Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity
Nobody is forcing anyone to use RPZ. There are thousands of IETF documents covering a multitude of technologies, both real and imagined (just look at the avian carriers series).

Personally I used to have issues with the concept of RPZ when it was first raised years ago, but my views have changed over time, though apparently you only discovered it a couple of weeks ago. In any case, like so many other technologies, it is a tool. People using RPZ do so for a variety of reasons and they should be free to do so. Many of us use DNSBLs to protect our users’ inboxes from spam, phishing and other junk. RPZ is a different tech, but in the end is just another tool in our toolbox.

And please don’t bring Trump (or any other politician) into this. Apart from anything else this is a RIPE list not an ARIN one ☺

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
http://www.blacknight.host/
http://blacknight.blog/
http://ceo.hosting/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845
On Thu, 5 Jan 2017 16:43:44 +0000 Michele Neylon - Blacknight <michele@blacknight.com> wrote:
Nobody is forcing anyone to use RPZ. There are thousands of IETF documents covering a multitude of technologies, both real and imagined (just look at the avian carriers series).
You are missing important facts in your truthful statement... (so I am agreeing with you 100% - But, you need to add the rest of the truth)

The Bind software is the dominant DNS software on the planet.

The IETF doc, relating to RPZ - is intended for Bind ops.

If left unchallenged, RPZ will become a standard (RFC)

Which will legitimize it.

NONE of the other real and imagined docs you refer to have anywhere near the same potential direct impact.

But, as you are arguing this, I am sure that you will tell me why I am wrong? I am sure that you will also send me a link to a document that defines protocols for fraud, theft and crime?

Also, where are the lines then? I mean are hacker tools, cracking software, theft and fraud okay and we do not support child porn? Or are you saying that child porn is also okay?

Not clear on what you are saying Michele? Are you saying that RPZ is okay? That there is worse abuse out there and we should not be concerned with dns abuse?

I do understand that people are free to use cracker and hacker tools, free to commit theft, fraud and do whatever their little hearts desire.

What I am objecting to, is that non ethical software and systems are being legitimized.
Personally I used to have issues with the concept of RPZ when it was first raised years ago, but my views have changed over time, though apparently you only discovered it a couple of weeks ago. In any case,
I honestly thought that "someone" would stand up and say something as it is so very wrong that it was unimaginable that it would gain so much traction.
like so many other technologies, it is a tool. People using RPZ do so for a variety of reasons and they should be free to do so. Many of us use DNSBLs to protect our users’ inboxes from spam, phishing and other junk. RPZ is a different tech, but in the end is just another tool in our toolbox.
And please don’t bring Trump (or any other politician) into this. Apart from anything else this is a RIPE list not an ARIN one ☺
I could have used eu examples, but, this being RIPE... (usa examples are less direct) - The point I made was: The World Has Changed. (that goes for the eu/usa/africa/all)

Andre
In message , ox <andre@ox.co.za> writes
The Bind software is the dominant DNS software on the planet.
The IETF doc, relating to RPZ - is intended for Bind ops.
Not really -- it's an attempt to document what Bind does in a way that will make it easier for other platforms to do the same thing (it turns out that there's a lot of interaction with the innards of Bind and setting out the semantics in a way that is platform independent is not as simple as you might initially think).
If left unchallenged, RPZ will become a standard (RFC)
Not in the short term and not in the medium term either... there is a difference between a standard and an RFC -- as Jon Postel set out two decades ago https://tools.ietf.org/html/rfc1796
Which will legitimize it.
As it happens, I agree with that view (since I think that many people completely erroneously conflate RFCs with standards).
What I am objecting to, is that non ethical software and systems are being legitimized.
As it happens, I agree that there are serious ethical issues with RPZ

And I said so in an academic paper about ethics (as applied to research into online criminality) several years back

http://www.cl.cam.ac.uk/~rnc1/ntdethics.pdf

I've recently re-expressed my opinion on the relevant IETF list, that the document should not be adopted by the Working Group.

Essentially I believe documenting RPZ in a platform independent way will lead to some Governments taking the view that they can censor the web by compelling the consumption of an Officially Endorsed RPZ feed -- at present, the fact that many platforms do not implement RPZ at all (or in what is probably an inconsistent manner) gives them some pause. I think we remove that (admittedly small for some regimes around the world) roadbump at our peril.

-- richard Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
Richard,

We are in agreement about despots, thank you for adding semantics and details.

In order to communicate the problem, I found that it is required to argue it in terms of "post-truth" otherwise, your pov will be rejected, outright or, at best, result in very long explanations (and being called a troll, etc)

Many people are simply stuck in what they think the truth is and showing them "another truth" is not that easy. More so, if they are strongly opinionated DNS ops who believe that they are "doing the right thing"

Anyway, my main objection still is that we cannot legitimize Distributed Denial of Service software. We cannot legitimize Brute Force cracking Software - So we also cannot legitimize RPZ

RPZ is unethical.

************
Arguing that RPZ is used for good is EXACTLY the same as using a DDOS tool to "take out" a network or server.

a botnet or drt-botnet can be used for "good" in exactly the same fashion RPZ is used for "good"
************

RPZ is simply unethical and very wrong. There is no due process, there is simple vigilante behavior. And there are lies to users and then deception, on top of different lies.

