Re: [anti-abuse-wg] anti-abuse-wg Digest, Vol 59, Issue 7

2016-09-06 Thread Gunther Nitzsche
Hi,

(long answer again..:-/ )

On 09/06/2016 08:21 AM, ox wrote:
> On Tue, 6 Sep 2016 07:08:05 +0100
> Richard Clayton  wrote:
>>> "The non sanctioned use of a resource to infringe upon the usage
>>> rights of another resource"
>>>
>>> (1) Resource
>>> Any Internet Resource
>> that's a recursive definition -- which doesn't assist much 
>>
> Okay, how can it be improved?
>
> All Internet resources?
>
That is still recursive. (as I wrote before).  And as I also wrote:

"The posted suggestion of "abuse" currently does not even fit for
the case where several (more than two) "resources" are involved."

You ignored this fact completely.

>> So..suggestion: abuse somehow is the violation of local laws and AUPs
>> of the involved providers. (Someone might want to finalize that in
>> correct english)
>
> But not all Internet abuse is in violation of laws, and, just because
> it is not illegal, are you saying that because it is not illegal, it
> means that it is not abuse?

If it is legal, you can't sue your customer. It may be immoral, (is that
an english word?) but yes.. if the act in question is not stated
(somehow) in the (local) law or in the additional AUPs and contracts
then the person in question can always argue, it was no abuse.
If it is not forbidden, it is allowed.
If it is allowed it is hard to call it abuse.
Somewhere else it might be forbidden and considered abuse.
It just depends..
Sometimes things are so easy ;)

What is hard for anyone offering internet services is to
define an appropriate acceptable use policy which covers at least
most possible abusive behaviour cases..


>>> (4) Sanctioned
>>> An action, event or situation originating from the authoritative
>>> holder of rights to a resource that gives permission, or permission
>>> is granted by direct implication, which authorises that situation,
>>> event or action.   
>> excellent, the negation has disappeared

That doesn't say much. Example: Email sender provider supports sending
advertisements; because it might be just normal in that culture. So the
mail is sanctioned.
The receiver lives under different laws in a different culture where
unsolicited email is unwanted and considered abuse. Now what.. The sending
of the email is not abuse, but receiving the mail is?

>Infringement upon the use of a resource by the assignor or
>administrative holder of rights to a resource


assignor of a resource? What is that? (if you even say login-credentials
are a resource, a smtp-server is a resource, cpu-cycles are,
domain-names are.. )

Let's get back to RIPE: if RIPE NCC assigns ip-space to a provider, how
does the assignor (RIPE) see an infringement if someone sends (sanctioned,
see above) spam-emails from there?

I do not like the whole concept of these resources.

In the sentences below you now also have added the task to define "fair
use" ..

I know that Andre will immediately answer this mail and he will pick only
some parts and insist on his "resources"...
But I want to focus on the two statements:

* the restriction to (undefined) resources in an abuse-definition is not
  helpful
* abuse is interpreted differently in different parts of this world;
  therefore we should stick with written papers.. contracts, laws, AUPs.

like: (internet) abuse is the violation of valid legal interests (laws,
contracts, AUPs) to the detriment of a third party

..to be discussed:)

(Just found the word detriment..:)

best greetings,

Gunther

> Yeah, but now it does not cater for orphan resources
>
> Remember that; 
>
> If a resource is used with permission to abuse another resource = abuse
>
> So, the negation exists to allow the abuse to the resource (itself) by
> it's 'upstream'
>
> Which is why sanctioned - now works... (in the new order - after
> infringement...)
>
> (4) Infringe
> An action, event or situation which limits, reduces, undermines or
> encroaches upon the fair use of a resource
>
> (5) Sanctioned
> Infringement upon the use of a resource by the assignor or
> administrative holder of rights to a resource
>
> Andre
>
>


NetCologne Systemadministration
-- 
NetCologne Gesellschaft für Telekommunikation mbH
Am Coloneum 9 ; 50829 Köln
Managing Directors:
  Timo von Lepel,
  Mario Wilhelm
Chairman of the Supervisory Board:
  Dr. Andreas Cerbe
  HRB 25580, AG Köln





Re: [anti-abuse-wg] Definition of Internet Abuse * pre-final

2016-08-31 Thread Gunther Nitzsche


On 31.08.2016 at 06:35, Marilson wrote:
> On Aug 29, 2016 Andre Coetzee wrote:
>> 2. I do not understand Marilson's objections - apparently if someone
>> steals your pc it is Internet abuse, I eventually thought he meant that
>> the computer was stolen and used to send spam, --> but the definition
>> works for that, he agreed the definition stands...,
>> but then he seems to say that it does not? for an unknown and
>> non specific reason except that it may or may not include defining
>> "theft"
>  
> Definitions Endless

Yes, but not in a helpful way..
The whole concept of these "resources" is fruitless and will not
bring us anywhere.

