Re: [anti-abuse-wg] 2017-02 Review Phase Reminder
On 20/02/2018 01:06, Name wrote:
Making sure admins have a functioning abuse email address has nothing to do with security theater.
My understanding of the term "security theater" is "Unnecessary and sometimes expensive inconveniences introduced to demonstrate that 'something is being done' to address (usually legitimate) security threats, when the measures introduced have no material effect in mitigating the threat in question".

It has been asserted that making sure admins have a functioning abuse e-mail address will help combat abuse, but nobody has managed to explain how in a way that I can understand. As far as I can see, this will achieve nothing useful.

I have developed three possible conclusions:

1. This is just security theatre, according to the above definition.
2. There is an important reason for doing this, but the proponents are unwilling to discuss it openly and clearly. Perhaps some might hope that abusive users will initially fall foul of this rule, and arbitrarily selective and aggressive enforcement would provide a quick and easy route to de-allocate IP address allocations to those users.
3. I am simply too stupid to understand this simple issue.

If there is a fourth, or if someone can explain how making people set up an autoresponder that nobody reads is useful, then I would like to hear it.

Malcolm.

--
Malcolm Hutty | tel: +44 20 7645 3523
Head of Public Affairs | Read the LINX Public Affairs blog
London Internet Exchange | http://publicaffairs.linx.net/

London Internet Exchange Ltd
Monument Place, 24 Monument Street London EC3R 8AJ

Company Registered in England No. 3137929
Trinity Court, Trinity Street, Peterborough PE1 1DA
On 20-02-2018 Malcolm Hutty writes:
It has been asserted that making sure admins have a functioning abuse e-mail address will help combat abuse, but nobody has managed to explain how in a way that I can understand. As far as I can see, this will achieve nothing useful.
Hello Malcolm

Being able to contact the proper admins is the first step in combating the abuse. Thus, lack of contacts or non-working contacts are actually harmful in the goal of effectively dealing with abuse.

This includes:

- Email addresses where the mailbox does not exist.
- Email addresses where the mailbox is full.
- Email addresses whose domain is no longer registered.
- Email addresses whose domain has no mail server that can receive the mails.
- Email addresses forwarding to wrongly configured mailing lists that then proceed to reject the messages, as they don't trust their own forwarder.

(I have witnessed all these cases with email addresses provided on whois)

Of course, there are many more ways in which an abuse contact email address may be non-functional, from lazy/non-existent administrators to simply being a mailbox that nobody reads in the company. A particularly striking case happens when the abuse contact is filtering and rejecting as spam the reports about the spam it is sending itself.

But at least this proposal sets a minimum starting point.

Best regards

--
CERTSI (CERT de Seguridad e Industria) - Spanish Security and Industry Incident Response Team
https://www.certsi.es/
PGP Keys: https://www.certsi.es/en/what-is-certsi/pgp-public-keys

------------------------------------------------------------------------------
CERTSI (CERT de Seguridad e Industria) Spanish Security and Industry Incident Response Team operates under the auspices of the Ministry of Energy, Tourism and Digital Agenda through the State Secretariat for Information Society and Digital Agenda, and the Ministry of Interior through the Security State Secretariat of the Spanish government as a national CERT. Our main role is detection, coordination and response of security incidents that take place on Spanish CI (Critical Infrastructure), Research and Academic Network (RedIRIS), enterprises and/or citizens. Also, we act as Spanish national CERT in the role of coordination with other security teams.
------------------------------------------------------------------------------
Disclaimer: This message, including any attachments, may contain confidential information, within the framework of the corporate Security Management System. If you are not the intended recipient, please notify the sender and delete this message without forwarding or retaining a copy, since any unauthorized use is strictly prohibited by law.
------------------------------------------------------------------------------
Ángel González Berdasco wrote:
Being able to contact the proper admins is the first step in combating the abuse.
Ángel,

There is nothing in the proposal about contacting admins or that the email address is associated with combating abuse.

Nick
On Tue, 20-02-2018 at 18:12 +0000, Nick Hilliard wrote:
Ángel González Berdasco wrote:
Being able to contact the proper admins is the first step in combating the abuse.
Ángel,
There is nothing in the proposal about contacting admins or that the email address is associated with combating abuse.
Nick
Hello Nick

I am not sure which part you found confusing, as I feel my reply was completely in line with the proposal and the previous discussion.

Note that I was referring to a third party wishing to report an incident using RIPE information in order to obtain the right contact. In no way did I mean that it was an action performed by RIPE.

