Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity
Replying against my better judgement, as Andre appears to be Trolling for all he's worth. But on the off chance... On Thu, Jan 5, 2017 at 9:32 PM, ox <andre@ox.co.za> wrote:
On Tue, 03 Jan 2017 09:42:38 -0800 "Luis E. Muñoz" <lem@uniregistry.link> wrote:
On 3 Jan 2017, at 2:30, ox wrote:
When it becomes a "STANDARD" (ACCEPTABLE) and nefarious behavior is suddenly "the way things work" - then this is of serious concern.
You seem to be assigning intent to a tool. A hammer in the hands of an artist can produce a beautiful form of art while the same hammer can be used to hurt someone. It's not the hammer's fault. Besides, RPZ is not a requirement to implement the "walled gardens" you're describing. The same thing can be achieved by other, simpler means.
by the same argument then it would be perfectly fine for society to promote the distribution of DDOS tools, zero day hacking tools and, well methods to defraud Internet users, define best practise for Phishing, etc.
Acknowledging that tools exist is not the same as condoning their malicious, or inappropriate, use.
and no, of course you do not need RPZ to create "walled gardens" but discussing it "as normal practice" and "the way DNS works" and "okay" is what serves to legitimize RPZ as "perfectly fine"
Whereas in truth, it is EVIL.
I'm not sure that anyone's saying that it's accepted practice in the sense that everyone does - or should - do it. My experience is that private network operators, or service providers, have used it for specific reasons that suit them. In the case of a private network, that is entirely the right and choice. In the case of service providers - the old adage 'walk with your feet' applies. If you don't like it, select a different provider. At least in my part of the world, service providers are almost universally against 'mucking up' what is usually otherwise considered a clean and unmangled end-to-end service. Those service providers who do create 'walled gardens', do it for a reason, and the fact they do so is not a secret.
If you find the "lying" unacceptable, then this is what should be targeted, not the tools that are being used -- which BTW have positive uses that IMO far outweighs the abuse you're describing. Consider this use case: RPZ can be used to prevent a set of known DNS names from resolving, stopping the spread of computer malware. Moreover, it can also be used to alert operators of infected machines that their computers have been compromised.
Trillions and trillions of domain names can resolve to a single ip number.
Please give me one (as in singular) just ONE example of a domain that has trillions of IP numbers?
Removing the hyperbole, there is one very obvious and well established reason for a 1:many relationship of IPs to DNS names: Virtual service hosting. Given that the DNS serves to allow a human-readable name (or names) to point to a resource (by IP), the inverse relationship doesn't seem to serve many purposes (though there is a 1:many scenario, round-robin load balancing, that comes to mind). But again, I've removed your hyperbole, which may make these examples irrelevant.
Water does not flow uphill.
DNS firewalls are stupid.
You are expressing an opinion which is of course, your right. But if you think that somehow you are going to change the minds of some of the _very_ learned minds who participate in this group, you have another thing coming, I'm afraid.
I'm at least hesitant to describe any of those as lies. It's just a protocol exchange -- my machine asked for a name-to-IP map and received a suitable response, even one that actually fitted better with my current situation.
You are wrong.
When your user asks you for Google.com and you lie, this is a lie.
It is not just a lie, it is fraud.
If you then still take that a step further and tell different lies to different users (depends who is asking)
And, RPZ still takes that a step further, you deceive and hide your lies from your users
AND RPZ makes the management of this easy and defines methods how this is done - It is simply a hacking tool that promotes deception, secrets, fraud and other criminal activity.
This is all OTT and if it's the basis of your anger and frustration, you're going to do yourself some harm. It's not fraudulent. There's no intent to gain a pecuniary advantage. It's a safety measure[1], one fully disclosed to the user and one that can be bypassed. Again you make excessive use of hyperbole here so I won't further justify your comments with a response.
Granted, this is not the only use case. I dislike walled gardens, which is why I take measures to avoid them -- yet I won't attack the underlying technology because as I said, has far more positive uses.
There are many things about RPZ which is wrong - so many that it is EVIL!
And I am happy to discuss all the EVIL bits, which starts at the very foundation of RPZ and goes all the way up to the roof...
You've made your feelings about RPZ known, but mailing lists are interactive and bidirectional. You don't appear willing to at least respect the right of others in this group to express their disagreements with your opinion by engaging with them rationally, and instead appear to be trying to shout everyone down. I don't think you're doing yourself any favours.
I suggest other contributors to this thread weigh carefully their further contributions as from where I sit, this isn't going anywhere. Andre has marginalised himself and revealed a relatively extreme position that he will not compromise on, despite plenty of well reasoned responses.
Mark.
[1] I'm aware of circumstances where it's not used as a safety measure, and is instead used (or has been used) for some stupid click-intercept-advertising-revenue-crap, which I fully do not support. However Andre is railing against every situation where DNS answers are changed or filtered... and by and large most of this I'm aware of in recent years has been in the interests of security, customer / user protection, and crime fighting / fraud intervention. Quite the opposite of what Andre seems to assert.
On Thu, 5 Jan 2017 22:37:36 +1300 Mark Foster <blakjak@gmail.com> wrote:
Replying against my better judgement, as Andre appears to be Trolling for all he's worth. But on the off chance...
It seems, every time in post-truth, when positions are indefensible, the name calling starts? Calling me messianic, a troll, idiot or an asshole or whatever? Instead of simply dealing with the facts, the actual issues. And, then always adding... well, I will reply and do the world a favour just in case this person is not a troll, etc.
You seem to be assigning intent to a tool. A hammer in the hands of an artist can produce a beautiful form of art while the same hammer can be used to hurt someone. It's not the hammer's fault. Besides, RPZ is not a requirement to implement the "walled gardens" you're describing. The same thing can be achieved by other, simpler means. by the same argument then it would be perfectly fine for society to promote the distribution of DDOS tools, zero day hacking tools and, well methods to defraud Internet users, define best practise for Phishing, etc. Acknowledging that tools exist is not the same as condoning their malicious, or inappropriate, use.
exactly. But, you neglected to add - That it is not socially acceptable to define protocols for defrauding people, to tell lies, commit deception, etc.
and no, of course you do not need RPZ to create "walled gardens" but discussing it "as normal practice" and "the way DNS works" and "okay" is what serves to legitimize RPZ as "perfectly fine" Whereas in truth, it is EVIL.
I'm not sure that anyone's saying that it's accepted practice in the sense that everyone does - or should - do it.
My objections are entirely based on the publication and discussion and future RFC that will serve to legitimize RPZ. Heck, if you are honest, and from the responses in this thread, it is already "best practise" and quite acceptable to use/apply RPZ - as apparently "many" are doing this and have been doing it for years. If there is no education, discussion or even understanding that this is becoming "standard operating procedure", as is evident from the past 7? years, then RPZ will be an RFC in the next short while.
Trillions and trillions of domain names can resolve to a single ip number. Please give me one (as in singular) just ONE example of a domain that has trillions of IP numbers?
Removing the hyperbole, there is one very obvious and well established reason for a 1:many relationship of IPs to DNS names: Virtual service hosting.
If there are domains on a virtual host that are abusive the operator of that IP number has to either suspend that domain or remove it. The operator is liable for whatever his or her server does.
Given that the DNS serves to allow a human-readable name (or names) to point to a resource (by IP), the inverse relationship doesn't seem to serve many purposes (though there is a 1:many scenario, round-robin load balancing, that comes to mind). But again, I've removed your hyperbole, which may make these examples irrelevant.
All this is very exciting and a great discussion for a different thread, if everyone is in agreement that RPZ is Evil. Right now though, this tangent serves to detract from the main topic: That RPZ is DNS abuse, in itself, it is an abuse to Internet Society and it serves to promote Crime.
Water does not flow uphill. DNS firewalls are stupid.
You are expressing an opinion which is of course, your right. But if you think that somehow you are going to change the minds of some of the _very_ learned minds who participate in this group, you have another thing coming, I'm afraid.
Do not be fearful, I am not concerned so much with the "_very_ learned minds" in this group, they already understood what I am saying, in the first post. But, as we have seen, it is popularism and the _not_so_great minds that support the post-truth premises. It is also of course a lack of objectivity and a lack of understanding that domain names are actual property - as in domain names belong to someone or some organization and are not just simple "resources"
I'm at least hesitant to describe any of those as lies. It's just a protocol exchange -- my machine asked for a name-to-IP map and received a suitable response, even one that actually fitted better with my current situation.
You are wrong.
When your user asks you for Google.com and you lie, this is a lie.
It is not just a lie, it is fraud.
If you then still take that a step further and tell different lies to different users (depends who is asking)
And, RPZ still takes that a step further, you deceive and hide your lies from your users
AND RPZ makes the management of this easy and defines methods how this is done - It is simply a hacking tool that promotes deception, secrets, fraud and other criminal activity.
This is all OTT and if it's the basis of your anger and frustration, you're going to do yourself some harm. It's not fraudulent. There's no intent to gain a pecuniary advantage. It's a safety measure[1], one fully disclosed to the user and one that can be bypassed. Again you make excessive use of hyperbole here so I won't further justify your comments with a response.
Not so much as RPZ is abuse in itself. Or are you saying that RPZ is not a hacking/hacker/non ethical tool?
Granted, this is not the only use case. I dislike walled gardens, which is why I take measures to avoid them -- yet I won't attack the underlying technology because as I said, has far more positive uses. There are many things about RPZ which is wrong - so many that it is EVIL! And I am happy to discuss all the EVIL bits, which starts at the very foundation of RPZ and goes all the way up to the roof...
You've made your feelings about RPZ known, but mailing lists are interactive and bidirectional. You don't appear willing to at least respect the right of others in this group to express their disagreements with your opinion by engaging with them rationally, and instead appear to be trying to shout everyone down. I don't think you're doing yourself any favours.
I suggest other contributors to this thread weigh carefully their further contributions as from where I sit, this isn't going anywhere. Andre has marginalised himself and revealed a relatively extreme position that he will not compromise on, despite plenty of well reasoned responses.
yes, because I have not said anything about this train smash many years ago as I thought that it would be okay, "someone" would do something. Well, even in the DNS OPS list, I was the only one that stated direct, strong and uncompromising opposition to RPZ. "Someone" did not do anything, now we are sitting with an informational draft that promotes methods of lies, deception and is patently not ethical. I do not care, whether people agree with me, or disagree with me or if I am popular (give warm fuzzy feelings) or if anyone hates my guts. I am going to speak out, as in the next years, if RPZ does become an RFC, then that will also be just fine - as I did my very best to "promote" my own "truth" in this time when "truth" is negotiable and "facts" are simply inconvenient things the Big 5 Multinationals spin any way they like.
Andre
On Thu, Jan 05, 2017 at 12:04:19PM +0200, ox wrote:
[...] But, you neglected to add - That it is not socially acceptable to define protocols for defrauding people, to tell lies, commit deception,
Who defines what is socially acceptable? btw: most phishing pages use HTTP; HTTP is used for fraud and lies (probably more than RPZ will ever be...); but no one objects to the use of HTTP as a protocol -- as the protocol by itself has no moral "value"; it's only the use of a protocol for fraud which is not acceptable.
[...] Heck, if you are honest, and from the responses in this thread, it is already "best practise" and quite acceptable to use/apply RPZ - as apparently "many" are doing this and has been doing it for years.
Yes; mangling of DNS responses has been done for years; RPZ only defines a standard for this procedure (which is better than having many non-standard ways).
[...] That RPZ is DNS abuse, in itself, it is an abuse to Internet Society and it serves to promote Crime.
This is your point of view. Could you provide some evidence where RPZ promotes crime etc. (more than it helps preventing it)? Repeating "RPZ is Evil" again and again doesn't convince me, but as you said: we're in a post-truth world...
Thomas
On Thu, 5 Jan 2017 11:43:33 +0100 Thomas Mechtersheimer <thomasm@wupper.com> wrote:
On Thu, Jan 05, 2017 at 12:04:19PM +0200, ox wrote:
[...] But, you neglected to add - That it is not socially acceptable to define protocols for defrauding people, to tell lies, commit deception,
Who defines what is socially acceptable?
Great point :) Society defines its own ethics, morals and values. For example it would be perfectly acceptable to eat other people if we were cannibals :) In modern societies, from African, to Eastern, to American, European, etc. I would argue that there are certain "baselines". For example, it is not acceptable to eat people, as it is also not acceptable to defraud and tell lies. Or do you not agree?
btw: most phishing pages use HTTP; HTTP is used for fraud and lies (probably more than RPZ will ever be...); but no one objects to the use of HTTP as a protocol -- as the protocol by itself has no moral "value"; it's only the use of a protocol for fraud which is not acceptable.
Yes, and the but... Nowhere is there a protocol or defined method in an RFC about HTTP that promotes deception and lies... So, it is not about the technology existing - as was recently pointed out, technology in itself cannot be unethical... It is about the publication of a process that is unethical and if left unopposed will, in all probability, lead to a "standard"
[...] Heck, if you are honest, and from the responses in this thread, it is already "best practise" and quite acceptable to use/apply RPZ - as apparently "many" are doing this and has been doing it for years.
Yes; mangling of DNS responses has been done for years; RPZ only defines a standard for this procedure (which is better than having many non-standard ways).
same as above
[...] That RPZ is DNS abuse, in itself, it is an abuse to Internet Society and it serves to promote Crime.
This is your point of view. Could you provide some evidence where RPZ promotes crime etc. (more than it helps preventing it)? Repeating "RPZ is Evil" again and again doesn't convince me, but as you said: we're in a post-truth world...
I did post an exact example, but here it is again: The clear objective issue with RPZ is that it is unethical. Can you maybe help me to formulate this in a non emotive manner? What I have is examples of what RPZ facilitates:
- In truth Google.com is at a.a.a.a (or ipv6 eq)
- If user1 asks resolver the IP number for Google.com, the resolver can send false answer of x.x.x.x
- If user2 asks the same resolver where Google.com is, the resolver can supply false answer of y.y.y.y because user2 is doing the asking
- If user3 asks the same resolver where Google.com is, the same resolver can answer a.a.a.a
In all the above examples where fake (or any) answers were supplied, the resolver also hides the truth of the fake answer, to the user.
Andre
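Added example (editor's illustration, not code from any of the posts above nor from any RPZ implementation): a toy model of the two behaviours the thread argues over. Mark's use case is a resolver that refuses to resolve known malware names or sends them to a walled-garden notice page; Andre's objection is that the resolver then answers something other than the real data and the user cannot see that this happened. The model below applies RPZ-style QNAME triggers (exact name, `*.parent` wildcard, and a PASSTHRU exception), records every rewrite in a log that an operator could publish or show to the affected user, and includes the client-side check a user can make: compare the filtered answer against an independent reference answer. All names, addresses and policy entries are constructed; the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 ranges are documentation addresses, not real hosts.

```python
"""Toy RPZ-style policy resolver with a rewrite log and a client-side check.

Constructed example: the authoritative data, the policy and the clients are
all made up for illustration; nothing here talks to the network.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Policy actions, named after the RPZ conventions but simplified.
NXDOMAIN = "NXDOMAIN"   # answer: the name does not exist
NODATA = "NODATA"       # answer: the name exists but has no A record
PASSTHRU = "PASSTHRU"   # answer: the real data, even if a wider rule matches
# Any other action value is treated as a walled-garden address to answer with.


@dataclass
class Answer:
    qname: str
    rcode: str               # "NOERROR" or "NXDOMAIN"
    address: Optional[str]   # A record returned, if any
    rewritten: bool          # True when policy changed the real answer
    rule: Optional[str]      # trigger that fired, if any


@dataclass
class PolicyResolver:
    truth: Dict[str, str]    # constructed "authoritative" data: name -> IP
    policy: Dict[str, str]   # trigger -> action; trigger may be "*.parent"
    log: List[str] = field(default_factory=list)

    def _find_rule(self, name: str) -> Optional[str]:
        """Exact trigger first, then the closest wildcard ancestor."""
        if name in self.policy:
            return name
        labels = name.split(".")
        for i in range(1, len(labels)):
            wildcard = "*." + ".".join(labels[i:])
            if wildcard in self.policy:
                return wildcard
        return None

    def resolve(self, qname: str, client: str) -> Answer:
        name = qname.lower().rstrip(".")
        real = self.truth.get(name)
        rule = self._find_rule(name)
        action = self.policy.get(rule) if rule else None
        if action is None or action == PASSTHRU:
            # No policy applies (or an explicit exception): return real data.
            return Answer(name, "NOERROR" if real else "NXDOMAIN", real, False, rule)
        if action == NXDOMAIN:
            ans = Answer(name, "NXDOMAIN", None, True, rule)
        elif action == NODATA:
            ans = Answer(name, "NOERROR", None, True, rule)
        else:
            ans = Answer(name, "NOERROR", action, True, rule)  # walled garden
        # Every rewrite is recorded with the real answer it replaced, so the
        # operator can disclose the filtering rather than hide it.
        self.log.append(f"client={client} qname={name} rule={rule} "
                        f"action={action} real={real}")
        return ans


def differs_from_reference(answer: Answer, reference_address: Optional[str]) -> bool:
    """Client-side check: does the filtered answer disagree with an
    independent reference (e.g. a second, unfiltered resolver)?"""
    return answer.address != reference_address


# Constructed data for the demonstration.
TRUTH = {
    "www.google.com": "192.0.2.10",
    "malware.example": "198.51.100.7",
    "ads.tracker.example": "192.0.2.31",
    "cdn.tracker.example": "192.0.2.30",
}
POLICY = {
    "malware.example": "203.0.113.1",   # send to a walled-garden notice page
    "*.tracker.example": NXDOMAIN,      # block the whole subtree
    "cdn.tracker.example": PASSTHRU,    # ... except this needed host
}


def demo() -> PolicyResolver:
    r = PolicyResolver(TRUTH, POLICY)
    for client, name in [("user1", "www.google.com"), ("user1", "malware.example"),
                         ("user2", "ads.tracker.example"), ("user2", "cdn.tracker.example")]:
        a = r.resolve(name, client)
        print(f"{client} {name}: {a.rcode} {a.address} rewritten={a.rewritten} "
              f"reference_differs={differs_from_reference(a, TRUTH.get(name))}")
    return r


if __name__ == "__main__":
    demo()
```

Running it shows that an unlisted name (www.google.com) is answered with real data, the walled-garden and NXDOMAIN rewrites each leave a log entry naming the client, the trigger and the real answer they replaced, and the PASSTHRU exception overrides the wildcard block. The `differs_from_reference` check is the bypass Mark alludes to: a user who resolves the same name through an independent resolver sees immediately which answers were rewritten.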