Re: [gnso-ff-pdp-may08] Saturday Harms

[RLVaughn <RL_Vaughn@xxxxxxxxxx>]

Eric Brunner-Williams wrote:
> On 01/15/2005 07:27:31 Steve Bellovin wrote the following to NANOG:
>
>    /panix.com has apparently been hijacked. It's now associated with a
>    different registrar -- melbourneit instead of dotster -- and a
>    different owner. Can anyone suggest appropriate people to contact to
>    try to get this straightened out?
>    /
>
>
> Shortly thereafter I replied:
>
>    /I've forwared to Bruce Tonkin, who I know personally, at MIT, and
>    Cliff Page, who I don't know as well, at Dotster, Steve's note.
>    These are the RC reps for each registrar.
>    /
>
>
> The "harm" to me was that any mail I usually send to users@xxxxxxxxx 
> wouldn't go where I expected. Note, I am not the Registrant of the 
> domain name Panix.COM.
<snip - control list volume>


> It is clear that Dave and Joe and Marc have one model for "who is 
> harmed" and "how are they harmed", to use Mike's effort at synthesis, 
> and I have another, and there isn't a lot a synthesis can do with the 
> claim that "A is true" and the claim that "A is false", except to 
> examine the basis for the evaluation of each claim (for which each claim 
> is correct), and discard the basis for evaluation that leads to a 
> conclusion inconsistent with the goal of the Working Group -- something 
> consistent with the GNSO process, which as I mentioned in "Sunday 
> Benefits", has to be consistent with this -- "ICANN doesn’t control 
> content on the Internet. It cannot stop spam and it doesn’t deal with 
> access to the Internet" -- so it seems likely to me, subject of course 
> to eventual disproof, that "harms" are primarily defined by stakeholder 
> relationship to other stakeholders within the multi-stakeholder 
> institution.
Suddenly I see a lot of conditional probability hanging around
and once I put on my silly hat there is no end of it.  So, with
apologies,
the fact that the probability of event B is low under the
assumption of event A has occurred does not allow on to
draw the conclusion that the probability of event A occurring
is low.

Now for my risk management observation.  Accessing the risk of
the problem is only part of the process.  One must consider risk
and frequency in order to obtain an expectation of loss.  The
expectation of loss can be useful to determine an action plan.

One can not, however, develop risk assessments without regard
to observations of actual data.  For example,
<http://blogs.zdnet.com/security/?p=1394> describes the
activities of a VCHSN which compromised Playstation.com
via SQL Injection.  Yes, it is collateral damage but damage
none-the-less. Those registrants harmed by this network might be willing
to share their insights as to what harm they have suffered.


<snip>