Let's see the definition posted so far:
(1) Resource
Any Internet Resource

which means:
1) what is "recursive"?
  Answer: see 1)

The posted suggestion of "abuse" currently does not even fit for
the case where several (more than two) "resources" are involved.
If a spam-email is received - what is the resource being abused?
(the definition speaks of "one") The Zombie-Bot sending the email?
The credentials used for sending? The mailserver used for sending?
The upstream providers involved? The brand which was phished? The
receiver who reads (or reads not) the mail? The Mailprovider giving
storage? The abuse-team which might investigate? And so on..

In the end it is "humans" who are abused; the provider can act
only if that kind of abuse is then somehow published in its AUPs.
So they should contain some broad terms which might be interpreted
by a reasonable abuse department. At least a violation of the local
laws should be included, so that a contract can be cancelled or
other actions be taken. And yes, if there are new forms of misuse
(abuse) not covered by the AUPs, then the AUPs have to be changed.

In the end, all anti-abuse decisions must be that good that they could
stand a trial; if sending spam is allowed in a country/at a provider
then it is hard to take countermeasures.

So..suggestion: abuse somehow is the violation of local laws and AUPs of
the involved providers. (Someone might want to finalize that in correct
english)
We might come here to a majority decision; I don't want to argue
on Andre`s resources again..


> Marilson

best greetings,
Gunther





Re: [anti-abuse-wg] Definition of Abuse - preamble

2016-08-25 Thread Gunther Nitzsche
On 08/25/2016 04:38 PM, ox wrote:
> ...
> I did not reply to this, as it will involve me being somewhat direct but,
>
> I have a serious problem with people when they disagree just to argue
> or for no real reason.

Hmm.. I still do not see any arguments against my abuse
definitions except: no, I want mine.

You are getting somewhat emotional here - no good.

>
> This means that they have a different intent - or agenda - or something
> and it serves only to disrupt 
>  

My intent is to have a most broad definition of abuse as possible.
You seem to intentionally want to restrict this definition. I just
don't know why. But if other members of this list tend more
to your definition, it will be fine for me.

 I even doubt that the anti-abuse-working-group is limited to
 network based abuse. Entering wrong registration data (let's say by
 FAX) could also be covered by this group though it is not a network
 based abuse.

> This is not an abuse group for battered men or battered women or abused
> animals.

What are you talking about? Yes, this group is not about animals, I agree ..
but what the heck..?


>
> It is a network abuse group.
>
> No, it is not an abuse group for people whose pc's has been stolen or
> abused in their homes.
>
> No, it is not an abuse group for old fax machines or faxing of fake
> documents to anyone or even for that matter faxing of documents to
> commit fraud.
Says who?  You are, as I do, a member of this mailing list and
therefore a standard member of the anti-abuse-working-group.  As far
as I know you are no chair nor co-chair of this group and you
are not in the position to define what to discuss in this group or not.
(neither am I)

I don't care if abuse is committed by old or new fax machines; if it
somehow involves our/any abuse-department I do care. And if I (or
i.e. legal authorities) cannot identify a fraudster because of a fake
registration (DNS, IP-Allocation, whatsoever..) then I do see a direct
relation to this group, regardless of the used technique.

So yes, it *might* be the case that a fax triggers an abuse case.

I don't want to talk about fax machines all the time - I just want
a definition of abuse and of the goals of this group which *allows*
me  and others to discuss abuse incidents regardless of the terms
"internet abuse" or "a second resource". I don't think, that
this wish is that abstruse..



