Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

[ox]

Richard,

We are in agreement about despots, thank you for adding semantics and
details. In order to communicate the problem, I found that it is
required to argue it in terms of "post-truth" otherwise, your pov will
be rejected, outright or, at best, result in very long explanations
(and being called a troll, etc) Many people are simply stuck in what
they think the truth is and showing them "another truth" is not that
easy. More so, if they are strongly opinionated DNS ops whom believe
that they are "doing the right thing"

Anyway, my main objection still is that we cannot legitimize
Distributed Denial of Service software. We cannot legitimize Brute
Force cracking Software - So we also cannot legitimize RPZ

RPZ is unethical.


Arguing that RPZ is used for good is EXACTLY the same as using a DDOS
tool to "take out" a network or server.

a botnet or drt-botnet can be used for "good" in exactly the same
fashion RPZ is used for "good"


RPZ is simply unethical and very wrong. There is no due process, there
is simple vigilante behavior. And there is lies to users and then
deception, on top of different lies.

Reference to President Elect Donald Trump and North Korea IS 100%
related to this WG, here is why:

RPZ is a tool that works in exactly the same way as nuclear weapons do:

If 8.8.8.8 tells you example.com is at c.c.c.c and someone else that
example.com is at q.q.q.q - and simply starts making up its own answers
it will be far too late for you to even try to explain to anyone that
there is a problem as the people that understands the problem and will
listen to you ARE GETTING FEWER each passing day.

Of course: 8.8.8.8 will be telling you these lies - TO PROTECT YOU, so
it is perfectly fine...?


Then there is the simple TECHNICAL view: 
--
DNS firewalls are stupid.

This is NOT the real reason we have RPZ...

The real reasons we have RPZ has NOTHING to do with abuse protection,
as it is a stupid tool.

The people that are actively using RPZ to "protect" their users are
finding that it is a piss poor method and that their users are as
compromized as any other non RPZ user pool.

"protecting users" is simply a smoke screen as the real reasons for RPZ
is quite EVIL.

And, it is EVIL for almost everyone (99%), from ethical ISP's, to low life 
cyber crime scumbags.

Andre

 

On Fri, 6 Jan 2017 12:18:30 +
Richard Clayton  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> In message , ox  writes
> 
> >The Bind software is the dominant DNS software on the planet.
> >
> >The IETF doc, relating to RPZ - is intended for Bind ops.
> 
> Not really -- it's an attempt to document what Bind does in a way that
> will make it easier for other platforms to do the same thing (it turns
> out that there's a lot of interaction with the innards of Bind and
> setting out the semantics in a way that is platform independent is not
> as simple as you might initially think).
> 
> >If left unchallenged, RPZ will become a standard (RFC)
> 
> Not in the short term and not in the medium term either... there is a
> difference between a standard and an RFC -- as Jon Postel set out two
> decades ago
> 
> https://tools.ietf.org/html/rfc1796
> 
> >Which will legitimize it. 
> 
> As it happens, I agree with that view (since I think that many people
> completely erroneously conflate RFCs with standards).
> 
> >What I am objecting to, is that non ethical software and systems are
> >being legitimized.
> 
> As it happens, I agree that there are serious ethical issues with RPZ
> And I said so in an academic paper about ethics (as applied to
> research into online criminality) several years back
> 
> http://www.cl.cam.ac.uk/~rnc1/ntdethics.pdf
> 
> I've recently re-expressed my opinion on the relevant IETF list, that
> the document should not be adopted by the Working Group.
> 
> Essentially I believe documenting RPZ in a platform independent way
> will lead to some Governments taking the view that they can censor
> the web by compelling the consumption of an Officially Endorsed RPZ
> feed -- at present, the fact that many platforms do not implement RPZ
> at all (or in what is probably an inconsistent manner) gives them
> some pause. I think we remove that (admittedly small for some regimes
> around the world) roadbump at our peril.
> 
> - -- 
> richard   Richard
> Clayton
> 
> Those who would give up essential Liberty, to purchase a little
> temporary Safety, deserve neither Liberty nor Safety. Benjamin
> Franklin 11 Nov 1755
> 
> -BEGIN PGP SIGNATURE-
> Version: PGPsdk version 1.7.1
> 
> iQA/AwUBWG+LFju8z1Kouez7EQKaMwCeOntURBJAr/IKbWtos9rb5yQzsOMAnRNO
> QmGUXnqCk56ANjr9wLoXHvxn
> =A6Jd
> -END PGP SIGNATURE-
> 

Re: [anti-abuse-wg] anti-abuse-wg Digest, Vol 62, Issue 9

[Marilson]

> However you would need to get past your emotive arguments and focus on clear 
> objective issues. Wrote Michele

> Can you maybe help me to formulate this in a non emotive manner? wrote Andre.

> So, I truly thank you for your constructive comments as I am stuck at the 
> emotive side... Wrote Andre.

