Re: [anti-abuse-wg] Webzilla

2019-03-16 Thread Fi Shing
There is no incentive for a corporation to remove an abuser if the abuser is a paying customer. There is also no incentive for RIR to create any sort of oversight, if that oversight requires investment. Hence, the shit fight known as "the internet" that we have today.


 Original Message 
Subject: [anti-abuse-wg] Webzilla
From: "Ronald F. Guilmette" 
Date: Sun, March 17, 2019 7:15 am
To: anti-abuse-wg@ripe.net


Perhaps some folks here might be interested to read these two reports,
the first of which is a fresh news report published just a couple of
days ago, and the other one is a far more detailed investigative report
that was completed some time ago now.

https://www.buzzfeednews.com/article/kenbensinger/dossier-gubarev-russian-hackers-dnc

https://www.documentcloud.org/documents/5770258-Fti.html

Please share these links widely.

The detailed technical report makes it quite abundantly clear that
Webzilla, and all of its various tentacles... many of which even I didn't
know about until seeing this report... most probably qualifies as, and
has qualified as a "bullet proof hosting" operation for some considerable
time now.  As the report notes, the company has received over 400,000
complaints or reports of bad behavior, and it is not clear to me, from
reading the report, if anyone at the company even bothered to read any
more than a small handful of those.

I have two comments about this.

First, I am inclined to wonder aloud why anyone is even still peering
with any of the several ASNs mentioned in the report.  To me, the mere
fact that any of these ASNs still have connectivity represents a clear
and self-evident failure of "self policing" in and among the networks
that comprise the Internet.

Second, it has already been a well-known fact, both to me and to many
others, for some years now, that Webzilla is by no means alone in the
category commonly referred to as "bullet proof hosters".  This fact
itself raises some obvious questions.

It is clear and apparent, not only from the report linked to above, but
from the continuous and years-long existence of -many- "bullet proof
hosters" on the Internet that there is no shortage of a market for the
services of such hosting companies.  The demand for "bullet proof"
services is clearly there, and it is not likely to go away any time
soon.  In addition to the criminal element, there are also various
mischievous governments, or their agents, that will always be more
than happy to pay premium prices for no-questions-asked connectivity.

So the question naturally arises:  Other than de-peering by other networks,
are there any other steps that can be taken to disincentivize networks
from participating in this "bullet proof" market and/or to incentivize
them to give a damn about their received network abuse complaints?

I have no answers for this question myself, but I felt that it was about
time that someone at least posed the question.

The industry generally, and especially in the RIPE region, has a clear
and evident problem that traditional "self policing" is not solving.
Worse yet, it is not even discussed much, and that is allowing it to
fester and worsen, over time.

It would be Good if there was some actual leadership on this issue, at
least from -some- quarter.  So far I have not noticed any such worth
commenting about, and even looking out towards the future horizon, I
don't see any arriving any time soon.


Regards,
rfg







[anti-abuse-wg] Webzilla

2019-03-16 Thread Ronald F. Guilmette


Perhaps some folks here might be interested to read these two reports,
the first of which is a fresh news report published just a couple of
days ago, and the other one is a far more detailed investigative report
that was completed some time ago now.

https://www.buzzfeednews.com/article/kenbensinger/dossier-gubarev-russian-hackers-dnc

https://www.documentcloud.org/documents/5770258-Fti.html

Please share these links widely.

The detailed technical report makes it quite abundantly clear that
Webzilla, and all of its various tentacles... many of which even I didn't
know about until seeing this report... most probably qualifies as, and
has qualified as a "bullet proof hosting" operation for some considerable
time now.  As the report notes, the company has received over 400,000
complaints or reports of bad behavior, and it is not clear to me, from
reading the report, if anyone at the company even bothered to read any
more than a small handful of those.

I have two comments about this.

First, I am inclined to wonder aloud why anyone is even still peering
with any of the several ASNs mentioned in the report.  To me, the mere
fact that any of these ASNs still have connectivity represents a clear
and self-evident failure of "self policing" in and among the networks
that comprise the Internet.

Second, it has already been a well-known fact, both to me and to many
others, for some years now, that Webzilla is by no means alone in the
category commonly referred to as "bullet proof hosters".  This fact
itself raises some obvious questions.

It is clear and apparent, not only from the report linked to above, but
from the continuous and years-long existence of -many- "bullet proof
hosters" on the Internet that there is no shortage of a market for the
services of such hosting companies.  The demand for "bullet proof"
services is clearly there, and it is not likely to go away any time
soon.  In addition to the criminal element, there are also various
mischievous governments, or their agents, that will always be more
than happy to pay premium prices for no-questions-asked connectivity.

So the question naturally arises:  Other than de-peering by other networks,
are there any other steps that can be taken to disincentivize networks
from participating in this "bullet proof" market and/or to incentivize
them to give a damn about their received network abuse complaints?

I have no answers for this question myself, but I felt that it was about
time that someone at least posed the question.

The industry generally, and especially in the RIPE region, has a clear
and evident problem that traditional "self policing" is not solving.
Worse yet, it is not even discussed much, and that is allowing it to
fester and worsen, over time.

It would be Good if there was some actual leadership on this issue, at
least from -some- quarter.  So far I have not noticed any such worth
commenting about, and even looking out towards the future horizon, I
don't see any arriving any time soon.


Regards,
rfg



Re: [anti-abuse-wg] Google Privacy Abuse

2019-03-16 Thread ac
Serge,

This thread is not about safebrowsing... - there is no problem/abuse
with safebrowsing as the local list is compared by the browser to the
visited URL.

So: Safebrowsing is fine (No Abuse, afaik)

I understand that you, and many others, thought that this post is about
existing technology. No, it is "new" tech, that Google has introduced
in only one version of its Chrome product. Please do read my initial
post?

And yes, http anyone can see (it is not encrypted) 


It is good that we are discussing all this, as it helps even techs to
understand why the ABUSE by GOOGLE in this thread, is so dangerous and
why it is so important

What Google is now selling as "NEW technology" is in fact ABUSE and it
threatens world freedom as them doing this will "force" other browsers
to do the same in order to deliver faster speeds to their own users


On Sat, 16 Mar 2019 09:45:03 +0100
Serge Droz via anti-abuse-wg  wrote:

> Dear Ac & Fi
> 
> That was what I was replying to Fi's comment:
> 
> > If opera (like chrome, edge or firefox) check the URL to see if it
> > is "dangerous" (a phishing URL etc) then that is logged on their
> > end, when it checks the database to see if the link has been
> > flagged.  
> 
> 
> Re:
> > It is a simple technical fact that ISP's etc - Do Not Have, receive
> > or are able to read the actual URL. - Please do see the https
> > protocol itself, for additional information.  
> 
> Read my answer again: It said they can see it if it is http, but not
> if it is https.
> 
> Would you agree?
> 
> Re Fi's Question:
> > Please provide your source of information that chrome browsers rely
> > on a local blacklist.  
> 
> See https://blog.chromium.org/2012/01/all-about-safe-browsing.html
> 
> You can verify this yourself by looking at browser traffic with a MITM
> setup, e.g. using sslsplit
> 
> 
> Best
> Serge
> 
> 
> 
> 




Re: [anti-abuse-wg] Google Privacy Abuse

2019-03-16 Thread Serge Droz via anti-abuse-wg
Dear Ac & Fi

That was what I was replying to Fi's comment:

> If opera (like chrome, edge or firefox) check the URL to see if it
> is "dangerous" (a phishing URL etc) then that is logged on their
> end, when it checks the database to see if the link has been
> flagged.


Re:
> It is a simple technical fact that ISP's etc - Do Not Have, receive or
> are able to read the actual URL. - Please do see the https protocol
> itself, for additional information.

Read my answer again: It said they can see it if it is http, but not if
it is https.

Would you agree?

Re Fi's Question:
> Please provide your source of information that chrome browsers rely on a 
> local blacklist.

See https://blog.chromium.org/2012/01/all-about-safe-browsing.html

You can verify this yourself by looking at browser traffic with a MITM
setup, e.g. using sslsplit


Best
Serge




-- 
Dr. Serge Droz
Member of the FIRST Board of Directors   Senior Advisor
https://www.first.org                    https://www.ict4peace.org
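
The local-list comparison discussed in the message above, sketched as an added example (not part of the original thread and not Chrome's code). It assumes a hash-prefix design in which the browser stores truncated SHA-256 hashes of known-bad URL expressions; the function names, the 4-byte prefix length and the `.example` URLs are constructed for illustration, and URL canonicalization is omitted.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of each SHA-256 digest kept locally (assumed value)


def expressions(url):
    """Host-suffix / path-prefix combinations checked for one URL (simplified)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    labels = host.split(".")
    # Full host plus shorter suffixes, stopping before the bare TLD.
    hosts = [".".join(labels[i:]) for i in range(len(labels) - 1)] or [host]
    paths = [path + "?" + parts.query] if parts.query else []
    paths.append(path)
    segs = [s for s in path.split("/") if s]
    # Each parent directory of the path, from "/" downwards.
    paths += ["/" + "/".join(segs[:i]) + ("/" if i else "") for i in range(len(segs))]
    return [h + p for h in hosts for p in paths]


def prefix(expression):
    return hashlib.sha256(expression.encode()).digest()[:PREFIX_LEN]


def build_local_list(bad_expressions):
    """What the browser would download: truncated hashes, not URLs."""
    return {prefix(e) for e in bad_expressions}


def check(url, local_list):
    """Return (verdict, data that would leave the machine)."""
    hits = [p for p in map(prefix, expressions(url)) if p in local_list]
    if not hits:
        return "no-match", []  # decided locally, nothing is sent
    # Only the matching truncated hashes go out for confirmation.
    return "needs-confirmation", [h.hex() for h in hits]


if __name__ == "__main__":
    local = build_local_list(["phish.example/login/"])  # constructed sample entry
    print(check("https://phish.example/login/step2?id=1", local))
    print(check("https://nameofbank.example/login", local))
```

In this sketch a URL with no local match never produces any outbound data, and a match produces only an 8-hex-character truncated hash, which is the kind of traffic an interception proxy would show.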



Re: [anti-abuse-wg] Google Privacy Abuse

2019-03-16 Thread ac
this thread: Google Privacy Abuse

has NOTHING to do with safebrowsing and you are either deliberately
causing obfuscation or you are legit in your own confusion?
Simply: In my original post I included a link to slashgear.com

Please do read my initial post.

Then, regarding https URL's: 

It is a simple technical fact that ISP's etc - Do Not Have, receive or
are able to read the actual URL. - Please do see the https protocol
itself, for additional information.

You are correct in only one of your assertions and your feelings:

I agree 100% that this is an important topic



On Fri, 15 Mar 2019 20:37:04 +0100
Serge Droz via anti-abuse-wg  wrote:

> Your assertion is wrong:
> 
> Google safebrowsing works by comparing the URL to a local list, which
> the browser downloads from Google's Servers. Browsers do not send the
> URL to Google for checking.
> 
> See for example
> > https://superuser.com/questions/832608/what-is-being-send-to-received-from-safebrowsing-google-com-when-i-open-firefo
> >   
> 
> 
> Some ISPs in the US collect URLs from http traffic, but not https
> traffic, the latter does not work. That is indeed concerning, but has
> nothing to do with Google.
> 
> What Google or others see, however, is URLs going through URL
> shorteners, or the URLs you click on a Google page.
> 
> Also trackers, embedded in many websites deliver info back to Google
> (or whatever tracker site). This again is something that should be made
> a bit more transparent.
> 
> I do feel it is very important to base any discussions surrounding the
> important topics discussed on this list on verifiable facts and not on
> claims or fear.
> 
> 
> Best
> Serge
> 
> 
> 
> 
> On 15/03/2019 13:41, Fi Shing wrote:
> > /"And no, You are also wrong: Opera does not upload your visited
> > URL's to a third party server."/
> > 
> > If opera (like chrome, edge or firefox) check the URL to see if it
> > is "dangerous" (a phishing URL etc) then that is logged on their
> > end, when it checks the database to see if the link has been
> > flagged.
> > 
> > This is the price that people pay for "free" browsers.
> > 
> > Google protects you from "phishing websites", whilst archiving your
> > website access, and then sells that as marketing data to who ever
> > will buy it.
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> >  Original Message 
> > Subject: Re: [anti-abuse-wg] Google Privacy Abuse
> > From: ac mailto:a...@main.me>>
> > Date: Thu, March 14, 2019 8:16 pm
> > To: anti-abuse-wg@ripe.net 
> > 
> > Hi Esa,
> > 
> > No, you are wrong... the URL's are not available to anyone.
> > 
> > What is available to the ISP is the domain name lookup. (this
> > is also available to the DNS servers, etc - just the domain name)
> > 
> > And no, You are also wrong: Opera does not upload your visited
> > URL's to a third party server.
> > 
> > Up to now, nobody has even tried this as it is abuse / abusive
> > 
> > HTTPS URL's, themselves frequently contain personal data and
> > other sensitive info, as the URL itself is supposed to be part of
> > the encrypted session.
> > 
> > And, this is the whole point of all of this.
> > 
> > If Google starts saving all URL's and link that with the local
> > cache (because they control the local software), the effect will be
> > an increase
> > in speed (as the media does not have to come over the encrypted
> > session)
> > 
> > This will probably eventually FORCE Opera/Firefox/insert name
> > here - to also operate in this fashion, as users will want the
> > speed - and they will not know that it is less secure / less
> > private, etc.
> > 
> > This is a major issue and not a small issue, it will eventually
> > affect all of us.
> > 
> > for example, one of my bank URLs at login is:
> > 
> > https://nameofbank.com/login
> > 
> > then, later in the session:
> > https://nameofbank.com/?id=x=1
> > etc etc
> > 
> > This, right now, is not an issue as the URL itself is encrypted
> > 
> > it is a major invasion of privacy that a third party vendor,
> > supplying "free" software is also now recording url's which gives
> > them two advantages over the ethical software providers. Not only
> > that but that their "innovation" of breaking the HTTPS protocol,
> > may force other vendors to go down the same path as the "consumers"
> > are too lazy or uninformed to understand what is happening.
> > 
> > If society does nothing about this case of a multinational
> > leveraging people
> > against people's bad behavior (or poor choices - as Ronald
> > said: use a different browser) this will eventually affect us all.
> > 
> > On Thu, 14 Mar 2019 09:53:47 +0100
> > Esa Laitinen mailto:e...@laitinen.org>> wrote:
> >   
> > > On Thu, Mar 14, 2019 at 6:05 AM ac wrote:
> > > > HTTPS protocol, by design, is secure and private.
> > > >
> > > > The