[anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity
Suresh Ramasubramanian
ops.lists at gmail.com
Tue Jan 3 17:06:58 CET 2017
And that blinkered attitude, ladies and gentlemen, is an example why this wg won't ever achieve anything much at all

--srs

> On 03-Jan-2017, at 6:44 PM, Simon Forster <simon-lists at ldml.com> wrote:
>
> Andre
>
> Your rhetoric makes it quite clear that you have taken a position and will stick to it. That’s fine. We’ll just have to agree to disagree.
>
> All the best
>
> Simon
>
>> On 3 Jan 2017, at 10:30, ox <andre at ox.co.za> wrote:
>>
>> On Tue, 3 Jan 2017 10:07:36 +0000
>> Simon Forster <simon-lists at ldml.com> wrote:
>>> Hello Andre
>>>
>> Hello Simon,
>>
>>> An interesting take on a mechanism that’s been available for close to
>>> 7 years now
>>
>> And, from the first DNS servers there have been people that have resolved
>> example.com to whatever IP they choose... so what?
>>
>> Many large ISP's resolve sadfgsdjfgn4563456346.com to their own home
>> page (or a "register this domain") page -- even though whatever
>> question was asked - is not registered at all.
>>
>> When it becomes a "STANDARD" (ACCEPTABLE) and nefarious behavior is
>> suddenly "the way things work" - then this is of serious concern.
>>
>> Your reply, in a nutshell is: "This is the way things work, there is
>> nothing wrong with it and if you do not like it setup your own
>> resolvers"
>>
>> My objections are easy: Defining a clear standard on how DNS tells lies
>> to users, and different lies to different users, depending on which
>> user is doing the asking, and then hiding the truth of your lies from
>> your users, is EVIL!
>>
>> Allowing the easy management of "private Internet" in as a standard, is
>> EVIL
>>
>> RPZ is the start of the end of the open and free Internet.
>>
>>> Largely I believe you’re on the wrong track with your post — at
>>> pretty much every level. Response Policy Zones (RPZ’s aka DNS
>>> firewalls) are a powerful tool to allow individuals, organisations or
>>> society better to control access to the darker corners of the
>>> internet. As per Vixie’s original paper (see above reference), this
>>> can circumvent a lot of harm for the average user.
>>>
>>
>> as I said: trillions of domain names can resolve to ONE ip number.
>>
>> a "DNS firewall" is a silly technical argument against abuse.
>>
>> What is of concern is "private" internets and this "standard" allowing
>> easy management of lies - and then doing it in the dark, so that users
>> have no way of knowing that they are being lied to (or "protected")
>>
>>> As with any powerful tool, it can be used with ill intent but
>>> overall, this is a useful addition to an organisation’s security
>>> arsenal.
>>>
>>
>> Distributing hacker and cracker tools is also fine, I guess. But it is
>> very wrong to define actual standards for how to break into servers and
>> networks. - And making that a standard.
>>
>>> You express concerns wrt governments. Governments have a tendency to
>>> do what they want to do irrespective of the tools available to
>>> them — after all, compliance with their rules is not their problem,
>>> they just need to prosecute those that fail to follow the new rules.
>>>
>> Also, it allows and empowers dictators (AND CRIMINALS) - and now the
>> dictators can say: This is a "standard" the Internet community accepts
>> that this is the methods and protocols for "protecting" my "users"
>>
>> Yes, Governments do what they want - but defining a standard on how to
>> tell lies and in such a way that your "users" do not know if they are
>> being lied to - is nefarious and evil.
>>
>> Your objection to my allegations is quite suspect as you have not
>> mentioned one single technical reason why making this EVIL method of
>> operation is not abuse?
>>
>>> Irrespective of any philosophical objections you’re throwing out
>>> here, the resolution to your problem is incredibly simple — run your
>>> own recursive resolver. In this day and age an incredibly simple
>>> thing to do (which is another, markedly different problem).
>>>
>>
>> Sure, and run my own Internet?
>>
>> This is exactly the point.
>>
>>>
>>>> On 2 Jan 2017, at 06:48, ox <andre at ox.co.za> wrote:
>>>> Hello,
>>>>
>>>> I wish everyone a prosperous & productive 2017
>>>>
>>>> I wish to cast light on an abuse issue that has the potential to
>>>> effect, affect and impact the entire Internet
>>>> As among the proponents of this abuse are certain Government
>>>> Security Agencies and many other powerful forces, I beg with you to
>>>> attempt to understand how the changes being effected right now, also
>>>> affects yourself right now and how it will affect you in the
>>>> future.
