Re: [gnso-ff-pdp-may08] Choke points

[Marc Perkel <marc@xxxxxxxxxx>]

George Kirikos wrote:
> Hi Mark,
>
> Without responding to every point:
>
> On Thu, Aug 7, 2008 at 10:14 PM, Marc Perkel <marc@xxxxxxxxxx>
>   
> > I'm not reporting the bots. I'm reporting what the spam from the bots link
> > to. They all limk to fakebank.com. So if we kill the domain fakebank.com
> > then the fraud is stopped. If the spam gets through and they click on the
> > link and fakebank.com has been disabled at the registry then nothing
> > happens.
> >     
> Right, however, one need be careful about situations like Joe Jobs
> where the bad guys send out 10 million emails pretending to be Marc
> Perkel's spam filtering company, linking to your website, and then
> trying to get you shut down. I'm sure you'd want your registrar making
> that decision manually, and not some automated system that can be
> gamed. You'd want to be white-listed.
>   
Except that the fact that junkemailfilter.com is 3 years old which would 
prevent it from being shut down using automation. And we can establish a 
number of other white rules to prevent this kind of gaming from working.
>   
> > Actually that is the choke point because in one place you can shut them down
> > worldwide.
> >     
> True, but that also creates the potential danger when the wrong sites
> get shut down world-wide by mistake.
>   
Yep - and that's why we need a good rule system and reporting method 
that actually works and is actually accurate. This is something that we 
can set up and run tests on before making it active. When we can see 
that we have the accuracy we need the registrars can choose to activate it.
>   
> > If these domains are shut down in minutes after they are used then it
> > becomes useless. If someone is registering domains that fast then the
> > registrar sould disallow that. I don't think that a bot net can operate that
> > quickly.
> >     
> The only way they are going to be shut down in minutes is if the
> system is fully automated, that are never going to be perfect. Usually
> it's Hollywood movies like 2001 (Hal) or Terminator (Skynet) that
> start off with "perfect" automated systems as their premise.
>   
All it has to do is be "perfect" with respect to false positives. Or - 
if we limit automated take downs to very new domains (under 5 days old?) 
then a false positive wouldn't do as much damage.
>   
> > The registry is the only single point where they (fakebank.com) can be shut
> > down globally with a single change.
> >     
> No one disagrees with that. It's a question of who pulls the trigger,
> on what basis, and who is liable when someone gets damaged because
> they got shut down negligently.
>   
I want to point out at this point that "mistakenly" and "negligently" 
are very different. I think negligence of anyone implies perhaps 
liability. As to mistaken I'm not sure that would as long as the 
registrar takes reasonable precautions. My suggestion is to create as 
good of tools as we can and if the registrar is comfortable with the 
system they can choose to use it. And - important point - registrars are 
not requied to participate. The idea is to do this so well that 
registrars would all want to do it.
>   
> > (FF domains not being used for fraud would not be affected because there
> > wouldn't be a spam campaign driving it. So free speech is safe from this
> > method.)
> >     
> Right, so enemies of free speech would never spam in the name of their
> target, in order to frame someone:
>
> http://en.wikipedia.org/wiki/MediaSentry
>   
Quite frankly if I were running a registry and a free speech enemy gamed 
the system like that I would take down their domain. Gaming the system I 
would think would also be easily detectable. The perp would have to be 
in control of the spam bot armies.
> "The company provides several services for this purpose, such as
> monitoring popular forums for copyright infringement, aid in
> litigation, early leak detection, flooding torrents via DDoS attacks,
> and the distribution of decoy files."
>
>   
If I were a registrar and a domain registered through me used DDoS I 
would take them down.
> http://en.wikipedia.org/wiki/MediaDefender
>
> "Revision3 CEO Jim Louderback accused MediaDefender of injecting its
> decoy files into Revision3's BitTorrent service through a
> vulnerability, then automatically perpetrating the attack after
> Revision3 increased security."
>
> Suppose Pirate Bay (or a brand new torrent site) wanted to fast flux
> to increase its resilience (i.e. make itself highly available). Would