>It is the RIPE Anti Abuse WG --- We discuss network abuse
Well, I do not see very much discussing here - just a very "blocking"
attitude.



tl;dr:
I prefer a very broad definition of abuse not restricted to "internet abuse"


best greetings,

Gunther

NetCologne Systemadministration





Re: [anti-abuse-wg] Definition of Abuse - preamble

2016-08-25 Thread Gunther Nitzsche
On 08/25/2016 03:36 PM, ox wrote:
> On Thu, 25 Aug 2016 15:28:58 +0200
> Gunther Nitzsche  wrote:
>> On 08/25/2016 02:38 PM, ox wrote:
>>> Get it yet?
>>>
>> No. Sorry. :-(
> okay, I will try to explain it better :)
>
>
> Normal bitcoin mining abuse = You --> CPU
>
> Anyway, Internet abuse same principle One resource --> another resource
>
> Get it now?
I know what you mean, but I don't follow you here. I do not
want this restriction and cannot see one reason why you
insist on this.
>> "If you use my server to do something. " Stop.
>> I do not need "another resource". I wonder what arguments
>> you have against my suggestion of wording.
>>
>> I even doubt that the anti-abuse-working-group is limited to
>> network based abuse. Entering wrong registration data (let's say by
>> FAX) could also be covered by this group though it is not a network
>> based abuse.
>>
> wrong registration data by fax - is not Internet abuse (doubtful if it
> even normal or just abuse...)

First: I do not know why you also insist on "internet abuse" - I did not
see any mention of this restriction in the existing charter of this group
Second: It might very well turn into "Internet abuse" i.e. when it comes
to find out sources of (other) abuse related actions. If the whois-record
is wrong, one could identify this registration fake as abuse. (the severity
might vary) So it might be a good idea to have this issue on topic right
from the beginning.

In your definition a registration fake is no abuse because only one
resource is involved *and* because it did not happen via the internet;
in my definition it is and it belongs to the topics of this group.

We can setup a doodle for this :)

As long as we don't hear other opinions on this I step back again ..


best greetings,

Gunther
>> No artificial restrictions please; they might hurt us later on.
>>
>>
NetCologne Systemadministration





Re: [anti-abuse-wg] Definition of Abuse - preamble

2016-08-25 Thread Gunther Nitzsche
On 08/25/2016 02:38 PM, ox wrote:
> Hello Gunther,
>
> Okay, I have read through your reply and it seems you do not understand
> that a single resource is not a network.
>
> Internet Abuse - Needs two resources - otherwise it is not a network
> and by default - not Internet Abuse.
>
> If you are on my server:
> unauthorized - is abuse
> authorized - is not abuse
>
> If you use my server to do something to another resource... 
>
> Get it yet?
>
No. Sorry. :-(
"If you use my server to do something. " Stop.
I do not need "another resource". I wonder what arguments
you have against my suggestion of wording.

I even doubt that the anti-abuse-working-group is limited to
network based abuse. Entering wrong registration data (let's say by
FAX) could also be covered by this group though it is not a network
based abuse.

No artificial restrictions please; they might hurt us later on.

best greetings,

Gunther

NetCologne Systemadministration





Re: [anti-abuse-wg] Definition of Abuse - preamble

2016-08-25 Thread Gunther Nitzsche
On 08/24/2016 12:21 PM, ox wrote:
> yes at least 2 different resources always has to be involved for it to
> be Internet Abuse 

Thanks for pointing this out, but I don't get it .. why do you want to
restrict the definition in this way? There might be the case that next
year someone brings up a topic of abuse not covered by this restriction
and people involved start to argue. I prefer to be as general as possible
when defining such a word.

...
> if you use the same resource it is not Internet Abuse - as in your own
> example using someone's CPU to mine bitcoin and doing so on the CPU
> directly, is not Internet Abuse (it is very abusive, though!)

Of course it is - I remotely (via the internet) control your server,
doing abusive things. If someone would complain
at abuse@ about such an incident I would expect the source provider to
act accordingly.
The remote control can be a security breach, but that is not the point.


> if you have broken in/compromised security etc - it is Internet abuse,
> in terms of the current definition In the example of directly using my
> email server to send spam it falls within the definition of Internet
> abuse as defined above :) 

I do not see the second resource involved in this case.

So therefore I would like to change the sentence to:

"The infringement of usage rights by the non sanctioned use of resources"

along with your additional definitions.. (This includes >=1 resources..)

