RIPE NCC Anti-Abuse Training: Next Steps & WG Input!
Colleagues, Since we last spoke about the proposed training the NCC have been working with various community members to put a draft syllabus in place for further discussion. This is a link to the feedback document for this draft: https://docs.google.com/document/d/1M9Wrqu-VKGGwMfJQGK0NlTs5UzH6xJ2_HR2MkTBV... What the NCC and the Co-Chairs would love is if everybody could just comment what they think they understand from the learning goals as they’re written and suggest any changes or additions and obviously ask any questions. We’d also like the feedback on the webinar flow design. It’s important for everybody to understand that the learning objectives are the basis for the training. These are the skills that the learner must acquire. With these skills we also expect a change of attitude towards abuse handling (which is we think the purpose of this training). While discussion on the list is welcomed and encouraged, we've also planned a Zoom session for any interested parties to discuss this further. This will take place on Wednesday 23rd February at 14:00 CET: https://ripe.zoom.us/j/8221791822?pwd=ZFY0MnNQeWJsTkhQSFlyeEZlUkNJQT09 Meeting ID: 822 179 1822 Passcode: 1277 Hopefully with discussion on list and at the session on the 23rd we can move this into a final draft and progress from there. Thanks, Brian Co-Chair, RIPE AA-WG Brian Nisbet (he/him) Service Operations Manager HEAnet CLG, Ireland's National Education and Research Network 1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland +35316609040 brian.nisbet@heanet.ie www.heanet.ie Registered in Ireland, No. 275301. CRA No. 20036270
Am 10.02.22 um 10:25 schrieb Brian Nisbet:
Colleagues,
Since we last spoke about the proposed training the NCC have been working with various community members to put a draft syllabus in place for further discussion.
This is a link to the feedback document for this draft:
https://docs.google.com/document/d/1M9Wrqu-VKGGwMfJQGK0NlTs5UzH6xJ2_HR2MkTBV...
Nice!
What the NCC and the Co-Chairs would love is if everybody could just comment what they think they understand from the learning goals as they’re written and suggest any changes or additions and obviously ask any questions. We’d also like the feedback on the webinar flow design.
It’s important for everybody to understand that the learning objectives are the basis for the training. These are the skills that the learner must acquire. With these skills we also expect a change of attitude towards abuse handling (which is we think the purpose of this training).
While discussion on the list is welcomed and encouraged, we've also planned a Zoom session for any interested parties to discuss this further.
I'll most likely not be able to join the Zoom session, so here are some thoughts. The document draft shows the structure (which is good and as far as I can see covers the important areas) but not much detail. My suggestions (from the POV of an abuse reporter) go straight into the details, please forgive me if that is out of scope. * Abuse handling is not the same as support handling. Abuse reporters don't want help, they expect that it is in your own interest as a network operator to curb abuse originating from your network, and their reports are intended to help you reach that goal. This results in some Don'ts (I'm seeing all of these in reponse to abuse reports): o don't reject their messages because they are not your customers, o don't require them to register with some support system, o don't send meaningless auto-replies, o don't try to teach them (unless they are really doing something wrong). * Although there may be conflicts with protecting your user's privacy, reporters really appreciate to know whether their reports have a meaningful effect as they sometimes spend considerable amounts of time. Positive feedback ("we've terminated that customer", or "we've worked with the customer to fix their exploitable software/account") is a huge encouragement to continue reporting abuse. If there is no detectable reaction (either in form of an answer or an observable stop of abuse) then an abuse reporter might determine that blocking your network is a more effective use of their time. * Many types of abuse originating from your network are signs of substandard security and warnings of possibly more damaging future exploits. Work proactively with your customers when you find systemic problems. For example, on one of the services that I look after, we had one or two mail account password compromises which led to spam bursts. We established a strict password policy, checking the password database for easily breakable passwords, and