> there exist an incentive to spam in the name of that entity if you
> knew it would get it shut down by the registry, over objections of a
> registrar?
>   
My suggestion applies to spam driven fast flux. If there is another way 
to drive FF then that would be a separate and additional problem to solve.
>   
> > Getting it right means building in protections so that doesn't happen. And
> > that's doable.
> >     
> Agreed, I wouldn't be wasting my time on this list if I didn't believe
> it was doable. :)
>
>   
> > People - this war is winnable if we do it right. I think that we can take
> > out 90%+ of fraud with 100% accuracy within 5 minutes. And that's a
> > conservative guess.
> >     
> I'd be careful when quoting those stats. Check out the formulas at:
>
> http://en.wikipedia.org/wiki/Bayes%27_theorem#Example_1:_Drug_testing
>
> using Bayes' theorem when you're calculating false positives. In
> particular note how:
>
> "The rarer the condition for which we are testing, the greater the
> percentage of positive tests that will be false positives."
>   
There are classes of spam that I can block with 100% accuracy. I don't 
get rid of all spam but there are classes of spam where not a single one 
has ever made it through and no false positives. So we do this through 
testing. When we get the results we want then we go live. And if it 
doesn't work we fix it.
>   
> > I don't know what kind of detail you all want but I think that safegaurds
> > wouldn't be to hard to implement. For example, if you excluded all domains
> > over 1 yeal old and all domains that are paid up 1 year in advance they you
> > would eliminate false positives on almost all the important internet sites.
> >     
> Thanks for those specifics. I would agree with the above fully (it
> would not affect any of my domains). As I was mentioning a "6 day"
> waiting period (i.e. past the creation date), you're extending that to
> 1 year, with a "deposit" of another year as an economic signal.
>   
We'll go with what works.
>   
> > And if it does then you turn the domain back on, apologize profusely, and
> > repair the flaw that caused the problem.
> >     
> Right, that's why I've been so vocal about Afilias' .INFO policy that
> allowed it to CANCEL a domain at its discretion. Cancellation is never
> necessary (removing from the zone file is sufficient, and then that
> buys time for appeals or correcting a mistaken takedown).
>   
I'm for automated removing of the name server info and pointing it to a 
nameserver for disabled domains so that it can be quickly reversed if 
there is a mistake. Perhaps auto cancel would happen 90 days later if 
the domain isn't reinstated.
>   
> > I think if we do it right we can do it without losers. (Except of course for
> > those committing fraud. I think that we can take down a huge number of fraud
> > operations without taking down any good sites. It isn't going to get all the
> > bad guys but it will get most of them. And I think most is a good start.
> >     
> Right, that's why I'd love to have some stats on how many "bad guys"
> are using aged domains, fresh domains, etc., to really make things
> surgically targeted.
>
> It's too bad we can't (or can we?) run "experiments" with a live
> registry. e.g. I'd be really curious as to what would happen if you
> made 1/2 the .INFO domains not resolve in the first 6 days, and the
> other 1/2 resolve immediately. Say "odd" domains starting with (A, C,
> E, ....W,Y, 1, 3, 5, 7, 9) don't resolve until after 6 days, and
> "even" domains starting with (B, D, F, ... X, Z, 0, 2, 4, 6, 8)
> resolve immediately. If you found after 3 months that all the
> abusers/fast fluxers/criminals switched to "even" domains, you've
> found a choke point. Maybe some ccTLD might want to step up to the
> plate and see what happens.....
>
>
>   
We can run simulations. Create a system that creates a list of domains 
that should be shut down. Send the lists to people who verify it. Once 
the lists are 100% accurate then let the automation do the work.
But - let me refine my suggestions. I'm saying that we should:

1) Provide registry information by DNS that filtering operations can use.
2) Establish a standard reporting protocol to registries by qualified 
reporters.
I think that these two things can be done without any damage to anyone. 
(If I'm wrong tell me about it.) Then once these tools are in place we 
can do some experimenting to see what we can do with these new tools. I 
think we need an infrastructure first. So is there any reason not to do 
that?