(Someone might correct my english)

(instead of:
"The non sanctioned use of a resource to infringe upon the usage rights
of another resource"
")



and btw ..  I would also like to see Ronald's valid questions answered.

If there are no actions, sanctions whatsoever following the definition of
abuse and the ongoing discussions here then this Group has officially
turned into a Debate Club of old nerds (including me:), being probably
kind of ... how do I say...inefficient?   (at least as a RIPE working group)


...But.. On the other hand:  https://www.ripe.net/support/abuse :

"The RIPE community has an Anti-Abuse Working Group that discusses topics
relating to Internet abuse and ways to prevent it. If you are interested
in abuse topics, you may want to join the Anti-Abuse Working Group
Mailing List."


and:
https://www.ripe.net/participate/ripe/wg/anti-abuse :  
(as Brian said in 2013:
"The main text of that page is the WG Charter. It may be useful to be
more explicit on this, but that is the charter. "

"...The working group considers both technical and non-technical aspects
of abuse, with the following goals:

  * Produce and continue to update a BCP (Best Common Practice) document
    for ISPs similar in nature to RIPE-409 but covering a wider range of
    possible abusive behaviours.

  * Provide advice (beyond that of the BCP) to relevant parties within
    the RIPE region such as ISPs, governments and law enforcement
    agencies on strategic and operational matters.

  * Discuss and disseminate information on technical and non-technical
    methods of preventing or reducing network abuse."


That could mean we should just focus on the configuration of
spamassassin and force the use of dmarc and x-arf and talk about
"to block or not to block a failed DKIM E-Mail" like other anti-abuse
groups do instead of e.g. trying to force RIPE NCC to terminate LIR
contracts based on abusive behaviour. (no irony)

So instead of searching a definition of abuse (which will be really
helpful I believe) we also could start to (re-)define the goals of this
group. If there would be consensus that it is not the task of this group
to discuss also anti-abuse behaviour of RIPE/RIPE NCC or how to treat
LIRs, then we can happily focus on other things. (In that case: sorry
Ronald..) But that would not be my opinion..



>Andre

(searching for cover:)
best greetings,
Gunther

NetCologne Systemadministration

-- 

(The opinions expressed here represent my own and not those of my employer.)





Re: [anti-abuse-wg] Definition of Abuse - preamble

2016-08-24 Thread Gunther Nitzsche
Hi,

On 08/24/2016 10:05 AM, Andre Coetzee wrote:
>
> =
> Definition of abuse 
> =
>
> "The non sanctioned use of a resource to infringe upon the usage rights
> of another resource"
>
> ---
>
another? In the meaning of "a different" or at least  "an additional"
resource?
If I use (abuse) a resource which directly infringes your usage rights,
this behaviour would not fall in this definition because there is not
"another"
resource involved..?

example .. aehh.. like... I use your cpu-time for calculating bitcoins..?
I use your mailserver for spamming?

Maybe I just don't get the english words right :)

best greetings,
Gunther

NetCologne Systemadministration





Re: [anti-abuse-wg] Updated Document: Abuse Contact Data Sets

2016-01-22 Thread Gunther Nitzsche
On 01/20/2016 05:22 PM, Brian Nisbet wrote:
> Colleagues,
>
> The group working on this document (L. Aaron Kaplan, Mirjam Kühne,
> Christian Teuschel) have produced a new draft. This draft contains a
> number of updates, based on feedback from the community.
>
> The main changes are:
>
> - clarified terminology such as abuse handler, security incident,
> registrant, national CERT, etc.
> - clarified problem statement
> - removed specific mentioning of name-based services in the problem
> statement
> - used "European" examples
> - added API details for Nation CSIRT DB
> - elaborated on conclusion and next steps
>
> This document was sent to me earlier in the week, but for various
> reasons I didn't manage to forward it on to you all until now. With
> the TF-CSIRT meeting happening next week it would be great if we could
> gather any further feedback before the end of this week, but I realise
> that is quite a short term period, for which I apologise. So I'm not
> proposing a hard cut-off by end of day on Friday, but I think it would
> be extremely useful if people could try to post to the list before then.
>
> This would hopefully allow the authors to go to the TF-CSIRT meeting
> with a very nearly final draft and then complete it shortly afterwards.
>
> Certainly I would propose no more than a working week to receive other
> feedback, so we'd be looking at the end of Wednesday 27th.
>
> Thanks,
>
> Brian
> Co-Chair, RIPE AA-WG



Some notes to the text:

. Problem Statement
CERTs need to look up contact information frequently


that might not hit the problem completely. Abuse-contacts are usually
contacted by victims, spamtrap/honeypot/incident reporters
or just by abuse-aware mailserver providers. CERTs are a very small
sub-section of contacts - important, but definitely not the main
abuse-contact searchers.
 