contacting all users with weak passwords so they changed them to secure passwords. Similarly, we proactively check customer's websites for exploitable plugins. What kinds of proactive abuse prevention works in your case might be vastly different, but not doing anything is gross negligence. * Abuse desk workers need authority to contact customers and to restrict their use of your resources. One basic prerequisite for contacting customers is that you know them. If your operation does not establish appropriate KYC rules you're bound to be an attractive provider for abusers. Of course, the amount of info you need for an e-mail account and for renting out a server are different, and you may be limited by privacy laws, but if you simply refuse to take responsibility while not disclosing information on who *is* actually responsible you're in for blocking. Cheers, Hans-Martin
I’m going to try and make the call, but one thing that strikes me as important for any abuse training process is to call out different kinds of abuse online. There are things that are abuse of the internet. Abuse that harms the ability of the internet to work or for people to use the internet. Things like dDoS and spam and even phishing, mailbombing, etc. They are problems that affect a lot of people. Often we can use raw numbers of reports or complaints or traffic mapping to identify these kinds of abuses. We can usually point to objective measures and justify taking actions based on those objective measurements. They harm us collectively as a community and an infrastructure. There are those things that are abuse on the internet. This is people using internet services to harm individuals. Harassment and stalking and doxxing are examples of this. These are problems that are targeted at individuals. We can’t use raw numbers of reports or complaints or traffic mapping to identify these kinds of abuses. They are targeted at usually vulnerable or marginal individuals (or sometimes communities). In this case we don’t get the raw numbers of complaints, there’s not an objective measurement of harm. Taking action requires much more judgement on the part of the network owner. Then there are things I’ve not figured out a category for. Is it abuse to spread disinformation and propaganda campaigns? Is it abuse to sell snake oil and fear based on lies and propaganda? Is it abuse to organize a insurrectionist attack on a platform? Does the network owner have an obligation to shut down traffic? How do we tell the difference between good uprisings (Arab Spring) and bad uprisings? What do we do about Nazi and white supremacist websites that allow for actual scholarly and critical discussion of them? I certainly don’t have the answers. I think one of the learning goals should be to understand the scope and breadth of online abuse. Also making it clear what kinds of things operators must take action against and what responsibilities they have to the infrastructure and to individuals. We’re not law enforcement, but law enforcement hasn’t kept up with a lot of the abuse taking place on the internet. I think that is worthy of discussion. laura
On 10 Feb 2022, at 09:25, Brian Nisbet <brian.nisbet@heanet.ie> wrote:
Colleagues,
Since we last spoke about the proposed training the NCC have been working with various community members to put a draft syllabus in place for further discussion.
This is a link to the feedback document for this draft:
https://docs.google.com/document/d/1M9Wrqu-VKGGwMfJQGK0NlTs5UzH6xJ2_HR2MkTBV... <https://docs.google.com/document/d/1M9Wrqu-VKGGwMfJQGK0NlTs5UzH6xJ2_HR2MkTBVR2w/edit?usp=sharing>
What the NCC and the Co-Chairs would love is if everybody could just comment what they think they understand from the learning goals as they’re written and suggest any changes or additions and obviously ask any questions. We’d also like the feedback on the webinar flow design.
It’s important for everybody to understand that the learning objectives are the basis for the training. These are the skills that the learner must acquire. With these skills we also expect a change of attitude towards abuse handling (which is we think the purpose of this training).
While discussion on the list is welcomed and encouraged, we've also planned a Zoom session for any interested parties to discuss this further. This will take place on Wednesday 23rd February at 14:00 CET:
https://ripe.zoom.us/j/8221791822?pwd=ZFY0MnNQeWJsTkhQSFlyeEZlUkNJQT09 <https://ripe.zoom.us/j/8221791822?pwd=ZFY0MnNQeWJsTkhQSFlyeEZlUkNJQT09>
Meeting ID: 822 179 1822 Passcode: 1277
Hopefully with discussion on list and at the session on the 23rd we can move this into a final draft and progress from there.