>>>> My idea with this post is threefold, firstly, to educate, secondly
>>>> to open discussion and thirdly to agitate for change.
>>>> DNS Abuse
>>>> ----------------
>>>> Sometimes abuse is creeping, like weed in a garden it becomes more
>>>> and more and more and does not just happen overnight. In fact, it is
>>>> so creeping that we do not really see the weeds as we have become
>>>> used to seeing them.
>>>>
>>>> Just because there are so many weeds, it does not change the fact
>>>> that they are weeds and, in a well maintained garden, they need to
>>>> be eradicated for the well being of all the plants in the garden.
>>>>
>>>> To understand how this is even abuse, and how this will change your
>>>> own life and the Internet in the future, you need to also understand
>>>> some basic facts. The arguments for, against the standards, the
>>>> basic tech concepts, the functional aspects and then understand why
>>>> this is actually abuse and not just an evil movement, evil
>>>> standards or generally just plain old evil.
>>>>
>>>> Some important concepts in order to understand the technical logic
>>>> and the "explained purpose" and then, importantly, "the real
>>>> purpose" of the abusers:
>>>>
>>>> Trillions of domain names can resolve to a single ipv4 ip number
>>>> So, you could have ex.example.com and ex1.example.com and
>>>> cat.example.com - and have the same for unlimited names from
>>>> unlimited TLD to a SINGLE ip number.
>>>>
>>>> All Domain names are intellectual property - yes, even
>>>> abc.dsrtif.dsaurthp.example.com
>>>>
>>>> If a DNS server is asked for an IP number for google.com and it
>>>> answers 127.0.0.1 to one user and 0.0.0.0 to a different user
>>>> (makes up its own answers) - This is simply fraud. as google.com
>>>> is a trademark.
>>>> (replace google.com with apple.com or ibm.com facebook.com or
>>>> any.example.com)
>>>>
>>>> The proponents of DNS abuse argue that they are 'protecting'
>>>> innocent users by using DNS as a 'firewall' to create 'walled
>>>> gardens' and to respond to one ip number for a certain set of users
>>>> and a different ip number for different sets of users
>>>>
>>>> Of course, this argument is fatally flawed as per my example above.
>>>> Their response is that there is sometimes multi homed ip numbers
>>>> (100 domains on a single ip number) and that blocking per ip number
>>>> blocks innocent domains as well.
>>>>
>>>> In order for you to form your own opinion you need to know that the
>>>> majority of DNS servers use the same software and that there are new
>>>> standards being introduced to formalize Internet Fraud. This
>>>> Internet Fraud empowers African Dictators to easily justify 'walled
>>>> garden' countries and is set to revolutionize your own Internet
>>>> access. It also empowers, facilitates and allows easy management
>>>> to aggressive ISP's, multi nationals and many nefarious groups and
>>>> people to manage their activities. So, not only does the new
>>>> software 'functionality' exist, but it is being legitimized and
>>>> formalized by https://www.ietf.org/
>>>> (who, ironically, states: The goal of the IETF is to make the
>>>> Internet work better.)
>>>>
>>>> In a nutshell, the above illustrates that the DNS software used by
>>>> almost all of the Internet is to have functionality that allows DNS
>>>> operators to LIE to users, but to lie one lie to some/certain users
>>>> and another LIE to different sets of users (depending on who is
>>>> doing the asking)
>>>>
>>>> That is not all...
>>>>
>>>> It also allows the DNS operators to hide the truth of these lies...
>>>>
>>>> and that is not all...
>>>>
>>>> The https://www.ietf.org/ is set to legitimize this nefarious
>>>> behavior under the flag of decency and good Internet operations.
>>>>
>>>> So, it would be perfectly fine and acceptable for everyone to start
>>>> doing this, as it will be a 'standard'
>>>>
>>>> What this means for you: The future Internet will not be free and
>>>> open.
>>>>
>>>> Engineers supporting a non functional and fatally flawed approach to
>>>> abuse is an indication of a far more serious problem - you need to
>>>> think about that for yourself, and what that means.
>>>>
>>>> Of course, this in itself is abuse. This entire situation is
>>>> Internet Abuse and needs to be discussed as abuse.
>>>>
>>>> Andre
>>>>
>>>> --
>>>> more technical information:
>>>> https://tools.ietf.org/html/draft-vixie-dns-rpz-00