> Section 2 of their comment to the JAS Phase 2 Report):
>
> <Verisign quote>
>
> Verisign maintains its position that directing requesters to an
> internal address during the controlled interruption period is
> preferable to an external honeypot, because as previously stated, it
> avoids “controlled exfiltration” where sensitive traffic from an
> installed system – without the advance consent of the user or system
> administrator – may be drawn outside the local network. This risk is
> acknowledged in Google Registry’s comments advocating for the
> external honeypot [5]:
>
> “Unfortunately, some protocols will send sensitive information
> unsolicited (e.g., login.example/login.php?user=fred and HTTP
> cookies). The honeypot will specifically not log this sort of
> information, but this doesn't change the fact that the information has
> been communicated over the Internet.”
>
> </Verisign quote>
Indeed, I recall that text and don't disagree, but I would love to see a
study of the legal risks and liabilities, as opposed to the downstream
risks of not doing something.
> https://forum.icann.org/lists/comments-name-collision-26feb14/pdfTWUAZM3gBN.pdf
>
>
> Please refer to section 3.1.6 “Alternatives to Controlled
> Interruption” for a detailed discussion of Honeypot (Section 3.1.8)
> (and other) approaches:
>
> https://www.icann.org/en/system/files/files/name-collision-mitigation-final-28oct15-en.pdf
As stated in the document, JAS selected the Controlled Interruption
solution "that offers the most value with the least risk". I think
revisiting this is not Groundhog Day. That was a unilateral decision by
JAS and ICANN, and I understand why it was expeditious and convenient
given the backlog of applicants and businesses awaiting delegation
(because this work didn't happen before applications were accepted). But
it was not a community decision, and the occurrence and risks of
collisions still persist. They are arguably worse in some areas, with
more internet-connected devices using the DNS for rendezvous and service
discovery functions, which may present new risks (or opportunities).
Further, what labels should be reserved versus the "constrained" set in
the original AGB (e.g., at the TLD or SLD level)?
From your no-bid justification it's apparent that you didn't think this
work should happen at all, and yet you acknowledged in your brief
yesterday, as well as in the actions with corp.com (which are largely
the result of .CORP), that there are significant risks of collisions,
even in F20 companies that are surely the best resourced. These
positions seem conflicted to me.
The whole point of this work is to provide some predictability to
applicants when applying for new gTLDs (and to solidify what to do with
CORP, HOME, and MAIL). This speaks to Neuman's "give me a test and some
predictability please", which I wholly agree with and have all along. I
continue to believe that work such as label-based analysis affords the
best proactive predictability -- and can measurably be impacted with
outreach to query sources (e.g., developers, operators, etc.) IF
necessary. What data enables this, and what considerations should be
factored in (e.g., availability, negative caching, forwarders, recursive
resolvers and other intermediaries, local roots, operators that
synthesize responses, stringent and increasing privacy implications and
data masking/anonymization, and qname minimization), are but some
examples of an evolving landscape.
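To make the label-based analysis idea concrete, here is a minimal sketch
of the sort of tally one might run over a DNS query log: count distinct
query sources per candidate TLD label as one rough proxy for collision
exposure. The log format, field names, and candidate set here are
illustrative assumptions only, and a real analysis would have to account
for the caveats above (negative caching, forwarders, qname minimization,
privacy masking, etc.) before drawing conclusions:

```python
# Illustrative sketch only: tally distinct query sources per candidate
# TLD label from a hypothetical query log. Log format is assumed to be
# "<source-id> <qname>" per line; all names here are made up.
from collections import defaultdict

CANDIDATE_LABELS = {"corp", "home", "mail"}  # labels under discussion

def tally_queries(log_lines):
    """Return {label: number of distinct sources that queried it}."""
    sources = defaultdict(set)
    for line in log_lines:
        src, _, qname = line.strip().partition(" ")
        # Rightmost label of the query name, ignoring a trailing root dot.
        tld = qname.rstrip(".").rsplit(".", 1)[-1].lower()
        if tld in CANDIDATE_LABELS:
            sources[tld].add(src)
    return {label: len(s) for label, s in sources.items()}

sample = [
    "resolver-a mailserver.corp",
    "resolver-b printer.home",
    "resolver-a wpad.corp",
]
print(tally_queries(sample))  # {'corp': 1, 'home': 1}
```

Distinct-source counts (rather than raw query volume) matter because a
single busy resolver can otherwise dominate the totals.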
-danny
> Jeff