Thanks,
Brian Co-Chair, RIPE AA-WG
Brian Nisbet (he/him) Service Operations Manager HEAnet CLG, Ireland's National Education and Research Network 1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland +35316609040 brian.nisbet@heanet.ie <mailto:brian.nisbet@heanet.ie> www.heanet.ie <http://www.heanet.ie/> Registered in Ireland, No. 275301. CRA No. 20036270 --
To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg <https://lists.ripe.net/mailman/listinfo/anti-abuse-wg> -- The Delivery Experts
Laura Atkins Word to the Wise laura@wordtothewise.com Email Delivery Blog: http://wordtothewise.com/blog
Hi there, (speaking as Tobias, and not a Chair) I disagree with the idea of defining what abuse is for 3 reasons. First, we will never be going to get it done. If you ask 200 people you'll get 500 opinions. We already know that from RIPE, maawg, IETF, ICANN, and every other organization in the history of the internet and before, that tried. Second, Spam is illegal in several countries, in a lot of others it isn't. That doesn't make it right, but makes the definition harder. It gets more tricky when we are talking about copyright and trademark abuse. Which is by nature a very controversial topic. And there is enough other examples. Third, abuse depends on the perspective of the victim. And yes I know this is a very controversial statement but let me explain it. A small hosting company will see an attack towards their infrastructure differently than AWS, GOOGLE, or Cloudflare do. What might be life-threatening for the small hosting company will not even ring a bell at the big companies? So while I agree an attack of all sorts is abusive, it still depends on what you are willing to do about it. Do I send a spam report for every spam email I receive? No. Is it still abuse? Yes. At the end of the day, the solution to abuse is not going to have a clear definition of abuse, it's the fact that people or companies report what they consider abuse as the victim. And that is followed by what the receiver of the reports is doing about. Not a global definition. Fourth, I know I said 3 but ... Abuse is changing every day and nothing is worse than old stale and outdated definitions. We haven't gotten definitions in the first place. So how are we keeping them up to date on a constant basis? Abuse Management is a very simple and very pragmatic job that needs to be done. It's no science project and no Mars mission. So instead of spending a ton of time on definitions, we might just be simple and pragmatic and try to teach the people that join those training sessions to make abuse a topic in their organization and start doing a decent job in receiving and handling abuse reports as good as they can. That will already make a big impact. Without any definitions. Thanks, Tobias -- Tobias Knecht | Founder & CEO T. +49 170 455 98 45 abusix.com <https://cloud.letsignit.com/collect/bc/5fc946660b5c6b0008d672f1?p=3QW9LKZRNsNLctpv2M4xw66qtjrDbFHkRfe_Jo_T8nIlQuwLC6zZ9OH0kt1uknMTCaPgfev0DqYl37D4m9Ee4vsbDzR0i3-_vR79jccowDesvdhqrvzXzi6k_yA1omSOmnzd-c_2CqBfYJjJFgV9BQOpBRSRjC8wMv-fT3nwGx3tkMlHQ6jWt4ciVIkA_II6> Book a meeting <https://cloud.letsignit.com/collect/bc/5fc946660b5c6b0008d672f1?p=3QW9LKZRNsNLctpv2M4xw66qtjrDbFHkRfe_Jo_T8nIlQuwLC6zZ9OH0kt1uknMT9SwLHL8nP_FvGHuL1dmuWvzSzogpcTfxgYqITma2NzHMq5pXRQAYjPHEkBYpwTr5FBNOY9SMkZqJWdDoUo-I_A==> [image: My Logo] <https://cloud.letsignit.com/collect/bc/5fc946660b5c6b0008d672f1?p=3QW9LKZRNsNLctpv2M4xw66qtjrDbFHkRfe_Jo_T8nIlQuwLC6zZ9OH0kt1uknMT9SwLHL8nP_FvGHuL1dmuWkBl_vB1ZA4WrZhHQQ6slR_5b_FnETHpRTKihQLpXLRkFBNOY9SMkZqJWdDoUo-I_A==> <https://cloud.letsignit.com/collect/bc/5fc946660b5c6b0008d672f1?p=3QW9LKZRNsNLctpv2M4xw66qtjrDbFHkRfe_Jo_T8nIlQuwLC6zZ9OH0kt1uknMT9SwLHL8nP_FvGHuL1dmuWuwTIYoZ5mdTWmhqltOyd8WxVKbCGLLoqGos1EesYhP7> <https://cloud.letsignit.com/collect/bc/5fc946660b5c6b0008d672f1?p=3QW9LKZRNsNLctpv2M4xw66qtjrDbFHkRfe_Jo_T8nIlQuwLC6zZ9OH0kt1uknMT9SwLHL8nP_FvGHuL1dmuWmVS4sTjl1cJ51NN-gNCB_rcu1jgPRgfsr52W-kkb52KhFdCjGAFnnZN_nkWEHAE7w==> CONFIDENTIALITY This email and any attachments are confidential and may also be privileged or otherwise protected from disclosure. If you are not the named recipient, please notify the sender immediately and do not disclose the contents to another person, use it for any purpose, or store or copy the information in any medium. On Fri, Feb 11, 2022 at 11:15 AM Laura Atkins <laura@wordtothewise.com> wrote:
I’m going to try and make the call, but one thing that strikes me as important for any abuse training process is to call out different kinds of abuse online.
There are things that are abuse of the internet. Abuse that harms the ability of the internet to work or for people to use the internet. Things like dDoS and spam and even phishing, mailbombing, etc. They are problems that affect a lot of people. Often we can use raw numbers of reports or complaints or traffic mapping to identify these kinds of abuses. We can usually point to objective measures and justify taking actions based on those objective measurements. They harm us collectively as a community and an infrastructure.
There are those things that are abuse on the internet. This is people using internet services to harm individuals. Harassment and stalking and doxxing are examples of this. These are problems that are targeted at individuals. We can’t use raw numbers of reports or complaints or traffic mapping to identify these kinds of abuses. They are targeted at usually vulnerable or marginal individuals (or sometimes communities). In this case we don’t get the raw numbers of complaints, there’s not an objective measurement of harm. Taking action requires much more judgement on the part of the network owner.
Then there are things I’ve not figured out a category for. Is it abuse to spread disinformation and propaganda campaigns? Is it abuse to sell snake oil and fear based on lies and propaganda? Is it abuse to organize a insurrectionist attack on a platform? Does the network owner have an obligation to shut down traffic? How do we tell the difference between good uprisings (Arab Spring) and bad uprisings? What do we do about Nazi and white supremacist websites that allow for actual scholarly and critical discussion of them? I certainly don’t have the answers.
I think one of the learning goals should be to understand the scope and breadth of online abuse. Also making it clear what kinds of things operators must take action against and what responsibilities they have to the infrastructure and to individuals. We’re not law enforcement, but law enforcement hasn’t kept up with a lot of the abuse taking place on the internet. I think that is worthy of discussion.
laura
On 10 Feb 2022, at 09:25, Brian Nisbet <brian.nisbet@heanet.ie> wrote:
Colleagues,
Since we last spoke about the proposed training the NCC have been working with various community members to put a draft syllabus in place for further discussion.
This is a link to the feedback document for this draft:
https://docs.google.com/document/d/1M9Wrqu-VKGGwMfJQGK0NlTs5UzH6xJ2_HR2MkTBV...
What the NCC and the Co-Chairs would love is if everybody could just comment what they think they understand from the learning goals as they’re written and suggest any changes or additions and obviously ask any questions. We’d also like the feedback on the webinar flow design.
It’s important for everybody to understand that the learning objectives are the basis for the training. These are the skills that the learner must acquire. With these skills we also expect a change of attitude towards abuse handling (which is we think the purpose of this training).
While discussion on the list is welcomed and encouraged, we've also planned a Zoom session for any interested parties to discuss this further. This will take place on Wednesday 23rd February at 14:00 CET:
https://ripe.zoom.us/j/8221791822?pwd=ZFY0MnNQeWJsTkhQSFlyeEZlUkNJQT09
Meeting ID: 822 179 1822 Passcode: 1277
Hopefully with discussion on list and at the session on the 23rd we can move this into a final draft and progress from there.
Thanks,
Brian Co-Chair, RIPE AA-WG
Brian Nisbet (he/him) Service Operations Manager HEAnet CLG, Ireland's National Education and Research Network 1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland +35316609040 brian.nisbet@heanet.ie www.heanet.ie Registered in Ireland, No. 275301. CRA No. 20036270 --
To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
-- The Delivery Experts
Laura Atkins Word to the Wise laura@wordtothewise.com
Email Delivery Blog: http://wordtothewise.com/blog
--
To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
Hi, On Wed, Feb 23, 2022 at 07:20:48PM +0100, Tobias Knecht via anti-abuse-wg wrote:
I disagree with the idea of defining what abuse is for 3 reasons.
I do understand your arguments, but I'm not agreeing with the conclusion. If we can't agree on "this is abuse" and "that is not", how can we ever agree on "we should do something against abuse!"? More extreme wording: why would I, as an ISP, need an abuse handling department if I can just declare "ah, no, this is all normal customer activity" instead? So, yes, defining abuse is very hard - but if we ever want to reach a good level of common abuse squashing, we should find a common understanding. Like "using other people's resources (bandwidth, money, time) without at least implicit permission, for personal gain". (I, for one, consider half the web sites out there abusive, with cookie banners, insanely big graphics, and weird scrolling stuff - but I guess most web developers would not agree to that) Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
On 23 Feb 2022, at 18:39, Gert Doering <gert@space.net> wrote:
Hi,
On Wed, Feb 23, 2022 at 07:20:48PM +0100, Tobias Knecht via anti-abuse-wg wrote:
I disagree with the idea of defining what abuse is for 3 reasons.
I do understand your arguments, but I'm not agreeing with the conclusion.
If we can't agree on "this is abuse" and "that is not", how can we ever agree on "we should do something against abuse!"?
Exactly. We have to have some definition to use for training, at the very minimum.
More extreme wording: why would I, as an ISP, need an abuse handling department if I can just declare "ah, no, this is all normal customer activity" instead?
So, yes, defining abuse is very hard - but if we ever want to reach a good level of common abuse squashing, we should find a common understanding. Like "using other people's resources (bandwidth, money, time) without at least implicit permission, for personal gain".
