Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

2017-01-06 Thread ox

Richard,

We are in agreement about despots, thank you for adding semantics and
details. In order to communicate the problem, I found that it is
required to argue it in terms of "post-truth"; otherwise, your pov will
be rejected, outright or, at best, result in very long explanations
(and being called a troll, etc.). Many people are simply stuck in what
they think the truth is and showing them "another truth" is not that
easy. More so if they are strongly opinionated DNS ops who believe
that they are "doing the right thing".

Anyway, my main objection still is that we cannot legitimize
Distributed Denial of Service software. We cannot legitimize Brute
Force cracking Software - So we also cannot legitimize RPZ

RPZ is unethical.


Arguing that RPZ is used for good is EXACTLY the same as using a DDOS
tool to "take out" a network or server.

A botnet or drt-botnet can be used for "good" in exactly the same
fashion RPZ is used for "good".


RPZ is simply unethical and very wrong. There is no due process, there
is simple vigilante behavior. And there are lies to users and then
deception, on top of different lies.

Reference to President Elect Donald Trump and North Korea IS 100%
related to this WG, here is why:

RPZ is a tool that works in exactly the same way as nuclear weapons do:

If 8.8.8.8 tells you example.com is at c.c.c.c and someone else that
example.com is at q.q.q.q - and simply starts making up its own answers -
it will be far too late for you to even try to explain to anyone that
there is a problem, as the people that understand the problem and will
listen to you ARE GETTING FEWER each passing day.

Of course: 8.8.8.8 will be telling you these lies - TO PROTECT YOU, so
it is perfectly fine...?


Then there is the simple TECHNICAL view: 
--
DNS firewalls are stupid.

This is NOT the real reason we have RPZ...

The real reasons we have RPZ has NOTHING to do with abuse protection,
as it is a stupid tool.

The people that are actively using RPZ to "protect" their users are
finding that it is a piss poor method and that their users are as
compromised as any other non-RPZ user pool.

"protecting users" is simply a smoke screen as the real reasons for RPZ
are quite EVIL.

And, it is EVIL for almost everyone (99%), from ethical ISPs to low life
cyber crime scumbags.

Andre

 

On Fri, 6 Jan 2017 12:18:30 +
Richard Clayton  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> In message , ox  writes
> 
> >The Bind software is the dominant DNS software on the planet.
> >
> >The IETF doc, relating to RPZ - is intended for Bind ops.
> 
> Not really -- it's an attempt to document what Bind does in a way that
> will make it easier for other platforms to do the same thing (it turns
> out that there's a lot of interaction with the innards of Bind and
> setting out the semantics in a way that is platform independent is not
> as simple as you might initially think).
> 
> >If left unchallenged, RPZ will become a standard (RFC)
> 
> Not in the short term and not in the medium term either... there is a
> difference between a standard and an RFC -- as Jon Postel set out two
> decades ago
> 
> https://tools.ietf.org/html/rfc1796
> 
> >Which will legitimize it. 
> 
> As it happens, I agree with that view (since I think that many people
> completely erroneously conflate RFCs with standards).
> 
> >What I am objecting to, is that non ethical software and systems are
> >being legitimized.
> 
> As it happens, I agree that there are serious ethical issues with RPZ.
> And I said so in an academic paper about ethics (as applied to
> research into online criminality) several years back
> 
> http://www.cl.cam.ac.uk/~rnc1/ntdethics.pdf
> 
> I've recently re-expressed my opinion on the relevant IETF list, that
> the document should not be adopted by the Working Group.
> 
> Essentially I believe documenting RPZ in a platform independent way
> will lead to some Governments taking the view that they can censor
> the web by compelling the consumption of an Officially Endorsed RPZ
> feed -- at present, the fact that many platforms do not implement RPZ
> at all (or in what is probably an inconsistent manner) gives them
> some pause. I think we remove that (admittedly small for some regimes
> around the world) roadbump at our peril.
> 
> - -- 
> richard   Richard Clayton
> 
> Those who would give up essential Liberty, to purchase a little
> temporary Safety, deserve neither Liberty nor Safety. Benjamin
> Franklin 11 Nov 1755
> 
> -BEGIN PGP SIGNATURE-
> Version: PGPsdk version 1.7.1
> 
> iQA/AwUBWG+LFju8z1Kouez7EQKaMwCeOntURBJAr/IKbWtos9rb5yQzsOMAnRNO
> QmGUXnqCk56ANjr9wLoXHvxn
> =A6Jd
> -END PGP SIGNATURE-
> 




Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

2017-01-06 Thread Richard Clayton
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

In message , ox  writes

>The Bind software is the dominant DNS software on the planet.
>
>The IETF doc, relating to RPZ - is intended for Bind ops.

Not really -- it's an attempt to document what Bind does in a way that
will make it easier for other platforms to do the same thing (it turns
out that there's a lot of interaction with the innards of Bind and
setting out the semantics in a way that is platform independent is not
as simple as you might initially think).

>If left unchallenged, RPZ will become a standard (RFC)

Not in the short term and not in the medium term either... there is a
difference between a standard and an RFC -- as Jon Postel set out two
decades ago

https://tools.ietf.org/html/rfc1796

>Which will legitimize it. 

As it happens, I agree with that view (since I think that many people
completely erroneously conflate RFCs with standards).

>What I am objecting to, is that non ethical software and systems are
>being legitimized.

As it happens, I agree that there are serious ethical issues with RPZ.
And I said so in an academic paper about ethics (as applied to research
into online criminality) several years back

http://www.cl.cam.ac.uk/~rnc1/ntdethics.pdf

I've recently re-expressed my opinion on the relevant IETF list, that
the document should not be adopted by the Working Group.

Essentially I believe documenting RPZ in a platform independent way will
lead to some Governments taking the view that they can censor the web by
compelling the consumption of an Officially Endorsed RPZ feed -- at
present, the fact that many platforms do not implement RPZ at all (or in
what is probably an inconsistent manner) gives them some pause. I think
we remove that (admittedly small for some regimes around the world)
roadbump at our peril.

- -- 
richard   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755

-BEGIN PGP SIGNATURE-
Version: PGPsdk version 1.7.1

iQA/AwUBWG+LFju8z1Kouez7EQKaMwCeOntURBJAr/IKbWtos9rb5yQzsOMAnRNO
QmGUXnqCk56ANjr9wLoXHvxn
=A6Jd
-END PGP SIGNATURE-



Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

2017-01-06 Thread ox
On Thu, 5 Jan 2017 11:43:33 +0100
Thomas Mechtersheimer  wrote:
> On Thu, Jan 05, 2017 at 12:04:19PM +0200, ox wrote:
> >[...]
> > But, you neglected to add - That it is not socially acceptable to
> > define protocols for defrauding people, to tell lies, commit
> > deception,
> 
> Who defines what is socially acceptable?
> 
Great point :)

Society defines its own ethics, morals and values. For example it would
be perfectly acceptable to eat other people if we were cannibals :)

In modern societies, from African to Eastern, to American, European,
etc., I would argue that there are certain "baselines".

For example, it is not acceptable to eat people, as it is also not
acceptable to defraud and tell lies.

Or do you not agree?

> btw: most phishing pages use HTTP; HTTP is used for fraud and lies
> (probably more than RPZ will ever be...); but no one objects to the
> use of HTTP as a protocol -- as the protocol by itself has no moral
> "value"; it's only the use of a protocol for fraud which is not
> acceptable.
> 
Yes, but... Nowhere is there a protocol or defined method in an RFC
about HTTP that promotes deception and lies...

So, it is not about the technology existing - as was recently pointed
out, technology in itself cannot be unethical... It is about the
publication of a process that is unethical and, if left unopposed, will,
in all probability, lead to a "standard".

> >[...]
> > Heck, if you are honest, and from the responses in this thread, it
> > is already "best practise" and quite acceptable to use/apply RPZ -
> > as apparently "many" are doing this and have been doing it for years.
> 
> Yes; mangling of DNS responses has been done for years; RPZ only
> defines a standard for this procedure (which is better than having
> many non-standard ways).
> 
same as above

> >[...]
> > That RPZ is DNS abuse, in itself, it is an abuse to Internet Society
> > and it serves to promote Crime.
> 
> This is your point of view. Could you provide some evidence where RPZ
> promotes crime etc. (more than it helps preventing it)?
> Repeating "RPZ is Evil" again and again doesn't convince me, but as you
> said: we're in a post-truth world...
> 
I did post an exact example, but here it is again:

The clear objective issue with RPZ is that it is unethical.

Can you maybe help me to formulate this in a non emotive manner?

What I have is examples of what  RPZ facilitates:

In truth Google.com is at a.a.a.a (or ipv6 eq)

If user1 asks the resolver for the IP number of Google.com, the resolver
can send a false answer of x.x.x.x
If user2 asks the same resolver where Google.com is, the resolver can
supply a false answer of y.y.y.y because user2 is doing the asking
If user3 asks the same resolver where Google.com is, the same resolver
can answer a.a.a.a
In all the above examples where fake (or any) answers were supplied,
the resolver also hides the truth of the fake answer from the user.

Andre




Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

2017-01-06 Thread Thomas Mechtersheimer
On Thu, Jan 05, 2017 at 12:04:19PM +0200, ox wrote:
>[...]
> But, you neglected to add - That it is not socially acceptable to
> define protocols for defrauding people, to tell lies, commit deception,

Who defines what is socially acceptable?

btw: most phishing pages use HTTP; HTTP is used for fraud and lies
(probably more than RPZ will ever be...); but no one objects to the use
of HTTP as a protocol -- as the protocol by itself has no moral "value";
it's only the use of a protocol for fraud which is not acceptable.

>[...]
> Heck, if you are honest, and from the responses in this thread, it is
> already "best practise" and quite acceptable to use/apply RPZ - as
> apparently "many" are doing this and has been doing it for years.

Yes; mangling of DNS responses has been done for years; RPZ only defines a
standard for this procedure (which is better than having many non-standard
ways).

>[...]
> That RPZ is DNS abuse, in itself, it is an abuse to Internet Society
> and it serves to promote Crime.

This is your point of view. Could you provide some evidence where RPZ
promotes crime etc. (more than it helps preventing it)?
Repeating "RPZ is Evil" again and again doesn't convince me, but as you
said: we're in a post-truth world...

   Thomas




Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

2017-01-05 Thread ox
On Fri, 6 Jan 2017 06:30:32 +
Michele Neylon - Blacknight  wrote:
> If you want to lodge your opposition with IETF about a potential
> protocol / standard / $thing there are mechanisms to do so. However
> you would need to get past your emotive arguments and focus on clear
> objective issues. What are your issues with RPZ? How are those issues
> presented? What is the concern that you want to voice?
> (While you’re free to share them on this list this isn’t IETF, so it
> won’t have any impact on any RFC .. )
> 
As you have said that RPZ is just another tool (to fight abuse), my
position in this WG is to educate, discuss and agitate for change. I
cannot do that if I am alone, or if I do not understand why we are
where we are. During the thread on the DNS OPS list, I learned that we
are where we are because the majority of DNS OPS do not understand that
domains are intellectual property and that many of them did not
understand abuse.

What I have learned up to now, here, is that there is either general
apathy or a non understanding of the principles.

So, I truly thank you for your constructive comments as I am stuck at
the emotive side and I think I suck a bit at proper communication.

The clear objective issue with RPZ is that it is unethical.

Can you maybe help me to formulate this in a non emotive manner?

What I have is examples of what  RPZ facilitates:

In truth Google.com is at a.a.a.a (or ipv6 eq)

If user1 asks the resolver for the IP number of Google.com, the resolver
can send a false answer of x.x.x.x
If user2 asks the same resolver where Google.com is, the resolver can
supply a false answer of y.y.y.y because user2 is doing the asking
If user3 asks the same resolver where Google.com is, the same resolver
can answer a.a.a.a
In all the above examples where fake (or any) answers were supplied,
the resolver also hides the truth of the fake answer from the user.

Andre
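The resolver behaviour Andre describes above with user1, user2 and user3 (the same example appears again in his later reply to Thomas), and the infected-machine notification use case Luis mentions further down the thread, can both be shown with a small model of the RPZ mechanism. What follows is an added example written for this page; it is not code from the thread, from BIND or from the draft. The policy zone, the names and the addresses in it are constructed, and it models only the QNAME and CLIENT-IP triggers, with a simplified precedence (CLIENT-IP rules before QNAME rules, first match wins):

```python
"""Toy model of DNS Response Policy Zones (RPZ): added example, not code from
this thread, from BIND or from draft-vixie-dns-rpz. A recursive resolver
consults a local policy zone and may rewrite the answer it would otherwise
return, so what a client sees depends on the policy and on who is asking.
Only QNAME and CLIENT-IP triggers are modelled, with simplified precedence
(CLIENT-IP first, first match wins). All names, addresses and zone text are
constructed."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed "truth": what the authoritative servers say.
AUTHORITATIVE = {
    "www.google.com.": "142.250.0.1",   # plays the role of a.a.a.a in the thread
    "good.example.": "192.0.2.10",
    "evil.example.": "198.51.100.9",
    "a.tracker.example.": "198.51.100.20",
}
POLICY_ZONE = "policy.rpz."
# Constructed SOA of the policy zone, attached to rewritten responses so a
# client that inspects the additional section can tell the answer was modified.
POLICY_SOA = ("policy.rpz. 3600 IN SOA ns.policy.rpz. hostmaster.policy.rpz. "
              "2017010601 3600 900 604800 300")
# Constructed policy zone in RPZ's owner-name encoding, <trigger>.<policy zone>,
# with the RR type and rdata selecting the action. DROP is not modelled.
RPZ_ZONE_TEXT = """\
evil.example.policy.rpz.                    CNAME .             ; QNAME -> NXDOMAIN
*.tracker.example.policy.rpz.               CNAME *.            ; QNAME wildcard -> NODATA
www.google.com.policy.rpz.                  A     10.0.0.1      ; QNAME -> Local Data (walled garden)
24.0.2.0.192.rpz-client-ip.policy.rpz.      CNAME rpz-passthru. ; CLIENT-IP 192.0.2.0/24 -> exempt
32.77.100.51.198.rpz-client-ip.policy.rpz.  A     10.0.0.2      ; CLIENT-IP: infected host -> notice page
"""

@dataclass
class Rule:
    trigger: str     # "client-ip" or "qname"
    key: object      # ip_network for client-ip rules, owner name for qname rules
    action: str      # NXDOMAIN, NODATA, PASSTHRU or LOCALDATA
    rdata: str = ""  # answer data for LOCALDATA

@dataclass
class Response:
    rcode: str
    answer: list = field(default_factory=list)
    additional: list = field(default_factory=list)
    rewritten: bool = False

def _action_for(rtype, rdata):
    """RPZ's special CNAME targets select an action; any other RR is local data."""
    if rtype == "CNAME":
        return {".": "NXDOMAIN", "*.": "NODATA",
                "rpz-passthru.": "PASSTHRU"}.get(rdata, "LOCALDATA")
    return "LOCALDATA"

def _client_ip_network(encoded):
    """'24.0.2.0.192' -> 192.0.2.0/24 (prefix length first, octets reversed)."""
    prefix, b4, b3, b2, b1 = encoded.split(".")
    return ipaddress.ip_network(f"{b1}.{b2}.{b3}.{b4}/{prefix}")

def parse_rpz_zone(text, zone=POLICY_ZONE):
    """Turn policy zone text into Rules, CLIENT-IP rules ordered first."""
    rules = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop zone-file comments
        if not line:
            continue
        owner, rtype, rdata = re.split(r"\s+", line, maxsplit=2)
        if not owner.endswith("." + zone):
            raise ValueError(f"{owner} is not inside policy zone {zone}")
        trigger = owner[: -len("." + zone)]
        if trigger.endswith(".rpz-client-ip"):
            net = _client_ip_network(trigger[: -len(".rpz-client-ip")])
            rules.append(Rule("client-ip", net, _action_for(rtype, rdata), rdata))
        else:
            rules.append(Rule("qname", trigger + ".", _action_for(rtype, rdata), rdata))
    return sorted(rules, key=lambda r: r.trigger != "client-ip")  # stable sort

def _qname_matches(pattern, qname):
    return qname.endswith(pattern[1:]) if pattern.startswith("*.") else pattern == qname

def resolve(qname, client_ip, rules):
    """The answer this resolver gives `client_ip` for `qname` under the policy."""
    client = ipaddress.ip_address(client_ip)
    truth = AUTHORITATIVE.get(qname)
    honest = Response("NOERROR", [truth]) if truth else Response("NXDOMAIN")
    hit = next((r for r in rules if (r.trigger == "client-ip" and client in r.key)
                or (r.trigger == "qname" and _qname_matches(r.key, qname))), None)
    if hit is None or hit.action == "PASSTHRU":
        return honest                              # policy leaves this answer alone
    answer = [hit.rdata] if hit.action == "LOCALDATA" else []
    rcode = "NXDOMAIN" if hit.action == "NXDOMAIN" else "NOERROR"  # NODATA: empty NOERROR
    return Response(rcode, answer, [POLICY_SOA], rewritten=True)

def what_each_user_sees(qname="www.google.com."):
    """The thread's scenario: three clients ask the same resolver the same question."""
    rules = parse_rpz_zone(RPZ_ZONE_TEXT)
    clients = {"user1": "203.0.113.5", "user2": "198.51.100.77", "user3": "192.0.2.7"}
    return {user: resolve(qname, ip, rules) for user, ip in clients.items()}

if __name__ == "__main__":
    for user, resp in what_each_user_sees().items():
        print(user, resp.rcode, resp.answer, "(policy SOA attached)" if resp.additional else "")
```

Run it and the three clients get three different answers to the same question: user1 is sent to the walled garden, user2 (the constructed "infected" host) is sent to the notice page whatever name it asks for, and user3, in the exempt prefix, gets the real address. The model also shows what a client has to go on. The rewritten responses carry the policy zone's SOA in the additional section (my understanding is that BIND does this by default, controlled by its `add-soa` option), but nothing forces a resolver to include it. Separately, rewritten data carries no valid RRSIG, so a client that validates DNSSEC itself will treat a rewritten answer for a signed name as bogus rather than accept it; as I understand it, BIND's `break-dnssec` defaults to `no` so that such rewrites are not applied where they would break validation.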



Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

2017-01-05 Thread ox
On Thu, 5 Jan 2017 16:43:44 +
Michele Neylon - Blacknight  wrote:
> Nobody is forcing anyone to use RPZ. There are thousands of IETF
> documents covering a multitude of technologies, both real and
> imagined (just look at the avian carriers series). 
> 
You are missing important facts in your truthful statement...
(so I am agreeing with you 100% - But, you need to add the rest of the truth)

The Bind software is the dominant DNS software on the planet.

The IETF doc, relating to RPZ - is intended for Bind ops.

If left unchallenged, RPZ will become a standard (RFC)

Which will legitimize it. 

NONE of the other real and imagined docs you refer to have anywhere
near the same potential direct impact.

But, as you are arguing this, I am sure that you will tell me why I am
wrong?

I am sure that you will also send me a link to a document that defines
protocols for fraud, theft and crime?

Also, where are the lines then? I mean, are hacker tools, cracking
software, theft and fraud okay, and we do not support child porn?

Or are you saying that child porn is also okay? Not clear on what you
are saying, Michele? Are you saying that RPZ is okay? That there are
worse abuses out there and we should not be concerned with DNS abuse?

I do understand that people are free to use cracker and hacker
tools, free to commit theft, fraud and do whatever their little hearts desire.

What I am objecting to, is that non ethical software and systems are
being legitimized.

> 
> Personally I used to have issues with the concept of RPZ when it was
> first raised years ago, but my views have changed over time, though
> apparently you only discovered it a couple of weeks ago. In any case,

I honestly thought that "someone" would stand up and say something as
it is so very wrong that it was unimaginable that it would gain so much
traction.

> like so many other technologies, it is a tool. People using RPZ do so
> for a variety of reasons and they should be free to do so. Many of us
> use DNSBLs to protect our users’ inboxes from spam, phishing and
> other junk. RPZ is a different tech, but in the end is just another
> tool in our toolbox.
> 
> And please don’t bring Trump (or any other politician) into this.
> Apart from anything else this is a RIPE list not an ARIN one ☺
> 
I could have used EU examples, but, this being RIPE...
(USA examples are less direct)

- The point I made was: The World Has Changed. 
(that goes for the eu/usa/africa/all)

Andre




Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

2017-01-05 Thread Michele Neylon - Blacknight
Nobody is forcing anyone to use RPZ. There are thousands of IETF documents 
covering a multitude of technologies, both real and imagined (just look at the 
avian carriers series). 


Personally I used to have issues with the concept of RPZ when it was first 
raised years ago, but my views have changed over time, though apparently you 
only discovered it a couple of weeks ago.
In any case, like so many other technologies, it is a tool. People using RPZ do 
so for a variety of reasons and they should be free to do so.
Many of us use DNSBLs to protect our users’ inboxes from spam, phishing and 
other junk. RPZ is a different tech, but in the end is just another tool in our 
toolbox.

And please don’t bring Trump (or any other politician) into this. Apart from 
anything else this is a RIPE list not an ARIN one ☺

Regards

Michele


--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
http://www.blacknight.host/
http://blacknight.blog/
http://ceo.hosting/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,
Ireland  Company No.: 370845





Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

2017-01-05 Thread ox
On Thu, 05 Jan 2017 16:17:51 +0530
Suresh Ramasubramanian  wrote:

> My late grandmother said that people who are jaundiced think the
> whole world is yellow.
> 
> Andre – we just aren’t engaging in post truth as much as that you
> need to cure yourself of this jaundice (or maybe step over into the
> real world from an alternate universe)
> 
thank you for sharing that, it is so true :)


The reality is that there are enough good, ethical and honest people
left, so we can make a difference. We need to adapt to this time
Suresh, in 2017 - we need to stop compromising and speak more directly.

As president elect Trump commented recently, "It will not happen!", in
response to North Korea's intercontinental nuclear ballistic missile.

Of course CNN, NYT etc. commented that Trump is simply posturing... But,
if I were North Korea, I would seriously consider that Trump may well be
the American President that will launch a nuclear missile at North
Korea, so I probably will not push Trump at all as he will, in all
probability, "push the button".

So, time has come and gone for not saying what you think and what your
position is...

Re : RPZ 

I think you missed this, right from the bottom of the last post:

yes, because I have not said anything about this train smash many years
ago as I thought that it would be okay, "someone" would do something

Well, even in DNS OPS list, I was the only one that stated direct,
strong and uncompromising opposition to RPZ.

"Someone" did not do anything, now we are sitting with an informational
draft that promotes methods of lies, deception and is patently not
ethical.

I do not care, whether people agree with me, or disagree with me or if
I am popular (give warm fuzzy feelings) or if anyone hates my guts. I
am going to speak out, as in the next years, if RPZ does become an RFC,
then that will also be just fine - as I did my very best to "promote"
my own "truth" in this time when "truth" is negotiable and "facts" are
simply inconvenient things the Big 5 Multinationals spin any way they
like.

Andre


> --srs
> 
> On 05/01/17, 3:34 PM, "anti-abuse-wg on behalf of ox"
>  wrote:
> 
> On Thu, 5 Jan 2017 22:37:36 +1300
> Mark Foster  wrote:
> 
> > Replying against my better judgement, as Andre appears to be
> > Trolling for all he's worth.
> > But on the off chance...
> > 
> 
> It seems, every time in post-truth, when positions are
> indefensible, the name calling starts?
> 
> Calling me messianic, a troll, idiot or an asshole or whatever?
>  
> 
> 




Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

2017-01-05 Thread Suresh Ramasubramanian
My late grandmother said that people who are jaundiced think the whole world is 
yellow.

Andre – we just aren’t engaging in post truth as much as that you need to cure 
yourself of this jaundice (or maybe step over into the real world from an 
alternate universe)

--srs

On 05/01/17, 3:34 PM, "anti-abuse-wg on behalf of ox" 
 wrote:

On Thu, 5 Jan 2017 22:37:36 +1300
Mark Foster  wrote:

> Replying against my better judgement, as Andre appears to be Trolling
> for all he's worth.
> But on the off chance...
> 

It seems, every time in post-truth, when positions are indefensible,
the name calling starts?

Calling me messianic, a troll, idiot or an asshole or whatever?
 





Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

2017-01-05 Thread ox
On Thu, 5 Jan 2017 22:37:36 +1300
Mark Foster  wrote:

> Replying against my better judgement, as Andre appears to be Trolling
> for all he's worth.
> But on the off chance...
> 

It seems, every time in post-truth, when positions are indefensible,
the name calling starts?

Calling me messianic, a troll, idiot or an asshole or whatever?

Instead of simply dealing with the facts, the actual issues.

And, then always adding... well, I will reply and do the world a
favour just in case this person is not a troll, etc.

> > > You seem to be assigning intent to a tool. A hammer in the hands
> > > of an artist can produce a beautiful form of art while the same
> > > hammer can be used to hurt someone. It's not the hammer's fault.
> > > Besides, RPZ is not a requirement to implement the "walled
> > > gardens" you're describing. The same thing can be achieved by
> > > other, simpler means.
> > by the same argument then it would be perfectly fine for society to
> > promote the distribution of DDOS tools, zero day hacking tools and,
> > well methods to defraud Internet users, define best practise for
> > Phishing, etc.
> Acknowledging that tools exist is not the same as condoning their
> malicious, or inappropriate, use.
> 
exactly.

But, you neglected to add - That it is not socially acceptable to
define protocols for defrauding people, to tell lies, commit deception,
etc.

> >
> > and no, of course you do not need RPZ to create "walled gardens"
> > but discussing it "as normal practice" and "the way DNS works" and
> > "okay" is what serves to legitimize RPZ as "perfectly fine"
> > Whereas in truth, it is EVIL.
> 
> I'm not sure that anyone's saying that it's accepted practice in the
> sense that everyone does - or should - do it.

My objections are entirely based on the publication and discussion and
future RFC that will serve to legitimize RPZ.

Heck, if you are honest, and from the responses in this thread, it is
already "best practise" and quite acceptable to use/apply RPZ - as
apparently "many" are doing this and have been doing it for years.

If there is no education, discussion or even understanding that this
is becoming "standard operating procedure"

As is evident from the past 7? years

Then, RPZ will be an RFC in the next short while. 

> > Trillions and trillions of domain names can resolve to a single ip
> > number.
> > Please give me one (as in singular) just ONE example of a domain
> > that has trillions of IP numbers?
> >
> Removing the hyperbole, there is one very obvious and well established
> reason for a 1:many relationship of IP's to DNS names: Virtual service
> hosting.

If there are domains on a virtual host that are abusive the operator of
that IP number has to either suspend that domain or remove it.

The operator is liable for whatever his or her server does.

> Given that the DNS serves to allow a human-readable name (or names) to
> point to a resource (by IP), the inverse relationship doesn't seem to
> serve many purposes (though there is a 1:many scenario, round-robin
> load balancing, that comes to mind). But again, I've removed your
> hyperbole which may make these examples irrelevant.
> 

All this is very exciting and a great discussion for a different
thread, if everyone is in agreement that RPZ is Evil

Right now though, this tangent serves to detract from the main topic:

That RPZ is DNS abuse, in itself, it is an abuse to Internet Society
and it serves to promote Crime.

> 
> > Water does not flow uphill.
> > DNS firewalls are stupid.
> 
> You are expressing an opinion which is of course, your right.  But if
> you think that somehow you are going to change the minds of some of
> the _very_ learned minds who participate in this group, you have
> another thing coming, I'm afraid.
> 

Do not be fearful, I am not concerned so much with the  "_very_ learned
minds" in this group, they already understood what I am saying, in the
first post.

But, as we have seen, it is popularism and the _not_so_great minds that
support the post-truth premises. It is also, of course, a lack of
objectivity and a lack of understanding that domain names are actual
property - as in domain names belong to someone or some organization
and are not just simple "resources".

> > > I'm at least hesitant to describe any of those as lies. It's just
> > > a protocol exchange -- my machine asked for a name-to-IP map and
> > > received a suitable response, even one that actually fitted better
> > > with my current situation.
> >
> > You are wrong.
> >
> > When your user asks you for Google.com and you lie, this is a lie.
> >
> > It is not just a lie, it is fraud.
> >
> > If you then still take that a step further and tell different lies
> > to different users (depends who is asking)
> >
> > And, RPZ still takes that a step further, you deceive and hide your
> > lies from your users
> >
> > AND RPZ makes the management of this easy and defines methods how
> > this is done - It is simply a hacking 

Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

2017-01-05 Thread Mark Foster
Replying against my better judgement, as Andre appears to be Trolling for
all he's worth.
But on the off chance...

On Thu, Jan 5, 2017 at 9:32 PM, ox  wrote:

> On Tue, 03 Jan 2017 09:42:38 -0800
> "Luis E. Muñoz"  wrote:
>
> > On 3 Jan 2017, at 2:30, ox wrote:
> > > When it becomes a "STANDARD" (ACCEPTABLE) and nefarious behavior is
> > > suddenly "the way things work" - then this is of serious concern.
> >
> > You seem to be assigning intent to a tool. A hammer in the hands of
> > an artist can produce a beautiful form of art while the same hammer
> > can be used to hurt someone. It's not the hammer's fault. Besides,
> > RPZ is not a requirement to implement the "walled gardens" you're
> > describing. The same thing can be achieved by other, simpler means.
> >
>
> by the same argument then it would be perfectly fine for society to
> promote the distribution of DDOS tools, zero day hacking tools and,
> well methods to defraud Internet users, define best practise for
> Phishing, etc.
>

Acknowledging that tools exist is not the same as condoning their
malicious, or inappropriate, use.




>
>
> and no, of course you do not need RPZ to create "walled gardens"
> but discussing it "as normal practice" and "the way DNS works" and
> "okay" is what serves to legitimize RPZ as "perfectly fine"
>
> Whereas in truth, it is EVIL.
>

I'm not sure that anyone's saying that it's accepted practice in the sense
that everyone does - or should - do it.
My experience is that private network operators, or service providers, have
used it for specific reasons that suit them.
In the case of a private network, that is entirely the right and choice.
In the case of service providers - the old adage 'walk with your feet'
applies. If you don't like it, select a different provider.
At least in my part of the world, service providers are almost universally
against 'mucking up' what is usually otherwise considered a clean and
unmangled end-to-end service. Those service providers who do create 'walled
gardens', do it for a reason, and the fact they do so is not a secret.





> > If you find the "lying" unacceptable, then this is what should be
> > targeted, not the tools that are being used -- which BTW have
> > positive uses that IMO far outweighs the abuse you're describing.
> > Consider this use case: RPZ can be used to prevent a set of known DNS
> > names from resolving, stopping the spread of computer malware.
> > Moreover, it can also be used to alert operators of infected machines
> > that their computers have been compromised.
> >
>
> Trillions and trillions of domain names can resolve to a single ip number.
>
> Please give me one (as in singular) just ONE example of a domain that
> has trillions of IP numbers?
>
>
Removing the hyperbole, there is one very obvious and well established
reason for a 1:many relationship of IPs to DNS names: Virtual service
hosting.
Given that the DNS serves to allow a human-readable name (or names) to
point to a resource (by IP), the inverse relationship doesn't seem to serve
many purposes (though there is a 1:many scenario, round-robin load
balancing, that comes to mind). But again, I've removed your hyperbole
which may make these examples irrelevant.



> Water does not flow uphill.
>
> DNS firewalls are stupid.
>

You are expressing an opinion which is of course, your right.  But if you
think that somehow you are going to change the minds of some of the _very_
learned minds who participate in this group, you have another thing coming,
I'm afraid.


>
> > I'm at least hesitant to describe any of those as lies. It's just a
> > protocol exchange -- my machine asked for a name-to-IP map and
> > received a suitable response, even one that actually fitted better
> > with my current situation.
> >
>
> You are wrong.
>
> When your user asks you for Google.com and you lie, this is a lie.
>
> It is not just a lie, it is fraud.
>
> If you then still take that a step further and tell different lies to
> different users (depends who is asking)
>
> And, RPZ still takes that a step further, you deceive and hide your
> lies from your users
>
> AND RPZ makes the management of this easy and defines methods how this
> is done - It is simply a hacking tool that promotes deception, secrets,
> fraud and other criminal activity.
>

This is all OTT and if it's the basis of your anger and frustration, you're
going to do yourself some harm.
It's not fraudulent.  There's no intent to gain a pecuniary advantage. It's
a safety measure[1], one fully disclosed to the user and one that can be
bypassed.
Again you make excessive use of hyperbole here so I won't further justify
your comments with a response.



>
> > Granted, this is not the only use case. I dislike walled gardens,
> > which is why I take measures to avoid them -- yet I won't attack the
> > underlying technology because, as I said, it has far more positive uses.
> >
>
> There are many things about RPZ which is wrong - so 

Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

2017-01-05 Thread ox
On Tue, 03 Jan 2017 09:42:38 -0800
"Luis E. Muñoz"  wrote:

> On 3 Jan 2017, at 2:30, ox wrote:
> > When it becomes a "STANDARD" (ACCEPTABLE) and nefarious behavior is
> > suddenly "the way things work" - then this is of serious concern.
> 
> You seem to be assigning intent to a tool. A hammer in the hands of
> an artist can produce a beautiful form of art while the same hammer
> can be used to hurt someone. It's not the hammer's fault. Besides,
> RPZ is not a requirement to implement the "walled gardens" you're
> describing. The same thing can be achieved by other, simpler means.
> 

by the same argument then it would be perfectly fine for society to
promote the distribution of DDOS tools, zero day hacking tools and,
well methods to defraud Internet users, define best practise for
Phishing, etc.


and no, of course you do not need RPZ to create "walled gardens"
but discussing it "as normal practice" and "the way DNS works" and
"okay" is what serves to legitimize RPZ as "perfectly fine"

Whereas in truth, it is EVIL.


> > My objections are easy: Defining a clear standard on how DNS tells lies
> > to users, and different lies to different users, depending on which
> > user is doing the asking, and then hiding the truth of your lies
> > from your users, is EVIL!
> 
> If you find the "lying" unacceptable, then this is what should be 
> targeted, not the tools that are being used -- which BTW have
> positive uses that IMO far outweighs the abuse you're describing.
> Consider this use case: RPZ can be used to prevent a set of known DNS
> names from resolving, stopping the spread of computer malware.
> Moreover, it can also be used to alert operators of infected machines
> that their computers have been compromised.
> 

Trillions and trillions of domain names can resolve to a single ip number.

Please give me one (as in singular) just ONE example of a domain that
has trillions of IP numbers?

Water does not flow uphill. 

DNS firewalls are stupid.

> I'm at least hesitant to describe any of those as lies. It's just a 
> protocol exchange -- my machine asked for a name-to-IP map and
> received a suitable response, even one that actually fitted better
> with my current situation.
> 

You are wrong.

When your user asks you for Google.com and you lie, this is a lie.

It is not just a lie, it is fraud.

If you then still take that a step further and tell different lies to
different users (depends who is asking) 

And, RPZ still takes that a step further, you deceive and hide your
lies from your users

AND RPZ makes the management of this easy and defines methods how this
is done - It is simply a hacking tool that promotes deception, secrets,
fraud and other criminal activity. 

> Granted, this is not the only use case. I dislike walled gardens,
> which is why I take measures to avoid them -- yet I won't attack the 
> underlying technology because as I said, has far more positive uses.
> 

There are many things about RPZ which is wrong - so many that it is EVIL!

And I am happy to discuss all the EVIL bits, which starts at the very 
foundation of RPZ
and goes all the way up to the roof...
 

> Best regards
> 
> -lem
> 
> 
> Luis Muñoz
> Director, Registry Operations
> 
> 
> http://www.uniregistry.link/
> 2161 San Joaquin Hills Road
> Newport Beach, CA 92660
> 
> Office +1 949 706 2300 x 4242
> l...@uniregistry.link



Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

2017-01-05 Thread Luis E. Muñoz

On 3 Jan 2017, at 2:30, ox wrote:

> When it becomes a "STANDARD" (ACCEPTABLE) and nefarious behavior is
> suddenly "the way things work" - then this is of serious concern.

You seem to be assigning intent to a tool. A hammer in the hands of an 
artist can produce a beautiful form of art while the same hammer can be 
used to hurt someone. It's not the hammer's fault. Besides, RPZ is not a 
requirement to implement the "walled gardens" you're describing. The 
same thing can be achieved by other, simpler means.

> My objections are easy: Defining a clear standard on how DNS tells lies
> to users, and different lies to different users, depending on which
> user is doing the asking, and then hiding the truth of your lies from
> your users, is EVIL!

If you find the "lying" unacceptable, then this is what should be 
targeted, not the tools that are being used -- which BTW have positive 
uses that IMO far outweigh the abuse you're describing. Consider this 
use case: RPZ can be used to prevent a set of known DNS names from 
resolving, stopping the spread of computer malware. Moreover, it can 
also be used to alert operators of infected machines that their 
computers have been compromised.

I'm at least hesitant to describe any of those as lies. It's just a 
protocol exchange -- my machine asked for a name-to-IP map and received 
a suitable response, even one that actually fitted better with my 
current situation.

Granted, this is not the only use case. I dislike walled gardens, which 
is why I take measures to avoid them -- yet I won't attack the 
underlying technology because, as I said, it has far more positive uses.


Best regards

-lem


Luis Muñoz
Director, Registry Operations


http://www.uniregistry.link/
2161 San Joaquin Hills Road
Newport Beach, CA 92660

Office +1 949 706 2300 x 4242
l...@uniregistry.link
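The two use cases Luis describes (a known malware name that stops resolving, and an infected machine being steered to an operator notice) look like this in a BIND response policy zone. This is an added example, not configuration from the thread or from any participant; the zone name, the notice host, the blocked names and the address range are constructed placeholders.

```bind
// named.conf fragment (assumed example). The policy zone is consulted for every
// recursive answer; its records are triggers, never served to clients directly.
options {
    response-policy {
        zone "rpz.example.invalid" policy given log yes;  // log yes: every rewrite is recorded
    } break-dnssec no;  // default: a query that sets DO and gets a signed answer is NOT rewritten,
                        // so a client doing its own DNSSEC validation sees the original data
};

zone "rpz.example.invalid" {
    type master;
    file "rpz.example.invalid.db";
    allow-query { none; };   // never expose the policy zone itself
};
```

The zone file that goes with it (same assumptions):

```bind
$TTL 300
@   IN SOA  localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
    IN NS   localhost.

; Use case 1: a known malware distribution name no longer resolves.
; "CNAME ." is the RPZ action for NXDOMAIN; the wildcard covers subdomains.
malware.example.invalid        CNAME .
*.malware.example.invalid      CNAME .

; A more specific name wins, so one host under the blocked zone can be exempted.
ok.malware.example.invalid     CNAME rpz-passthru.

; Use case 2: a botnet controller name is answered with the operator's notice
; host instead of the real address, so an infected client lands on a page that
; tells its owner the machine is compromised.
c2.example.invalid             CNAME notice.example.invalid.
*.c2.example.invalid           CNAME notice.example.invalid.

; The same action keyed on the answer rather than the name: any record that would
; resolve into 192.0.2.0/24 (placeholder range) is rewritten as well.
24.0.2.0.192.rpz-ip            CNAME notice.example.invalid.
```

With `log yes` each rewrite appears in the resolver log, which is what lets an operator tell an affected user that the answer was substituted rather than leaving it silent.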

Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

2017-01-04 Thread ox
On Wed, 4 Jan 2017 09:31:37 +
Rob Evans  wrote:
> >> The presumed draft you're unhappy about
> >> (https://datatracker.ietf.org/doc/draft-vixie-dns-rpz/) is
> >> informational. It is not a standard.
> > not yet a standard. operational word, I guess, is yet. so there is
> > still time to create awareness and to speak out.
> More than that, it hasn't yet been adopted by the dnsop working group
> in the IETF, where a similar discussion is happening, and I don't
> believe the authors have stated an aim for an individual submission
> RFC.
> Raising awareness of RPZ is good, however it's an operational tool
> that many service providers and enterprises might want in their
> arsenal (even if as an opt-in).
> 
This is also maybe a good discussion to have in an abuse wg on a
different thread: Why "DNS Firewalls" and RPZ are the wrong abuse tool to 
use or why it is a "good tool" for providers and enterprises to use.
Whether "walled off Internet gardens" is a good thing for abuse and how
that balances out with freedom, openness and the other pesky problems.

About this thread though, it is very important that any inkling of this
becoming an RFC needs to generate much more interest and involvement
than DNS ops.

Judging from where RPZ is at now: Adding DECEPTION to LIES,  and
producing different lies depending on which user is asking the questions, 
is patently and clearly not good.

Arguments that we need to become killers because there are killers is
simply not in the best interests of a free and open society.

DNS ops quite obviously cannot be objective, AND they cannot be left
alone with this issue.  It is clear where this laissez-faire re RPZ has
led and produced over the past 7? years!

And abuse admins will be directly impacted by the adoption of this as a
standard.

> The best place to discuss furthering (or otherwise) RPZ is likely to
> be on the IETF's dnsop list.
>
Not really. (and I have already done that anyway) 

It is the DNS Ops who are in need of protection against themselves.
As I said above, the drift over the past years has been to use non-ethical,
dishonest methods (and now also to even use deception and hide
their lies) - Not acceptable, and the abuse admins and others need to
become involved as the situation is not fixing itself.

It is the entire methodology and flawed foundation of the entire RPZ
protocol that is in question.

if you build a house foundation in clay, your walls will crack.

If the majority here agrees that RPZ is evil, then we may start
discussing why DNS is better used as a reactive abuse tool and poorly
suited to "firewall" use and that it is completely wrong to promote a
method that involves promoting dishonesty.

If the majority does not agree that RPZ is evil, as you seem not to
yourself? then we still need to discuss the WHY you think it is not
evil and why you think it is a good idea to tell different lies to
different users and to hide the truth from your own users, etc etc

Andre 








Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

2017-01-04 Thread Rob Evans

Hi,


> > The presumed draft you're unhappy about
> > (https://datatracker.ietf.org/doc/draft-vixie-dns-rpz/) is
> > informational. It is not a standard.
>
> not yet a standard. operational word, I guess, is yet. so there is
> still time to create awareness and to speak out.


More than that, it hasn't yet been adopted by the dnsop working group in 
the IETF, where a similar discussion is happening, and I don't believe 
the authors have stated an aim for an individual submission RFC.


Raising awareness of RPZ is good, however it's an operational tool that 
many service providers and enterprises might want in their arsenal (even 
if as an opt-in).


The best place to discuss furthering (or otherwise) RPZ is likely to be 
on the IETF's dnsop list.


Cheers,
Rob



Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

2017-01-03 Thread David Conrad
Andre,

On Jan 3, 2017, at 10:43 PM, ox  wrote:
>> On Jan 3, 2017, at 9:57 PM, ox  wrote:
>>> When respected Internet Engineers and organizations develop
>>> standards for Internet software that completely ignores ethics,
>>> morality, honesty and is pale and anemic in the truth department?
>> 
>> You've developed quite the messianic complex here.
>> 
> You do not say why this is not true. or not factual. or not correct.

Because empirically, Internet Engineers (whoever they may be) and organizations 
document protocols and bit patterns expressed across wires. These protocols are 
tools that are neutral in terms of ethics, morality, and honesty. How those 
tools are used and by whom is what results in whether that are ethical, moral, 
or honest. You are blaming the tool for the (presumed) failings of it users.

However, in this context, you presume to know The Truth. Such certainty must be 
quite reassuring.

>> Yow. RPZ is a tool. You don't like that tool? Don't use it. You care
>> about the "truth"? Do your own DNSSEC validation.
> Sure, there are many tools, hacker tools, 0day scripts (for kidd1eS)

If you cannot tell the difference between a tool I choose to deploy to protect 
myself and the users I am responsible for (who can also opt out if they so 
choose) and a tool that allows me to attack external users, I doubt continued 
discussion is worthwhile.

> Why do you not discuss the real issues?

As far as I can tell, you have not identified any real issue, either here or on 
DNSOP. You have, like religious preachers, declared your view on ethics, 
morality, honesty, and truth, as axiomatic but not discussed real issues that 
affect the development of tools to help reduce abuse (relevant to this list) or 
the implementation of the protocol (relevant to DNSOP). When you do so, perhaps 
then there might be a discussion.

> The truth is: I do not have a messianic complex

It appears the truth is you believe you know The Truth.

> The truth is, very obviously, you do not care about the truth :)

If you say so, it must be true.

Regards,
-drc
(speaking only for myself)






Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

2017-01-03 Thread ox
On Tue, 3 Jan 2017 22:18:00 -0800
David Conrad  wrote:
> Andre,
> On Jan 3, 2017, at 9:57 PM, ox  wrote:
> > When respected Internet Engineers and organizations develop
> > standards for Internet software that completely ignores ethics,
> > morality, honesty and is pale and anemic in the truth department?
> 
> You've developed quite the messianic complex here.
> 
You do not say why this is not true. or not factual. or not correct.

You prefer to reply that I have psychological diversion, or fake
beliefs, instead of playing the ball...

Nice.

> > I strongly object to RPZ being peddled as a "standard" by the
> > Internet Community.
> 
> The presumed draft you're unhappy about
> (https://datatracker.ietf.org/doc/draft-vixie-dns-rpz/) is
> informational. It is not a standard.
> 
not yet a standard. operational word, I guess, is yet. so there is
still time to create awareness and to speak out.


> > RPZ will destroy the Internet - people are lazy (i am lazy also)
> 
> Actually, it is the people who do stuff that makes RPZ a solution
> that are destroying the Internet. RPZ is a hack that some folks find
> useful in addressing particular forms of abuse, nothing more.
> 
And, this, in your argument, makes it okay to pave the road to make
this fait accompli in terms of what is acceptable Internet standards or
modus. Never mind that it is evil, wrong, immoral or at best, unethical?

> > Quite obviously we, as an Internet Community, already no longer
> > cares much about the truth of something, which is also why we live
> > in a post-truth planet.
> 
> Yow. RPZ is a tool. You don't like that tool? Don't use it. You care
> about the "truth"? Do your own DNSSEC validation.
> 
Sure, there are many tools, hacker tools, 0day scripts (for kidd1eS)

but none of them have their own  informational IETF draft, on its way
to becoming a standard, if not opposed.

> Personally, I'd prefer a world where there are fewer tools that are
> well described, even if some times those tools may be used in ways
> that I don't agree with, than in a world of a myriad of tools, poorly
> described, all trying to solve the same problem (using a solution I
> may not agree with), doing it in ways that are incompatible.
> Or do you think that by refusing to document something that it
> magically goes away?
> 
Your argument above is the same basic argument that has been stated
before and simply boils down to:

"This is the way things work, will work in the future and if I do not
like it, make my own Internet." - and you added that it is good to have
everything documented.

Why do you not discuss the real issues? 

This is also how the "other side" buries the real issues, by wind, air and fake 
truth.

The truth is: I do not have a messianic complex

The further truth is that you have made it abundantly clear how you
"feel"  and I thank you for your "feelings" in this regard.

The truth is, very obviously, you do not care about the truth :)

Andre



Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

2017-01-03 Thread ox

Hmm, that was not the objective. 

When respected Internet Engineers and organizations develop standards
for Internet software that completely ignores ethics, morality,
honesty and is pale and anemic in the truth department?

Then, further, when these standards will serve to enslave us in the
future and serve to destroy openness, truth and ubuntu 

Is that bashing abuse tech?

It is not a tech problem, it is not about the "use of abuse tech" 

If you use a script to hack web servers as your clients has lost their
passwords and it is extremely useful to be able to hack into webservers

Is it about the script? the tech? not so much.

I strongly object to RPZ being peddled as a "standard" by the Internet 
Community.

I do not object to people using RPZ, as I also do not object to you
using or distributing any hacking software.

BUT, there is a bigger picture here:

RPZ will destroy the Internet - people are lazy (i am lazy also) 
We will use RPZ and we will abuse it

So, just as the DNS Ops want to "protect" their "users" by lying and
lying about their lies, so I want to protect the DNS Ops from themselves!

Quite obviously we, as an Internet Community, already no longer cares
much about the truth of something, which is also why we live in a
post-truth planet. 

But, this does not mean that we all like lying, falsehoods and making
fake shit up, promoting evil, deciding non moral non ethical standards
and supporting non ethical interoperability compromises in the name of
simply being water (following the path of least resistance)

Suresh, how can one communicate this better? That it is not about
bashing the tech, the tech should NOT be a standard, not just because it
is immoral, but also because it is pure evil.

Surely the "new normal" is not for us to simply accept that it is okay
to do evil and use the excuse of fighting evil, to do that evil
ourselves? 

Maybe a civilization argument? Instead of truth, honesty, ethics and
morality?

We are a civil society? so we should be civilized? (and not beat each
other with clubs, caveman style?)

Andre 





On Wed, 04 Jan 2017 11:06:04 +0530
Suresh Ramasubramanian  wrote:

> Yes – I can clearly see that in this screed, post truth, facts not
> mattering as long as there is spin and such.
> 
> You are bashing tech when you should be targeting its misuse.
> 
> --srs
> 
> On 04/01/17, 10:30 AM, "ox"  wrote:
> 
> Hello Suresh,
> 
> Whether this wg makes any difference, or not, is completely up to
> each and every one of us.
> 
> It is Simon's choice to simply say that the fact that the Internet
> Standards promote fraud, is "my position" 
> 
> We live in a post-truth era.
> 
> Facts do not matter so much anymore if the spin is good.
> 
> 
> 
> 




Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

2017-01-03 Thread Suresh Ramasubramanian
Yes – I can clearly see that in this screed, post truth, facts not mattering as 
long as there is spin and such.

You are bashing tech when you should be targeting its misuse.

--srs

On 04/01/17, 10:30 AM, "ox"  wrote:

Hello Suresh,

Whether this wg makes any difference, or not, is completely up to each
and every one of us.

It is Simon's choice to simply say that the fact that the Internet
Standards promote fraud, is "my position" 

We live in a post-truth era.

Facts do not matter so much anymore if the spin is good.






Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

2017-01-03 Thread ox
Hello Suresh,

Whether this wg makes any difference, or not, is completely up to each
and every one of us.

It is Simon's choice to simply say that the fact that the Internet
Standards promote fraud, is "my position" 

We live in a post-truth era.

Facts do not matter so much anymore if the spin is good.

The truth is that if nobody in the wg stands up, discusses this very
serious situation and we all simply go on with our lives, then we will
reap what we sow.

In a few years the fruits will become ripe - they will be bitter and
very difficult to challenge or change

If however someone is able to communicate the very technical issues,
in easier or better ways, maybe we can galvanize people that do not
understand abuse as well as most of us do, and that these "anti abuse"
system of "dns firewalls"  are fake reasons for 'walled gardens' and
criminal activity.

"dns firewalls" is not a real thing - quite obviously a zone file can
end up having trillions of entries, etc etc etc - I have not even shot
my load about how stupid the argument of "DNS Firewalls" truly is
and I can literally speak for a few hours about how stupid the idea is.

I was waiting for someone, also with 25 years of DNS devsysop experience, to 
take me on.

Anyway, there is no other argument for the need to create DNS standards
that promote LYING/STEALING/THEFT/FRAUD

We, as an Abuse community need to talk about what is going on, we need
to understand the issues, both technically, ethically, morally and
truthfully - And then we need to stand up and destroy the EVIL forces
that are peddling this rubbish in this insidious, nefarious and slowly
slowly fashion.

Never mind the Paul Vixie name, never mind the multinational(s) never
mind the authoritative powers.

Andre


On Tue, 3 Jan 2017 21:36:58 +0530
Suresh Ramasubramanian  wrote:

> And that blinkered attitude, ladies and gentlemen, is an example why
> this wg won't ever achieve anything much at all
> 
> --srs
> 
> > On 03-Jan-2017, at 6:44 PM, Simon Forster 
> > wrote:
> > 
> > Andre
> > 
> > Your rhetoric makes it quite clear that you have taken a position
> > and will stick to it. That’s fine. We’ll just have to agree to
> > disagree.
> > 
> > All the best
> > 
> > Simon
> > 
> >> On 3 Jan 2017, at 10:30, ox  wrote:
> >> 
> >> On Tue, 3 Jan 2017 10:07:36 +
> >> Simon Forster  wrote:
> >>> Hello Andre
> >>> 
> >> Hello Simon,
> >> 
> >>> An interesting take on a mechanism that’s been available for
> >>> close to 7 years now
> >> 
> >> And, from the first DNS servers there has been people that has
> >> resolved example.com to whatever IP they choose... so what?
> >> 
> >> Many large ISP's resolve sadfgsdjfgn4563456346.com to their own
> >> home page (or a "register this domain") page -- even though
> >> whatever question was asked - is not registered at all.
> >> 
> >> When it becomes a "STANDARD" (ACCEPTABLE) and nefarious behavior is
> >> suddenly "the way things work" - then this is of serious concern.
> >> 
> >> Your reply, in a nutshell is: "This is the way things work, there
> >> is nothing wrong with it and if you do not like it setup your own
> >> resolvers"
> >> 
> >> My objections are easy: Defining a clear standard on how DNS tells
> >> lies to users, and different lies to different users, depending on
> >> which user is doing the asking, and then hiding the truth of your
> >> lies from your users, is EVIL!
> >> 
> >> Allowing the easy management of "private Internet" in as a
> >> standard, is EVIL
> >> 
> >> RPZ is the start of the end of the open and free Internet.
> >> 
> >>> Largely I believe you’re on the wrong track with your post — at
> >>> pretty much every level. Response Policy Zones (RPZ’s aka DNS
> >>> firewalls) are a powerful tool to allow individuals,
> >>> organisations or society better to control access to the darker
> >>> corners of the internet. As per Vixie’s original paper (see above
> >>> reference), this can circumvent a lot of harm for the average
> >>> user.
> >>> 
> >> 
> >> as I said: trillions of domain names can resolve to ONE ip number.
> >> 
> >> a "DNS firewall" is a silly technical argument against abuse.
> >> 
> >> What is of concern is "private" internets and this "standard"
> >> allowing easy management of lies - and then doing it in the dark,
> >> so that users have no way of knowing that they are being lied to
> >> (or "protected")
> >> 
> >>> As with any powerful tool, it can be used with ill intent but
> >>> overall, this is a useful addition to an organisation’s security
> >>> arsenal. 
> >>> 
> >> 
> >> Distributing hacker and cracker tools is also fine, I guess. But
> >> it is very wrong to define actual standards for how to break into
> >> servers and networks. - And making that a standard.
> >> 
> >>> You express concerns wrt governments. Governments have a tendency
> >>> to do what what they want to do irrespective of the tools
> >>> available to 

Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

2017-01-03 Thread Suresh Ramasubramanian
And that blinkered attitude, ladies and gentlemen, is an example why this wg 
won't ever achieve anything much at all

--srs

> On 03-Jan-2017, at 6:44 PM, Simon Forster  wrote:
> 
> Andre
> 
> Your rhetoric makes it quite clear that you have taken a position and will 
> stick to it. That’s fine. We’ll just have to agree to disagree.
> 
> All the best
> 
> Simon
> 
>> On 3 Jan 2017, at 10:30, ox  wrote:
>> 
>> On Tue, 3 Jan 2017 10:07:36 +
>> Simon Forster  wrote:
>>> Hello Andre
>>> 
>> Hello Simon,
>> 
>>> An interesting take on a mechanism that’s been available for close to
>>> 7 years now
>> 
>> And, from the first DNS servers there has been people that has resolved
>> example.com to whatever IP they choose... so what?
>> 
>> Many large ISP's resolve sadfgsdjfgn4563456346.com to their own home
>> page (or a "register this domain") page -- even though whatever
>> question was asked - is not registered at all.
>> 
>> When it becomes a "STANDARD" (ACCEPTABLE) and nefarious behavior is
>> suddenly "the way things work" - then this is of serious concern.
>> 
>> Your reply, in a nutshell is: "This is the way things work, there is
>> nothing wrong with it and if you do not like it setup your own
>> resolvers"
>> 
>> My objections are easy: Defining a clear standard on how DNS tells lies
>> to users, and different lies to different users, depending on which
>> user is doing the asking, and then hiding the truth of your lies from
>> your users, is EVIL!
>> 
>> Allowing the easy management of "private Internet" in as a standard, is
>> EVIL
>> 
>> RPZ is the start of the end of the open and free Internet.
>> 
>>> Largely I believe you’re on the wrong track with your post — at
>>> pretty much every level. Response Policy Zones (RPZ’s aka DNS
>>> firewalls) are a powerful tool to allow individuals, organisations or
>>> society better to control access to the darker corners of the
>>> internet. As per Vixie’s original paper (see above reference), this
>>> can circumvent a lot of harm for the average user.
>>> 
>> 
>> as I said: trillions of domain names can resolve to ONE ip number.
>> 
>> a "DNS firewall" is a silly technical argument against abuse.
>> 
>> What is of concern is "private" internets and this "standard" allowing
>> easy management of lies - and then doing it in the dark, so that users
>> have no way of knowing that they are being lied to (or "protected")
>> 
>>> As with any powerful tool, it can be used with ill intent but
>>> overall, this is a useful addition to an organisation’s security
>>> arsenal. 
>>> 
>> 
>> Distributing hacker and cracker tools is also fine, I guess. But it is
>> very wrong to define actual standards for how to break into servers and
>> networks. - And making that a standard.
>> 
>>> You express concerns wrt governments. Governments have a tendency to
>>> do what what they want to do irrespective of the tools available to
>>> them — after all, compliance with their rules is not their problem,
>>> they just need to prosecute those that fail to follow the new rules.
>>> 
>> Also, it allows and empowers dictators (AND CRIMINALS) - and now the
>> dictators can say: This is a "standard" the Internet community accepts
>> that this is the methods and protocols for "protecting" my "users" 
>> 
>> Yes, Governments do what they want - but defining a standard on how to
>> tell lies and in such a way that your "users" do not know if they are
>> being lied to - is nefarious and evil.
>> 
>> Your objection to my allegations are quite suspect as you have not
>> mentioned one single technical reason why making this EVIL method of
>> operation is not abuse?
>> 
>>> Irrespective of any philosophical objections you’re throwing out
>>> here, the resolution to your problem is incredibly simple — run your
>>> own recursive resolver. In this day and age an incredibly simple
>>> thing to do (which is another, markedly different problem).
>>> 
>> 
>> Sure, and run my own Internet?
>> 
>> This is exactly the point.
>> 
>>> 
>>>> On 2 Jan 2017, at 06:48, ox  wrote:
>>>> Hello,
>>>> 
>>>> I wish everyone a prosperous & productive 2017
>>>> 
>>>> I wish to cast light on an abuse issue that has the potential to
>>>> effect, affect and impact the entire Internet
>>>> As among the proponents of this abuse are certain Government
>>>> Security Agencies and many other powerful forces, I beg with you to
>>>> attempt to understand how the changes being effected right now, also
>>>> affects yourself right now and how it will affect you in the
>>>> future. 
>>>> My idea with this post is three fold, firstly, to educate, secondly
>>>> to open discussion and thirdly to agitate for change.
>>>> DNS Abuse
>>>> 
>>>> Sometimes abuse is creeping, like weed in a garden it becomes more
>>>> and more and more and does not just happen overnight. In fact, it is
>>>> so creeping that we do not really see the weeds as we have 

Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

2017-01-03 Thread Simon Forster
Andre

Your rhetoric makes it quite clear that you have taken a position and will 
stick to it. That’s fine. We’ll just have to agree to disagree.

All the best

Simon

> On 3 Jan 2017, at 10:30, ox  wrote:
> 
> On Tue, 3 Jan 2017 10:07:36 +
> Simon Forster  wrote:
>> Hello Andre
>> 
> Hello Simon,
> 
>> An interesting take on a mechanism that’s been available for close to
>> 7 years now
> 
> And, from the first DNS servers there has been people that has resolved
> example.com to whatever IP they choose... so what?
> 
> Many large ISP's resolve sadfgsdjfgn4563456346.com to their own home
> page (or a "register this domain") page -- even though whatever
> question was asked - is not registered at all.
> 
> When it becomes a "STANDARD" (ACCEPTABLE) and nefarious behavior is
> suddenly "the way things work" - then this is of serious concern.
> 
> Your reply, in a nutshell is: "This is the way things work, there is
> nothing wrong with it and if you do not like it setup your own
> resolvers"
> 
> My objections are easy: Defining a clear standard on how DNS tells lies
> to users, and different lies to different users, depending on which
> user is doing the asking, and then hiding the truth of your lies from
> your users, is EVIL!
> 
> Allowing the easy management of "private Internet" in as a standard, is
> EVIL
> 
> RPZ is the start of the end of the open and free Internet.
> 
>> Largely I believe you’re on the wrong track with your post — at
>> pretty much every level. Response Policy Zones (RPZ’s aka DNS
>> firewalls) are a powerful tool to allow individuals, organisations or
>> society better to control access to the darker corners of the
>> internet. As per Vixie’s original paper (see above reference), this
>> can circumvent a lot of harm for the average user.
>> 
> 
> as I said: trillions of domain names can resolve to ONE ip number.
> 
> a "DNS firewall" is a silly technical argument against abuse.
> 
> What is of concern is "private" internets and this "standard" allowing
> easy management of lies - and then doing it in the dark, so that users
> have no way of knowing that they are being lied to (or "protected")
> 
>> As with any powerful tool, it can be used with ill intent but
>> overall, this is a useful addition to an organisation’s security
>> arsenal. 
>> 
> 
> Distributing hacker and cracker tools is also fine, I guess. But it is
> very wrong to define actual standards for how to break into servers and
> networks. - And making that a standard.
> 
>> You express concerns wrt governments. Governments have a tendency to
>> do what what they want to do irrespective of the tools available to
>> them — after all, compliance with their rules is not their problem,
>> they just need to prosecute those that fail to follow the new rules.
>> 
> Also, it allows and empowers dictators (AND CRIMINALS) - and now the
> dictators can say: This is a "standard" the Internet community accepts
> that this is the methods and protocols for "protecting" my "users" 
> 
> Yes, Governments do what they want - but defining a standard on how to
> tell lies and in such a way that your "users" do not know if they are
> being lied to - is nefarious and evil.
> 
> Your objection to my allegations are quite suspect as you have not
> mentioned one single technical reason why making this EVIL method of
> operation is not abuse?
> 
>> Irrespective of any philosophical objections you’re throwing out
>> here, the resolution to your problem is incredibly simple — run your
>> own recursive resolver. In this day and age an incredibly simple
>> thing to do (which is another, markedly different problem).
>> 
> 
> Sure, and run my own Internet?
> 
> This is exactly the point.
> 
>> 
>>> On 2 Jan 2017, at 06:48, ox  wrote:
>>> Hello,
>>> 
>>> I wish everyone a prosperous & productive 2017
>>> 
>>> I wish to cast light on an abuse issue that has the potential to
>>> effect, affect and impact the entire Internet
>>> As among the proponents of this abuse are certain Government
>>> Security Agencies and many other powerful forces, I beg with you to
>>> attempt to understand how the changes being effected right now, also
>>> affects yourself right now and how it will affect you in the
>>> future. 
>>> My idea with this post is three fold, firstly, to educate, secondly
>>> to open discussion and thirdly to agitate for change.
>>> DNS Abuse
>>> 
>>> Sometimes abuse is creeping, like weed in a garden it becomes more
>>> and more and more and does not just happen overnight. In fact, it is
>>> so creeping that we do not really see the weeds as we have become
>>> used to seeing them.
>>> 
>>> Just because there are so many weeds, it does not change the fact
>>> that they are weeds and, in a well maintained garden, they need to
>>> be eradicated for the well being of all the plants in the garden.
>>> 
>>> To understand how this is even abuse, and how this will change your
>>> own 

Re: [anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

2017-01-03 Thread ox
On Tue, 3 Jan 2017 10:07:36 +
Simon Forster  wrote:
> Hello Andre
>
Hello Simon,
 
> An interesting take on a mechanism that’s been available for close to
> 7 years now

And, from the first DNS servers there have been people who have resolved
example.com to whatever IP they choose... so what?

Many large ISPs resolve sadfgsdjfgn4563456346.com to their own home
page (or a "register this domain") page -- even though whatever
question was asked - is not registered at all.

When it becomes a "STANDARD" (ACCEPTABLE) and nefarious behavior is
suddenly "the way things work" - then this is of serious concern.

Your reply, in a nutshell, is: "This is the way things work, there is
nothing wrong with it and if you do not like it set up your own
resolvers"

My objections are easy: Defining a clear standard on how DNS tells lies
to users, and different lies to different users, depending on which
user is doing the asking, and then hiding the truth of your lies from
your users, is EVIL!

Allowing the easy management of "private Internet" as a standard, is
EVIL

RPZ is the start of the end of the open and free Internet.

> Largely I believe you’re on the wrong track with your post — at
> pretty much every level. Response Policy Zones (RPZs, aka DNS
> firewalls) are a powerful tool to allow individuals, organisations or
> society better to control access to the darker corners of the
> internet. As per Vixie’s original paper (see above reference), this
> can circumvent a lot of harm for the average user.
>

as I said: trillions of domain names can resolve to ONE ip number.

a "DNS firewall" is a silly technical argument against abuse.

What is of concern is "private" internets and this "standard" allowing
easy management of lies - and then doing it in the dark, so that users
have no way of knowing that they are being lied to (or "protected")

> As with any powerful tool, it can be used with ill intent but
> overall, this is a useful addition to an organisation’s security
> arsenal. 
> 

Distributing hacker and cracker tools is also fine, I guess. But it is
very wrong to define actual standards for how to break into servers and
networks. - And making that a standard.

> You express concerns wrt governments. Governments have a tendency to
> do what they want to do irrespective of the tools available to
> them — after all, compliance with their rules is not their problem,
> they just need to prosecute those that fail to follow the new rules.
> 
Also, it allows and empowers dictators (AND CRIMINALS) - and now the
dictators can say: This is a "standard" the Internet community accepts
that these are the methods and protocols for "protecting" my "users"

Yes, Governments do what they want - but defining a standard on how to
tell lies and in such a way that your "users" do not know if they are
being lied to - is nefarious and evil.

Your objection to my allegations is quite suspect as you have not
mentioned one single technical reason why making this EVIL method of
operation is not abuse?

> Irrespective of any philosophical objections you’re throwing out
> here, the resolution to your problem is incredibly simple — run your
> own recursive resolver. In this day and age an incredibly simple
> thing to do (which is another, markedly different problem).
> 

Sure, and run my own Internet?

This is exactly the point.

> 
> > On 2 Jan 2017, at 06:48, ox  wrote:
> > Hello,
> > 
> > I wish everyone a prosperous & productive 2017
> > 
> > I wish to cast light on an abuse issue that has the potential to
> > effect, affect and impact the entire Internet
> > As among the proponents of this abuse are certain Government
> > Security Agencies and many other powerful forces, I beg you to
> > attempt to understand how the changes being effected right now, also
> > affects yourself right now and how it will affect you in the
> > future. 
> > My idea with this post is threefold: firstly, to educate, secondly
> > to open discussion and thirdly to agitate for change.
> > DNS Abuse
> > 
> > Sometimes abuse is creeping, like weed in a garden it becomes more
> > and more and more and does not just happen overnight. In fact, it is
> > so creeping that we do not really see the weeds as we have become
> > used to seeing them.
> > 
> > Just because there are so many weeds, it does not change the fact
> > that they are weeds and, in a well maintained garden, they need to
> > be eradicated for the well being of all the plants in the garden.
> > 
> > To understand how this is even abuse, and how this will change your
> > own life and the Internet in the future, you need to also understand
> > some basic facts. The arguments for, against the standards, the
> > basic tech concepts, the functional aspects and then understand why
> > this is actually abuse and not just an evil movement, evil
> > standards or generally just plain old evil.  
> > 
> > Some important concepts in order to understand 

[anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

2017-01-01 Thread ox
Hello,

I wish everyone a prosperous & productive 2017

I wish to cast light on an abuse issue that has the potential to
effect, affect and impact the entire Internet

As among the proponents of this abuse are certain Government
Security Agencies and many other powerful forces, I beg you to
attempt to understand how the changes being effected right now, also
affects yourself right now and how it will affect you in the future. 

My idea with this post is threefold: firstly, to educate, secondly to
open discussion and thirdly to agitate for change.

DNS Abuse

Sometimes abuse is creeping, like weed in a garden it becomes more
and more and more and does not just happen overnight. In fact, it is
so creeping that we do not really see the weeds as we have become
used to seeing them.

Just because there are so many weeds, it does not change the fact
that they are weeds and, in a well maintained garden, they need to be
eradicated for the well being of all the plants in the garden.

To understand how this is even abuse, and how this will change your
own life and the Internet in the future, you need to also understand
some basic facts. The arguments for, against the standards, the basic 
tech concepts, the functional aspects and then understand why this is
actually abuse and not just an evil movement, evil standards or
generally just plain old evil.  

Some important concepts in order to understand the technical logic and
the "explained purpose" and then, importantly, "the real purpose" of the
abusers:

Trillions of domain names can resolve to a single IPv4 IP number.
So, you could have ex.example.com and ex1.example.com and
cat.example.com - and have the same for unlimited names from unlimited
TLDs to a SINGLE IP number.

All Domain names are intellectual property - yes, even
abc.dsrtif.dsaurthp.example.com

If a DNS server is asked for an IP number for google.com and it
answers 127.0.0.1 to one user and 0.0.0.0 to a different user (makes
up its own answers) - this is simply fraud, as google.com is a
trademark.
(replace google.com with apple.com or ibm.com, facebook.com or
any.example.com)

The proponents of DNS abuse argue that they are 'protecting' innocent
users by using DNS as a 'firewall' to create 'walled gardens' and to
respond to one ip number for a certain set of users and a different ip
number for different sets of users

Of course, this argument is fatally flawed as per my example above.
Their response is that there are sometimes multi-homed IP numbers (100
domains on a single ip number) and that blocking per ip number blocks
innocent domains as well. 

In order for you to form your own opinion you need to know that the
majority of DNS servers use the same software and that there are new
standards being introduced to formalize Internet Fraud. This Internet
Fraud empowers African Dictators to easily justify 'walled garden'
countries and is set to revolutionize your own Internet access. It also
empowers, facilitates and allows easy management to aggressive
ISPs, multinationals and many nefarious groups and people to manage
their activities. So, not only does the new software 'functionality'
exist, but it is being legitimized and formalized
by https://www.ietf.org/ 
(which, ironically, states: "The goal of the IETF is to make the Internet
work better.")

In a nutshell, the above illustrates that the DNS software used by
almost all of the Internet is to have functionality that allows DNS
operators to LIE to users, but to lie one lie to some/certain users and
another LIE to different sets of users (depending on who is doing the
asking) 

That is not all...

It also allows the DNS operators to hide the truth of these lies...

and that is not all...

The https://www.ietf.org/ is set to legitimize this nefarious behavior
under the flag of decency and good Internet operations.

So, it would be perfectly fine and acceptable for everyone to start
doing this, as it will be a 'standard' 

What this means for you: The future Internet will not be free and open.

Engineers supporting a non-functional and fatally flawed approach to
abuse is an indication of a far more serious problem - you need to
think about that for yourself, and what that means.

Of course, this in itself is abuse. This entire situation is Internet
Abuse and needs to be discussed as abuse.

Andre

--
more technical information:
https://tools.ietf.org/html/draft-vixie-dns-rpz-00
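As an added example (not code from this thread, nor from the draft's authors), the toy evaluator below applies the two RPZ trigger types described in draft-vixie-dns-rpz-00, QNAME triggers and response-IP triggers, to constructed answers; the policy zone name rpz.example and every name and address in it are made-up sample data. It makes the mechanics behind the argument above concrete: a response-IP rule hits every name hosted on a matching address, a QNAME rule hits only the listed name, and every rewrite is recorded so the operator has a log of which answers were changed and why.

```python
# Toy RPZ evaluator (added example, not from the thread or the draft).
# Zone "rpz.example" and all names/addresses below are constructed data.
import ipaddress

NXDOMAIN, NODATA, PASSTHRU = "NXDOMAIN", "NODATA", "PASSTHRU"
# CNAME targets with special meaning in an RPZ zone
SPECIAL_TARGETS = {".": NXDOMAIN, "*.": NODATA, "rpz-passthru.": PASSTHRU}

class RpzPolicy:
    def __init__(self, zone):
        self.zone = zone.rstrip(".").lower()
        self.qname_rules = {}   # owner name (relative to zone) -> action
        self.ip_rules = {}      # ip_network -> action
        self.log = []           # (qname, trigger, action) for every rewrite

    def add_cname_record(self, owner, target):
        """Load one 'owner CNAME target' policy record. A special target
        selects an action; any other target is local data that replaces
        the real answer (here modelled as a CNAME to that name)."""
        action = SPECIAL_TARGETS.get(target, ("LOCAL", target))
        rel, suffix = owner.rstrip(".").lower(), "." + self.zone
        if rel.endswith(suffix):
            rel = rel[: -len(suffix)]
        if rel.endswith(".rpz-ip"):
            # response-IP trigger encoding: <prefixlen>.<octets reversed>.rpz-ip
            parts = rel[: -len(".rpz-ip")].split(".")
            net = ipaddress.ip_network(".".join(reversed(parts[1:])) + "/" + parts[0])
            self.ip_rules[net] = action
        else:
            self.qname_rules[rel] = action

    def apply(self, qname, upstream_addrs):
        """Return (rcode, answer list) after policy; upstream_addrs is the
        honest answer the resolver obtained for qname."""
        name = qname.rstrip(".").lower()
        action, trigger = self.qname_rules.get(name), "QNAME"
        if action is None:  # no QNAME hit: check every answer address
            for addr in upstream_addrs:
                hits = [a for net, a in self.ip_rules.items()
                        if ipaddress.ip_address(addr) in net]
                if hits:
                    action, trigger = hits[0], "IP"
                    break
        if action is None or action == PASSTHRU:
            return ("NOERROR", list(upstream_addrs))  # answer left untouched
        self.log.append((name, trigger, action))       # audit record of the rewrite
        if action in (NXDOMAIN, NODATA):
            return (action, [])
        return ("NOERROR", [action[1]])                # local data replaces the answer

def build_sample_policy():
    p = RpzPolicy("rpz.example")
    p.add_cname_record("bad.example.net.rpz.example.", ".")        # one name -> NXDOMAIN
    p.add_cname_record("24.0.2.0.192.rpz-ip.rpz.example.", ".")     # any answer in 192.0.2.0/24
    p.add_cname_record("walled.example.com.rpz.example.", "landing.example.com.")
    return p
```

Running `build_sample_policy().apply("innocent.example.org", ["192.0.2.10"])` returns NXDOMAIN even though no rule names that domain, which is the collateral effect of IP-based triggers that the post describes; the `log` attribute shows the IP trigger as the cause.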