Re: AboveNet Global Routing issue
I'm seeing everything from Hughes Network (my vsat) go to Portland, Maine, from Northern Virginia, by way of Nashville, Las Vegas, Los Angeles (Verizon), and then back to Boston (Alter), for 20 hops. The usual is 10, straight up the eastern seaboard. Lots of delay, and more bad dns than usual.
Re: [admin] Re: Fourth cable damaged in Middle East (Qatar to UAE)
Alex Pilosov wrote: This conversation is quickly spinning into discussion of politics and terrorism. Reminder to all, please stick to the *operational* aspects of this thread. -alex [NANOG MLC Chair] Agreed. In December of 2005, for reasons entirely personal, I read every paper available at the Dudley Knox (Naval Post Graduate School) and the Air University (Maxwell AFB) Libraries mentioned in Greta Marlatt's 06/00 IO bibliography -- Information Warfare & Information Operations (IW/IO). A Bibliography, Documents, Theses & Technical Reports. This is a snap-shot of where IO was five years ago. People who want to flesh out a modern IO reading list please mail me (off-list) your URLs. In a nutshell, there were many, many operationally unsophisticated and more-dangerous-to-self-than-other ideas in these papers, in addition to a lot of "Revolution in Military Affairs (RMA) Wonder-Cruft", and a lot of it was blatant fund-me stuff. My two beads worth, Eric
Is 7bits enough? (was: Re: [admin] Re: EU Official: IP Is Personal)
My note of yesterday didn't make it to the list, which happens from time to time, but as I'm not asking about automobile licenses or number portability, this might make it past the rather broad kill-this-thread administrative dicta. Hi, We (the P3P Spec WG circa pre-9/11) didn't specify what would reasonably render a v6 addr non-PII, and we didn't provide guidance on v4 addrs, other than the 7bit mask. Since I'm the only former contributor to that activity who gets NANOG mail, if any of you have ideas on either of those two forms of endpoint identifiers and PII and send them to me, I'll summarize for the purpose of offering a specific update to our final work product, P3P 1.1 [1]. I'll extract the MAC-to-v4 comments for PII in a LAN environment, which we ignored in the P3P Spec WG. Eric [1] http://www.w3.org/TR/P3P11/
Re: network reputation [was: IP is...]
Security is a strong supporter of privacy ... I've removed the part of this sentence I don't understand. Privacy involves more than just non-disclosure, it also involves issues like identifiable retention and identifiable 3rd-party provisioning and identifiable other-policy collection linkages, and ... There were, and are people who contribute from time to time to the IETF, who decided that it was sufficient to indicate if the source of a flow had a "privacy preference". Look for binary valued labels in RFCs pertaining to the provisioning of PII to some well known data collectors (and data publishers). There were also, and I suppose also are, people who contribute from time to time to the IETF, who have decided that it is insufficient to indicate the policy preference, if any, of flow sources, absent indications of the policy practices of flow otherpoints, which may also be flow endpoints. Look for labels which cannot be projected to a binary value without loss of information in RFCs pertaining to the provisioning of PII to some well known data collectors (and data publishers). Which is a long-winded way of saying that security != privacy. Eric
Re: EU Official: IP Is Personal
Lou Katz wrote: They are both right. If you have a dynamic IP such as most college students have, it is here-today-gone-tomorrow. If you have static IP (business, us slugs in the Swamp, etc) you are identifiable. Hi Lou, Long time. The thing is this isn't an atemporal question. The association of an address and any other information that tends to identify an individual (say my googling the complete works of the co-author of "Survey of Modern Algebra", along with Saunders Mac Lane, in particular reference [1], the "original" treatise on shaped charges, and my groveling for clue in DNS ops, and my ...) tends to unique closure over finite time. So, for a single datagram sourced from a just-allocated at random DHCP pool, wicked hard to make PII. But for many hours or days of stream to a variety of data collectors, some of which share raw or correlated data, the problem is not insoluble. Eric [1] Garret Birkhoff, et al. "Explosives With Lined Cavities". Journal of Applied Physics. June 1948, p. 563-582.
Re: EU Official: IP Is Personal
Paul Vixie wrote: [EMAIL PROTECTED] (Hank Nussbacher) writes: http://ap.google.com/article/ALeqM5g08qkYTaNhLlscXKMnS3V8dkc-WwD8UAGH900 they say it's personally identifiable information, not personal property. EU's concern is the privacy implications of data that google and others are saving, they are not making a statement related to address ownership. Correct. In the EU DP framework (see: http://ec.europa.eu/justice_home/fsj/privacy/), personal privacy doesn't arise from private law (contract or property), but from public law (the human rights statements contained in the treaty under which the EU is formed). However, Google/DoubleClick claim they have the right to collect PII data and disclose less than their complete data collection policy, and in particular, claim that endpoint identifiers do not tend to identify individuals. Further, they assert a property claim on such collected data. See the partialip definition in the W3C's P3P Spec for an attempt to straddle the fence at offset 7: "a partialip element represents an IP version 4 address (only - not a version 6 address) which has had at least the last 7 bits of information removed" The theory for partialip was that a full address (v4 or v6) was PII, and a partial (for v4 only, at 7bits) was not PII. Eric P. S. How many bits in the mask are necessary to achieve the non-PII aim?
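The partialip rule quoted in the message above ("at least the last 7 bits of information removed", IPv4 only) is concrete enough to implement, and doing so makes the P.S. question answerable in the narrow sense: removing n bits folds at most 2^n full addresses onto one partial address. The following is an added example, not code from the original post or from the W3C P3P specification; the function names are mine and the sample addresses are constructed from the RFC 5737 documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Added example (not from the original post or the P3P spec): the P3P 1.1
# partialip element is "an IP version 4 address (only - not a version 6
# address) which has had at least the last 7 bits of information removed".
# Function names and sample addresses below are constructed for illustration.

MIN_BITS_REMOVED = 7  # the "at least 7 bits" floor in the partialip text


def partial_ip(addr: str, bits_removed: int = MIN_BITS_REMOVED) -> str:
    """Zero the low `bits_removed` bits of an IPv4 address.

    Raises ValueError for an IPv6 address (partialip is v4-only by
    definition) and for a mask that removes fewer than 7 bits, which
    would not qualify as a partialip at all.
    """
    if not MIN_BITS_REMOVED <= bits_removed <= 32:
        raise ValueError("partialip must remove between 7 and 32 bits")
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("partialip is defined for IPv4 only, not IPv6")
    mask = (0xFFFFFFFF << bits_removed) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(int(ip) & mask))


def anonymity_set_size(bits_removed: int) -> int:
    """Number of full addresses that collapse onto one partial address.

    This is the best case: it assumes every address in the block is in
    use and that nothing else collected alongside the address (cookie,
    user agent, timing) narrows the set further.
    """
    return 1 << bits_removed


def bucket(addrs, bits_removed: int = MIN_BITS_REMOVED) -> dict:
    """Group full addresses by the partial address they map onto."""
    groups = defaultdict(list)
    for a in addrs:
        groups[partial_ip(a, bits_removed)].append(a)
    return dict(groups)


# Constructed sample: three hosts, two of which share a /25.
SAMPLE = ["198.51.100.3", "198.51.100.100", "198.51.100.130"]

if __name__ == "__main__":
    for bits in (7, 8, 16):
        print(bits, anonymity_set_size(bits), bucket(SAMPLE, bits))
```

The mask only bounds the set size for a single observation; it does nothing for the point made elsewhere in this thread, that a stream of observations over hours or days, shared between collectors, can still close on an individual.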
Re: Why ICANN did the Right Thing [Was: Re: MEDIA: ICANN rejects .xxx doma in]
hey ferg, its not that interesting an analysis. struan doesn't really close on any policy issue, and concludes with the usual: I think ICANN was right to reject the current proposal. Because it does little more than add yet another domain to the internet that nobody needs. now how reflective is that, really? is there a number n, or a rate of change of n, that is needed? that icann is ... authorized ... to set? sartorial legislation (laws against commoners wearing velvet, etc.) isn't novel, and i'm fairly plain myself, but how many brands is enough? think of all the policy elements not explored. registrars aren't limited to convicted offenders, pick your statute and jurisdiction to taste, like justice potter. registrants don't actually have to show their material is banned in boston, for some values of boston. bottom line, the author of the analysis doesn't appear to have much grasp of registry proposants, or registry economics, or registrar economics, or icann history-as-politics. i wouldn't pay him money to write part of a registry proposal, and i wouldn't want him making business decisions for a registrar, and he sure doesn't have a grasp of how the dns is used to non-graphically, using no skin tones at all, to the detriment of the users who hope that by paying us money they will get a working net. and "xxx" means corn liquor, white lightning, the comfort in gran'ma's tea and the source of her pin money. cheers, ebw
Re: MEDIA: ICANN rejects .xxx domain
... > use. Hunt down "BU joins the internet", a typo in our initial update > tickled a bug in the bsd hosttable program which brought down about > 2/3 of the internet (yes, down.) I can't say I'm proud of that, but > it's kind of hard to forget. i overflowed the core routers, summer '88. That was good for a flurry of chitchat between bbn (noc) and sri (nic) one afternoon. ebw
Re: MEDIA: ICANN rejects .xxx domain
earlier i wrote: > the how-to-label problem has been around since the w3c's pics effort. > > the jurisdictional issue is aterritorial, as the cctlds cover that, > and the authority, nominally, is a 501(c)(3) in marina del rey, and, > purely contractual, as is the registry restricted to cooperative entities > and the registry restricted to aviation entities. this drew a response from martin hannigan: : Negative. 92% of the root is under US jurisdiction with most ccTLD's : riding on that infrastructure. I'm in the process of analyzing that : now. I'll let you know what the number comes out to, but I bet it's : close. having been a party to the drafting of the icann new gtld contracts, an interested party in the case of the neu* .biz contract, and an invited, if ad hoc, expert in the case of the aero/coop/museum contracts, mostly at louis touton's initiative, i'm of the (ianal) opinion that other than the easily answered california incorporated 501(c)(3) jurisdictional question implicit in the contracts between icann and the new gtld sponsors, that no jurisdictional restrictions were specified in the ngtld contracts. some actual lawyer may comment on the distinction between statutory authority over the conduct of parties to a private contract, and the civil law jurisdiction the parties agree to to resolve contractual disputes. there are parties that hold a territorial jurisdiction trumps all point of view. the us doc placed territorial jurisdiction (physical location) requirements in the .us rfp, which i also wrote the winning response to, so all .us nameservers are within the continental united states. personally i view this requirement as brain-dead. similarly, icann last summer adopted a contested redelegation process for cctlds which values territorial jurisdiction claims. personally i view this process change as brain-dead. obviously, mileage varies. 
now the issue of controlling authority has come up previously, and the claim that there is only one jurisdiction, the us, has also been made previously. see the w3c's p3p standard, and the data collection (aka "privacy") policy regimes we (i'm wearing that co-author hat now) provided mechanism for. again, ymmv. eric
Re: MEDIA: ICANN rejects .xxx domain
the how-to-label problem has been around since the w3c's pics effort. the jurisdictional issue is aterritorial, as the cctlds cover that, and the authority, nominally, is a 501(c)(3) in marina del rey, and, purely contractual, as is the registry restricted to cooperative entities and the registry restricted to aviation entities. we are spared having to contest .xxx registrants who failed to meet the terms of the sponsored tld -- intolerably bland content.
Re: dnsstealer.com
isn't this a job for super-icann?
Re: .iq [ was: Re: Paul Vixie serving ORSN ]
David, Before turning to your certainty that laws are self-explanatory and not nuanced, I should mention something I forgot. The Elashi case rattled the Export Controls Defense bar, because the Elashis didn't actually send anything to Libya, their buyer was some computer broker in Malta, and that's who sent the export controlled material on to a state on the restricted list. The Elashi case established the precedent that a buyer's actions could transfer export control liability to the seller. Turning to your certainty, the original language has been modified to put in a Moore's Law (my shorthand) COLA-like MIPS escalator, and modified again to replace "proliferation" (which has a rational relationship with MIPS) with "terrorism", which has no computational characteristics known to me. I don't know why the Elashis' attorney entered a plea on the export issue, as the cost for agreement to a plea appears to be indefinite sentencing, rather than an ordinary rational cost of business fine. Cheers, Eric
Re: .iq [ was: Re: Paul Vixie serving ORSN ]
> And they did violate US laws in the US. An export regulation, one normally punished by a fine. > Ah well, maybe they will get deported when they get released from prison, > just like their wives. There is an interesting register of export violators, and quite a few are foreign nationals, and quite a few are also ... obscure ... like arguing that a Pentium processor constitutes a nuclear proliferation asset. Over the past three years, only one violation has resulted in the seizure of all business assets and business records. As I pointed out to Vint some months ago, if the same standards were applied to Worldcom's Bernie the Bandit, Vint could have been in the pokey too, and even his Worldcom pencil sharpener would have a DOJ do not remove under penalty of law seal on it. Eric
Re: .iq [ was: Re: Paul Vixie serving ORSN ]
Bill, I forgot to mention that the idiot Brit who wanted .iq was going to run it -- all of it -- off of generators from inside the Green Zone. I don't know if my notes made a bit of difference, but I advised that ICANN not redel and open the adverse redel can unnecessarily. I'm not sure if I understand your note, but since you seem to be making a pragmatic "it works better" observation (and I don't know that it does) for one 3166 code point, why not another? Eric
Re: .iq [ was: Re: Paul Vixie serving ORSN ]
> > For those who care about excesses of zeal, the Elashi brothers (operators > > as well as sponsor delegees of .iq) of someplace in Texas, were charged with > > giving money to Hamas or a charity linked to Hamas, and sending a PC to > > Syria, > > and parts of a PC -- perhaps a mouse pad -- to Libya. > > http://www.usdoj.gov/usao/txn/PressRel04/Elashi.pdf Thanks Dan, I've read it, several times, and the prior and subsequent filings, and the referenced export regs as well. It all comes down to pretending a PC is a supercomputer, pretending that ordinary Syrians, let alone nuclear weapons proliferating Syrians, didn't, in this period, routinely drive from Damascus to Beirut, and an untested claim of money laundering, and a lot of highly excited politically ambitious people in North America. The Elashis didn't run a great cctld before the present excitement, but a lot of cctld operators could then be, and can now be, similarly characterized. Eric
Re: .iq [ was: Re: Paul Vixie serving ORSN ]
Bill, Have you got an opinion on .mm? Last December (when Vint and I did exchange notes on getting India to allow relief workers into the Andaman and Nicobar Islands, and some British embassy in Baghdad guy who wanted to get .iq for the Occupation regime-de-jour) it so happened that all their servers (in the UK, which isn't part of Burma, or Burma Shave, or ...) were dark. If those facts were present today, would you be ready to delta dot? Eric
.iq [ was: Re: Paul Vixie serving ORSN ]
> it's enough for me that they're going to do it no matter what you (or i) say, > and that they're doing it responsibly (without any namespace pollution). if > ORSN is afraid war is going to break out somewhere and that ICANN might delete > the ccTLD's for countries that are part of the "axis of evil", then ORSN is > probably just confused -- i don't think that's what would happen. but as i've > said, i'm indifferent to their reasons, since they only publish data that was > at one time or another published by IANA. I suppose I should mention that ICANN redelegated .iq for some mumble reason, compare, .pn. For those who care about excesses of zeal, the Elashi brothers (operators as well as sponsor delegees of .iq) of someplace in Texas, were charged with giving money to Hamas or a charity linked to Hamas, and sending a PC to Syria, and parts of a PC -- perhaps a mouse pad -- to Libya. The latter acts nominally violate export regulations intended to prevent the acquisition of supercomputers by several states for the purposes of preventing nuclear proliferation, and the government obtained a conviction on the Syrian export count. Export control violations universally result in fines, except in the case of the Elashi brothers, who are still in Federal custody. People who live in Damascus routinely drive to Beirut to buy computers, so the rationality of all this is an exercise left to the reader. It did result in the seizure of the .iq name servers, and has kept .iq dark for three years. No part of this was necessary, or could not have been solved by a trustee pending the eventual outcome of the USG's complaints, and the possible counter-complaints by the Elashis. The US has not yet, after three years, brought the giving money to Hamas issue to trial. Not that it matters, but Hamas is the government of parts of Palestine, no matter how much heartburn this gives some people, and the Elashis are diaspora Palestinians. Eric
Re: [political pontification] Re: Turkey has switched Root-Servers
> Are there operational issues to attempt to make this thread remotely on > point for NANOG? Probably not. It's just bits, and whether the bits are all > 0x000 or quasi-random distributions between 0x000 and 0x177 is water under > somebody else's bridge. The constraint-space is "solve in applications" and > not "solve in infrastructure". s/0x177/0x377/. I'm such a dolt. ENOCOFFEE. The 8th bit is the point, for some values of point. > VC: yes, that's the current vector at any rate although I gather there is > still effort being put into constraint rules at both infrastructure and > application level? Back when I still worked for a well-heeled, if only through pyramid-scams on investors in the North American numbering and speculative DNS markets, employer and could afford to go to IETF meetings, I did talk to people in the MTA and other lines of work about foo-in-infrastructure. One can hope that people do the correct things, but sometimes they need to be reminded what "correct" and "do" mean. I wonder what goodies and treats await me in this tasty tarball ... after all "sendmail X is 8 bit transparent" ... ftp://ftp.sendmail.org/pub/sendmail/.beta/antry/smX-0.0.Beta2.0.tar.gz Eric
Re: [political pontification] Re: Turkey has switched Root-Servers
Vint, I don't think I know any longer, if I ever did, what "IDN" means. Alternatives to Unicode were proposed during the IETF IDN WG lifetime, both as a single normative reference, and as a normative reference. Likewise an intermediate tables redefinition of Unicode, mentioned in my last pointless comment. Then there is the possibility of research on the problems of character repertoires and interoperable data exchange -- before engineering some solution(s). Proposed to the IRTF Chair and rejected. Are there operational issues to attempt to make this thread remotely on point for NANOG? Probably not. It's just bits, and whether the bits are all 0x000 or quasi-random distributions between 0x000 and 0x177 is water under somebody else's bridge. The constraint-space is "solve in applications" and not "solve in infrastructure". The question of semantic scope is interesting in theory, which was the point of my note to Tony Li, if not tractable in a particular context. Eric
Re: [political pontification] Re: Turkey has switched Root-Servers
> I should have made my comment more specific: what is the problem with > single namespace without ccTLDs and without per-country exceptions? Thank you for asking. Harald Alvestrand and I had just this conversation during the IETF IDN WG lifetime, about the point where the Chinese (CN, TW, MO, SG), the Koreans (SK), and to a lesser extent, the Japanese (JP) in the Chinese Domain Name Consortium (CDNC) and/or the Joint Engineering Taskforce (JET) found IETF consensus process inalterably for an ASCII encoding of a naive transformation of a glyph repertoire (Unicode). The CDNC et al were unable to get an intermediate mapping of the code point repertoire, and proposed an alternative, scoped semantics for code point equivalency classes. That was your question right, what use is there for scoped semantics? Perhaps none, but the CDNC/JET technical people I knew, and the policy people I knew at the time were quite willing to accept all the flagday issues for domain names characters in infrastructure that were outside of the current repertoire. I think everyone here knows what those issues are, and how great a cost their resolution represents. > Per-country exceptions just creates more Balkanization of the > Internet, which hardly seems beneficial. That was Harald's argument, and as IETF Chair, it carried much more weight than that of any other person I've ever known, in China or outside of China. The "principle of least surprise" meant that a zone file operator (in China) could not create an equivalency class a user (in Norway) would be unlikely to predict. 
I suppose I should mention that in mainland China, a simplified (modern) form of Han characters is used, in the province of Taiwan, traditional Han characters are used, in Korean some archaic Han characters are used, and in Japan, in the Kanji writing system, some (other) archaic Han characters are used, and in Vietnamese, still another set of Han characters are used -- and there are scads of semantic equivalencies between these different glyphs, all of which are in Unicode, without an equivalency class mechanism. And so we (or rather "they" since this is a North American list) do not have domain names composed of end-user recognizable characters. Oh. While in hospital in Beijing I asked all the medical staff (nurses, doctors, etc.) if they were "OK with ASCII". Not one English speaker was. Limited sample set, your mileage may vary, season for taste, etc. It is felicitous, but the ICANN Registrar's Constituency list just a day ago carried a request, nominally from ICANN President Paul Twomey, for a Registrar with some interest and experience in the problem area to join a President's mumble. I wrote him and Vint to see what they had in mind, and I may as well use this note to prod them again. They may simply mean that RACE needs to be re-euphemized and a few more printer glyphs in Unicode need to be made less accessible to phishers. Eric
j19n (was: Re: Turkey has switched Root-Servers)
wearing my worked-on-p3p-for-years hat, jurisdiction matters. how this translates into operational issues is:
whois nonsense
sld namespaces
deresolution (upon local rule) process
pricing and non-cash predicate and post-conditions
moronic (or not) primary geolocs
encodings and equivalencies (actually an interesting issue, the ietf not withstanding)
safe harbor and data protection scope and semantics
enjoy, eric
Re: ICANN, VeriSign Will Consider Changes on .net Agreement
> >I don't know if it is the repeated "ICANN can't be trusted / is corrupt" > >messaging, or the sensitivity of the .NET "rebid" (aka VGRS deregulation) > >that got the prompt action -- > > It's more that ICANN has figured out that registrars are where all > their revenue comes from, and if they dragged their feet signing > contracts or paying, ICANN has precious little leverage over them. That wasn't our reading of the balance of forces (contractual and share) as recent as the last budget go-around. YMLV. Vint's sent a note to the Registrar Constituency Chair in reply to the note from the 30 RC members present at the Luxembourg meeting. Eric
Re: ICANN, VeriSign Will Consider Changes on .net Agreement
FWIW, we did a "Major Protest" at the Rome meeting about Sitefinder and it took Vint months to come to the conclusion that it (interposition on the lookup error semantics) was not just a business decision. I don't know if it is the repeated "ICANN can't be trusted / is corrupt" messaging, or the sensitivity of the .NET "rebid" (aka VGRS deregulation) that got the prompt action -- by VGRS, not the ICANN BoD, but it is more likely the latter (YMMV), so it isn't a sign in itself that ICANN has any more clue today than yesterday. Eric
Fwd: ICANN Board Designates VeriSign ...
ICANN's announcement is at: http://www.icann.org/announcements/announcement-08jun05.htm See also: http://icann.org/tlds/dotnet-reassignment/net-rfp-process-summary-08jun05.pdf And so much for that. Eric
3rd and 4th place horses swap positions
Apparently DENIC is more qualified than Afilias to not run the .net registry. http://www.icann.org/tlds/dotnet-reassignment/net-rfp-finalreport-issue4-27may05.pdf
Re: Paul Wilson and Geoff Huston of APNIC on IP address allocation ITU v/s ICANN etc
as i've mentioned previously, when proposing a work-around for the mess that a blind use of iso3166 causes for territorial jurisdictions, jon and i were talking about using x.121 _in_theory_ to aggregate what i knew then (and i know still are) technically weak and policy incomplete states in the americas, and africa. we were talking about nics, not nocs, but at that point in time (and now), for some territorial jurisdictions, the distinction is artificial, a 1st worldism. http://www.gtld-mou.org/gtld-discuss/mail-archive/04468.html definitely not that any of this will change the minds of any of the usual cast of morons at the icann smorgy. i don't have my correspondence with jon, some of it was simply chatting at an ietf. eric
Re: Stanford Hack Exposes 10,000
Howdy all, Somewhere in this thread there is the issue of description of data collection practices, and for those mammals who care (see "Ice Age" with someone under 10 if you need help decoding that), you can do the following: Review the latest working draft (4 January 2005) of the P3P Spec http://www.w3.org/TR/2005/WD-P3P11-20050104/Overview.html and send issues to [EMAIL PROTECTED] and/or post to Bugzilla http://www.w3.org/Bugs/Public/ The activity you'll be assisting is getting P3P 1.1 to (W3C) last call. Like all IMF work, its unpaid, and in the event of capture, the Secretary will disavow ... Eric
Re: Underscores in host names
> Supporting "IDN" is a necessary job. That's been made clear to the > Internet community. If it "complicates" things, well, then that's > what has to be done. If the Internet is to be global, it can't > restrict the world to just a few convenient languages. Not to quibble unnecessarily, but the folks I came to the dance with at IETF-50, eventually went home fairly disappointed after -51, and -52, with none of their proposed mechanisms drafts having obtained even working group draft status. You know what the constraints are -- no zone local semantics (e.g., case folding rules, courtesy H.A.) for a glyph repertoire that in some ranges is also a character set, no intermediate tables, no flag day(s) for apps, and so on. To describe that as "IDN", rather than "a way to represent, poorly for some, not so poorly for others, character sets other than ASCII in apps", leaves the later reader ignorant of the baroque design choices available and discarded on the road to RACE II. In Abenaki, "w", "ou" and "8" all collate to the same code point, and the representation of the code point is application specific (modern, early, and 17th c. styles). Eric P.S. 17th century French lacked a "w" character, "8" is a "u" atop an "o".
ot: gilat (spaceband, starband, deterministic) contacts
howdy, if anyone from gilat (or its northamerican downstreams) is on-list, i'd appreciate a contact. tia, eric
Re: FCC To Require 911 for VoIP
>are you -REALLY- arguing for the return of "finger" ?? If it gets the user a brown fizzy drink ... it can't be a completely bad idea.
Re: ICANN needs you!
Rodney, Can you compare the past out-reach exercises and the present one? You know, process and outcomes. I'm thinking of the process and outcome of the MITF exercise of 2002/3. It is now seven years since the issue of appropriation of tribal names was brought to the attention of the ICANN BoD in an ICANN VI-B(3)(b)(7) Constituency Application. The situation remains unchanged. On a personal note, I still recall then-CEO Michael Roberts telling me to just take what the IPC offered (nothing), as the ICANN bus was leaving the station. It is now six years since the issue of code point allocation by the iso3166 maintenance agency and indigenous governments was brought to the attention of the ICANN BoD in WG-C (draft-icann-dnso-wgc-naa-01.txt). The situation remains unchanged. The model of an sTLD was adopted, but sex.pro was not what we'd had in mind. Had Jon not died, we might have had a solution along the lines of x.121 (and now ASO RIRs) regional DSO registries, or a .ps-like work-around. We're going on the third year of .iq being dark, with no trust operator, and no contact initiated by ICANN with the Sponsoring Organization, still in a US pokey for an exports infraction (they freighted a PC to Malta, which the forwarding agent then sent to Libya, and may have freighted a PC to Syria, about an hour's drive from Beirut). From Louis to the BoD @ Rome to Vint and Paul over the winter holidays, ICANN has been aware and the situation remains unchanged. The .ORG evaluation was ridiculous. The evaluator was not independent, nor did it possess subject matter expertise. The .NET evaluation was ridiculous. The evaluator ... ditto. The control of the DSO et seq by the IPC ("whois") is ridiculous. The vanishing of the ISP Constituency (self-inflicted, but rational in the context, see the prior item) is ridiculous. 
When I look at my years of non-accomplishment, and ICANN's years of little accomplishment, I don't see a lot a rational person could take a lot of pride in, or want to be associated with. Your mileage may vary. You are correct that "[t]he archives of NANOG are riddled with complaints and comments about the lack of competent representation and influence for the networking community within ... ICANN." An alternative to asking for a new crop of possibly decorative worker bee candidates to self- or other-identify for a possibly decorative nomination and selection process is to identify one or more of those existing "complaints and comments" and attempt to act upon it or them. Beauty pageants and member pageout events aren't the same as working a task to a scheduled completion. Cheers, Eric P.S. If discussion of the latest ICANN process event does not belong on NANOG, does its announcement?
Re: Memory leak cause of Comcast DNS problems
A friend in St. Paul left me a comment: Irritated Comcast customer from St. Paul here. I'm just glad I didn't wait until Friday to e-file my taxes. Eric
fwd: Cobell lawyers ask trust systems be shutdown again (3rd time)
Howdy all, "Because it is indisputable that the 'poor state of network security' creates an imminent risk of irreparable injury... plaintiffs request that this court disconnect from the Internet and shut down each information technology system which houses or access individual Indian trust data to protect plaintiffs against further injury to their interests...," The perenial fuck't up ness of the US DOI BIA Trust is something that could be fixed, if the contracting office and/or contractors had competitive clue, but they don't, and probably won't ever. Think of it as a finding of fact that depeering is in the best interests of the putative beneficiaries of the Indian Trust systems. Eric --- Forwarded Message Date: Tue, 12 Apr 2005 11:08:44 -0400 (EDT) From: Indian Trust ListServ <[EMAIL PROTECTED]> To: Indian Trust ListServ <[EMAIL PROTECTED]> Subject: Cobell v. Norton - "Sham" Certification Process Used to Okay Defective Computer Systems WASHIINGTON, April 12 -- The Interior Department used "a sham certificati on and accreditation process" to operate defective computer systems which house or access individual Indian Trust accounts, plaintiffs told a federal judge. Citing the Interior Department's own records, lawyers in the Cobell laws uit against Interior Secretary Gale Norton have asked U.S. District Judge Royce Lamberth to reimpose a temporary restraining order, shutting down all trust syst ems. The temporary restraining order and a preliminary injunction against the department are essential to protect 500,000 trust account beneficiaries from fu rther irreparable harm, the petition notes. "Because it is indisputable that the 'poor state of network security' cr eates an imminent risk of irreparable injury...plaintiffs request that this cour t disconnect from the Internet and shut down each information technology system which houses or access individual Indian trust data to protect plaintiffs agains t further injury to their interests...," the petition reads. 
It cited a study by the Interior Department's own inspector general who reported that "given the poor state of network security...and the weak access controls we encountered on many systems, it is safe to say that we could have easily compromised the confidentiality, integrity and availability of the identified Indian Trust data residing on such systems." Judge Lamberth has twice directed cutoffs of Interior's computer systems to protect trust data. But each time the department has reopened those systems, contending that they were safe from computer hackers. The new filing by the Cobell lawyers reports that Interior's chief information officer, Hord Tipton, has said in a deposition that Interior officials did not even consider the risk to Indian trust data when they reviewed the systems. Additional details of how the department reconnected its computers using the sham accreditation process are available in the filing for the temporary restraining order at www.indiantrust.com. --- End of Forwarded Message
Re: Blog...
> and, instead of "polluting" the list with tech news > snippets, post them to a blog. ... > Can I get a Hallelujah?! :-) not from me. makes as much sense as turning nanog into a web-access only mail sink. i liked your news items. and sean's. i wouldn't have known to go look at the iraqi network operator/nic situation if "news" about the hack on aljazeera/akamai-reneg and so on weren't on-list. the sacred cow of the moment is the one with domain names splattered untidily all over the pasture. next week or month or year it could be something else. jamaica w/o reachable nameservers, or a trunk-cut way outside of north america by some barge dragging anchor.
Re: report of .biz outage...
It's between the CORE SRS and the NS SRS. Now if your position is that NS is inerrant, and by assertion, the failure lies somewhere else, fine. Who cares?
Re: report of .biz outage...
Ed, The occasional connectivity problems with Neulevel of March 31st persist. Eric
Re: Telcordia report on ICANN .net RFP Evaluation
> But my recent post was not "against" (or "for", for that matter) > Verisign. I am just disappointed that ICANN did not have the integrity > to select a company that is _truly_ independent to judge the > applicants. In the prior round ICANN picked a company doing non-trivial business with the LNP/NANPA side of applicant NeuStar. > Would someone from ICANN care to explain their decision process? I > cannot believe they did not know the apparent conflict of interest. Your turn. You can just make the last flight to Argentina. Eric
Re: Telcordia report on ICANN .net RFP Evaluation
> >ICANN Opens Public Comment Forum on .NET Evaluators' Report > >29 March 2005 /dev/null.
Re: Disappointment at DENIC over Poor Rating in .net Procedure
> Anyway, DENIC's offer didn't match that of Sentan ... funny, the first item of work email i read today was this: the Neulevel SRS is currently down, .biz registrations are therefore not possible. We will inform you as soon as the registry is online again. your metric for "match" may vary. eric
Re: Disappointment at DENIC over Poor Rating in .net Procedure
That's milder than the critique offered by SWITCH in the last round.
Re: The U.N. thinks about tomorrow's cyberspace
Paul, I worked with Houlin Zhao extensively during 2001, and met with him again at the Rome ICANN meeting. He's a smart guy. Eric
Telcordia report on ICANN .net RFP Evaluation
Oki all, A summary of the report and a link to the full report can be found at: http://www.icann.org/announcements/announcement-28mar05.htm So now you know. VGRS, NS+, AF, ranked 1, 2, 3; DE and CORE ranked 4 & 5. Eric
Re: ICANN on the panix.com theft
nuance. > ICANN Blames Melbourne IT for Panix Domain Hijacking ICANN's current RAA (Registrar Accreditation Agreement) lacks a profound amount of teeth. If it had any, that is, if "ICANN Blames" meant anything, Domain Registry of America's (remember them) registrars (note the plural) would be on the dock for something. MIT's sins are pretty small in the grand scheme of things, and they didn't cause the race regime that was the root cause for PANIX.COM needing defense. ICANN is dorking the registry contracts for new sTLDs, and has dorked with the ccTLD contracts, and is now dorking with the registrar contracts. You all may wonder if ICANN is "bottom up" and these contracts reflect "consensus policies", if not caring about the DNSO circus for another round is really in your best interests. YMMV, as always. Eric
Re: Utah governor signs Net-porn bill
> 1) unenforceable old blue laws similar to how Native > Americans need to be escorted by police in > Massachusetts (i.e. they never got around to fixing > old bad law, but no one cares anymore) Actually, Indian towns were governed by Blue Laws up to the second half of the 20th century. Not every law against snowfall was enforced at all times, but one shouldn't infer that all laws relating to fallen snow were moot for all time.
Re: Utah governor signs Net-porn bill
Oki all, Over the holidays I had the opportunity to pick up some pin money experting for a case involving just this business model and the media ignored sides of some rather well-known persons who work the church markets in the US. > > that's EASY: there is hyperconcern for the welfare of > > children in Utah, > > Finally, someone who recognizes what this bill is > all about. It merely asks ISPs to provide parents > with a filtering tool that cannot be overridden by > their children because the process of filtering takes > place entirely outside the home. In the instance of policy and mechanism I reviewed, this was "deinstall AOL and all others, install , stuff some obscure bits into hidden files on DOS boxen to prevent replay with a possibly different permissible policy threshold, and prompt the adult/user/owner/installer for threshold definition". Clunky, IMHO, because the step after "mistake" is "reinstall OEM os", but tastes vary. > Once Utah ISPs come up with a good way to do this, > I suspect there will be a market for such services > elsewhere in the USA as well. In the instance of policy and mechanism I reviewed, this was "interpose a proxy on all http methods, and evaluate some property of some object according to some rule(s). If permissible (above), forward to the edge, if not, do something else. It could have been localized ad insertion, or bandwidth aware content frobbing, instead of ... what it was. Is it "easy" as a business proposition? Everything was on the rising side of the bubble. On the falling side of the bubble even AOL had to work its numbers. With "more moralists" dominant in public policy, market plans that replace public morality policy with private morality policies seem to me to be less likely to penetrate the "high" morality affinity-based markets than when "less moralists" are dominant in public policy.
To paraphrase my friend Bill, why would the little asshats settle for a private Idaho or Utah when the big asshats have promised them the whole enchilada? Anyway, it was presents for the kiddies and some of the winter's heating oil, and I now know more about some people than I wanted to. Eric
Re: Utah governor signs Net-porn bill
Bill, I'll be happy to contact the IT and/or policy people at any or all of the Tribal Governments whose jurisdictions are surrounded by, or proximal to, those of the state of Utah. (a) They could use the business, just like anyone else, and (b) they are not subject to Utah's state law (and before any smarty pants says "PL 280 Utah Code Annotated sections 63-36-9 to 63-36-21, 1991", let me point out that Utah has not amended its state constitution and, consequently, their claims of jurisdiction are subject to legal challenge, and (deep breath), PL 280 wasn't intended to help missionaries chase foul mouthed apostates and 1st Amendment exercisers out of Indian Country), and quite attached to keeping that difference and keeping it visible. > NO, see 76-10-1233(1) "A content provider that is domiciled in Utah, > or generates or hosts content in Utah, "... Eric
Re: Utah governor signs Net-porn bill
thanks steve. i'm distracted. just got bit by red lake.
Re: Utah governor signs Net-porn bill
Could someone find out what the actual mandated requirements are? At one point it sounded a lot like just putting PICS labels on published URLs.
Re: Utah considers law to mandate ISP's block "harmful" sites
> | If HB260 is approved, it would require that Utah-based companies > | begin rating their sites for [... cryptofauna]. Oh. So it's just PICS. If it was P3P I'd be more interested, but as it is (or appears to be at a very great distance) PICS, yawn.
Re: .US TLD Owners Lose Privacy
Oki all, For those of you in the Lower-48, plus Alaska and Hawai'i, I sent this to my local ISP association. You can ignore it, ridicule it, or adapt it to your state and pretend to have written it. I don't mind either way. If you do want to try it chez vous, and you want my help (or hindrance, depending on perspective) drop me a line. Eric --- Forwarded Message To: [EMAIL PROTECTED] Date: Fri, 04 Mar 2005 13:05:46 -0500 From: Eric Brunner-Williams in Portland Maine <[EMAIL PROTECTED]> Subject: [Maineisp] DoC opens .us to spam, forward from WiReD/NANOG, and some commentary Folks, By way of background, this is part of the "whois foodfight" in the policy area of ICANN and the DNS. The working assumption is that every domain is either of interest to an intellectual property owner (infringement) or to a law enforcement officer (pedi-porn), and vastly lower down the rational food chain that every domain is used in some form of UCE scheme (spam). These are all deeply problematic assumptions, but that hasn't made any impression on the actors at ICANN, or the less than best-and-brightest at the DOC/NTIA which owns .us. I wrote the proposal for NeuStar to operate .us in 2001, which the DOC/NTIA selected, so I'm modestly clueful on the operational and policy issues.
What this means here in Maine is that no one can now register domain names of the form: "michal-heath-is-a-big-fat-idiot.me.us" or "the-monopoly-ilec-blows-chunks.me.us" or "workarounds-for-nannyware-pending-constituional-challenge.me.us" without providing the semblance of a personal (or corporate) identifier, consisting of a personal (or corporate) name, and contact information, as well as an email address which is not that of a 3rd-party proxy such as attorneys and registered agents, which will be accessible to anyone who wants to "look behind the veil", without restriction. I can't fix the retardation at ICANN or the DOC/NTIA, but I can ask you all to think about whether you want the Maine Legis to remain silent on the sanity of assuming that every domain name registrant is infringing on a trademark, or a publishing pedophile, or otherwise engaging in some conduct that necessitates the registrant providing an address for legal service, their identity, and expose a mail address (your product) to the address harvesters for resale to spam-based marketing operations (your problem). If you haven't passed out already from my boring prose, and you'll do me the kindness of reading another paragraph, where this is heading is moving the policy oversight for me.us, that is, the marketing of "Maine" as a state on the internet from the DoC/NTIA to Maine, and the operations for me.us from Virginia to Maine. Then we can use John Baldacci or Steve Rowe, who presumably couldn't be bothered who thinks Michael Heath is a big fat idiot, or has unflattering things to write about Verizon or TimeWarner, or discusses breast feeding, to "proxy" registrations, preserving free political and commercial speech, until due cause for "lifting the veil" is argued, and at some non-trivial standard of proof. Plus we inoculate our local policy makers from a highly contagious case of bird brain flu on issues like spam, privacy and jurisdiction. Thanks for your patience, really.
Eric --- Forwarded Message From WiReD: "The U.S. Commerce Department has ordered companies that administer internet addresses to stop allowing customers to register .us domain names anonymously using proxy services." "The move does not affect owners of .com and .net domains. But it means website owners with .us domains will no longer be able to shield their name and contact information from public eyes." http://wired.com/news/privacy/0,1848,66787,00.html?tw=wn_tophead_1 - ferg --- End of Forwarded Message --- End of Forwarded Message
Re: Who is watching the watchers?
> > > Former chief privacy officer of Gator has been appointed to the Data > > > Privacy and Integrity Advisory Committee of the Department of Homeland > > > Security. > > > > > > http://www.salon.com/politics/war_room/2005/02/23/gator/index.html > > as president bush (jr) said on tv in the days following 9/11, > "america is open for business!" You don't want to know who is the CPO for DHS. It's FUBAR all the way up. Eric
Re: Iraqi TLD
> And infocom was shutdown by the feds for terrorism reasons. The DOJ advanced three claims: an INS claim, an exports rule infraction claim, and a charity-linked-to-Hamas (a/k/a "terrorism") claim. The 1st was dismissed, the second obtained a precedent-setting conviction and an unprecedented sentencing as fines are the rule, and the DOJ has not set a date to try the third claim. So, yes, former Attorney General John Ashcroft and FBI Director Robert Mueller and Michael Chertoff, then Director, Terrorist Financing Task Force, now Secretary of Homeland Security, did personally conduct the prosecution of Infocom and assert that it was a major terrorist case, but ... that was back in December 2002, when standards were lower than at present. Oblig operational item -- does anyone know of a comparable situation? An LEO deciding to seize all XYZ Corp properties in SomeState(s), including all RIR allocations made to XYZ Corp, whether for its internal use or for resale, and locking up everyone down to the first-tier line manager level? Eric
Re: Iraqi TLD
Oki all, I suppose I should update what I have up at {nic,noc}-iq.nic-naa.net. At the Rome meeting I spoke (open mic) to the ICANN BOD about the issue. That was a year ago. A week before the Asian Tsunami David Cuthbertson wrote to me and asked about the delegation. He works for Adam Smith International out of the British Embassy, Baghdad and his client was the "Iraqi government" created by US/UK military. The quotation marks and the "created by ..." is my commentary, not his. I gave him my understanding of the situation and my advice freely, knowing that he and/or his client wouldn't take the core nugget -- talk to the current delegee and find a way to arrange either restarted operations (as simple as a NS change request) or a consensual change of delegation. Shortly after the Asian Tsunami I faxed Vint Cerf a letter on the status of .iq and reviewed the arguments that could be brought by a party seeking a non-consensual change of delegation. Naturally, IANAL, but then again, what lawyer knows anything about this rather arcane area of policy? Vint was in India at the time and I was more interested in aid getting to the tribal people in the Andaman and Nicobar Islands than .iq, which has been on hold for two years already, and the Indian military were keeping any of the medical aid, or aid workers, from MSF or Oxfam, from getting to the tribal areas. There was an exchange of notes on .iq, mostly of my views on the danger to the system of internet governance and my views on the export rule infraction, and a suggestion. I haven't heard anything since.
I suppose everyone on the *NOG lists understands that .iq could be a very bushy tree, with leaf nodes that resolve to live machines containing data germane to the leaf-node-name, not necessarily "in" Iraq, and with one or more levels of subdelegation, for schools, hospitals, and so on, reflecting the academic and civil society, as well as several transitional governments, refugees, NGOs, International Treaty Organizations, and interested foreign governments and businesses. The "no power, no wires, therefore no dns" kind of nonsense doesn't need refuting here. Eric
Re: Phishing Name Server?
Howdy Paul, rgid:id:domain ENOM:048:SAFE-KEYNET.com YESN:100:CITIFINANCUPDATE.com YESN:100:WAMU4U.com YESN:100:WAMUCORP From prior experience I don't see anything novel. Yup. Real domains, and possibly real certs. From my last go around with Vint, if I were of a mind to, I could sell bulk to even poor sniff-text buyers, cause I don't know in advance they actually do smell poorly, and my RRA doesn't really make that revenue enhancement a risk to my accreditation. No. I don't have a mind to. I wrote a longer piece on a related list recently, but I don't see much in the way of effective recourse that isn't leased-host-in-cage-seizure with the intangibles trivially rehosted. Cheers, Eric
Re: Regarding registrar LOCK for panix.com
Oki all, I wasn't going to discuss this because it is potentially confusing, but as we're ratholing on registrar lock ... --- Some 60 plus days after a party acquired a domain, s/he initiated an "UNLOCK" at the user interface of the operator that had arranged to acquire this particular domain. The transaction completed. The "losing" registrar showed "unlocked", the "gaining" registrar saw the "unlocked" and proceeded with a transfer, which failed. The rrp.unlock() call actually never was made from the registrar to the registry, due to a transient network event between the operator network, and the "losing" registrar network. The point is that locks aren't what they seem. This is a distributed system with many points of failure, not completely coherent, and it does matter from where one looks. Shorter form: error is possible. --- The registrant asked me to help. I called the operator. The CSR who took the call observed the inconsistency and re-issued the rrp.unlock(). Domain unlocked by jrandom-3rd-party in under two minutes. Granted, it was in an unusual state and the caller (me) knew more than the nice CSR. --- Posit a backhoe of unusual size operating near MIT, or that MIT does business out of Sri Lanka and the State of Nagaland has just dragged anchor across the SEA-ME-WE-III (again), or any of a dozen other real life events. We'd be chatting about the state in the central registry, not the failure to trigger a state change at the periphery of the system. --- It is possible to run a domain name based network service off of addresses provisioned by dhcp. It is possible to acquire a contiguous block, and to hold them for quite a long time. But that doesn't mean that it is sensible to build a network infrastructure for dynamically provisioned resources.
The transformation of the dns service from 1990 to the present has created dynamically provisioned name resources -- the property absent in 1990, the "competitive" registrar, is dynamic, and hence so is everything else. I picked 1990 because Panix is 15 years old. I think the fundamental issue is that things that ought to be wicked stable, are in fact not. Everyone is free to draw their own conclusions, and act as they see fit, it's all just risk management anyway, but if the design respected this user community, we wouldn't be reading that the correct competitive registrar can manage the risk. --- This is my last note on the subject. Eric
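The failure mode in the post above (the operator's interface shows "unlocked" while the registry never received the unlock, because the local view was updated before the registry acknowledged) is worth seeing in code. The following is an added example, not code from the post or from any registrar or registry; the registry, registrar and flaky link are simulated in-process, the domain name `example.test` is constructed, and `rrp_unlock`/`reconcile` are hypothetical names. It contrasts a registrar that records state optimistically with one that records only what the registry acknowledged, and shows the reconciliation check that would have caught the divergence before a transfer was attempted.

```python
"""Simulated registrar lock state at the periphery vs. the authoritative registry.

Added example (not the original post's code). Everything here is an in-process
model: there is no network, no real RRP/EPP, and example.test is a constructed name.
"""


class TransientNetworkError(Exception):
    """Stands in for the 'transient network event' between operator and registrar."""


class Registry:
    """Authoritative state: the registry's own record of each domain's lock status."""

    def __init__(self, domains):
        self.locks = {d: "locked" for d in domains}

    def rrp_unlock(self, domain):
        self.locks[domain] = "unlocked"
        return self.locks[domain]

    def status(self, domain):
        return self.locks.get(domain, "unknown")


class FlakyLink:
    """Registrar-to-registry link that drops the first `failures` calls."""

    def __init__(self, registry, failures):
        self.registry = registry
        self.failures = failures

    def rrp_unlock(self, domain):
        if self.failures > 0:
            self.failures -= 1
            raise TransientNetworkError(domain)  # request never reaches the registry
        return self.registry.rrp_unlock(domain)


class OptimisticRegistrar:
    """Updates the local (customer-visible) view first, then calls the registry.

    If the call is lost, the periphery says 'unlocked' while the registry still
    says 'locked', and nothing ever reconciles the two views.
    """

    def __init__(self, link):
        self.link = link
        self.local = {}

    def unlock(self, domain):
        self.local[domain] = "unlocked"  # shown to the registrant immediately
        try:
            self.link.rrp_unlock(domain)
        except TransientNetworkError:
            pass  # error swallowed; local view is now wrong
        return self.local[domain]


class ConfirmedRegistrar:
    """Updates the local view only from the registry's acknowledgement."""

    def __init__(self, link):
        self.link = link
        self.local = {}

    def unlock(self, domain):
        try:
            self.local[domain] = self.link.rrp_unlock(domain)
        except TransientNetworkError:
            self.local[domain] = "locked"  # unchanged: the registry never saw the request
        return self.local[domain]


def reconcile(local_view, registry, domains):
    """Return the domains whose peripheral state disagrees with the registry."""
    return sorted(d for d in domains if local_view.get(d, "locked") != registry.status(d))


def simulate(registrar_cls, failures, domain="example.test"):
    """Run one unlock through `registrar_cls` over a link dropping `failures` calls.

    Returns (registrar's local state, registry state, list of divergent domains).
    """
    registry = Registry([domain])
    registrar = registrar_cls(FlakyLink(registry, failures))
    local_state = registrar.unlock(domain)
    return local_state, registry.status(domain), reconcile(registrar.local, registry, [domain])


if __name__ == "__main__":
    print("optimistic, 1 dropped call:", simulate(OptimisticRegistrar, 1))
    print("confirmed,  1 dropped call:", simulate(ConfirmedRegistrar, 1))
    print("confirmed,  0 dropped calls:", simulate(ConfirmedRegistrar, 0))
```

The `reconcile` step is the operational takeaway: before acting on a lock status read from a registrar's interface, compare it against the authoritative source, because only the registry's state decides whether a transfer will succeed.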
Re: EPP minutia (was: Re: Gtld transfer process)
> The problem that got us here was that registrars have > historically been not flexible enough at releasing > domains when the owners *did* want to transfer them. George, The point I tried to make in my prior note was that not all domains have the same temporal property of non-functional change. The "problem" that you refer to exists for some domain owners. Bruce asked for the comments of the subscribers to this list, on the current ICANN transfer process. Since ISP/NSP/... change registrars (cosmetic non-functional change for a cost savings of $0.10/day, maximum) almost never, it is wicked unlikely that the authors of the current ICANN transfer process ever thought about network infrastructure operators as affected or interested parties to any policy change. "We" didn't have "the problem", historical or otherwise. With the exception of operators whose business value is organized around resolution in under 3 days for new customers, not ongoing resolution after the 3rd day, or whose business value is now organized or re-organized around resolution in under 2 hours with the new dynamic update property of several registries, and not ongoing resolution, "we" have been pretty much problem free in the registrar and registry space since Jake Feinler and Jose Garcia-Luna ran the SRI NIC. If webhosting outfits want to bundle registrar-reseller into their package forcing registrar transition with renumbering, fine. But they are further down the food chain. If the registrars want to directly slam the end-users, that's fine too. But short-term 1U renters and vhost operators and registrants aren't the NANOG list, and that's what Bruce asked, cosmetically or otherwise, for input from. An unintended side-effect of "competition" between registrars is that the named network infrastructure is someone's target of opportunity. In his reply to my note, Bruce points out that the system works for all. There are two classes of domain names already. Registry reserved and not.
Adding a record to the database, or a lookup in addition to the existing access, to implement a third class, could get the domain names associated with critical network infrastructure out of the risk pool for whatever the transfer model du jour is for registrar competition, and make "rollback" for this class technically distinguishable, therefore policy differentiated, from the general zoo. Why don't you collect the results of a survey of access ISPs and above who change their own domain names registrars more than once every five years and show me that NANOG is equivalent to [EMAIL PROTECTED] Cheers, Eric
Re: EPP minutia (was: Re: Gtld transfer process)
Sorry about the subject line. I switched horses in mid-stream.
EPP minutia (was: Re: Gtld transfer process)
Bruce, > I am interested to hear what members of the NANOG list believe would be > a better transfers process. Non-functional changes of operationally significant configuration data is avoided. My thumbs are as thick as the next person's. I'm quite happy to buy a decade's worth of name, even at $35/name/year, because other than changes to NS records, as renumberings come and go, and machines spontaneously combust, I don't want change. When I need change, I plan it, just like renumbering or new circuits or new network elements or new staff. The notion of "REGISTRAR LOCK" is simply too weak, it can be flipped in minutes. I want something that presents only limited windows of state change (other than NS) opportunity, which I can synchronize to corporate standard paperwork flag days, so it isn't when I hand the keys to the shop to a junior and take the kids on holiday. I want a "transfer process" that is inherently difficult, if not broken, for domain names that are business assets. I don't care about "competition" between registrars, or how much I get soaked for by the registrar and registry, or how evil and/or retarded one or both are. I actually don't care about how quickly domain names are added to a tld zone, in fact, my domain names that are business assets worked just fine when names were published 3 times a week from the SRI NIC. So, I want a "transfers process" that is not indifferent to my use of domain names. I don't care what the domain name industry does with vanity names, trademark names, speculation names, porn names, spam names, even ebusiness names that aren't in the ISP/NSP food chain. Heck, I'd be happy to pay two registrars $35/name/yr to make sure they both have to be gamed before my domain names tied to operational assets become vulnerable to unplanned and state change in the registry (3rd party acquisition). [I actually do this, with some names with one good competitor-registrar, and some self-registrared, but to spread risk.]
I do have hosting customers who more or less come and go synchronous with registrar transfer. In effect, these are month-to-month or year contracts, and I understand why new customers are wary of hosting providers who want to be in the control path for registry state change. But the "bread and butter" are multi-year hosting contracts, and for these customers registrar they want to be in the same small boat I want to be in. I hope that is helpful. I'm sure everybody else is wicked happy with the system they have, which is why everyone has the same system. Cheers, Eric
Re: Association of Trustworthy Roots?
Paul, I meant to refer to the registry operator who operates the constellation of nameservers for the .com zone, and wrote something else. I'm going to press my red ears (both) to the copious available ice. Eric
Re: Terminal Servers (was Re: netblazer Was: baiting)
> Netblazers were fine except the Telebit lied about the SYN35 card > being usable with a T-1. uh, the test lab used T-0 (56kb) for the syn interface, so integers greater than 0 would be ... creative on someone's part, and TB mktg could be just as creative as the rest of the XX mktg golf pros.
Re: netblazer Was: baiting
> My recollection of that show was "T-1 to BARRnet", not > bonded-Netblazer-dialout, but I didn't "work the show" until the > following spring, so my recollection could be at fault. Hey Robert, Correct, but we stuck in the NB because the functional principle (demand dial and route) was distinct. The T-1 to BARNet was the fastpath (but providing it didn't entitle the provider to one of my tee shirts). Fun. Before the greedbots went non-linear on the rising edge of the bubble. Eric
Re: Gtld transfer process
> There seems to be a general lack of IETF design and review of protocols > in this crucial area. The IETF does not design and review proprietary protocols. VGRS published the RRP specifications. I'm always interested in EPP technical minutia. Eric
Re: Registrar and registry backend processes.
> For what it is worth, some consider the .de whois server broken; see > below. Let's note that the new RFC (3912) doesn't mention the "help > methodology" anymore. In the high stakes game of registry redelegation, with .org as a data point and the new gTLD competition (winners: [info,biz,name,pro]) as another, the difference of function of what answers on :43 isn't, IMO, a liability. It is both trivial to fix, and defensible (EU Data Protection Framework), and not in the criteria set that appears to be key in the selection of bids. The criteria for selection of the next .net delegation operator is likely, in my limited experience, to turn on issues that have little to do with a bidder's actual ability to operate the .net registry. Aside: In January 2002 I wrote Request to Move RFC 954 to Historic Status, published as draft-brunner-rfc954-historic-00.txt. Two years later, Leslie Daigle wrote a different draft which is now rfc3912. Aside: A ccTLD operator submitted a bid for .org. The "technical evaluator" retained by ICANN ranked the bids submitted by existing gTLD operators other than VGRS as (1) info, (2) biz, (3) pro. I was surprised by the presence of (2) and (3) on the list, and by the absence of two bids from that list. If you want to look for a real criterion, you might want to ask "How long after the transfer will the new operator receive any monies for the set of registrations contained in the registry at the moment of transfer?" Eric
Re: Standard of Promptness
Bill, > The Registry is the party that must revert the data to the previous > state. For the stability of the Internet, it must be done as quickly > as possible before old correct caches time out. Therefore, that's > where the penalties should apply. Agree. This is a solution to the publication problem, and putting my hat, I can say that acting in lieu of a temporarily or permanently defunct registrar is normal, as is mark-up by hand of zonefiles, post-production but pre-publication. At I used to say all the time, "We are the registrar of last resort, when things go awry, we go acorn or asquash [1]." > (2) a 4 hour standard of promptness for all Registrars, starting > from initial notice of any kind. That gives them enough time to: Here's where it gets crappy. The gTLDs are in Reston, Reston, Toronto, Toronto and Reston, Reston and New York. The latter three have little or no facilities-based names, and are out of scope. The registrars are in more than 18 timezones, and may be fictional. In fact, for malfeasance, the bad actors are likely to be resellers, not registrars, or what Bob Connolley refers to as "phantom registrars". When we started working EPP the universe of writers (the cred problem) was 70. Last week's mail from ICANN is that they expect that 60 more registrars will be accredited within the next 60 days, which is a drop off from the growth in the number of registrars over the past year. Turn to http://www.iana.org/assignments/registrar-ids and check it every so often (does anyone have dated snapshots? I want same, TiA), the integer identifier is a lot closer to 1k than 1c. Why non-linear growth in the number of registrars three years after the bottom dropped out of the market? The drop market. There is speculation that applications have been prepared in bulk. These are the "phantom registrars". The bottom has fallen out of the secondary market too.
Independent of the utility or morality of the secondary market, and my registrar makes pin money in that market, there are hundreds more write access tokens to the VGRS dbms than there were two, or four years ago. In the quasi-contractual world of ICANN agreements, which everyone is ready to wave threateningly at any registrar for lack of due diligence over what amounts to less than the price of a bottle of Chilean wine, there is the equal access clause. That clause means that all of the accredited registrars, including the "phantom registrars", are in your risk universe. They all have read|write creds, and some have very, very little technical staffing, or involvement. You wrote off-list during this mess to someone at a business that offers parties that have gotten ICANN papers an outsourced operations and hosting solution, "no hands but marketing". The current chair of the registrar constituency offers "registrar in a M$ can" solutions to new registrars. As the saying goes in ICANN registrar and registry policy debates, ICANN has no business determining business models. The skill and clue level for a significant set of the registrar universe is difficult to underestimate. So, with that sleet on the city workers, every hour of every day a "phantom registrar" is going "dark" for at least 18 hours, if not longer, and that assumes that the "phantom registrar" of the hour keeps "business hours". With that in mind, would you like to try and restate the temporal properties of registrar function, where unlike the prior regime, a registrar could decline to ack a xfr request and become a losing registrar, a gaining registrar can now decline to ack a post-xfr request to re-instate, for 18 hours plus weekends and holidays. In passing, it is possible that for the "phantom registrar" class of business models, the penalty of de-accreditation is overstated. Eric [1] It's an Indian joke. There were two of us. That's wicked rare in the network rackets. We told jokes.
Re: netblazer Was: baiting
> (And I was serious, not sarcastic, about the 'blazer. YMMV,)

Martin,

That's OK, I never got work for a router vendor after that, a solution that I've now completely generalized, having discovered a trivial but obscure and beautiful technique, as any good mathematician must.

However, since I was most of the QA for the NetBlazer, and whiled away my paid hours with making tcl/tk scripts to irritate units under test, which was somewhat novel in 1991, silly stuff like bringing up and tearing down a connection all night long to prove the existence of a memory leak, and networks to prove the function of rip, I'm curious what part of the NetBlazer was a piece of shit?

In this period of time, the White Knights built the InterOp shownets and we had comparative access to quite a lot of vendor product, and know that the red buttons on Wellfleets were correctly positioned on the front, for easy access. We used NetBlazers for dial-up outbound (we were topologically quite diverse by '91, our last show in the San Jose facility) and I don't recall anything ... resembling the behavior that I could characterize as POS like function.

Data please, but off-list. Bill will be interested too I expect.

Eric
Re: Root vs TLD (was Re: Association of Trustworthy Roots?)
> You may or may not think Verisign as registry is blameless / disreputable
> and to blame for this incident.

There is causation for incoherence between the authoritative and non-authoritative nameservers for a particular data set.

> You may or may not think the gaining/losing registrars are blameless /
> disreputable for this incident.

There is causation for provisioning state change triggers to the database used to construct a particular data set published by the authoritative nameservers for that particular data set.

> You may or may not think that ICANN gTLD policy is blameless / disreputable
> for this incident.

There is causation for policy and mechanism that is articulated in end-to-end transactions between registrants, intermediate entities, and registries.

These are not mutually exclusive. Blame and repute are secondary to the correct reconstructions of causations.

Eric
Re: domain hijacking - what do you do to prepared?
Gadi,

> The question that comes to mind is - what do you do to be prepared?

Well, for a start you can put a comment into the ICANN comments on the new xfr policy. I did earlier today.

Next, you can, as some today did, decide that cache trumps authority under some conditions, and ensure that cache is controlling when some conditions exist.

There are so many structural things wrong with the mechanisms this is about like asking how to write cat in perl.

> I suppose that other than setting registrar lock in place, there is
> another thing one can do.

In terms of mechanism, this just undoes the latest change in xfr policy in the ICANN gTLD market. Instead of opt-in-after-nack-delay you go back to opt-out-after-nack-delay. It is a rational choice, but since it is, you (plural) know that your interests were not the controlling ones when the policy change was debated. There are edge-case registrants who are benefited by opt-in, but if most of you (plural) opt-out, then the change in policy that affects registrants must either be an error, or benefit some parties other than the registrants, edge-cases excluded.

Mail comments to [EMAIL PROTECTED] In fact I think I'll forward this entire set of threads to [EMAIL PROTECTED]

> Study!
>
> Whether it's checking the expiration date for your domain, establishing
> contact with your up-in-line authority - registrar, tld, etc. depending
> on who you are.

Yes ... but ... OK. There are things anyone managing registry/registrar/reseller accounts can do, from getting all the renewal dates synchronized and tied to a date you never forget (warning, spousal birthdays not advised), and if nothing else comes up for several values of "tomorrow" I might write up. But ...

Like the guy who was looking for a free solution to all the :43 formats in all the gin joints in all the world, why do you want to buy retail?

You don't expect routers to autoconfig and suck up bogon filters and cough out correct aggregations for you just by the application of some electrons, so why expect to get all the nuances of the ICANN zoo, and to stay current on registry/registrar/reseller best and worst practice?

Eric
Re: Association of Trustworthy Roots?
Chris,

CORE was neither the losing nor the gaining registrar. Please acquire context.

Eric
IANA-439, and CORE-124
Re: panix.com
The outcome I expected when Bruce got involved.

--- Forwarded Message

From: "Bruce Tonkin" <[EMAIL PROTECTED]>
To: "Eric Brunner-Williams in Portland Maine" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by nic-naa.net id j0GIZIlC038110

Hello Eric,

Thanks for letting me know. We will ensure the name is restored to its correct status, and are investigating how the incident occurred.

Regards,
Bruce Tonkin

> -Original Message-
> From: Eric Brunner-Williams in Portland Maine
> [mailto:[EMAIL PROTECTED]
> Sent: Sunday, 16 January 2005 10:49 AM
> To: Bruce Tonkin
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: panix.com
>
> Bruce,
>
> Steve just sent this note to NANOG.
>
> panix.com has apparently been hijacked. It's now associated
> with a different registrar -- melbourneit instead of dotster
> -- and a different owner. Can anyone suggest appropriate
> people to contact to try to get this straightened out?
>
> --Prof. Steven M. Bellovin,
> http://www.cs.columbia.edu/~smb
>
> I know Steve and you know me, so let's see if this is
> malfeasance or error.
>
> Eric
>

--- End of Forwarded Message
Re: Association of Trustworthy Roots?
It isn't just that the root operators are silent. On the registrar's list there have been only five items on the subject.

1 Mark Jeftovic (easydns) who is on NANOG, copying the RC list.
2 Ross Rader (tucows) who is not, blowing it off, no delta between authoritative and caching servers
3 Mark asking Ross if he's had coffee yet, and yes delta between authoritative and caching servers
4 Ross, yes he's had two cups and NANOG is a ton of mindless conjecture and pretty silly
5 Mark replies with panix.net's motd and ssl alert

That's it.

On the registry mailing list ... well, I'm not on the registry constituency mailing list, I haven't been since I left NeuStar and .biz and .us (urk) and .cn (fun), so I don't know, but my guess is the answer is somewhere near zero.

How about the IPC mailing list ... well, I never could get a group of indigenous IPR experts admitted to the ICANN IPC, so since the Berlin meeting I've not been on the IPC list, but again, knowing the actors as people, I'm going to buy an integer between -1 and +1.

So, after IPC and Registries and Registrars, where would anyone expect to find a policy interest in the area, since ISP/C is wicked dead?

Eric
apropos of nothing
Oki all,

I was interested in a policy I came across recently at a cctld registry. If a domain has no (or few for some value of few) hits over some period of time post-registration, the registry will recover the string and let another user acquire it, and presumably actually use it. So if t = 3m, pokey.cctld could go to four users in the course of a single year, iff the first three made insufficient use of pokey.cctld during that time.

I'm going to guess that panix.com is different from most of the multi-k domains that are dropping off the VGRS registry and into today's (well, yesterday's) drop pool, as measured by use. I'm going to guess that panix.com is different from most of the multi-k inter-registrar transfers of yesterday, today, and tomorrow, by the same use metric.

IMHO, organizing policy around function, actually distinguishing between panix.com and the overwhelming majority of domain names for which some change of state at the registry occurs, is a better principle than to continue to organize policy around trademarks and their buyers and agents, indifferent to the frequency and distribution of use of a domain name. At some point, it really _is_ a name-to-address map, and not a cognate for a trademark-to-owner map.

It is possible to distinguish risk, and a policy which chooses not to make distinctions isn't prudent.

In case anyone's missed the obvious, we now have an incoherent dns, and caching resolver operators have introduced the incoherency, and no one in the operator community is visibly spitting blood at the intentional exception to rfc2826. This situation should not continue. Neither should the "new/hijacked" answers be served.

Eric
Re: The entire mechanism is Wrong!
Gentlemen and Ladies,

I concur with the view expressed by Bob Fox (IANA-134), that the "current method only favours Verisign and crooks."

The hijacking of panix.com, and the post-hijacking response of VGRS, which could unilaterally act, but chooses not to, for its own reasons, and MelbourneIT, which could unilaterally act, but chooses to not act until 72 hours after being noticed, if then, is a counter-example to any claim that the current method has any rational application to domain names that are "mission critical", that is, used for something other than propping up some shoddy trademark claim by some party that doesn't even use the dns for core operational practice.

It doesn't reflect very well on the registries and registrars either.

Eric Brunner-Williams
CTO Wampumpeag, LLC
Operator, USA Webhost, IANA-439, CORE-124
fwd: Re: [registrars] Re: panix.com hijacked
Oki all,

Delivery of RC mail to me is fairly desultory. Apparently there is an earlier thread. Post-Rome the very purpose of the RC seems to me to be doubtful (advocacy for registrars other than NetSol+4), and post-Elana the process of the RC left me disinterested.

I'm particularly enamored by Ross' notion of what is going on on NANOG.

Cheers,
Eric

--- Forwarded Message

Return-Path: [EMAIL PROTECTED]
Delivery-Date: Sun Jan 16 11:14:04 2005
Return-Path: <[EMAIL PROTECTED]>
Received: from greenriver.icann.org (greenriver.icann.org [192.0.35.121]) by nic-naa.net (8.13.1/8.13.1) with ESMTP id j0GBDxgx036293 for <[EMAIL PROTECTED]>; Sun, 16 Jan 2005 11:14:04 GMT (envelope-from [EMAIL PROTECTED])
Received: from greenriver.icann.org (greenriver [127.0.0.1]) by greenriver.icann.org (8.12.11/8.12.11) with ESMTP id j0GEx1Qg006202; Sun, 16 Jan 2005 06:59:01 -0800
Received: (from [EMAIL PROTECTED]) by greenriver.icann.org (8.12.11/8.12.11/Submit) id j0GEx0hJ006201; Sun, 16 Jan 2005 06:59:01 -0800
X-Authentication-Warning: greenriver.icann.org: majordomo set sender to [EMAIL PROTECTED] using -f
Received: from pechora.icann.org (pechora.icann.org [192.0.34.35]) by greenriver.icann.org (8.12.11/8.12.11) with ESMTP id j0GEwxrw006198 for <[EMAIL PROTECTED]>; Sun, 16 Jan 2005 06:59:00 -0800
Received: from tomts16-srv.bellnexxia.net (tomts16-srv.bellnexxia.net [209.226.175.4]) by pechora.icann.org (8.11.6/8.11.6) with ESMTP id j0GEwBA16293 for <[EMAIL PROTECTED]>; Sun, 16 Jan 2005 06:58:11 -0800
Received: from [192.168.2.101] ([67.71.54.206]) by tomts16-srv.bellnexxia.net (InterMail vM.5.01.06.10 201-253-122-130-110-20040306) with ESMTP id <[EMAIL PROTECTED]>; Sun, 16 Jan 2005 09:58:57 -0500
Message-ID: <[EMAIL PROTECTED]>
Date: Sun, 16 Jan 2005 09:57:03 -0500
From: "Ross Wm. Rader" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Organization: Tucows Inc.
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Mark Jeftovic <[EMAIL PROTECTED]>
CC: Registrars Constituency <[EMAIL PROTECTED]>
Subject: Re: [registrars] Re: panix.com hijacked
References: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Sender: [EMAIL PROTECTED]
Precedence: bulk

On 1/16/2005 12:29 AM Mark Jeftovic noted that:

> There's a thread on NANOG to the effect that panix.com has been
> hijacked from Dotster over to MelbourneIT and it has pretty
> well taken panix.com and its customers offline, see
> http://www.panix.net/

I don't see what you are looking at - .net and .com point to the same place with no indication of anything awry...of course, I'm late to the game and the DNS probably tells a different story...

>
> Looks like this may be among the first high-profile unauthorized
> transfer under the new transfer policy.

Looks like a bunch of guys on the NANOG list engaging in a lot of conjecture without the benefit of a lot of facts.

> Maybe there needs to some sort of emergency reversion where at least the
> nameservers can be rolled back immediately while the contesting parties
> sort it out.

Might be interesting - what criteria would trigger the process?

- --
Regards,
-rwr

"In the modern world the intelligence of public opinion is the one indispensable condition for social progress." - Charles W. Eliot (1834 - 1926)

--- End of Forwarded Message
Re: panix.com hijacked (VeriSign refuses to help)
Oki all,

It's dawn in Maine, the caffeine delivery system has only just started, but I'll comment on the overnight.

You're welcome [EMAIL PROTECTED] If you'll send me the cell phone number for the MIT management I will call wearing my registrar hat and inform whoever I end up speaking with that Bruce needs to call me urgently, on Registrar Constituency business.

Next, put a call into the Washington Post. They lost the use of the name "washpost.com" which all their internal email used, due to expiry, so their internal mail went "dark" for several hours. This was haha funny during the primary season (Feb 6). If they don't get it try the NYTimes. Put the problem on record.

There is an elephant in the room. The elephant is that the existing regime is organized around protecting the IPR lobby from boogiemen of their own invention. They invented the theory that trademark.tld (and trademark.co.cctld) existence dilutes the value of trademark, hence names-are-marks, bringing many happy dollars (10^^6 buys) into the registrar/registry system ($29-or-less/$6, resp., per gtld and some cctlds), and retarding new "gTLD" introductions, as each costs the IPR interests an additional $35 million annually.

To solve their division of spoils problem, is "united.com" UAL or is it UA?, we had DRPs, which is now a UDRP, and more DRPs for lots of cctlds. These [U]DRPs take many,many,many,many units of 24x7. They were invented for the happy IPR campers, who care about _title_, not _function_. If the net went dark that would be fine with them too, so long as the right owners owned the right names.

Restated, there is no applicable (as in "useful for a 24x7 no downtime claimant") law in the ICANN jurisdiction. And it is your own damn fault. Cooking up the DRPs took years of work by the concerned interests, and they were more concerned with enduring legal title than momentary loss of possession.

During those years, interest in the DNSO side of ICANN by network operators went from some to zero, and at the Montevideo meeting the ISP and Business constituencies were so small they met in a small room and only half the seats were taken. After that point they were effectively merged. IMHO, Marilyn Cade and Phillipe Shepard are the ISP/B Constituency, and they can't hear you (for all 24x7 operational values of "you"). In case it isn't obvious, the "your own damn fault" refers to a much larger class of "you" than Alexis Rosen.

[Oh, the same happy campers are why :43 is broken. They want perfect data at no cost and w/o restriction. Registrars don't want slamming, today's owie, and registrants don't want spam (which some ISPs do), so the whole :43 issue is a trainwreck of non-operational interests overriding operational interests. Registrars would be happy to pump :43 data to operators, if we could manage the abuse, instead we get knuckleheads who insist that spam would be solved forever if ...]

There is a fundamental choice of jurisdictions question. Is ICANN the correct venue for adjudication, or is there another venue? This is what recourse to the "ask a real person" mechanism assumes, that talking to a human being is the better choice.

Bill made this comment:

> Since folks have been working on this for hours, and according to
> posts on NANOG, both MelbourneIT and Verisign refuse to do anything
> for days or weeks, would it be a good time to take drastic action?
>
> Think of what we'd do about a larger ISP, or the Well, or really any
> serious financial target.
>
> Think of the damage from harvesting logins and mail passwords of
> panix users.

You (collectively) are another venue. When the SiteFinder patch was broadly adopted to work around a change made at one of the registries, you (collectively) were replacing ICANN as the regulatory body. ICANN took weeks to arrive at a conclusion about that change, then endorsed that patch to the deployed DNS, while deprecating incoherence in the DNS. [I spent 5 minutes at the Rome Registrar Constituency meeting chewing Vint Cerf and Paul Twomey in front of about 100 registrars and back benchers for taking many,many,many,many units of 24x7 to arrive at the conclusion that breakage, or "surprise" in .com was not a good thing.]

There is a stability of the internet issue. An ISP's user names and their passwords are compromised by VGRS, MIT, DOTSTER, and PANIX all following the controlling authority -- the ICANN disputed transfer process. It isn't MCI or AOL or ... and if it were a bank it might not be Bank of America ... and if it were a newspaper it might not be the WaPo. But if size defines the class of protected businesses under the controlling jurisdiction [1], then Panix's core problem is that it isn't AOL or MSN or the ISP side of a RBOC.

I'd be nervous if I were Alexis. Not enough people are running their cups on the bars to get the attention of the wardens.

Eric

[1] In the US FCC space, the 3-2 decision mid-last month on CLEC access to unbundled UNE is a "size defin
Re: panix.com hijacked
Howdy Perry,

> Alexis Rosen of Panix was on the phone earlier today with the company
> attorney for melbourneit -- reputedly he was informed that even if the
> police called, they would not do anything about the problem until
> Monday their time.

(a) I don't know MIT's attorney, and (b) I wouldn't ever call him or her when I could reach someone I know, and (c) what would you expect an attorney to say?

> Alexis is a bit on the upset side, naturally -- his company is in
> serious trouble because of very obvious fraud, and waiting a few days
> isn't really something he can afford to do. (If you look at the whois
> records now in place for panix.com they're pretty clearly the result
> of fraudulent activity. There is a pretty clear attempt there to
> maximally obscure who has stolen the domain name -- this is clearly
> not an innocent mistake.)

Yeah, but, home truths. There are registrars who will get out of bed at night for a customer, and registrars who could give a shit if hell froze. Just like ISPs and LEOs, neh?

Picking a registrar with a market share in the top 10 means that you get 1/share's worth of attention, which means 1/1488700 of Dotster's attention (using 1/15 daily market share graph). Now, was that at the NetSol $35/yr price point for customer care, or the GoDaddy $6.95/yr price point for customer care?

I suppose everyone thinks that it (for some value of "it") can't happen to them, and that if it does, a wicked small amount of money will still do more than the oil that lights the lamps at Hanukkah, because bad acts are rare and all the dimes pile up into a shared fate insurance fund.

Well, now I'm really going to bed.

Eric
Re: panix.com hijacked
> If I were Panix ...

Free advice. Bruce, Cliff and Chuck are people. Yes, even Chuck is a people. You want prompt service, you ask nice and you ask the right people and you don't assume there are facts not in evidence, like errors or malfeasance, when you could be solving the problem, before the facts could be in evidence.

My phone isn't going to ring, so I'm going to bed.

Eric
Re: panix.com hijacked
I've forwarded to Bruce Tonkin, who I know personally, at MIT, and Cliff Page, who I don't know as well, at Dotster, Steve's note. These are the RC reps for each registrar.
Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of "anonym
> The current pretense of "privacy" is nothing more than a convenient
> mechanism for registrars to pad their wallets and evade responsibility
> for facilitating abuse.

As an aside, I used a (wicked big) competitor's "privacy" service to register a domain for a political worker who wanted to whistleblow but not be identified. My customer could now use a web log service such as Duncan Black did under the name of "atrios", and obtain casual (but not subpoena-proof) data protection (non-publication of customer profile data).

Broadly I agree that "privacy" as a product under contract law is not a better solution than data protection as a right under human rights. However, data protection isn't as available to all potential registrants.
Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of "anonym
> Because there is no data protection on many databases (such as ".com"
> registrars who are forced to sell the data if requested), people lie
> when registering, because it is the only tool they have to protect
> their privacy.

Yup. Our ICANN contracts both require us to sell bulk registrant data, and require us to maintain :42 and :80 (FORM+POST) whois servers, both unconditionally, to satisfy the trademarks interest group.

The "perfect open whois to fight spam" claim exchanges 40,000,000 valid (or not dysfunctional in this particular context) for two or more orders of magnitude smaller invalid and dysfunctional (in this particular context) addresses.

Because registrar-registrar predation via whois data mining is a reality, registrars rate limit or otherwise attempt an ACL on both :43 and :80 whois service, and data format variation is a form of defense. It prevents the marginals who can't write a simple parser from theft via slamming the registrants. And since no one who wants whois data who isn't stealing registrants is paying us, grand unifying schemes aren't a registrar interest.

Again, look to the marks people, now accompanied by the new "total information" law enforcement people for the primary actors. As I've previously pointed out, neither of those two interest groups is fundamentally interested in SMTP.

> Fix the data protection problem and you'll have a better case to force
> people to register proper information.

Bingo!
Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of "an
> Of course, I know that. I just mentioned Africa because, in many
> countries in Africa, it is simply impossible to get a PTR
> record. That's a fact, there are many reasons behind.

Howdy Stephane,

It is also an area where many cctld operators maintain their registration data using spreadsheets, and "whois" isn't :43. Not an issue of active malfeasance, other than early adopter attitudes towards late, and challenged adopters.

As you note, there are many reasons behind [it, the impossibility to get a PTR record or a :43 server connect].

Eric
Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of "anonymity" when domain exists, whois not updated yet)
Taking your comment in reverse order.

> Or, alternately, you're simply saying that those who care about net
> abuse are shackled by ICANN's bylaws and therefore we can do nothing.

I don't think you have a monopoly on "care" (or clue) about net abuse, but it is pretty clear that you're not tall enough to ride the ICANN roller coaster.

Thus far, all you've done is recycle the policy claim of the trademarks interests, a highly effective "stakeholder" and rational entity within ICANN, and the policy claim of the law enforcement interests, typically American, and not an organic ICANN "stakeholder", and neither effective nor rational within ICANN (personal opinion, from the first FBI/LE UWHOIS meeting, March 2000 WDC if memory serves, to the present).

Now why should that catch your attention? How about because neither of these policy authors (good, bad or simply ugly) care particularly about SMTP, in fact, the trademark policy author doesn't know that SMTP exists, because the use of trademarks in SMTP envelopes or bodies has not been argued (yet) to support a dilution claim. As the FBI/LE goal set isn't coherent or rational I'm going to assign it a protocol independent end point identifier goal, because I don't think the FBI/LE goal set is as limited as SMTP. This thread however is about SMTP, and some glop that might make it differently, or less "insecure".

So, if your primary policy tool is the same policy tool used by actors seeking ends indifferent to yours, either you are lucky or you are wrong.

Now, is ICANN part of the problem space?

It is for me, but I'm trying to compete with entrenched monopoly in the registry space that has the single greatest control over domain name policy, and entrenched cartel in the registrar space, and no technical issue, not secure operation of the root zone servers, correctness of the gtld zone servers, SLA metrics for gtld registry systems, data escrow, etc., has displaced the trademark position on whois:43 for the most important policy or operational issue for that corporation. My competitors (measured by market share) are for the most part indifferent to spam, porn, and social policy generally.

Is it for you? Apparently not. So just leaving the trademarks people in charge should solve your problem in finite time. That means you may have already won.

Eric
Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of "anonymity" when domain exists, whois not updated yet)
> Why is it considered such a crazy proposition that domains should have
> valid and correct whois data associated with them?

There is no relationship between data and function. The data is not necessary to implement function-based policy.

> Bah. You're saying that you're uninterested in discussing the root causes
> that allow and even encourage abuse to occur in specific realms. I guess
> you're not interested in actually "fixing insecure email infrastructure".

I have no idea what specific realms you could be referring to.

>> The little table of domain names and redirects is slightly useful, but it
>> would be more useful if your data could show registrar clustering.
>
> Why should this matter? Spammy can always choose a different registrar
> every day. So what? He is registering domains for use in abusive and
> criminal acts, and the message I'm getting from you is that it should
> only be of concern to you if he uses the same registrar?

OK. The choice of registrar, registrar policy, registrar price, and so on isn't data that could be of use to anyone ever. But you're going to get "valid and correct whois data" from all registrars.

How will you get that? What does "valid" and "correct" mean? Does it apply to all the records in a single domain registration, or just some of them?

Eric
Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of "anonymity" when domain exists, whois not updated yet)
> I suppose it depends on how you define 'unpublished'; and how you define
> 'non-resolving'.

Your opening remark was that policy foo must be applied to all domains. This doesn't accomplish anything for the set of domains that will never be published (registry reserved strings), nor those that absent separate acts of malfeasance, will always have a very low average association with dysfunction -- the 50% of the .net namespace that actually goes to real boxen owned and operated by real people.

Between, and in addition to these two samples, there are classes of domains that are vastly less likely to be used in uce and equivalent schemes. The class of domains purchased simply to take them out, such as Hamming distance buys around a defended mark, may never resolve.

"All" is too blunt a tool.

> I reported it to ICANN for having invalid whois data. It took them ...
> ... a year to have it removed from the root dbs.

That is an ICANN issue. It may come as a surprise to you but for the past few years the "ISP Constituency" has ceased to exist, and has been folded into Marilyn Cade and Philipe Sheppard's "Business Constituency".

> Please see my other message. Allowing domains with invalid whois data to
> remain in use facilitates abuse in other realms.

If it isn't "fixing insecure email infrastructure", then it needs to find a thread and/or list of its own.

The little table of domain names and redirects is slightly useful, but it would be more useful if your data could show registrar clustering.

> I'd be delighted if you have pointers to a paid whois reformatter, but
> I still believe strongly that it should not be necessary.

The quality of data usually has a relationship with the cost of care that has gone into that data, just like abuse desks.

Eric
Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of "anonymity" when domain exists, whois not updated yet)
> Numerous (as in "at least hundreds, probably more") of spam gangs are
> purchasing domains and "burning through" them in spam runs. In many
> cases, there's a pattern to them; in others, if there's a pattern,
> it's not clear to me what it might be.

From my point of view, "pattern" is which registrars are getting the buys, for which registries, where the ns's are hosted, and for domains used in the return value side, hosting details. The latter to reduce to RIR CIDRs. There is more, but that is the first cut, localization of registrar(s) and registries and CIDRs.

> This bunch prefers domains in .info -- no doubt motivated in part by things
> like the recent $1.95 sale on such domains.

OK. Now you've identified price as a significant control variable. There are registrars that don't sell .info. I don't. There are registrars that don't sell directly to registrants. I can think of half a dozen of us who only sell to corporations and bona fide people who buy reasonable names. Transcendental numbers in decimal character form are "reasonable". Your two example sets are not "reasonable".

> The dirty little secret is that all this activity on the part of spammers
> is a gold mine for registrars.

This isn't going to make me think you can add or subtract.

> It's gotten so bad that -- to a darn good first approximation -- if you
> find a domain in the .biz or .info TLDs

I agree, and don't sell .biz, .info or .name, or .cc or .tv or .bz or any of the obvious repurposed cctlds, with the exception of my friend Bill Semich's .nu, which actually means something in Sweden for local reasons. I do plan to sell .aero, .coop and .museum, however.

In case it is inobvious, there is a possibility that part of _your_ problem (and a big part of my problems) can be placed at the figurative "door" of a 501(c)(3) located in California.

> The answer? (1) no obfuscated registrations (2) mass, fast, permanent
> confiscation of spammer domains (3) requirement for reasonably correct
> domain registration info ... and (4) publication of all WHOIS data in
> a simple, easily parseable form ...

Nothing in this laundry list that makes the cost of bad business for my competitors rise, see add and subtract, above.

Try the following: 1,$s/registrars/isp/g and 1,$s/registry/rir/g, and 1,$s/domain/ipv4_addr/. If you're still keen on your approach, then it might be a good one.

I've replied after removing your personal identifiers back to NANOG. I appreciate the data, but I want the discourse to be multicast.

Eric
Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of "anonymity" when domain exists, whois not updated yet)
> Why would it matter if you deactivated an unpublished/non-resolving domain?

How do "you deactivate an unpublished/non-resolving domain"? You may borrow a registrar or registry hat if that is useful to answer the question.

> If you care about the domain, keep the whois data up to date and accurate.

That is the policy articulated by the trademarks "stakeholders" in the ICANN drama, but how does their policy, which is indifferent to any condition but stringspace allocation, relate to any infrastructure that has one or more additional constraints?

> > I'm not sure why anyone cares about a very large class of domains in the
> > context of SMTP however.
>
> For one thing, a very large class of domains are being used as
> throwaways by spammers ...

Do you know anything about the acquisition pattern at all, or if there is any useful characterization finer in scope than "all"?

> ... (thanks, VRSN!)

I pointed out to Mark here on NANOG months ago that there were side effects to pursuit of zonefile publication that was asynchronous with whois data publication. Now that the temporal properties of resolution by one or more registries has your attention, just what part of the actions by all registrants is controlling?

> potential protection value whois might offer, and allows spammers and
> other abusers to fly below the radar, accountable to nobody.

I'm sure they pay their ns providers, and their isps, for the critical portions of the value return path.

> > There are some registries that use paper to answer registration queries.
>
> And?

You appear to see a policy that would cause them to change their operational practice, and I'm not clear on how your policy goal would benefit them, or how they would recover costs if your policy goal did not benefit them.

> > I'm not sure why anyone cares about a very small class of domains in the
> > context of SMTP however.
>
> It's not a very small class of domains with more or less unpredictable
> data formats. It's ALL of them, or damn near.

So in your current conceptual model, a uniform distribution correctly characterizes the utility of knowing any particular registrar's or registry's whois (whois/tcp or http-form-post/tcp) format?

> I should be able to write
> a program, relatively easily, that would give me any available contact
> or registrant information on a per-field basis, from any whois service.
> The wide variety and nonuniformity of the existing services makes that
> task daunting at best ...

Have you considered looking for a paid service that does :43 reformatting?

> > Aggregation and reformatting have their place. We explored this in the
> > whoisfix bofs but no working group congealed around "fixing" :43.
>
> What were the objections/sticking points?

I'll see if I still have the minutes.

> > Again, I'm not sure why anyone cares about a very large class of whois:43
> > output sources in the context of SMTP however.
>
> It's not just the context of SMTP. It's the context of accountability on
> the Internet, which bad actors are exploiting, currently, via SMTP.

Hmm. I'd prefer to stay on point. As for accountability and bad actors, this is a target rich environment. For instance, all paid registrations for .net domains after mid-year already present an interesting accountability issue.

> I really do think it would benefit some folks here to read up on the
> "broken windows theory" of crime prevention.

Anyone in particular? Is the theory a better choice than empirical data?

Eric
registry, registrar, whoisfix and epp hats lying around somewhere, most collecting snow today.
Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of "anonymity" when domain exists, whois not updated yet)
> 4) all domains with invalid whois data MUST be deactivated (not
> confiscated, just temporarily removed ...

All? Even those unpublished and therefore non-resolving? Sensible for the scoped-to-totality trademarks weenies who argue that the stringspace is a venue for dilution, whether the registry publishes all of its allocations or not.

I'm not sure why anyone cares about a very large class of domains in the context of SMTP however.

> 5) whois data MUST be normalized and available in machine-readable form

There are some registries that use paper to answer registration queries.

I'm not sure why anyone cares about a very small class of domains in the context of SMTP however.

Aggregation and reformatting have their place. We explored this in the whoisfix bofs but no working group congealed around "fixing" :43.

Again, I'm not sure why anyone cares about a very large class of whois:43 output sources in the context of SMTP however.

Eric
Re: Survey of interest ..
I first read their report on blogs ... We're holding the Koufax Awards _now_ for lefty blogs, so we're about as root on the left hand side of the radio dial as one could hope for. It wasn't worth reading twice.

Turning to the Pew vetted punditocracy, I went to the questionnaire. Q9a got the belly laugh.

Q9a. Prediction on attacks on network infrastructure. At least one devastating attack will occur in the next 10 years on the networked information infrastructure or the country's power grid.

Somewhere on my extended desk is a critical paper by a zoomie on the power grid as a target. OK. So one would have to be literate in a particular genre. The Army Air Corps started targeting power generation and distribution in the metro NY area in the late '30s, to see what a strategic bombing campaign against national civilian infrastructure could accomplish. Results are mixed, from the empirical experiences in the WW2 period, through GW1 and the Yugoslav war, and the conclusion is ... it is wicked difficult, even with lots of expensive planes and many, many fine bombs, and possibly effective by any of several metrics _only_ when the targeted nation is isolated and the campaign is of unlimited duration, as under all other models (and empirical tests) the results are negative.

Sixty six percent of the Pew respondents agreed with the assertion. Only seven percent challenged the prediction, another eleven percent disagreed with the predictive model.

I'll cut to the chase. The Pew questionnaire in this instance is bad scholarship. It promotes an already well answered question (vulnerability) as if it were not answered, and as a side-effect, promotes the presumption that targeting the power generation and distribution capacity of hostile states isn't a waste of finite military and industrial resources. Boeing and its cognates and Bob Dornan and his cognates may benefit, but that wasn't the apparent policy goal.

As for the other part of the question, routers twinkle. Worldcom, Enron and failed switches would be less ... fantastic lines of inquiry.

Would you like some snow? We're celebrating the 1998 Ice Storm in NNE today.

http://wampum.wabanaki.net/archives/001610.html

Cheers,
Eric
A Road Runner NOC contact
Off list please. A user issue. Sensitive.
Re: New Computer? Six Steps to Safer Surfing
Got (soy) milk? The WaPo writer's take on cookies is ... not mine. Then again, I wrote the cookie portions of the P3P spec and was "inside" the meetings between M$'s IE team circa IE5.5 pre-fcs and the (other) IAB (the word is "Advertizers") and the P3P tech and policy teams. I worked for Engage (statistical user tracking) and competed with DoubleClick (deterministic user tracking) at the time, so I wouldn't know as much as he does.

Walking down the cookie path there is ...

name: WebLogicSessionAc2
cont: BFQyXGC69R1Z50JL8ZBuhBubbnR3BzbFzqythwbSKtlS59ZX41Sw!-1332720106!-548373882
host: www.washingtonpost.com
path: /
type: any type of connection
expr: at end of session
616 bits of session state
labl: none

name: DMID3
cont: 4WuLXH8AAAEAAD40XBYAAABD
host: .rsi.washingtonpost.com
path: /
type: any type of connection
200 bits of persistent state
expr: 12/14/24 09:13:45
persistent till 2024
labl: stores identifiable information without any user consent

name: sa_cdc_u
cont: g0020020006AB1103466779794930.0018C61897
host: .surfaid.ihost.com
path: /crc
type: any type of connection
376 bits of persistent state
expr: 01/29/12 18:45:58
persistent till 2012
labl: does not store identifiable information

Registration form interposition, collecting

email address
password
us zip code
iso3166 id (string form)
gender
year of birth
job title
primary responsibility
job industry
company size
1st-party marketing click box (default opt out)
3rd-party marketing click box (default opt out)
16 x 1st-party targeted content click box (default opt out)
---
first name (optional)
last name (optional)
street address (optional)
street name (optional)
apt. number (optional)
city (optional)
state (optional)
3rd-party (American Express) marketing click box (default opt out)
10 digit telephone number (disclosure noted to AmEx) (optional)
3rd-party (International Living) marketing click box (default opt out)
---
in very small font and with gray-on-blue color difference is this:

By submitting your registration information, you indicate that you agree to our User Agreement Privacy Policy.

these two texts are not displayed by default, each has an anchored link, not a checkbox, that must be manually clicked to display the associated legal agreement.
---
I decided I was Vint Cerf and I was CEO of a 50-100 person cluster-phuck in the IT rackets. As good a stuckee as any. And yes, all this good stuff is sent in the clear, over an unencrypted link.

More cookies follow:
---
name: ASPSESSIONIDSSTSRRQB
cont: LPAKIBLBPJJFNFKOCFOEHMAP
host: financial.washingtonpost.com
path: /
type: any type of connection
expr: at end of session
208 bits of session state
labl: stores identifiable information without any user consent

name: test_cookie
cont: CheckForPermission
host: .doubleclick.net
path: /
type: any type of connection
expr: 12/19/04 10:24:40
labl: stores identifiable information without any user consent

name: ru4.28
cont: 1#1106#0#1106=ad-1106-154|1|1103470287%7C1106%7Cad-1106-154%7Cpl-1106-125%7Ccontrol%7C0%7Cpl-1106-125%2526northeast%2526morning%2526noinfo%2526high%25260%2526C3%7C28|null%7Cnull%7Cnull%7Cnull%7Cnull%7Cnull%7Cnoinfo%2526noinfo%2526noinfo%2526noinfo%2526noinfo%2526noinfo%2526noinfo%7C0|1103470287#
host: .edge.ru4.com
path: /
type: any type of connection
expr: 02/17/05 10:12:14
2408 bits of persistent state
labl: stores identifiable information without any user consent

At this point the registration page is interposed again, and submitted again, and no more cookies appear to be deposited or replayed and modified, but are there actually only that many cookies???

Snuck in are these additional cookies:

name: ACID
cont: ee140011034695480036!
host: .advertising.com
path: /
type: any type of connection
expr: at end of session
176 bits of session state
labl: stores identifiable information without any user consent

name: ru4.1106.gts
cont: 2
host: edge.ru4.com
path: /
type: any type of connection
expr: 02/17/05 10:13:46
labl: stores identifiable information without any user consent

name: 86698181
cont: _41c59bec,0668393370,699393^235460_
host: .servedby.advertising.com
path: /
type: any type of connection
expr: at end of session
288 bits of session state
labl: stores identifiable information without any user consent

name: SESSIONREM
cont: (my wife's pc [EMAIL PROTECTED], omitted)
host: .washingtonpost.com
path: /
type: any type of connection
expr: at end of session
labl: none

name: DMSEG
cont: 9463E8EFE54A1281&F04462&41C4D577&41C6E29B&0&&41C30F4B&5D313C73C487FF2C5853E61C6A470E77
host: .washingtonpost.com
path: /
type: any type of connection
exp
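A cookie audit of the kind walked through in the post above, as an added example (not the poster's code, which the post does not include): it takes the Set-Cookie headers received while loading one page and classifies each as first- or third-party relative to the visited host, session or persistent, and counts bits of state the way the post does (8 per value character). The sample headers are constructed; hosts and cookie names follow the post, the values and expiry attributes are made up.

```python
"""Cookie audit along the lines of the walk-through above (added example, not the
poster's tooling). For each Set-Cookie header a browser received while loading one
page it reports first- vs third-party (relative to the visited host), session vs
persistent, and bits of state (8 per value character, the post's crude measure)."""
from collections import namedtuple

CookieReport = namedtuple("CookieReport", "name domain third_party persistent bits")

def registrable(host):
    """Crude eTLD+1 (last two labels): fine for the .com/.net sample hosts,
    a real audit should consult the Public Suffix List."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def audit_cookie(set_cookie, visited_host, setter_host):
    """Classify one Set-Cookie header sent by setter_host while visited_host was
    the page in the address bar. Domain defaults to the sender if absent."""
    first, *attrs = [p.strip() for p in set_cookie.split(";")]
    name, _, value = first.partition("=")
    domain, persistent = setter_host, False
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            domain = val
        elif key == "expires" and val:
            persistent = True          # outlives the browser session
        elif key == "max-age" and val.lstrip("-").isdigit():
            persistent = int(val) > 0  # Max-Age <= 0 means delete now
    return CookieReport(name.strip(), domain.lower(),
                        registrable(domain) != registrable(visited_host),
                        persistent, 8 * len(value))

def audit_page(responses, visited_host):
    """responses: (host that answered, Set-Cookie header) pairs -> (reports, summary)."""
    reports = [audit_cookie(hdr, visited_host, host) for host, hdr in responses]
    summary = {"cookies": len(reports),
               "third_party_persistent": sum(r.third_party and r.persistent for r in reports),
               "state_bits": sum(r.bits for r in reports)}
    return reports, summary

# Constructed sample: hosts and cookie names modeled on the post, values made up.
SAMPLE = [
    ("www.washingtonpost.com", "WebLogicSessionAc2=abc123!-1!-2; Path=/"),
    ("rsi.washingtonpost.com", "DMID3=4WuLXH8AAAEAAD40XBYAAABD; Domain=.rsi.washingtonpost.com; "
                              "Path=/; Expires=Sat, 14 Dec 2024 09:13:45 GMT"),
    ("surfaid.ihost.com", "sa_cdc_u=g0020020006AB1103466; Domain=.surfaid.ihost.com; Path=/crc; Max-Age=220000000"),
    ("ad.doubleclick.net", "test_cookie=CheckForPermission; Domain=.doubleclick.net; Path=/; "
                           "Expires=Sun, 19 Dec 2004 10:24:40 GMT"),
]

if __name__ == "__main__":
    reports, summary = audit_page(SAMPLE, "www.washingtonpost.com")
    for r in reports:
        print(f"{r.name:20} {r.domain:28} 3rd={r.third_party!s:5} persistent={r.persistent!s:5} {r.bits} bits")
    print(summary)
```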
Re: latest FCC rulings
Agreed. Both Copps and Adelstein are worth reading. http://wampum.wabanaki.net/archives/001512.html
Re: Interesting DNS problem.
a related problem is having N ip addrs bound to M nics on a host, where N > M. if an ssl connection fails and debug is needed between the M:N:host and some other ssl-speaking box, then it makes a difference if the ssl connection is associated with the primary, or some aliased (set N-1) ip addr. client failure semantics are primary address specific, for some value of ssl clients. in theory you could alias an ns box's ip addrs (just did that, renumbering), and have multi-addrs on a server authoritative for multi-zones, and not have a flag day. have fun, jobs are scarce as hen's teeth.
fwd: contact for the world etc (nanog)
Oki all,

FYI

Eric

--- Forwarded Message

Return-Path: [EMAIL PROTECTED]
Delivery-Date: Tue Dec 14 15:07:09 2004
Return-Path: <[EMAIL PROTECTED]>
Received: from TheWorld.com (pcls3.std.com [192.74.137.143]) by nic-naa.net (8.13.1/8.13.1) with ESMTP id iBEF78Cm009901 for <[EMAIL PROTECTED]>; Tue, 14 Dec 2004 15:07:08 GMT (envelope-from [EMAIL PROTECTED])
Received: from world.std.com ([EMAIL PROTECTED] [69.38.147.5]) by TheWorld.com (8.12.8p1/8.12.8) with ESMTP id iBEJ4rW5012319; Tue, 14 Dec 2004 14:04:53 -0500
Received: (from [EMAIL PROTECTED]) by world.std.com (8.12.8p1/8.12.8) id iBEJ4qV1016516; Tue, 14 Dec 2004 14:04:52 -0500 (EST)
Date: Tue, 14 Dec 2004 14:04:52 -0500 (EST)
Message-Id: <[EMAIL PROTECTED]>
From: Barry Shein <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: contact for the world etc (nanog)

As far as I can tell I'm permanently blocked from nanog for no reason I understand or care much about. Oh well, if someone there wants info I have I guess they can pay my consulting rates.

The text the guy cites isn't from our staff, we don't even have an auto-ack system. Maybe it's from some customer or maybe entirely forged, he doesn't include any headers and seems to just want to vent.

Anyhow, that's all the time I plan to spend on this one, too bad nanog has become so useless.

Feel free to forward.

- --
-Barry Shein

Software Tool & Die    | [EMAIL PROTECTED]       | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202    | Login: 617-739-WRLD
The World              | Public Access Internet | Since 1989     *oo*

--- End of Forwarded Message
Re: no whois info ?
Rich,

You have an opinion, but I'm unable to detect a basis for that opinion.

Allocations of string-space do not give rise to control over any resource other than (conditionally) the string. Publication of association(s) between strings and addresses, as well as the formation of an association subject to a publication policy, involves zero or more parties other than a "registrant", and there are several orders of magnitude fewer entities other than "registrants" that participate in address association and association publication.

It wouldn't hurt you to read our spec, if only for the nomenclature. If you read some EU data directives, so much the better. You may want to look at the whois policies of the RIRs and some of the ccTLD operators.

See also http://www.imc.org/ietf-whois/mail-archive/msg00218.html and rfc3912

Eric
Re: no whois info ?
In an earlier episode I pointed out to the list-resident VGRS person that the dynamic properties introduced for one marketing purpose would have a consequence in another problem domain, but no point revisiting that issue.

[EMAIL PROTECTED] (Peter Corlett) wrote:

> There's some awful tinpot domain registrars out there where you have
> to wonder if their whois server is on the end of a dialup link, but
> fortunately I'm not attempting to access those.

The ICANN Registrar agreement has no transactional temporal property for :43 queries. In fact, quite a few registrars associated with one of several outsource business models, e.g., the Tucows HRS customers (complete), the Pool thead customers (partial addr allocation), etc., use common :43 servers.

I've tried to work this problem, but it appears to require cooperation between isps and registrars, and that's just not happening, and agreement that persistent (hours or longer) name-to-address associations factor into the prevalent economic spam business models, and that's just not happening either as spam-presentation (to the user or the interposing device) is the problem of choice.

Schemes to exhaust the dotted quad space, or exhaust the dotted string space (*lists generally) just don't help identify one asset economic spam schemes appear to require to extract value from the spam-presentation instances -- a return path that works.

So, call the small registrars names as long as you want, and as long as you don't want to pay for a service, and spend your money elsewhere on something that works better, for some value of better.

Cheers,
Eric
<{registry,registrar,isp}_hat = "off">
ddos from .mil, and from state.oh.us
Oki all,

A month ago today Gadi was looking for a contact at US .mil, this morning I had the same need, as a node in the nipr.mil playpen was a major player in a 100+ node ddos directed at a web blog customer we host -- it had a high rate of fire, accounting for over 20% of the total POST methods. Email to the DO was a waste of time, but I did find a useful contact.

One of the nodes used in today's ddos against that customer blog appeared in a separate multi-thousand ad insert (unpaid, naturally) attack on another of our customer blogs, accounting for about half of the total POST methods. If anyone has a useful contact in the state.oh.us playpen, please drop me a line. Email since 24/Nov is unanswered.

TiA,
Eric
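Detection logic for the POST concentration the post above describes, as an added example rather than the poster's own tooling: it counts POSTs per client address over Apache combined-format access log lines, flags addresses above an assumed share-of-all-POSTs threshold, and checks which flagged addresses recur across two incidents (the post saw one node in both). Log lines, paths and addresses are constructed (RFC 5737 documentation ranges); the 20% share and 5-request cutoffs are assumptions.

```python
"""Detection sketch for the POST flood described above (added example, not the
poster's tooling). Counts POST requests per client address in Apache combined-format
log lines, flags addresses above a share-of-all-POSTs threshold, and finds addresses
that recur across two incidents. Log lines use RFC 5737 documentation addresses."""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def post_counts(lines):
    """Map client IP -> number of POST requests in the given log lines."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("method") == "POST":
            counts[m.group("ip")] += 1
    return counts

def heavy_posters(lines, min_share=0.20, min_posts=5):
    """{ip: share of all POSTs} for addresses with >= min_posts POSTs and
    >= min_share of the total. Both cutoffs are assumptions, not from the post."""
    counts = post_counts(lines)
    total = sum(counts.values())
    if total == 0:
        return {}
    return {ip: n / total for ip, n in counts.items()
            if n >= min_posts and n / total >= min_share}

def recurring(flagged_a, flagged_b):
    """Addresses flagged in both incidents (the post saw one such node)."""
    return sorted(set(flagged_a) & set(flagged_b))

def _line(ip, method, path):
    # Constructed combined-format line; timestamp, size and agent are arbitrary.
    return (f'{ip} - - [02/Dec/2004:09:15:00 +0000] "{method} {path} HTTP/1.1" '
            f'200 512 "-" "Mozilla/4.0"')

# Incident 1: comment flood on one blog; incident 2: ad-insert flood on another.
# 203.0.113.7 is the constructed "high rate of fire" node present in both.
LOG_A = ([_line("203.0.113.7", "POST", "/blog/comment")] * 6
         + [_line(f"198.51.100.{i}", "POST", "/blog/comment") for i in range(1, 15)]
         + [_line("192.0.2.10", "GET", "/blog/")] * 30)
LOG_B = ([_line("203.0.113.7", "POST", "/other/trackback")] * 5
         + [_line(f"198.51.100.{i}", "POST", "/other/trackback") for i in range(50, 55)])

if __name__ == "__main__":
    flagged_a, flagged_b = heavy_posters(LOG_A), heavy_posters(LOG_B)
    for ip, share in sorted(flagged_a.items(), key=lambda kv: -kv[1]):
        print(f"incident 1: {ip} sent {share:.0%} of POSTs")
    print("recurring:", recurring(flagged_a, flagged_b))
```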
Anyone awake at blogspot (or google)?
Oki all,

Anyone know what the story is for this morning's multi-hour unscheduled down-time for blogspot? Backhoes surround building 5? (oops, showing my age).

TiA,
Eric
cisco source saga
This just made reuters: http://www.reuters.co.uk/newsArticle.jhtml?type=internetNews&storyID=6281153&section=news
Ivan and outages
I'm looking for operational status information from Grenada, Jamaica, Grand Cayman, and Cuba. Anyone with clue drop me a note off-list, I will post a summary.
Re: Verisign vs. ICANN
> It would only be useful if those people were also in a position to
> vigorously defend said patents when (and if) they were infringed.

assign the patents to icann, to the eff, to the registrar constituency ...
Re: Oct. NANOG - hotel? At the two month marker now.
> ... Reston is Hell, but with better visuals.

I'm not certain of the truth of this comparison, having only half the data at hand. However, it has to be just about the least interesting place on the whole Eastern seaboard to travel to.