Re: [anti-abuse-wg] Seeking Input on the Future of the Anti-Abuse Working Group

[Nick Hilliard]

Serge,

there's been extensive debate on AAWG over the years about the 
principles behind your additional suggestions below, but very little 
consensus. If sanctioning is added to the charter of a new security-wg, 
this lack of consensus is likely to continue, and the only outcome will 
be that the WG will be distracted from other productive output. I 
understand why you might want it in there, but punitive action is not 
within the remit of the RIPE NCC. Similarly on point 2, advocacy is 
important, but requirement / enforcement is out of scope for both the 
RIPE Community and RIPE NCC.


Nick

Serge Droz via anti-abuse-wg wrote on 10/05/2024 07:21:


Hi Leo

It's more about sharpening the focus. I colored this red below. I feel 
eventually the RIPE NCC must adapt stronger policies to punish 
non-action or disregard of action. I think it would be better if this 
WG comes up with such policies which the RIPE NCC can then adopt (or 
not) rather than the RIPE NCC having to react to external pressure, 
e.g. from policy makers, in particular the EU. I'm sure one can 
formulate this much better. I firmly believe, that there is no way 
around stronger regulation, and I'd much rather see this coming from 
this community than form the outside. The regulators i see and work 
with are increasingly irritated and react with totally inadequate 
demands, which I wont reproduce here.


 1. Identifying and analyzing emerging security threats and
vulnerabilities affecting Internet infrastructure.
 2. Collaborating with stakeholders, in particular the RIPE community,
to develop and advocate and implement best practices, guidelines,
and standards for securing Internet resources.
 3. Facilitating information sharing and cooperation among network
operators, law enforcement, and relevant entities to mitigate
security risks.
 4. Providing education, training, and outreach initiatives to raise
awareness of security issues and promote best practices adoption.
 5. Develop policies recommendations to the RIPE NCC that help
enforcing good behavior and sanction disregard for faccepted
security standards. This includes the definition of acceptable
minimal standards.

Best regards
Serge

On 09.05.24 21:39, Leo Vegoda wrote:

Hi Serge,

On Thu, 9 May 2024 at 11:41, Serge Droz via anti-abuse-wg
  wrote:

Hi Leo

We can only recommend the community, obviously.

I agree.


So these aare the best
practices

We can recommend that RIPE NCC changes its rules and procedures to
address certain issues.

As a WG, if I'm correct we have no other power.

Based on thisl, I don't understand what's missing from the draft text.
Maybe you could suggest some specific edits?

Kind regards,

Leo

--
Dr. Serge Droz
Member, FIRST Board of Directors
https://www.first.org




-- 

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

Re: [anti-abuse-wg] Seeking Input on the Future of the Anti-Abuse Working Group

[Suresh Ramasubramanian]

Of course. Without serge’s point 5 though,  I doubt whether the rechartering 
will have very much use or effect.

--srs

From: anti-abuse-wg  on behalf of Nick Hilliard 

Sent: Friday, May 10, 2024 5:27:44 PM
To: Serge Droz 
Cc: anti-abuse-wg@ripe.net 
Subject: Re: [anti-abuse-wg] Seeking Input on the Future of the Anti-Abuse 
Working Group

Serge,

there's been extensive debate on AAWG over the years about the principles 
behind your additional suggestions below, but very little consensus. If 
sanctioning is added to the charter of a new security-wg, this lack of 
consensus is likely to continue, and the only outcome will be that the WG will 
be distracted from other productive output. I understand why you might want it 
in there, but punitive action is not within the remit of the RIPE NCC. 
Similarly on point 2, advocacy is important, but requirement / enforcement is 
out of scope for both the RIPE Community and RIPE NCC.

Nick

Serge Droz via anti-abuse-wg wrote on 10/05/2024 07:21:

Hi Leo

It's more about sharpening the focus. I colored this red below. I feel 
eventually the RIPE NCC must adapt stronger policies to punish non-action or 
disregard of action. I think it would be better if this WG comes up with such 
policies which the RIPE NCC can then adopt (or not) rather than the RIPE NCC 
having to react to external pressure, e.g. from policy makers, in particular 
the EU. I'm sure one can formulate this much better. I firmly believe, that 
there is no way around stronger regulation, and I'd much rather see this coming 
from this community than form the outside. The regulators i see and work with 
are increasingly irritated and react with totally inadequate demands, which I 
wont reproduce here.

  1.  Identifying and analyzing emerging security threats and vulnerabilities 
affecting Internet infrastructure.
  2.  Collaborating with stakeholders, in particular the RIPE community, to 
develop and advocate and implement best practices, guidelines, and standards 
for securing Internet resources.
  3.  Facilitating information sharing and cooperation among network operators, 
law enforcement, and relevant entities to mitigate security risks.
  4.  Providing education, training, and outreach initiatives to raise 
awareness of security issues and promote best practices adoption.
  5.  Develop policies recommendations to the RIPE NCC that help enforcing good 
behavior and sanction disregard for faccepted security standards. This includes 
the definition of acceptable minimal standards.

