Re: [anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox")
Hi Alex,

Understood, and thanks a lot; it is very helpful to know that the ecommerce directive has a problem.

As said, I’m not advocating for RIPE to take actions if the operator doesn’t react on an abuse case.

What I’m trying to make sure, mainly, is that the abuse contact is a *real one*. The actual validation doesn’t ensure this. So the current situation (using your words) is not correct. I think this is the main problem. I believe most of the LIRs/end-users, don’t understand that there is a “small” problem here.

So a direct question. Do you think it is acceptable that RIPE NCC does a good validation (as done by ARIN, APNIC and soon LACNIC), or it is acceptable that any operator can use a fake email?

Regards,
Jordi
@jordipalet

On 16/1/20 18:04, "Alex de Joode" <adejoode@idgara.nl> wrote:

Hi Jordi,

The inability based on the current ecommerce directive to adequately hold providers responsible when they ignore notices is the reason the Dutch government came up with some 'suggestions' on how to fix these. I'm involved in mitigating the adverse effects of these proposals. (I'm a lawyer and a lobbyist, so a double bad ;))

In my opinion RIPE should ensure those willing have an easy means of knowing who to contact. (that is the current situation) Full mailboxes/bounces etc is something the resource holder should take care of himself.

Resource holders who are not interested in properly handling notices, and are striving for a 'McColo status' should be dealt with. However that should not be a role nor a responsibility of RIPE. Europol's EC3, JITs, local police etc should primarily deal with this (yes takes time and effort). Advocating for a role for RIPE basically is outsourcing policing (based on Term of Service, something advocated by "your local police" as this looks like a "quick fix" however expect them to insist your ToS needs to have an article "x" and "y" soon.), and removes a lot of due process safeguards you have under the criminal system.
If the internet is a "wretched hive of scum and villainy" the powers that be should allocate enough resources to deal with the problem.

--
IDGARA | Alex de Joode | alex@idgara.nl | +31651108221 | Skype:adejoode

On Thu, 16-01-2020 17h 17min, JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:

Hi Alex,

My reading of the eCommerce Directive (https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32000L0031) is different.

Some points (most relevant text only):

(40) … the provisions of this Directive relating to liability should not preclude the development and effective operation, by the different interested parties, of technical systems of protection and identification and of technical surveillance instruments …

(44) A service provider who deliberately collaborates with one of the recipients of his service in order to undertake illegal acts goes beyond the activities of "mere conduit" or "caching" and as a result cannot benefit from the liability exemptions established for these activities.

(46) In order to benefit from a limitation of liability, the provider of an information society service, consisting of the storage of information, upon obtaining actual knowledge or awareness of illegal activities has to act expeditiously to remove or to disable access to the information concerned ...

So, if I'm reading it correctly (not being a lawyer), a service provider not acting against abuse when it has been informed of so, is liable.

I'm sure if the service provider tries to avoid being "informed" by not looking at notifications (email, postal, fax, etc.), they will also be liable in front of courts.

Regards,
Jordi
@jordipalet

On 16/1/20 16:40, "Alex de Joode" <alex@idgara.nl> wrote:

Jordi,

Nice analogy, but when you add the eCommerce Directive into the mix, where a network provider (or hosting provider) is not liable for what their users do, the outcome changes.
Only if you have knowledge there might be a possibility for liability, but if you do not accept abuse notices, and therefore do not have knowledge you are not liable. Also note there is no monitoring obligation, but if you do monitor you can gain knowledge and become liable for -everything-.

So the current legal environment (in the EU) isn't very 'pro' abuse handling.

--
IDGARA | Alex de Joode | alex@idgara.nl | +31651108221 | Skype:adejoode

On Thu, 16-01-2020 15h 18min, JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:

Let’s try to see it from another perspective.

If you’re an electricity provider, and one of your customers injects 1.000 v into the network and thus creates damages to other customers (even from other electricity providers), the electricity provider must have the means to resolve the problem, disconnect that customer if needed, and pay the damages if the customer creating them doesn’t do that.

When this happens, most of the time, the customer insurance will cover it, initially, and then claim to the electricity provider insurance, which in turn, can claim to the customer creating the trouble.

