ICANN Email List Archives

[gnso-ff-pdp-may08]



Re: [gnso-ff-pdp-may08] Choke points

  • To: "gnso-ff-pdp-May08@xxxxxxxxx" <gnso-ff-pdp-May08@xxxxxxxxx>
  • Subject: Re: [gnso-ff-pdp-may08] Choke points
  • From: "George Kirikos" <fastflux@xxxxxxxx>
  • Date: Thu, 7 Aug 2008 23:23:56 -0400

Hi Marc,

Without responding to every point:

On Thu, Aug 7, 2008 at 10:14 PM, Marc Perkel <marc@xxxxxxxxxx> wrote:
> I'm not reporting the bots. I'm reporting what the spam from the bots link
> to. They all link to fakebank.com. So if we kill the domain fakebank.com
> then the fraud is stopped. If the spam gets through and they click on the
> link and fakebank.com has been disabled at the registry then nothing
> happens.

Right, however, one needs to be careful about situations like Joe Jobs
where the bad guys send out 10 million emails pretending to be Marc
Perkel's spam filtering company, linking to your website, and then
trying to get you shut down. I'm sure you'd want your registrar making
that decision manually, and not some automated system that can be
gamed. You'd want to be white-listed.

> Actually that is the choke point because in one place you can shut them down
> worldwide.

True, but that also creates the potential danger when the wrong sites
get shut down world-wide by mistake.

> If these domains are shut down in minutes after they are used then it
> becomes useless. If someone is registering domains that fast then the
> registrar should disallow that. I don't think that a bot net can operate that
> quickly.

The only way they are going to be shut down in minutes is if the
system is fully automated, and those are never going to be perfect. Usually
it's Hollywood movies like 2001 (Hal) or Terminator (Skynet) that
start off with "perfect" automated systems as their premise.

> The registry is the only single point where they (fakebank.com) can be shut
> down globally with a single change.

No one disagrees with that. It's a question of who pulls the trigger,
on what basis, and who is liable when someone gets damaged because
they got shut down negligently.

> (FF domains not being used for fraud would not be affected because there
> wouldn't be a spam campaign driving it. So free speech is safe from this
> method.)

Right, so enemies of free speech would never spam in the name of their
target, in order to frame someone:

http://en.wikipedia.org/wiki/MediaSentry

"The company provides several services for this purpose, such as
monitoring popular forums for copyright infringement, aid in
litigation, early leak detection, flooding torrents via DDoS attacks,
and the distribution of decoy files."

http://en.wikipedia.org/wiki/MediaDefender

"Revision3 CEO Jim Louderback accused MediaDefender of injecting its
decoy files into Revision3's BitTorrent service through a
vulnerability, then automatically perpetrating the attack after
Revision3 increased security."

Suppose Pirate Bay (or a brand new torrent site) wanted to fast flux
to increase its resilience (i.e. make itself highly available). Would
there exist an incentive to spam in the name of that entity if you
knew it would get it shut down by the registry, over objections of a
registrar?

> Getting it right means building in protections so that doesn't happen. And
> that's doable.

Agreed, I wouldn't be wasting my time on this list if I didn't believe
it was doable. :)

> People - this war is winnable if we do it right. I think that we can take
> out 90%+ of fraud with 100% accuracy within 5 minutes. And that's a
> conservative guess.

I'd be careful when quoting those stats. Check out the formulas at:

http://en.wikipedia.org/wiki/Bayes%27_theorem#Example_1:_Drug_testing

using Bayes' theorem when you're calculating false positives. In
particular note how:

"The rarer the condition for which we are testing, the greater the
percentage of positive tests that will be false positives."

> I don't know what kind of detail you all want but I think that safeguards
> wouldn't be too hard to implement. For example, if you excluded all domains
> over 1 year old and all domains that are paid up 1 year in advance then you
> would eliminate false positives on almost all the important internet sites.

Thanks for those specifics. I would agree with the above fully (it
would not affect any of my domains). As I was mentioning a "6 day"
waiting period (i.e. past the creation date), you're extending that to
1 year, with a "deposit" of another year as an economic signal.


> And if it does then you turn the domain back on, apologize profusely, and
> repair the flaw that caused the problem.

Right, that's why I've been so vocal about Afilias' .INFO policy that
allowed it to CANCEL a domain at its discretion. Cancellation is never
necessary (removing from the zone file is sufficient, and then that
buys time for appeals or correcting a mistaken takedown).

> I think if we do it right we can do it without losers. (Except of course for
> those committing fraud.) I think that we can take down a huge number of fraud
> operations without taking down any good sites. It isn't going to get all the
> bad guys but it will get most of them. And I think most is a good start.

Right, that's why I'd love to have some stats on how many "bad guys"
are using aged domains, fresh domains, etc., to really make things
surgically targeted.

It's too bad we can't (or can we?) run "experiments" with a live
registry. e.g. I'd be really curious as to what would happen if you
made 1/2 the .INFO domains not resolve in the first 6 days, and the
other 1/2 resolve immediately. Say "odd" domains starting with (A, C,
E, ....W,Y, 1, 3, 5, 7, 9) don't resolve until after 6 days, and
"even" domains starting with (B, D, F, ... X, Z, 0, 2, 4, 6, 8)
resolve immediately. If you found after 3 months that all the
abusers/fast fluxers/criminals switched to "even" domains, you've
found a choke point. Maybe some ccTLD might want to step up to the
plate and see what happens.....

Sincerely,

George Kirikos
www.LEAP.com
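A worked illustration of two technical points in the message above: the Bayes' theorem warning (the rarer fraud is among the domains being tested, the larger the share of automated takedowns that hit legitimate sites) and the proposed safeguard of never automatically acting on domains older than a year or paid a year in advance. This is an added example, not code from the thread or from either poster. The prevalence, sensitivity and false-positive figures, the sample domain names, and the detector whose verdicts appear in the `flagged` field are all constructed assumptions.

```python
"""
Added example (not from the mailing-list thread): how Bayes' theorem turns a
detector's false-positive rate into the share of takedowns that hit innocent
domains, and how the "skip aged / prepaid domains" safeguard narrows the
population that an automated system may touch.
All numbers and sample domains below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Domain:
    name: str
    age_days: int        # days since the creation date
    prepaid_days: int    # days of registration already paid beyond today
    flagged: bool        # verdict of a hypothetical automated detector


def takedown_ppv(prevalence: float, sensitivity: float, fpr: float) -> float:
    """P(domain is fraudulent | detector flagged it), by Bayes' theorem.

    prevalence  - fraction of the tested population that is fraudulent
    sensitivity - P(flagged | fraudulent)
    fpr         - P(flagged | legitimate), the false-positive rate
    """
    true_pos = prevalence * sensitivity
    false_pos = (1.0 - prevalence) * fpr
    if true_pos + false_pos == 0.0:
        return 0.0
    return true_pos / (true_pos + false_pos)


def expected_wrongful_takedowns(population: int, prevalence: float, fpr: float) -> float:
    """Legitimate domains an automated system would take down, in expectation."""
    return population * (1.0 - prevalence) * fpr


def auto_takedown_eligible(d: Domain, min_age_days: int = 365,
                           min_prepaid_days: int = 365) -> bool:
    """Safeguard proposed in the thread: a domain older than a year, or paid
    a year in advance, is never handled automatically."""
    return d.age_days < min_age_days and d.prepaid_days < min_prepaid_days


def triage(domains):
    """Split flagged domains into automatic candidates and manual-review cases."""
    automatic, manual = [], []
    for d in domains:
        if not d.flagged:
            continue
        (automatic if auto_takedown_eligible(d) else manual).append(d.name)
    return automatic, manual


# Constructed sample: three flagged domains, only one of which is young and
# not prepaid; the fourth was never flagged and is left alone.
SAMPLE_DOMAINS = [
    Domain("example-bank-login.info", age_days=3, prepaid_days=0, flagged=True),
    Domain("example-shop.com", age_days=400, prepaid_days=120, flagged=True),   # aged
    Domain("example-news.org", age_days=20, prepaid_days=700, flagged=True),    # prepaid
    Domain("example-blog.net", age_days=30, prepaid_days=0, flagged=False),     # not flagged
]


def main() -> None:
    # The same detector (90% sensitivity, 1% false positives) on two populations.
    rare = takedown_ppv(prevalence=0.001, sensitivity=0.9, fpr=0.01)
    common = takedown_ppv(prevalence=0.05, sensitivity=0.9, fpr=0.01)
    print(f"PPV when 0.1% of tested domains are fraud: {rare:.1%}")    # about 8.3%
    print(f"PPV when 5% of tested domains are fraud:   {common:.1%}")  # about 82.6%
    print("wrongful takedowns per million domains at 0.1% prevalence:",
          round(expected_wrongful_takedowns(1_000_000, 0.001, 0.01)))   # 9990
    auto, review = triage(SAMPLE_DOMAINS)
    print("automatic candidates:", auto)
    print("manual review:", review)


if __name__ == "__main__":
    main()
```

The two PPV figures use an identical detector; only the base rate differs. Restricting automation to young, unpaid domains is one way to raise that base rate among the domains the system actually judges, which is why the safeguard and the Bayes calculation belong together. Note that even a 1% false-positive rate at one-in-a-thousand prevalence means roughly eleven wrongful takedowns for every genuine one, which is the liability question raised in the message.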



