ICANN Email List Archives

[gnso-irtp-b-jun09]



[gnso-irtp-b-jun09] Hijacking Statistics and Urgency

  • To: "Diaz, Paul" <pdiaz@xxxxxxxxxxxxxxxxxxxx>
  • Subject: [gnso-irtp-b-jun09] Hijacking Statistics and Urgency
  • From: George Kirikos <icann@xxxxxxxx>
  • Date: Tue, 13 Jul 2010 14:24:44 -0400

Hi Paul

On Tue, Jul 13, 2010 at 1:33 PM, Diaz, Paul <pdiaz@xxxxxxxxxxxxxxxxxxxx> wrote:
> Just a quick note re: the "urgency" statistics.  Many hijacking cases are not 
> reported to ICANN Compliance because registrars work behind the scenes to 
> resolve the dispute - hence the relatively low ranking.  The sense of urgency 
> remains, however, because these cases are BIG deals for the affected parties
> and consume a lot of their resources.

(I've started a new thread) This workgroup, though, is meant to
address cases that *don't* get resolved. If all these cases are
getting resolved, how are they relevant? And even if they weren't
resolved, please quantify "many". Is it 1 million domain hijackings
per year? 5 million? 100,000? How is one supposed to weigh the
positive and negative impacts, without those numbers from registrars,
registrants, etc? Personally, I'd like to see it broken down by
registrar --- which registrars are "vaults" and which ones are
"leaking sieves"? It would probably be very educational, and would
greatly inform this workgroup.

Last week Marika reposted the issues report from last year:

http://forum.icann.org/lists/gnso-irtp-b-jun09/msg00362.html

Those same kinds of "qualifiers", looking for the data to weigh
policies, were present *in* that report, but seem to have been ignored
by the workgroup's preliminary report:

"Some of the questions that might need further consideration in a
potential policy development process include determining the extent of
the problem and whether it warrants a new policy or policy change"
(page 17)

"determining the extent of the problem" cries out for hard *data*, not
just anecdotal evidence.

"Urgency" (and qualifying it) is also hinted at:

"The circumstances which distinguish when an urgent recovery policy
may be a more appropriate action than the TDRP include:
1) Immediacy of the harm to the registrant if the transfer is not
reversed (e.g., business interruption, security incidents).
2) Magnitude of the harm, or the extent to which the incident
threatens the security and stability of parties other than the
registrant, including but not limited to users, business partners,
customers, and subscribers of a registrant’s services.
3) Escalating impact, or the extent to which a delay in reversing the
transfer (and DNS configuration) would cause more serious and
widespread incidents.
The emergency action procedures should be tested to verify they are
resilient to tampering and difficult to exploit. In particular, it
should be difficult or impossible for an attacker to effect a hijack
or interfere with a transfer under the guise of requesting urgent
restoration of a domain." (page 17)

They got it right last year, i.e. "magnitude of the harm", "immediacy
of the harm" all suggest tests to *limit* the procedure, to qualify it
to very narrow circumstances, unlike the ETRP which could be invoked
(as presently proposed) on a whim by any registrant for any domain
simply through a *claim* which could be a lie (irregardless of whether
it's a real "emergency" or not). Furthermore the workgroup did little
to make sure that the ETRP is "difficult to exploit", i.e. "it should
be difficult or impossible for an attacker to effect a hijack or
interfere with a transfer under the *GUISE* of requesting urgent
restoration of a domain."

So, folks were *aware* of the potential for this reverse hijacking
issue, i.e. clawbacks.

Can you now understand why it makes me angry that I even had to join
this workgroup, when it could have dealt with this issue in the
preliminary report, simply following up on that stuff from last year?
But no....instead I read statements like:

http://forum.icann.org/lists/gnso-irtp-b-jun09/msg00285.html

"In short, I think we should consider going forward with an alternate
version that doesn't include a means to dispute the ETRP.  I say this
with full acknowledgment to the problems that Michael, Kevin, Barbara
and others have identified, and the efforts of the Working Group to
address them.  But the "ETRP Dispute" contains some fundamental flaws
that could derail our entire proposal."

(and one can re-read the entire message, to see if I "pulled it out of
context") How can one reconcile the issues report with the "rush to
push through a half-baked policy", and cut off public input to boot?
That's why I felt compelled to join this workgroup, albeit as a
"second class citizen" in some people's eyes.

So, I'll leave with one question, which should have been asked a long time ago:

(1) Where are all the detailed domain name hijacking statistics?

This goes to the question A of this charter, i.e. "Whether a process
for urgent return/resolution of a domain name should be developed". To
pass that question, it wouldn't be enough to have just the stats,
though. One would also need to demonstrate that no superior process
exists (e.g. court system, choice of a secure registrar to begin with
by the registrant, choice of other security policies that are
proactive rather than reactive, having registrars be held legally
responsible for damages, and other alternative policy choices).

Sincerely,

George Kirikos
416-588-0269
http://www.leap.com/