If insurance doesn’t work, most of the time, law will make the electricity provider responsible at the same level of the defaulting customer (especially if this one doesn’t pay the damages).

I’m sure that this is the same in every EU country. Can we agree on that?

This is totally symmetric to the Internet. An operator provides a service.
If a customer is creating damages, even to customers of other operators, the minimum that the provider of the defaulting customer should be able to do is:

1) Receive the abuse report (it can be automated)
2) Investigate the abuse (it can be automated in many cases, especially if we mandate a format for the reporting, and there are open source tools that do that for most of the cases)
3) If it is against the AUP with its customers, take actions, warnings to the customer the first time, etc., even disconnecting the customer (of course, this means losing customers such as spammers that pay a lot …)

I don’t expect to respond to the abuse, but it’s nice to do. There are many open source ticket systems that do most of this.

I don’t expect to compensate the victims, but I’m sure it can be done if the victims go to the courts. No difference with the electricity example, just we don’t have (as I know) this kind of insurance for Internet abuses. Actually, it will be very nice to have those insurances, because insurance companies have the power to put together many claims in the courts, so operators that don’t care about abuse pay for it.

Regards,
Jordi
@jordipalet

On 16/1/20 15:03, "anti-abuse-wg on behalf of Volker Greimann" <anti-abuse-wg-bounces@ripe.net on behalf of vgreimann@key-systems.net> wrote:

Hi Sara,

isn't making the world (and the internet) first and foremost a job of law enforcement agencies like the police and Europol? While I agree that everyone has a role to play, crime prevention and protection of the public is part of the LEA job description, right? Civil society entities certainly have a role to play, but it does not help trying to deputize them into a role they do not carry.

I disagree that the contract language you quote puts any duty of care regarding the abuse of any networks by third parties on the parties to the agreement.
That duty may arise from other sources, but this language is directed at its own information the party provides to RIPE NCC and the cooperation with any audits. Just because it includes the word security does not mean it refers to all thinkable security issues.

The ability of any part of the internet infrastructure to curtail abuse that somehow touches services it provides is usually severely curtailed and its ability to review abuse complaints is usually limited to the resources it provides. In many cases, that is simply not enough information to go on when dealing with many common forms of abuse.

Best,
Volker

On 16.01.2020 at 14:23, Marcolla, Sara Veronica wrote:

Very well put, Sérgio. Thank you for voicing clearly the concern of (at least a part of) the community.

We should not forget that, according to the provisions of RIPE NCC audits, “every party that has entered into an agreement with the RIPE NCC is contractually obliged to provide the RIPE NCC with complete, updated and accurate information necessary for the provision of the RIPE NCC services and to assist the RIPE NCC with audits and security checks”. Complete, accurate information goes hand in hand with a duty of care, of promptly taking actions against abuse, and should be accompanied by a social responsibility of trying to make the Internet a safe and secure place for everyone, thus not enabling actively DDoS, spammers, and criminals in general.

If the community does not agree that everyone has the right to a safe, spam free, crime free Internet, maybe we have some issue to solve here first.
Kind regards,
Sara

Europol - O3 European Cyber Crime Centre (EC3)
Eisenhowerlaan 73, 2517 KK The Hague, The Netherlands
http://www.europol.europa.eu

From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> On Behalf Of Sérgio Rocha
Sent: 16 January 2020 13:38
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

Hi,

Agree, This anti-abuse list seems the blocking group to any anti-abuse response measure.

It's amazing that nobody can't propose anything without receiving a shower of all sorts of arguments against.

There is an idea that everyone has to hold, if as a community we cannot organize a policy, one of these days there will be a problem that will make governments take the opportunity to legislate and we will no longer have the free and open internet.

There are a few ideas that are simple to understand:

1 - If you have been assigned a network you have responsibilities, paying should not be the only one.
2 - There is no problem with email, since ever are made solutions to integrate with emails. There is no need to invent a new protocol. Who has a lot of abuse, invests in integrating these emails.
3 - If you have no ability to manage abuse should not have addressing, leave it to professionals.

The internet is critical for everyone, the ability for actors to communicate with each other to respond to abuse must exist and RIPE must ensure that it exists.

