Re: [gnso-ff-pdp-may08] Saturday Harms

["Mike O'Connor" <mike@xxxxxxxxxx>]

At 02:08 PM 7/21/2008, RLVaughn wrote:

> Eric Brunner-Williams wrote:
> > On 01/15/2005 07:27:31 Steve Bellovin wrote the following to NANOG:
> >    /panix.com has apparently been hijacked. It's now associated with a
> >    different registrar -- melbourneit instead of dotster -- and a
> >    different owner. Can anyone suggest appropriate people to contact to
> >    try to get this straightened out?
> >    /
> >
> > Shortly thereafter I replied:
> >    /I've forwared to Bruce Tonkin, who I know personally, at MIT, and
> >    Cliff Page, who I don't know as well, at Dotster, Steve's note.
> >    These are the RC reps for each registrar.
> >    /
> >
> > The "harm" to me was that any mail I usually 
> > send to users@xxxxxxxxx wouldn't go where I 
> > expected. Note, I am not the Registrant of the domain name Panix.COM.
> <snip - control list volume>
>
>
> > It is clear that Dave and Joe and Marc have one 
> > model for "who is harmed" and "how are they 
> > harmed", to use Mike's effort at synthesis, and 
> > I have another, and there isn't a lot a 
> > synthesis can do with the claim that "A is 
> > true" and the claim that "A is false", except 
> > to examine the basis for the evaluation of each 
> > claim (for which each claim is correct), and 
> > discard the basis for evaluation that leads to 
> > a conclusion inconsistent with the goal of the 
> > Working Group -- something consistent with the 
> > GNSO process, which as I mentioned in "Sunday 
> > Benefits", has to be consistent with this -- 
> > "ICANN doesnâ??t control content on the 
> > Internet. It cannot stop spam and it doesnâ??t 
> > deal with access to the Internet" -- so it 
> > seems likely to me, subject of course to 
> > eventual disproof, that "harms" are primarily 
> > defined by stakeholder relationship to other 
> > stakeholders within the multi-stakeholder institution.
> Suddenly I see a lot of conditional probability hanging around
> and once I put on my silly hat there is no end of it.  So, with
> apologies,
> the fact that the probability of event B is low under the
> assumption of event A has occurred does not allow on to
> draw the conclusion that the probability of event A occurring
> is low.
>
> Now for my risk management observation.  Accessing the risk of
> the problem is only part of the process.  One must consider risk
> and frequency in order to obtain an expectation of loss.  The
> expectation of loss can be useful to determine an action plan.
>
> One can not, however, develop risk assessments without regard
> to observations of actual data.  For example,
> <http://blogs.zdnet.com/security/?p=1394> describes the
> activities of a VCHSN which compromised Playstation.com
> via SQL Injection.  Yes, it is collateral damage but damage
> none-the-less. Those registrants harmed by this network might be willing
> to share their insights as to what harm they have suffered.
yes indeedy.  real data is crucial.   and you're 
right, probability and frequency are all in the 
mix.  as i was composing this sentence, i 
wandered off to the Google to see if "actuaries" 
was the right name for the kinda people who 
really know this stuff.  here's the definition 
that popped out from the US Bureau of Labor Statistics;
"Through their knowledge of statistics, finance, 
and business, actuaries assess the risk of events 
occurring and help create policies that minimize 
risk and its financial impact on companies and 
clients. One of the main functions of actuaries 
is to help businesses assess the risk of certain 
events occurring and formulate policies that minimize the cost of that risk. "