Reference to President Elect Donald Trump and North Korea IS 100% related to this WG, here is why:

RPZ is a tool that works in exactly the same way as nuclear weapons do:

If 8.8.8.8 tells you example.com is at c.c.c.c and someone else that example.com is at q.q.q.q - and simply starts making up its own answers it will be far too late for you to even try to explain to anyone that there is a problem as the people that understand the problem and will listen to you ARE GETTING FEWER each passing day.

Of course: 8.8.8.8 will be telling you these lies - TO PROTECT YOU, so it is perfectly fine...?????

Then there is the simple TECHNICAL view:
----------------------------------------------------------
DNS firewalls are stupid. This is NOT the real reason we have RPZ...

The real reasons we have RPZ have NOTHING to do with abuse protection, as it is a stupid tool.

The people that are actively using RPZ to "protect" their users are finding that it is a piss poor method and that their users are as compromised as any other non RPZ user pool.

"protecting users" is simply a smoke screen as the real reasons for RPZ are quite EVIL. And, it is EVIL for almost everyone (99%), from ethical ISPs, to low life cyber crime scumbags.

Andre

On Fri, 6 Jan 2017 12:18:30 +0000 Richard Clayton <richard@highwayman.com> wrote:
In message , ox <andre@ox.co.za> writes
The Bind software is the dominant DNS software on the planet.
The IETF doc, relating to RPZ - is intended for Bind ops.
Not really -- it's an attempt to document what Bind does in a way that will make it easier for other platforms to do the same thing (it turns out that there's a lot of interaction with the innards of Bind and setting out the semantics in a way that is platform independent is not as simple as you might initially think).
If left unchallenged, RPZ will become a standard (RFC)
Not in the short term and not in the medium term either... there is a difference between a standard and an RFC -- as Jon Postel set out two decades ago
https://tools.ietf.org/html/rfc1796
Which will legitimize it.
As it happens, I agree with that view (since I think that many people completely erroneously conflate RFCs with standards).
What I am objecting to, is that non ethical software and systems are being legitimized.
As it happens, I agree that there are serious ethical issues with RPZ And I said so in an academic paper about ethics (as applied to research into online criminality) several years back
http://www.cl.cam.ac.uk/~rnc1/ntdethics.pdf
I've recently re-expressed my opinion on the relevant IETF list, that the document should not be adopted by the Working Group.
Essentially I believe documenting RPZ in a platform independent way will lead to some Governments taking the view that they can censor the web by compelling the consumption of an Officially Endorsed RPZ feed -- at present, the fact that many platforms do not implement RPZ at all (or in what is probably an inconsistent manner) gives them some pause. I think we remove that (admittedly small for some regimes around the world) roadbump at our peril.
-- richard Richard Clayton
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
In message , ox <andre@ox.co.za> writes
The people that are actively using RPZ to "protect" their users are finding that it is a piss poor method and that their users are as compromised as any other non RPZ user pool.
that's a testable hypothesis -- what evidence do you have for it ?

-- richard Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
On Sat, 7 Jan 2017 15:30:02 +0000 Richard Clayton <richard@highwayman.com> wrote:
In message , ox <andre@ox.co.za> writes
The people that are actively using RPZ to "protect" their users are finding that it is a piss poor method and that their users are as compromised as any other non RPZ user pool.
that's a testable hypothesis -- what evidence do you have for it ?
Hindsight is always perfect.

SpamCop is a DNS blocklist (which by the way IS an Ethical Anti Abuse Tool) it is a reactive (after it has happened) abuse reporting system, with statistics.

https://www.spamcop.net/w3m?action=map

Anyone can compare the abuse range volumes with that of a provider they know to be using RPZ

I am not at liberty to discuss my own knowledge and personal experience in terms of specific companies.

Andre
*sigh* it is sometimes difficult when people email you "off list" and they express an opinion, which should be expressed "on list"

Should RPZ be defined for the sake of "interoperability"?

The easy answer is: No.

Interoperability has limits

For example:
Most of us will null route abusive rogue traffic
Most of us use ethical anti-abuse DNS Blocklists, for DROP (block/deny) email

My easy to make point is: Interoperability does have limits.

and, to be clear: I am saying that the unethical RPZ exceeds the limit (or crosses the line) in terms of any interoperability argument.

Andre

On Sun, 8 Jan 2017 06:01:55 +0200 ox <andre@ox.co.za> wrote:
On Sat, 7 Jan 2017 15:30:02 +0000 Richard Clayton <richard@highwayman.com> wrote:
In message , ox <andre@ox.co.za> writes
The people that are actively using RPZ to "protect" their users are finding that it is a piss poor method and that their users are as compromised as any other non RPZ user pool.
that's a testable hypothesis -- what evidence do you have for it ?
Hindsight is always perfect.
SpamCop is a DNS blocklist (which by the way IS an Ethical Anti Abuse Tool) it is a reactive (after it has happened) abuse reporting system, with statistics.
https://www.spamcop.net/w3m?action=map
Anyone can compare the abuse range volumes with that of a provider they know to be using RPZ
I am not at liberty to discuss my own knowledge and personal experience in terms of specific companies.
Andre
participants (3)
- Michele Neylon - Blacknight
- ox
- Richard Clayton