It’s like the relation with local governments, there is a set of information that has to be kept up to date to avoid problems, in RIPE it must be the same.

Sergio

From: anti-abuse-wg [anti-abuse-wg-bounces@ripe.net] On Behalf Of Fi Shing
Sent: 16 January 2020 04:55
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
> Best not to judge the race until it has been fully run.
I just do not understand how anyone on this list (other than a criminal or a business owner that wants to reduce overheads by abolishing an employee who has to sit and monitor an abuse desk) could be talking about making it easier for abuse to flourish.

It is idiotic and is not ad hominem.

This list is filled with people who argue for weeks, perhaps months, about the catastrophic world ending dangers of making an admin verify an abuse address ONCE a year .... and then someone says "let's abolish abuse desk altogether" and these idiots emerge from the woodwork like the termites that they are and there's no resistance?

The good news is that nothing talked about on this list is ever implemented, so .. talk away you criminals.

--------- Original Message ---------
Subject: Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")
From: "Ronald F. Guilmette" <rfg@tristatelogic.com>
Date: 1/16/20 11:47 am
To: "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net>

In message <20200115155949.af7f9f79718891d8e76b551cf73e1563.e548b98006.mailapi@email19.asia.godaddy.com>, "Fi Shing" <phishing@storey.xxx> wrote:
> That is the most stupid thing i've read on this list.
Well, I think you shouldn't be quite so harsh in your judgement. It is not immediately apparent that you have been on the list for all that long. So perhaps you should stick around for awhile longer before making such comments. If you do, I feel sure that there will be any number of stupider things that may come to your attention, including even a few from yours truly.

Best not to judge the race until it has been fully run.
> Which criminal is paying you to say this nonsense, because no ordinary person that has ever received a spam email would ever say such crap.
I would also offer the suggestion that such inartful commentary, being as it is, ad hominem, is not at all likely to advance your agenda. It may have felt good, but I doubt that you have changed a single mind, other than perhaps one or two who will now be persuaded to take the opposing position, relative to whatever it was that you had hoped to achieve.

Regards,
rfg

*******************
DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it. Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated.
*******************

--
Volker A. Greimann

**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicitly authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
Colleagues

I have just read this whole thread, it took a while (I should get sick more often and spend a day in bed reading emails). I have a few points to make. Some are similar to points already raised but I will reinforce them. I cut out the bits I want to respond to, but sorry I have not included the authors (you will know if it's you).

"If I need to use a web form, which is not standard, for every abuse report that I need to submit, there is no sufficient time in the world to fill all them."

So instead each resource holder must interpret randomly written emails and find any relevant information from within lots of junk.

"ever since the day that RIPE NCC first published an abuse reporting address in the data base, it has, in effect, injected itself, even if only to a minimal degree, into the relationship between a network abuse victim and the relevant resource holders that have clear connections to the abuse source"

To be clear, the RIPE NCC is the data controller, not the data content provider. The RIPE NCC does not publish the abuse contacts, they facilitate resource holders to publish them.

"make abuse-c: an optional attribute (basically, unrolling the "mandatory" part of the policy proposal that introduced it in the first place)"

As co-author/designer of "abuse-c:" one of the original aims of the "abuse-c:" attribute was to provide one single point of contact for a resource holder's abuse reports. If it is made optional, abuse reports would simply be sent to the "admin-c:", "tech-c:", "notify:", etc email addresses, as they were before. People will simply search the database for any email address associated with the resource holder and spam them all. It won't stop abuse reports being sent 'somewhere'. And once someone has had to go to the trouble of finding a list of email addresses to use for the resource holder who has no "abuse-c:", then they will probably do the same for all reports they send. So those of you who do respond to abuse complaints will find complaints being sent to a whole host of your email addresses from the RIPE Database. We lose the 'keep it in one well defined location' benefit.

"at the very least, RIPE NCC could set up and maintain just a basic review "platform" where the public at large can at least make it known to all observers which networks are the assholes and which ones aren't."

This would be an excellent way for a network operator to 'take out' their competitors.

"While I would accept Gert's proposal for making abuse-c an optional attribute, the reason I offered a counter proposal for publishing "a statement to the effect that the network operator does not act on abuse reports" is to add clarity at a high level."

