[ssac-gnso-irdwg] New comments
- To: Ird <ssac-gnso-irdwg@xxxxxxxxx>
- Subject: [ssac-gnso-irdwg] New comments
- From: Steve Sheng <steve.sheng@xxxxxxxxx>
- Date: Mon, 14 Mar 2011 18:16:56 -0700
Comments on the Interim Report of the Internationalized Registration Data
Working Group
* To: ird-wg-report@xxxxxxxxx
* Subject: Comments on the Interim Report of the Internationalized
Registration Data Working Group
* From: Rod Rasmussen <rod.rasmussen@xxxxxxxxxxxxxxxxxxxx>
* Date: Mon, 14 Mar 2011 10:27:30 -0700
________________________________
On behalf of Internet Identity, an Internet Security company that routinely
deals with abuse and criminal activities that utilize the domain name system
around the world, we would like to thank the IRD Working Group for their work
on this issue. While only responding on behalf of our own company, we work
with several industry organizations and international law enforcement agencies
who we believe share similar experience and uses for whois data.
Over the years we note that the uses for whois data have expanded and changed,
and with hundreds of millions of domains in existence, diversity of domain
registrants and the uses they have for domain names are rich. Unfortunately, a
great deal of criminal activity and various abuses have also grown rapidly over
the past few years, from spam to phishing, malware, botnets, and a host of
fraudulent schemes. In a large percentage of cases, criminal elements directly
use the domain name registration system to create presences to lure victims or
to command vast infrastructures of botnets. To an even greater extent, they
compromise, hack into, and/or hijack other people's legitimate online
presences, subverting them for any and all of their nefarious uses, which turn
domain names that are providing good and valuable information or services into
platforms for abuse.
Whois services have been a valuable tool in the fight against criminal abuse.
First, they are often used to identify bad actors, or at least their oft-used
online aliases, and being able to correlate across several domain spaces (from
one TLD to another) is an invaluable research tool for building cases. Some of
the largest criminal cases pursued in the phishing space for example have been
greatly augmented by researchers tying evidence together based on registrant
information for domains used in abuse and domains used for nameservers of
fast-flux hosting. The traditional use of ASCII has aided in these efforts, as
it allows investigators to quickly and in some applications, automatically link
incidents together. Given the scale of many of these cases, automation and
data-mining are necessary to have any hope of providing effective research in
real-time to identify bad actors and their resources.
These factors augur for a solution that includes the "must be present"
requirement as put forth in your report. To the extent possible, this should
be accurate and consistent between various TLDs.
A second major use for whois data in our work is to be able to quickly contact
owners of websites, mail servers, and other online presences where criminals
have hacked into those servers and are using them for active criminal
operations. Whois thus serves one of its original purposes well in this
instance (when it is accurate and non-hidden) which is to allow for people to
inform the operator of a domain that they have a problem that is affecting
other Internet users. While our team has a diversity of language speakers on
it, we typically speak English and are able to take advantage of ASCII based
whois data to quickly be able to reach out to affected registrants and
providers. We note though that
several CERT teams exist throughout the world where the native language of the
team is neither English nor the native language of the Internet presence they
are trying to alert to a problem. Thus having some type of mutually understood
contact information within the whois for a domain is needed. In some cases,
particularly anti-spam operations, many companies utilize tools for automatic
notification based on whois data - either IP or domain - based on the type of
incident.
We would also note that while a domain registrant may intend to only use their
domain "locally" or interact with people in their native script, the nature of
the Internet itself means that any domain provisioned on it is available
universally so is international in scope irregardless of intent. There just
isn't a local use only option for domains so any registration you make is in
all practicality, international in its nature.
Again, these factors create a need for a "must be present" requirement, and
this is largely for the benefit of the domain registrant whose assets have been
compromised.
Several options were presented in your document that include some way of
providing whois data in a universally understandable way, and all had pros and
cons. Without picking favorites, we would note a few things:
1) Any methodology needs to be as universally consistent as possible in order
to provide the most benefit to everyone in the ecosystem. Whether by
designating centralized systems, stricter standards, or some other mechanism, a
primary goal should be to assist in making handling of whois data scalable
across TLD spaces.
2) The registry for a TLD is likely the logical place to implement standards.
This could be accomplished via many methods from providing actual operations to
required contract policy to registrars or registrants (depending on the TLD
model). We're agnostic about how this gets done, but it seems that if you're
going to shoot for a universal standard to the extent possible, the registries
are going to have to be involved at some level.
3) Large distributed systems for handling identification of people and places
around the world already exist in the postal and parcel delivery systems.
Companies like Fedex, DHL, UPS, and others have "solved" many of the issues
that are being discussed in the paper in order to allow for people all around
the world to send each other items in just a day, no matter what country they
reside in and different languages they speak. This requires a massive amount
of automation in their data systems, dealing with many of the issues described
in the report. We would urge working with these kinds of organizations to
leverage standards and techniques they've already spent a great amount of time
and resources to develop.
In conclusion, we believe this paper has helped better define the issues and
present some solution paths, but could be greatly augmented by leveraging the
experience of industries that handle these issues at large scale on a daily
basis to better inform the community on directions to take going forward.
Thank you for your consideration of our comments.
Regards,
Rod Rasmussen
President/CTO
Internet Identity