For this training I think what we’re talking about as abuse is abuse that affects normal network operations. And I’d call out specifically that we’re not discussing ALL abuse online (maybe even touch on the other kinds of abuse that they might get reports for with an admonition to ‘pass them on to the downstream customer). We’re talking about abuse that LIRs are likely to get reports for. And many of these reports are going to be unactionable. I like the phrasing “abuse of the Internet” - implying that the abuse actually damages the ability of online services to interact effectively with one another. dDOS attacks, mailbombing, spam attacks (although the mail system is pretty robust), open proxies, etc. I think of it as abnormal traffic that is pushed on an unwilling recipient that disrupts the recipient’s use of the Internet. laura
(I, for one, consider half the web sites out there abusive, with cookie banners, insanely big graphics, and weird scrolling stuff - but I guess most web developers would not agree to that)
Gert Doering -- NetMaster -- have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
-- The Delivery Experts Laura Atkins Word to the Wise laura@wordtothewise.com Email Delivery Blog: http://wordtothewise.com/blog
Hi, On 23.02.22 20:00, Laura Atkins wrote:
On 23 Feb 2022, at 18:39, Gert Doering <gert@space.net> wrote:
Hi,
On Wed, Feb 23, 2022 at 07:20:48PM +0100, Tobias Knecht via anti-abuse-wg wrote:
I disagree with the idea of defining what abuse is for 3 reasons.
I do understand your arguments, but I'm not agreeing with the conclusion.
If we can't agree on "this is abuse" and "that is not", how can we ever agree on "we should do something against abuse!"?
Exactly. We have to have some definition to use for training, at the very minimum.
(Speaking for myself) The training is (at first) going to be a one hour webinar. So time is very limited. I am not convinced (yet) that defining abuse is a good use of that time. Assuming that the goal is to make the participant of the webinar understand why handling abuse is important: Perhaps a few specific examples are more helpful to achieving this goal than a comprehensive definition. Markus
On 23/02/2022 20:39, Gert Doering wrote: This takes me back 50+ years to US Supreme Court Justice Stewart's definition of obscenity: https://en.wikipedia.org/wiki/I_know_it_when_I_see_it Regards, Hank
Hi,
On Wed, Feb 23, 2022 at 07:20:48PM +0100, Tobias Knecht via anti-abuse-wg wrote:
I disagree with the idea of defining what abuse is for 3 reasons.
I do understand your arguments, but I'm not agreeing with the conclusion.
If we can't agree on "this is abuse" and "that is not", how can we ever agree on "we should do something against abuse!"?
More extreme wording: why would I, as an ISP, need an abuse handling department if I can just declare "ah, no, this is all normal customer activity" instead?
So, yes, defining abuse is very hard - but if we ever want to reach a good level of common abuse squashing, we should find a common understanding. Like "using other people's resources (bandwidth, money, time) without at least implicit permission, for personal gain".
(I, for one, consider half the web sites out there abusive, with cookie banners, insanely big graphics, and weird scrolling stuff - but I guess most web developers would not agree to that)
Gert Doering -- NetMaster
Hi Gert, I think that provides a very good way to actually define it, and also coincides with my view point that it may be abuse for you and not for me, or the other way around. Regards, Jordi @jordipalet El 23/2/22 19:39, "anti-abuse-wg en nombre de Gert Doering" <anti-abuse-wg-bounces@ripe.net en nombre de gert@space.net> escribió: Hi, On Wed, Feb 23, 2022 at 07:20:48PM +0100, Tobias Knecht via anti-abuse-wg wrote: > I disagree with the idea of defining what abuse is for 3 reasons. I do understand your arguments, but I'm not agreeing with the conclusion. If we can't agree on "this is abuse" and "that is not", how can we ever agree on "we should do something against abuse!"? More extreme wording: why would I, as an ISP, need an abuse handling department if I can just declare "ah, no, this is all normal customer activity" instead? So, yes, defining abuse is very hard - but if we ever want to reach a good level of common abuse squashing, we should find a common understanding. Like "using other people's resources (bandwidth, money, time) without at least implicit permission, for personal gain". (I, for one, consider half the web sites out there abusive, with cookie banners, insanely big graphics, and weird scrolling stuff - but I guess most web developers would not agree to that) Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279 -- To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/anti-abuse-wg ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
participants (8)
-
Brian Nisbet -
Gert Doering -
Hank Nussbacher -
Hans-Martin Mosner -
JORDI PALET MARTINEZ -
Laura Atkins -
Markus de Brün -
Tobias Knecht