Random Bytes...by Ross Rader :: Wesson, IP Interests Completely Miss the Point

Main Page » Random Bytes » Code

Previous:	Bill not the right answer
Next:	weblog.edventure.com

by Ross at 10:49AM (EST) on February 6, 2004 | Permanent Link

Making the same mistakes as intellectual property interests, Rick Wesson presumes that accurate whois data is the key to wiping the internet clean of bad actors and eliminating online fraud.

Perhaps in some Pollyanna world where everyone wears rose-tinted glasses. On the internet I use, nothing could be further from the truth.

In today's world, accurate data leads to accurate data. It provides a mechanism by which one entity can, at will, contact another entity. It provides anyone willing to make a casual inquiry with phone numbers, street names, names and email addresses.

In a Pollyanna world, accurate data makes it easy to reach out to a bad actor and ask them to stop the harm that they are inflicting on the internet population. In Rick's world, conversations like this one happen every day...

Mr. Internet User: Oh drat. I got more spam today. I better check the whois to see who is responsible for sending me this information. I'm sure glad that the spammer didn't forge their email header and that their registrar provides 100% accurate information in their whois database. (types in source domain into whois database lookup)

Looky here, a phone number! Excellent. I can fix this immediately. (dials)

Spammer Secretary: Hello, UCE Inc. how may I direct your call.

Mr. Internet User: Can I speak to your complaint department please?

Secretary Spammer: Certainly, please hold while I put you through.

(hold music with a voiceover extolling the virtues of bulk unsolicited mail)

Complaint Department Operator: Hello, complaint department, can I help you?

Mr. Internet User: Hello, I believe that your company sent me commercial email today that I did not request. I believe that this makes it spam. I don't like spam. Would you please stop?

Complaint Department Operator: My goodness. Our sincere apologies sir. This never should have happened. If you can give me some more information, I can get this straightened out immediately and make sure that it never happens again...<fade to black>

Of course, similar conversations will happen when Mr. Internet User gets a virus, or when someone tries to steal his Visa number and certainly when someone launches a distributed denial of service attack on his ISP.

The problem with this thinking is that it is extremely narrow-minded and focused exclusively on an outcome that prefers the interests of the few, not the many. The intellectual property brigade, wants to make sure that the outcome fosters an environment where they are able to maintain and increase their billable hours. Rick is looking for a similar financial outcome. 100% accurate data will undoubtedly put cash in Rick's pocket as he hopes that at least a few registrars adopt his Fraudit "solution".

Rick's easy answers, like those of the IP interests, simply don't fully address the myriad of complexities that the problem poses.

For instance, he points out a problem that he has with "igger.com". Tucows is the registrar for the "igger.com" domain which is easily confirmed with a quick whois query. He also mentions that the whois record for this domain contained inaccuracies at one point. This is confirmed by internal Tucows Compliance Department records. This record also shows that the registrant promptly updated the record with apparently accurate data as per their obligations under the Registration Agreement.

[Aside: Tucows Compliance is an internal group over here whose sole focus is to deal with inquiries like this and ensure that our resellers and registrants abide by the various policies set forth in the various accreditation and registration agreements that Tucows operates under. On any given day they will deal with everything from end-user inquiries about the status of various domain names, whois problem reports, UDRP complaints, threats of lawsuits and every other imaginable query under the sun. I personally wish that more registrars had departments like this to ensure that the broad range of contractual compliance issues that registrars face was dealt with in a more even and regular manner.]

Rick also alleges that the domain name is used as the basis for distributed denial of service attacks. Of course, there is nothing but Rick's word to substantiate this. But he asks that, in the interests of the security and stability of the internet, our responsibility to the internet community and the universe as a whole, this domain name should be irrecoverably deleted without further question.

Bollocks.

Registrars are not, and should not be forced into a position where they are required to delete a registrants domain name based on the unsubstantiated allegations of a potentially uninformed third party. In the same breathe that Rick talks of being a responsible user of the internet, he implies that creating a system of accredited vigilantes will solve all woes. This is, of course, ridiculous.

Current practice is not as bleak as Rick and his IPC co-conspirators would have us believe. Internet operators have a long history of cooperation and coordination. ISPs and Network Operators are in continuous contact with one another and are very willing to work together to solve mutual problems. These problems include situations where users of one network are causing problems with users of another network. Furthermore, in today's specialized environment, there is often more than one technical provider to turn to when attempting to solve a problem. Remember Mr. Internet User? In the untinted real-world, he would typically contact his Internet Service Provider and explain the problem. The ISP would first validate the problem and then determine who they could reach out to in order to get the problem fixed. In the case of Rick's DDOS hassles, there are a number of parties that can help him alleviate or eliminate the datastorm.

upstream DNS providers
upstream bandwidth providers
ISPs hosting the cable/DSL-drones that the traffic is coming from
netblock managers

And even if none of those parties is willing to help Rick solve his problem, he still has legal options at his disposal.

But, that sounds like work. Very few people are willing to do things the hard way. It is much easier to ignore the entire picture and get half-baked laws passed.

Even if they are unwilling to solve their own problems, there isn't a lack of community attention devoted to solving this issue. 100% of my policy attention at Tucows is focused on whois-related and data accuracy issues. Elliot is working with an ad hoc group of industry participants that recently came together. Tucows has had several internal meetings over the past few months to discuss different ways in that we can be part of the solution. And we're not unique. Hundreds of internet firms and thousands of internet professionals are clearly focused on addressing the core set of issues that make this such a vexing problem. Even ICANN's GNSO, not always the most action oriented organization, has mobilized unprecedented resources in an attempt to craft policy that constructively deals with the problems we face.

This hearing has made a few things abundantly clear. First, both the intellectual property interests and Rick Wesson are in this for themselves. Their concern lies with lining their own pockets and not with the interests of the community. The second thing that this situation draws into relief is the degree by which the internet community must reinforce its efforts to address these pressing problems. ICANN's Whois Task Force initiatives are a great start. Microsoft reworking the browser to clamp down on spoofing is another. But, there is more work to do.

It needs to be easier for technical operators to coordinate with one another. Incentives for them to do so should be abundant. Outreach from the technical community to the legal community regarding best practices in technical data gathering, analysis and actioning would also go a long way. Unless the ecosystem of cooperation is properly understood, it will never be properly used.

The conversation must come around to focusing on these issues of coordination and attention must be paid to developing a framework that allows cooperation to develop and flourish. More laws, more regulation and more proprietary technology is simply more noise, more interference and ultimately, more problems. Let's avoid the regulatory mistakes that we've seen elsewhere and focus on continuing to build the internet that we want to use.

Posted to:

Code

This work is licensed under a Creative Commons License.

Comments

Re: Wesson, IP Interests Completely Miss the Point

by rick wesson on Wed 11 Feb 2004 12:09 PM EST | Profile | Permanent Link

[17:03:03] [z] do me a favor and stay out?
[17:03:29] [z] k?
[17:04:15] >wessorh< k, keep your packets off my network
[17:04:21] [z] what happened?
[17:04:56] [z] who are you, what network are you talking about, and were the packets incoming or outgoing?
[17:05:02] >wessorh< irc bot is managing a DDoS attack
[17:05:16] >wessorh< you wana help track it dow?
[17:05:24] [z] sure
[17:05:37] [z] did one of the bots infect someone on your network?
[17:05:41] [z] or were the bots attacking it
[17:06:32] [z] hello?
[17:06:47] >wessorh< the bots manage the attacks, infected nodes connect the irc and join #uberdust15
[17:07:19] [z] * wessorh H ~wessorh@flash.ar.com :0 sirc user
[17:07:19] [z] * ckuaizc H ~zack@66.123.187.78.ar.com :0 wessorh
[17:07:29] [z] i believe you ran it on your computer?
[17:07:46] >wessorh< come again, i dont understand.
[17:08:02] [z] someone from same domain as you
[17:08:10] [z] logged into windows as wessorh
[17:08:14] [z] is that you?
[17:08:27] [z] you confused me
[17:08:28] [z] heh
[17:08:29] >wessorh< yes, a computer on my net is connected too thats how i traced the packets
[17:08:39] [z] okay
[17:08:44] [z] want me to uninstall it?
[17:08:59] >wessorh< sure, can you do that?
[17:10:02] [z] well
[17:10:07] [z] hm
[17:10:26] >wessorh< are you the person managing the bots?
[17:10:38] [z] one of the 7
[17:10:41] [z] yes
[17:10:50] [z] i haven't ddosed with them for so long now
[17:10:52] >wessorh< why do you do it?
[17:10:56] [z] but i'll help you get it off your network
[17:11:05] >wessorh< cool i'd appreciate that
[17:11:07] [z] i'm helping my friends run it
[17:11:27] >wessorh< can i play too, i'd love to have a tool like this =)
[17:11:28] [z] one small problem though .. that bot isn't responding to my commands
[17:11:34] [z] ya lol
[17:11:50] >wessorh< how do you controll them?
[17:11:56] [z] master channel
[17:12:14] >wessorh< where can i read about this stuff?
[17:12:32] [z] ckuaizc is ~zack@66.123.187.78.ar.com * wessorh
[17:12:32] [z] ckuaizc is really *@66.123.187.78
[17:12:35] [z] ckuaizc using dev.null DevNull
[17:12:35] [z] ckuaizc has been idle 2hrs 44mins 4secs, signed on Thu Jul 31 17:28:16
[17:12:35] [z] ckuaizc End of /WHOIS list.
[17:12:43] [z] that's the bot we're talking about right now
[17:12:52] [z] it's not responding to my commands :/
[17:13:09] >wessorh< well, can you tell me what to do to it?
[17:13:15] [z] so i'm unable to uninstall it easily. what you could do is remove it manually
[17:13:19] [z] yeah sure
[17:13:23] [z] on that computer
[17:13:25] [z] ctrl alt del
[17:13:27] >wessorh< its plugged in...
[17:13:27] [z] kill netd32.exe
[17:13:37] [z] then remove these registry entries:
[17:13:54] [z] hkey local machine/software/microsoft/windows/currentversion/run -> netd32.exe
[17:13:57] [z] hkey local machine/software/microsoft/windows/currentversion/runservices -> netd32.exe
[17:14:12] >wessorh< rad, thanks!
[17:14:15] [z] and optionally delete C:\Windows\system32\netd32.exe
[17:14:17] >wessorh< so, how did i get it?
[17:14:36] [z] we have a bunch of them dedicated to automatically spreading it
[17:14:46] [z] it looks for NULL shares and uploads to startup directories
[17:14:58] [z] once the PC reboots, it runs it from startup dir
...
[17:15:39] [z] uhm well
[17:15:48] [z] i'll talk to the other dude about it
[17:15:50] [z] he might agree
[17:15:53] >wessorh< i can send it to pay pal o something...
[17:15:55] [z] i don't like getting paid for illegal stuff
[17:15:58] [z] but he does
[17:16:03] [z] his nickname here is g
[17:16:04] [z] hehe
[17:16:11] [z] you could talk to him
[17:16:23] >wessorh< ok, well is there another way i could compensate you for a job well done?
[17:16:38] >wessorh< and can you keep my blocks outta your hit list?
[17:16:48] [z] it's totally random :(
[17:16:52] [z] i can't make exceptions
[17:16:57] [z] these bots scan .gov, .edu, whatever else
[17:17:00] [z] nothing i can do about it
[17:17:13] >wessorh< how about writing better code =)
[17:17:44] [z] when they connect, they receive a command to scan a random IP
[17:17:55] [z] so it starts .. say .. at ..
[17:17:55] [z] uhm
[17:18:06] [z] 66.123.185.12
[17:18:10] >wessorh< oh, bummer -- why do you do it then?
[17:18:13] [z] and adds one every time
[17:18:20] [z] eventually reaches 66.123.187.78
[17:18:23] [z] finds that it's vulnerable
[17:18:25] [z] and infects it
[17:18:26] [z] and goes on
[17:18:32] [z] why do i do what?
[17:18:47] >wessorh< run this little playground dossing folks
[17:19:16] [z] well
[17:19:37] [z] in case some lamer on IRC takes over a channel that is ran by a friend of mine
[17:19:40] [z] stuff like that .. ya know?
[17:19:51] [z] i don't ddos for fun
[17:19:54] [z] because it's not
...
[17:21:43] >wessorh< ok, i'll talk to g. where do i find him?
[17:21:49] [z] he's here
[17:21:51] [z] /msg g hi
[17:21:53] [z] well
[17:21:56] [z] here as in connected
[17:22:04] [z] he's away i think
[17:22:19] >wessorh< thanks for the clue, is it ok if i come back here some time?
[17:22:35] [z] sure i guess ..

Re: Re: Wesson, IP Interests Completely Miss the Point

by Ross on Wed 11 Feb 2004 02:51 PM EST | Profile | Permanent Link

So let me guess, you were able to track down "z" simply because he had an accurate whois record?

Trackbacks

TrackBack URL:
http://www.byte.org/blog/_trackback/18559

No trackbacks found.