How many operators are going to make such a statement? It would become an invitation to block their traffic. If that was the alternative to any verification then they know if they don't make such a statement there will be no penalty. So just don't make a statement and still ignore the reports.

"i'm more worried about someone using real e-mail addresses of real unrelated people than the /dev/null or unattended mailboxes."

Separately to this discussion we need to have a mechanism to say "Remove my email address from this resource", as Google has when someone uses your gmail address as a recovery address. (A service I use on a weekly basis)

"Nice analogy, but when you add the eCommerce Directive into the mix, where a network provider (or hosting provider) is not liable for what their users do, the outcome changes. Only if you have knowledge there might be a possibility for liability, but if you do not accept abuse notices, and therefore do not have knowledge you are not liable. Also note there is no monitoring obligation, but if you do monitor you can gain knowledge and become liable for -everything-."

If you hide behind this type of logic, the EU in particular could easily change the law so that refusal to accept notifications renders you liable as if you had received it. 'Ignorance of the law is no excuse' comes to mind.

">It's amazing that nobody can't propose anything without receiving a shower of all sorts of arguments against
It's called 'democracy'."

Many of the countries in the RIPE region are not democracies (including the UK now).

Having been on this mailing list for many years, as others have said, this discussion has gone round in circles so many times. It really makes it hard to follow what the general view is. To me there seems to be 2 camps. One camp wants to 'do something' to try to improve the situation. The other camp wants to do nothing for a variety of reasons (not the RIPE NCC's job, gets tangled up with other policies, too much work/time, a burden on those who do the right thing, won't help with those who avoid it, we are engineers not social workers or police). These are the same reasons used against almost every policy proposal on this list.

We are in a new decade now. We have to take a more holistic view of the RIPE Database and services around it. I started at the RIPE NCC as a software engineer working on the database. But over time I became involved in almost every aspect of it, including legal, policy, feature design, contracts, etc. I thought the days of demarcation lines went out in the 70s when an engineer thought only about engineering issues.

Abuse (in all its forms) is a problem on the internet. Some organisations work hard to tackle it, others ignore it. As a community (of holistic engineers) we need to try things out to reduce abuse. There have been so many negative comments in this thread and so few positive ones. It isn't just LEAs that watch what we do, it's governments as well. If we don't 'try' to reduce abuse, we may find a form of GDPR coming down the line for abuse on the internet. Then every organisation, large and small, will be rushing to their lawyers to ensure they are GDPR(abuse) compliant. Avoiding a little effort now may involve a huge effort later. We are no longer a little group of chatty engineers. We are prominent figures in a global, life critical service. Let's try to be a little more positive and constructive....

cheers
denis
co-chair DB-WG
I’ve been following this mailing list for the last couple of years having read far too many arguments resulting in next to no progress. This post from Denis was a refreshing read and one that many should read more than once! Thank you Denis for a reasoned, adult (accepting the UK jab) and constructive message. Liam
Hello everyone,

Someone said: You must be new here, yes it's true, I'm on the list for a few months. Maybe that's why you're still optimistic.

Someone said that the shower of comments against any proposed amendment was Democracy. Maybe that is what we really need.

Many complain that this working group never produces anything, some agree that either the community does something for itself, or sooner or later we will have politicians imposing laws and following goals that may not be beneficial.

I have been on the list for a very short time but today I have learned one thing: Those who want to do something are more than I imagined, probably a silent majority and a noisy blocking group (maybe small).

Respect divergence of opinion and respect freedom of expression a lot, we debate a lot and do little, maybe because we don't put democracy into practice.

Perhaps what we need is for the RIPE NCC to allow us to create polls within the site (to have votes with registered accounts) and instead of arguing backwards and forwards, we submit ideas to votes, if the proposals have the majority then RIPE NCC should take into account the proposals.