Best regards
Serge

On 09.05.24 21:39, Leo Vegoda wrote:

Hi Serge,

On Thu, 9 May 2024 at 11:41, Serge Droz via anti-abuse-wg
 wrote:


Hi Leo

We can only recommend the community, obviously.


I agree.



So these aare the best
practices

We can recommend that RIPE NCC changes its rules and procedures to
address certain issues.

As a WG, if I'm correct we have no other power.


Based on thisl, I don't understand what's missing from the draft text.
Maybe you could suggest some specific edits?

Kind regards,

Leo


--
Dr. Serge Droz
Member, FIRST Board of Directors
https://www.first.org



-- 

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

Re: [anti-abuse-wg] Seeking Input on the Future of the Anti-Abuse Working Group

[Serge Droz via anti-abuse-wg]

Hi Nick

I agree. But what you are saying, is that the WG should continue having no 
tangible effect, because the status quo is more important than getting out of 
one's comfort zone. 

Meanwhile others will, in my opinion, push for policy change. And these others 
likely lack crucial insight, i.e. will produce policies that have undesirable 
side effects. 

The question was if we want to recharter this WG, so I answered what I felt 
merits the name. 

I like the training the WG produced in the past, but I don't remember much else.

If we want to make a concrete contribution to fighting abuse, we may have to 
leave our comfort zone. The internet and the world it lies within has changed 
considerably in the past years. This would suggest we should too. 

But I think I made my point by now, and I realise it's not a comfortable one. 

Best 
Serge

On 10 May 2024 11:57:44 UTC, Nick Hilliard  wrote:
>Serge,
>
>there's been extensive debate on AAWG over the years about the principles 
>behind your additional suggestions below, but very little consensus. If 
>sanctioning is added to the charter of a new security-wg, this lack of 
>consensus is likely to continue, and the only outcome will be that the WG will 
>be distracted from other productive output. I understand why you might want it 
>in there, but punitive action is not within the remit of the RIPE NCC. 
>Similarly on point 2, advocacy is important, but requirement / enforcement is 
>out of scope for both the RIPE Community and RIPE NCC.
>
>Nick
>
>Serge Droz via anti-abuse-wg wrote on 10/05/2024 07:21:
>> 
>> Hi Leo
>> 
>> It's more about sharpening the focus. I colored this red below. I feel 
>> eventually the RIPE NCC must adapt stronger policies to punish non-action or 
>> disregard of action. I think it would be better if this WG comes up with 
>> such policies which the RIPE NCC can then adopt (or not) rather than the 
>> RIPE NCC having to react to external pressure, e.g. from policy makers, in 
>> particular the EU. I'm sure one can formulate this much better. I firmly 
>> believe, that there is no way around stronger regulation, and I'd much 
>> rather see this coming from this community than form the outside. The 
>> regulators i see and work with are increasingly irritated and react with 
>> totally inadequate demands, which I wont reproduce here.
>> 
>>  1. Identifying and analyzing emerging security threats and
>> vulnerabilities affecting Internet infrastructure.
>>  2. Collaborating with stakeholders, in particular the RIPE community,
>> to develop and advocate and implement best practices, guidelines,
>> and standards for securing Internet resources.
>>  3. Facilitating information sharing and cooperation among network
>> operators, law enforcement, and relevant entities to mitigate
>> security risks.
>>  4. Providing education, training, and outreach initiatives to raise
>> awareness of security issues and promote best practices adoption.
>>  5. Develop policies recommendations to the RIPE NCC that help
>> enforcing good behavior and sanction disregard for faccepted
>> security standards. This includes the definition of acceptable
>> minimal standards.
>> 
>> Best regards
>> Serge
>> 
>> On 09.05.24 21:39, Leo Vegoda wrote:
>>> Hi Serge,
>>> 
>>> On Thu, 9 May 2024 at 11:41, Serge Droz via anti-abuse-wg
>>>   wrote:
 Hi Leo
 
 We can only recommend the community, obviously.
>>> I agree.
>>> 
 So these aare the best
 practices
 
 We can recommend that RIPE NCC changes its rules and procedures to
 address certain issues.
 
 As a WG, if I'm correct we have no other power.
>>> Based on thisl, I don't understand what's missing from the draft text.
>>> Maybe you could suggest some specific edits?
>>> 
>>> Kind regards,
>>> 
>>> Leo
>> -- 
>> Dr. Serge Droz
>> Member, FIRST Board of Directors
>> https://www.first.org
>> 
>> 
>

--
Dr. Serge Droz
Director, Forum of Incident Response and Security Teams
https://first.org-- 

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg