Re: [gnso-ff-pdp-may08] Saturday Harms
- To: "gnso-ff-pdp-May08@xxxxxxxxx" <gnso-ff-pdp-May08@xxxxxxxxx>
- Subject: Re: [gnso-ff-pdp-may08] Saturday Harms
- From: Eric Brunner-Williams <ebw@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 21 Jul 2008 13:05:34 -0400

On 01/15/2005 07:27:31 Steve Bellovin wrote the following to NANOG:

> panix.com has apparently been hijacked. It's now associated with a
> different registrar -- melbourneit instead of dotster -- and a
> different owner. Can anyone suggest appropriate people to contact to
> try to get this straightened out?

Shortly thereafter I replied:

> I've forwarded to Bruce Tonkin, who I know personally, at MIT, and
> Cliff Page, who I don't know as well, at Dotster, Steve's note.
> These are the RC reps for each registrar.

The "harm" to me was that any mail I usually send to users@xxxxxxxxx
wouldn't go where I expected. Note, I am not the Registrant of the
domain name Panix.COM.

The "harm" to users of panix.com was that, however they got internet
access, and presumably some actually got access (dhcp provisioned,
radius authenticated, yata yata), what they got when they got to
panix.com wasn't what they expected. Note, Steve, a random Panix.COM
user, is also not the Registrant of the domain name Panix.COM.

The "harm" to the Registrant of Panix.COM is another kettle of fish.
Loss of business, and probably loss of consortium too.

Failing to distinguish between me, Steve, and the hapless down-for-a-day
operator of one of the oldest ISPs in the world and our interests is not
useful.

Failing to distinguish between the harms to the hapless down-for-a-day
operator of one of the oldest ISPs in the world, from loss, temporary,
long term, or permanent, of the domain name asset, and all the other
harms common to ISPs, to all other assets, from spam over their
upstreams to backhoes through their upstreams, is also not useful.

Or rather, conflating the sum of all harms serves some purpose I don't
particularly share. See also my note "Sunday Benefits".

It is clear that Dave and Joe and Marc have one model for "who is
harmed" and "how are they harmed", to use Mike's effort at synthesis,
and I have another, and there isn't a lot a synthesis can do with the
claim that "A is true" and the claim that "A is false", except to
examine the basis for the evaluation of each claim (for which each claim
is correct), and discard the basis for evaluation that leads to a
conclusion inconsistent with the goal of the Working Group -- something
consistent with the GNSO process, which as I mentioned in "Sunday
Benefits", has to be consistent with this -- "ICANN doesn’t control
content on the Internet. It cannot stop spam and it doesn’t deal with
access to the Internet" -- so it seems likely to me, subject of course
to eventual disproof, that "harms" are primarily defined by stakeholder
relationship to other stakeholders within the multi-stakeholder institution.

Fundamentally, the value of a registration is six bucks and change, and
I'm guessing that a higher return on attack investment is available
targeting buyers of erectile dysfunction remedies, so Registrants qua
Registrants, won't be harmed by "fast flux" until erectile dysfunction
is as prevalent as polio or smallpox, and every other higher ROI target
is also exhausted, or the value of a registration is bumped up a bunch.
At that point "fast flux" may be exploited to capture the value of
registrations, and harm Registrants qua Registrants, and therefore, harm
Registrars qua Registrars, and therefore, harm Registries qua
Registries. If "fast flux" is being used to capture the value of
trademarks or RIR allocations, distinctly from all other means used to
try and capture those values, I don't know about it.

As before, my goal is to try and get a better understanding, even if
just for myself, of what the harms are, and what they are not. I'm not
trying to change anyone's mind that has already come to some other
conclusions I haven't learned to share.

Eric

Mike O'Connor wrote:

At 09:07 AM 7/21/2008, Eric Brunner-Williams wrote:
> Dave Piscitello wrote:
>> Eric,
>> I think you have taken a very limited view of harm.
>
> Correct.

I think Eric gets the "brevity" award of the day. :-)

If I might take the liberty of (perhaps over) summarizing the
positions (and bugging you all again with a reference to the Risk
Management model, so much for my promise on the phone call)...

Dave and Marc are focusing on the first few steps in the Assessment
process.

- What are the targets? (who is harmed?)
- What are the threats? (how are they harmed?)
- What are the vulnerabilities (what are the attack modes?)

Eric is focusing on the last few steps.

- What's the likelihood?
- What's the impact?

I think these two lines of analysis can coexist -- we need to know all
these things. And from a combination of all those pieces of knowledge,
we can answer the punchline question.

- What's the risk?

If I could offer a suggestion -- be careful of combining these topics
prematurely. Joe, your list of harms is fine. But the leap to an
assessment of risk is premature. Until we have better data about the
"likelihood" and "impact" questions, we don't have the underpinnings
to make a choice about what to do.

What is that choice? That's the middle "Mitigate" layer in that
3-layer model. Once we know the nature, likelihood and impact, we can
recommend a response. In general our choices are as follows.

- Accept the risk (this is so improbable, the impact is small, we'll
  just put up with it)
- Avoid the risk (let's figure out preventative measures)
- Limit the risk (let's get proactive -- rapid response, legal/policy
  changes, hedging)
- Transfer the risk (let's hand this risk to somebody else -- e.g.
  insurance)

Here again, some of this conversation is blending topics between
Assessment (what's the risk?) and Mitigation (what we gonna do?),
which can tie us in knots if we're not careful.

So what? So, everybody on this thread is saying useful stuff. But we
need to put that stuff in buckets, otherwise we'll wind up with muddy
waters (as close as I could get to a "day" reference on this Stormy
Monday).

my $.02

m