Best regards

--
CERTSI (CERT de Seguridad e Industria) - Spanish Security and Industry Incident Response Team
https://www.certsi.es/
PGP Keys: https://www.certsi.es/en/what-is-certsi/pgp-public-keys
On Tue, Feb 20, 2018 at 12:12:41PM +0000, Malcolm Hutty wrote:

your points have incited me to apply the proportionality test

https://en.wikipedia.org/wiki/Proportionality_(law)#European_Union_law

to this proposal. It is nowadays held that policy must pass this test. So, let's see:

1) there must be a legitimate aim for a measure

IMO the proposal passes this test, the aim, as stated in the proposal, is legit.

2) the measure must be suitable to achieve the aim (potentially with a requirement of evidence to show it will have that effect)

I think the proposal fails that test. It has not been demonstrated that having an abuse-c, let alone running an annual verification on it, has any actual effect ("security theatre")

3) the measure must be necessary to achieve the aim, that there cannot be any less onerous way of doing it

IMO, it fails this test too, it is both unnecessary and needlessly onerous. A LIR is already obliged to have a number of contacts who must be reachable and which are audited regularly. Also, in an age of increasing automation, having a requirement for a *human* to read and *respond to* an abuse email address is nothing short of anachronistic, if not reactionary[1].

4) the measure must be reasonable, considering the competing interests of different groups at hand

The competing interests here are for the LIR to be able to go about its business for which RIR-managed resources are an absolute requirement. The competing interest is that of the proposers and supporters to have someone respond to their abuse reports with an expectation that those who do not comply are put out of business[1]. This is wildly non-proportional, it creates a "death penalty" for a tickbox offence. An equivalent in criminal law would be that someone who is repeatedly found not to be in possession of an ID paper is ultimately executed. No polity with even a pretension to democracy can have such a law, and none does, ttbomk.[1]

In light of these points, I cannot but view this proposal and the resulting policy -should it pass- as unnecessary, dangerous, and disproportionally draconian, and therefore strenuously oppose it.

rgds,
Sascha Luck

[1] Since the de-registration of resources and termination of membership are expressly mentioned in the proposal (albeit as an argument against it) and the community here has immediately latched onto it as the desired outcome, I presume this outcome to be the "legislative intent" of this proposal. Ditto, the tenor of the discussion has been that any contact with this abuse-c email address must result in a response from a human operator. Thus I presume this to be part of the legislative intent also.
In message <ba02fd00-97af-bf57-624e-bc5c87aa4feb@linx.net>, Malcolm Hutty <malcolm@linx.net> writes
It has been asserted that making sure admins have a functioning abuse e-mail address will help combat abuse, but nobody has managed to explain how in a way that I can understand. As far as I can see, this will achieve nothing useful.
It assists the diligent (but too lazy to run their own check) in learning that their abuse address is not working. This will allow them to receive more abuse reports and thereby (through their diligence) ensure that the Internet becomes a slightly safer place.

in my experience, even the diligent sometimes have outdated and non-functional email contact addresses -- the Internet is getting old and things rot and decay, including email addresses and their domains
3. I am simply too stupid to understand this simple issue.
I recall that, back when I was involved with LINX (Happy 100 BTW) that Vanessa sent out an email every quarter to check that the list of contact addresses for NOCs of LINX members was still functional (and she then chased down the bounces and got things fixed). Perhaps that system remains (though of course it won't be Vanessa doing it)
If there is a fourth, or if someone can explain how making people set up an autoresponder that nobody reads is useful, then I would like to hear it.
the LINX MOU permits autoresponders on the peering contact address, so clearly they are thought to be useful ... #4 of the MOU is pretty strict about responding to emails ... so I'd have thought that you would understand how useful they can be in a related context at RIPE.

--
richard Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
On 20.02.2018 16:16, Richard Clayton wrote:
It assists the diligent (but too lazy to run their own check) in learning that their abuse address is not working. This will allow them to receive more abuse reports and thereby (through their diligence) ensure that the Internet becomes a slightly safer place.
in my experience, even the diligent sometimes have outdated and non-functional email contact addresses -- the Internet is getting old and things rot and decay, including email addresses and their domains
I second this.

Over the past months, we reached out to many (German) resource owners with invalid abuse contacts (user unknown, mailbox full, ...). In most cases, the owners were very thankful for our notification as they were not aware of the problem (responsible admin left the company, etc.).

- Thomas
participants (7)

- Malcolm Hutty
- Name
- Nick Hilliard
- Richard Clayton
- Sascha Luck [ml]
- Thomas Hungenberg
- Ángel González Berdasco