What I have seen is that all attempts to change something die in the debate and we never count votes.

let's keep arguing but let’s vote at the end

Sergio
If we don't 'try' to reduce abuse, we may find a form of GDPR coming down the line for abuse on the internet. Then every organisation, large and small, will be rushing to their lawyers to ensure they are GDPR(abuse) compliant. Avoiding a little effort now may involve a huge effort later. We are no longer a little group of chatty engineers. We are prominent figures in a global, life critical service. Lets try to be a little more positive and constructive.... cheers denis co-chair DB-WG
In message <2ff201d5cccf$f6ffe640$e4ffb2c0$@makeitsimple.pt>, "Sérgio Rocha" <sergio.rocha@makeitsimple.pt> wrote:
Someone said: You must be new here, yes it's true, I'm on the list for a few months. Maybe that's why you're still optimistic.
You completely mis-read my comment. What I meant was that you must be new here, because YOU are still optimistic that anything said or done here will ever have any effect. Some of us have already been here for years and know that it won't. Regards, rfg
Sérgio,

I’m not sure if you’ve had the opportunity to read the RIPE Policy Development Process - https://www.ripe.net/participate/policies - but it lays out how policy is created in the community. Very deliberately this is not a vote, it comes out of discussion (which can, at times, seem to be or actually be, circular and/or not incredibly productive) which leads to consensus or lack thereof regarding the policy at hand. The RIPE Community that makes these policies is open to all, not just RIPE NCC members and a voting mechanism would be very easy to corrupt.

While we, as a community, must never say “that is the way it is, we cannot change it” the PDP has generally worked over the years and has resulted in many new policies being created. However the policies and discussions that happen here are often on the more complex or more… fraught end of the scale.

At the end of each phase of a proposal myself, Alireza and Tobias, with the wonderful help of the Policy Development Officer in the NCC, look at the discussions and determine the next steps, as laid out in the PDP. Consensus can be hard to judge and sometimes it seems as if no progress is ever made, but this WG has produced a number of policies over the years, for the better of the Internet, while I acknowledge that they do not go far enough for some, and too far for others.

For all the flaws of any human system, I do believe the PDP is a better process than would be gained by simply voting on a particular policy at any given point.

Thanks,

Brian
Co-Chair, RIPE AA-WG

Brian Nisbet
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nisbet@heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No.
20036270
Hi Denis,

On 17/1/20 0:30, "ripedenis@yahoo.co.uk" <ripedenis@yahoo.co.uk> wrote:

Colleagues

I have just read this whole thread, it took a while (I should get sick more often and spend a day in bed reading emails). I have a few points to make. Some are similar to points already raised but I will reinforce them. I cut out the bits I want to respond to, but sorry I have not included the authors (you will know if it's you).

"If I need to use a web form, which is not standard, for every abuse report that I need to submit, there is no sufficient time in the world to fill all them."

So instead each resource holder must interpret randomly written emails and find any relevant information from within lots of junk.

There are open source tools to extract the logs from an automated abuse reporting system (for example fail2ban), and it is very easy to configure them for your own needs. In any case, much easier than having a different non-standard web form for every ISP that requires that. Of course, as said, ideally a standard system could be used. Maybe it is time to specify it in the policy, and this is something that I’m already considering in the next version, depending on what I can interpret from all this discussion.

"ever since the day that RIPE NCC first published an abuse reporting address in the data base, it has, in effect, injected itself, even if only to a minimal degree, into the relationship between a network abuse victim and the relevant resource holders that have clear connections to the abuse source"

To be clear, the RIPE NCC is the data controller, not the data content provider. The RIPE NCC does not publish the abuse contacts, they facilitate resource holders to publish them.

"make abuse-c: an optional attribute (basically, unrolling the "mandatory" part of the policy proposal that introduced it in the first place)"

As co-author/designer of "abuse-c:" one of the original aims of the "abuse-c:" attribute was to provide one single point of contact for a resource holder's abuse reports. If it is made optional, abuse reports would simply be sent to the "admin-c:", "tech-c:", "notify:", etc email addresses, as they were before. People will simply search the database for any email address associated with the resource holder and spam them all. It won't stop abuse reports being sent 'somewhere'. And once someone has had to go to the trouble of finding a list of email addresses to use for the resource holder who has no "abuse-c:", then they will probably do the same for all reports they send. So those of you who do respond to abuse complaints will find complaints being sent to a whole host of your email addresses from the RIPE Database. We lose the 'keep it in one well defined location' benefit.

I agree with you on this. I think the alternative is the autoresponder I mention. So keep the abuse-c mandatory, but tell the reporters “I will ignore your report”.