@Andre, never lose your emotive side, your emotional way of arguing. This is a 
evidence that you are not a sociopath and is able to empathize with your fellow 
human beings. It shows that your concern, even if it is not correct, is 
legitimate. You worry about the increase in abuse that has already reached 
alarming levels. Never so few done so much harm to so many. Never. The insults 
you're getting are proof that you put your finger in the wound. I urge you to 
turn that finger violently and make public your concern, out of this group.

> And please don’t bring Trump (or any other politician) into this. Apart from 
> anything else this is a RIPE list not an ARIN one ? Wrote Michele.

260 billion spam and scam per day. An army of rascals irritating and stealing 
people's money. The level of abuse and dishonesty has reached alarming levels. 
ISPs hiding and protecting criminals. As always, civil society will force its 
rulers to intervene in this catastrophe because politicians fear their 
constituents. Who will bring politicians to "into this" will be you guys who 
turned this anti-abuse-wg into a pro-abuse-wg.

> Who defines waht is socially acceptable? Wrote Thomas.

People like Andre who are still capable of being moved are apt to define what 
is socially acceptable.
All members of modern society, if able to feel emotions, are apt to evaluate 
what is socially acceptable according to the uses and customs of the time. 
Already the sociopaths, unable to feel emotions and empathize with their fellow 
men, do not stop of develop mechanisms that enhance the ability of technology 
to hide and protect scammers and spammers with the clear objective of 
increasing traffic on the Internet to increase their profits. These are not 
able to define what is socially acceptable. They should be in jail.

Marilson

**
From: anti-abuse-wg-requ...@ripe.net 
Sent: Friday, January 06, 2017 7:57 AM
To: anti-abuse-wg@ripe.net 
Subject: anti-abuse-wg Digest, Vol 62, Issue 9

Send anti-abuse-wg mailing list submissions to
anti-abuse-wg@ripe.net

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
or, via email, send a message with subject or body 'help' to
anti-abuse-wg-requ...@ripe.net

You can reach the person managing the list at
anti-abuse-wg-ow...@ripe.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of anti-abuse-wg digest..."


Today's Topics:

   1. Re: DNS Abuse, Abuse of Privacy & Legitimizing Criminal
  Activity (Michele Neylon - Blacknight)
   2. Re: DNS Abuse, Abuse of Privacy & Legitimizing Criminal
  Activity (ox)
   3. Re: DNS Abuse, Abuse of Privacy & Legitimizing Criminal
  Activity (Michele Neylon - Blacknight)
   4. Re: DNS Abuse, Abuse of Privacy & Legitimizing Criminal
  Activity (ox)
   5. Re: DNS Abuse, Abuse of Privacy & Legitimizing Criminal
  Activity (Thomas Mechtersheimer)
   6. Re: DNS Abuse, Abuse of Privacy & Legitimizing Criminal
  Activity (ox)


--

Message: 1
Date: Thu, 5 Jan 2017 16:43:44 +
From: Michele Neylon - Blacknight 
To: ox , Suresh Ramasubramanian 
Cc: Luis E. Mu?oz , Mark Foster
, "anti-abuse-wg@ripe.net" 
Subject: Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy &
Legitimizing Criminal Activity
Message-ID: <5c898951-97f9-4ded-8a3f-d39013f6e...@blacknight.com>
Content-Type: text/plain; charset="utf-8"

Nobody is forcing anyone to use RPZ. There are thousands of IETF documents 
covering a multitude of technologies, both real and imagined (just look at the 
avian carriers series). 


Personally I used to have issues with the concept of RPZ when it was first 
raised years ago, but my views have changed over time, though apparently you 
only discovered it a couple of weeks ago.
In any case, like so many other technologies, it is a tool. People using RPZ do 
so for a variety of reasons and they should be free to do so.
Many of us use DNSBLs to protect our users? inboxes from spam, phishing and 
other junk. RPZ is a different tech, but in the end is just another tool in our 
toolbox.

And please don?t bring Trump (or any other politician) into this. Apart from 
anything else this is a RIPE list not an ARIN one ?

Regards

Michele


--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
http://www.blacknight.host/

Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

[Richard Clayton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

In message , ox  writes

>The Bind software is the dominant DNS software on the planet.
>
>The IETF doc, relating to RPZ - is intended for Bind ops.

Not really -- it's an attempt to document what Bind does in a way that
will make it easier for other platforms to do the same thing (it turns
out that there's a lot of interaction with the innards of Bind and
setting out the semantics in a way that is platform independent is not
as simple as you might initially think).

>If left unchallenged, RPZ will become a standard (RFC)

Not in the short term and not in the medium term either... there is a
difference between a standard and an RFC -- as Jon Postel set out two
decades ago

https://tools.ietf.org/html/rfc1796

>Which will legitimize it. 

As it happens, I agree with that view (since I think that many people
completely erroneously conflate RFCs with standards).

>What I am objecting to, is that non ethical software and systems are
>being legitimized.