The first example - hacked webpages - is also not completely the way how
reporters (the ones I know) work.
admin-c and tech-c are good targets for the complaint; but there is no
need to find more and more hacked webspaces in the same ip-range before
contacting the ip-address owner. That means: the reporter resolves
the (first (!)) webpage address to an ip-address and contacts the owner
of this ip-address (who is either responsible for the content by himself
or has some kind of contract with the domain-owner)
In the end it is always the owner of the ip-address who can put an end
to abuse.

In the end of "4" it says:  "This document aims at describing these
different datasets "
but it is not described what "these" datasets are. In the lines before
that only problems with existing sources are listed.



In the end of section 5 it reads:

"Sometimes an incident reporter might want to contact a single point of
contact (PoC) for a whole country."

I would change that to: "in very rare cases.." 


*6. Existing Datasets*

If you say:  we list various datasets that can be used by incident
reporters to determine the right contact information

then it might not be the right idea to list sources who are "member
only" restricted or give only information about listed members like
the 6.1. This list may be helpful (?) for CERTs contacting other CERTs,
but it is not an obvious source for "the incident reporter"

Same problem with 6.2: https://www.first.org/
This list may be helpful (?) for CERTs contacting other CERTs, but it is
not an obvious source for "the incident reporter". It is "the global
Forum for Incident Response and Security Teams", not a source for an
"incident reporter" to determine an abuse address. The API only lists
FIRST members. Not very helpful in the day-to-day abuse contact search.

6.3 CSIRT Database...yes, nice..but ..it has nothing to do with the
search for a direct
abuse contact for a given incident.

6.4. Enisa .. even more CERTs...no api

6.5 even more CERTs ..

6.6 here we go..there is a source!

6.7. again: CERTs...

I would mention the CERT-stuff, but the only important contact for the
"incident reporter" in
this list is RIPE.

So the conclusion of the document:

"This document lists a number of known datasets that contain abuse
contacts.."

does not really fit the intention and the content of the document.

--
What I am missing:

* name based search: which whois databases are out there; maybe which
  format do they use in the output, which email-address in the output
  should be used as contact.

* ip-based search: which sources can really be asked (by the public
  and/or by CERTs)
  (like abusix, which was for some strange reasons not included. (Some
  Data Sets mentioned in the document include also "second hand sources" -
  can't see a difference to abusix)


While there might be a need or at least interest in a document like this
I would change the targeted audience from

" This document is targeted towards CERTs and abuse handlers as well as
professionals working on automating IT security incident handling."

to something like

" This document is targeted 

Re: [anti-abuse-wg] Sources of Abuse Contact Info For Abuse Handlers

2015-11-25 Thread Gunther Nitzsche
On 11/25/2015 12:17 PM, Mirjam Kuehne wrote:
> Hi,
>
> Thank you all for your feedback on the list and also in person during
> the RIPE Meeting. We will see how we can best incorporate your comments
> and will send a new version of the document to the list shortly.
>
> Kind regards,
> Mirjam
>


Thanks for the document, seems to be helpful!

One point: I miss the publicly available ABUSIX database, which is
very complete and accurate. (still some addresses missing, especially
for AFRINIC, but hey..)

https://abusix.com/contactdb.html


Since they are actively sending out millions of complaints every
day, they should know where to send them to.

This is at least my preferred source for finding an abuse contact.

I wonder why this DB is not included in the document, especially
since Tobias Knecht, former co-head of this working group, is the
founder of Abusix..


The part for geolocation is indeed not necessary or helpful imho.

best greetings,

Gunther

NetCologne Systemadministration
-- 
NetCologne Gesellschaft für Telekommunikation mbH
Am Coloneum 9 ; 50829 Köln
Managing Directors:
  Jost Hermanns,
  Mario Wilhelm
Chairman of the Supervisory Board:
  Dr. Andreas Cerbe
  HRB 25580, AG Köln