"at the very least, RIPE NCC could set up and maintain just a basic review "platform" where the public at large can at least make it known to all observers which networks are the assholes and which ones aren't."

This would be an excellent way for a network operator to 'take out' their competitors.

"While I would accept Gert's proposal for making abuse-c an optional attribute, the reason I offered a counter proposal for publishing "a statement to the effect that the network operator does not act on abuse reports" is to add clarity at a high level."

How many operators are going to make such a statement? It would become an invitation to block their traffic. If that was the alternative to any verification then they know if they don't make such a statement there will be no penalty. So just don't make a statement and still ignore the reports.

Yes and no. Money talks. But at least you know what you can expect from any operator, instead of insisting on sending reports and wasting time trying to contact them. Maybe the point to have in the policy is that if you don’t have a valid abuse-c (so it is mandatory), either you choose to respond to abuses, or you have an autoresponder to tell you are not taking care of them. If you don’t have one or the other, it is a policy violation.

"i'm more worried about someone using real e-mail addresses of real unrelated people than the /dev/null or unattended mailboxes."

Separately to this discussion we need to have a mechanism to say "Remove my email address from this resource", as Google has when someone uses your gmail address as a recovery address. (A service I use on a weekly basis)

I guess this is not needed. If someone is using my email in a non-related contact at the RIPE databases, and I notice it, clearly, I can tell RIPE NCC: this is fake, please remove it. Otherwise RIPE NCC may be liable for the damages.

"Nice analogy, but when you add the eCommerce Directive into the mix, where a network provider (or hosting provider) is not liable for what their users do, the outcome changes. Only if you have knowledge there might be a possibility for liability, but if you do not accept abuse notices, and therefore do not have knowledge you are not liable. Also note there is no monitoring obligation, but if you do monitor you can gain knowledge and become liable for -everything-."

If you hide behind this type of logic, the EU in particular could easily change the law so that refusal to accept notifications renders you liable as if you had received it. 'Ignorance of the law is no excuse' comes to mind.

Well this is already part of the law, at least in Spain, up to a certain point. If you refuse receiving a legal notification (legal in the sense accepted by each specific type of notification, sometimes just a certified post or a fax, or a burofax, certified email – yes there are legal services to do that, etc.), it is the same as if you actually received it.

">It's amazing that nobody can't propose anything without receiving a shower of all sorts of arguments against It's called 'democracy'."

Many of the countries in the RIPE region are not democracies (including the UK now).

Having been on this mailing list for many years, as others have said, this discussion has gone round in circles so many times. It really makes it hard to follow what the general view is. To me there seems to be 2 camps. One camp wants to 'do something' to try to improve the situation. The other camp wants to do nothing for a variety of reasons (not the RIPE NCC's job, gets tangled up with other policies, too much work/time, a burden on those who do the right thing, won't help with those who avoid it, we are engineers not social workers or police). These are the same reasons used against almost every policy proposal on this list.

We are in a new decade now. We have to take a more holistic view of the RIPE Database and services around it. I started at the RIPE NCC as a software engineer working on the database. But over time I became involved in almost every aspect of it, including legal, policy, feature design, contracts, etc. I thought the days of demarcation lines went out in the 70s when an engineer thought only about engineering issues.

Abuse (in all its forms) is a problem on the internet. Some organisations work hard to tackle it, others ignore it. As a community (of holistic engineers) we need to try things out to reduce abuse. There have been so many negative comments in this thread and so few positive ones. It isn't just LEAs that watch what we do, it's governments as well.
If we don't 'try' to reduce abuse, we may find a form of GDPR coming down the line for abuse on the internet. Then every organisation, large and small, will be rushing to their lawyers to ensure they are GDPR(abuse) compliant. Avoiding a little effort now may involve a huge effort later. We are no longer a little group of chatty engineers. We are prominent figures in a global, life critical service. Lets try to be a little more positive and constructive.... cheers denis co-chair DB-WG
participants (6)
- Brian Nisbet
- JORDI PALET MARTINEZ
- Liam Glover
- ripedenis@yahoo.co.uk
- Ronald F. Guilmette
- Sérgio Rocha