As it happens, I agree that there are serious ethical issues with RPZ
And I said so in an academic paper about ethics (as applied to research
into online criminality) several years back

http://www.cl.cam.ac.uk/~rnc1/ntdethics.pdf

I've recently re-expressed my opinion on the relevant IETF list, that
the document should not be adopted by the Working Group.

Essentially I believe documenting RPZ in a platform independent way will
lead to some Governments taking the view that they can censor the web by
compelling the consumption of an Officially Endorsed RPZ feed -- at
present, the fact that many platforms do not implement RPZ at all (or in
what is probably an inconsistent manner) gives them some pause. I think
we remove that (admittedly small for some regimes around the world)
roadbump at our peril.

- -- 
richard   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755

-BEGIN PGP SIGNATURE-
Version: PGPsdk version 1.7.1

iQA/AwUBWG+LFju8z1Kouez7EQKaMwCeOntURBJAr/IKbWtos9rb5yQzsOMAnRNO
QmGUXnqCk56ANjr9wLoXHvxn
=A6Jd
-END PGP SIGNATURE-

Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

[ox]

On Thu, 5 Jan 2017 11:43:33 +0100
Thomas Mechtersheimer  wrote:
> On Thu, Jan 05, 2017 at 12:04:19PM +0200, ox wrote:
> >[...]
> > But, you neglected to add - That is is not socially acceptable to
> > define protocols for defrauding people, to tell lies, commit
> > deception,
> 
> Who defines waht is socially acceptable?
> 
Great point :)

Society defines its own ethics, morals and values. For example it would
be perfectly acceptable to eat other people if we were cannibals :)

In modern societies, from African, to Eastern, To American, European,
etc. I would argue that there are certain "baselines"

For example, it is not acceptable to eat people, as it is also not
acceptable to defraud and tell lies.

Or do you not agree?

> btw: most phishing pages use HTTP; HTTP is used for fraud and lies
> (probably more than RPZ will ever be...); but no one objects the use
> of HTTP as a protocol -- as the protocol by itself has no moral
> "value"; it's only the use of a protocol for fraud which is not
> acceptable.
> 
Yes, and the but... Nowhere is there a protocol or defined method in
RFC about http's that promotes deception and lies...

So, it is not about the technology existing - as was recently pointed
out, technology in itself cannot be unethical... It is about the
publication of a process that is unethical and if leaved unopposed will,
in all probability, lead to a "standard" 

> >[...]
> > Heck, if you are honest, and from the responses in this thread, it
> > is already "best practise" and quite acceptable to use/apply RPZ -
> > as apparently "many" are doing this and has been doing it for years.
> 
> Yes; mangling of DNS responses has been done for years; RPZ only
> defines a standard for this procedure (which is better than having
> many non-standard ways).
> 
same as above

> >[...]
> > That RPZ is DNS abuse, in itself, it is an abuse to Internet Society
> > and it serves to promote Crime.
> 
> This is your point of view. Could you provide some evidence where RPZ
> promotes crime etc. (more than it helps preventing it)?
> Repeating "RPZ is Evil" again and again doesn't convice me, but as you
> said: we're in a post-truth world...
> 
I did post an exact example, but here it is again:

The clear objective issue with RPZ is that it is unethical.

Can you maybe help me to formulate this in a non emotive manner?

What I have is examples of what  RPZ facilitates:

In truth Google.com is at a.a.a.a (or ipv6 eq)

If user1 asks resolver the IP number for Google.com, the resolver can
send false answer of x.x.x.x  
If user2 asks the same resolver where Google.com is, the resolver can
supply false answer of y.y.y.y because user2 is doing the asking
If user3 asks the same resolver where Google.com is, the same resolver
can answer a.a.a.a
In all the above examples where fake (or any) answers were supplied,
the resolver also hides the truth of the fake answer, to the user.

Andre

Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

[Thomas Mechtersheimer]

On Thu, Jan 05, 2017 at 12:04:19PM +0200, ox wrote:
>[...]
> But, you neglected to add - That is is not socially acceptable to
> define protocols for defrauding people, to tell lies, commit deception,

Who defines waht is socially acceptable?

btw: most phishing pages use HTTP; HTTP is used for fraud and lies
(probably more than RPZ will ever be...); but no one objects the use of
HTTP as a protocol -- as the protocol by itself has no moral "value";
it's only the use of a protocol for fraud which is not acceptable.

>[...]
> Heck, if you are honest, and from the responses in this thread, it is
> already "best practise" and quite acceptable to use/apply RPZ - as
> apparently "many" are doing this and has been doing it for years.

Yes; mangling of DNS responses has been done for years; RPZ only defines a
standard for this procedure (which is better than having many non-standard
ways).

>[...]
> That RPZ is DNS abuse, in itself, it is an abuse to Internet Society
> and it serves to promote Crime.

This is your point of view. Could you provide some evidence where RPZ
promotes crime etc. (more than it helps preventing it)?
Repeating "RPZ is Evil" again and again doesn't convice me, but as you
said: we're in a post-truth world...

   Thomas