RE: [gnso-ff-pdp-may08] Comment References, Interim Conclusions and Next Steps

[Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>]

This feels like the movie "ground hogs day," going over and over the 
same material time after time after time. 

I thought the draft report was it for most of the big arguments, subject
only to the addition of a chapter discussing public comments, but I see
that's not the case, and now we find ourselves re-hashing all those fun
old arguments again. Whee!

Like one of my kid's favorite cartoons says, I guess this is a case 
where whoever has the greatest endurance prevails in some meetings.

Ah well. On to the matter at hand:

Greg mentioned:

#2) Mike's edits at the end of the document change the meaning and purpose in
#a manner not agreed to by the WG.  James's draft accurately reflects the
#WG's discussion of how it wanted a way for people to "submit potential fast
#flux domains for consideration by the working group" as part of its
#research.  Mike has changed the draft to state that the WG wants ICANN to
#create a reporting system for "parties that might take action against
#illegitimate or illegal activity."  Those are two very different things.
#
#Mike's change should be stricken.   The FFWG has never endorsed the idea
#that ICANN create a WPDRS-like service for fast-flux, 

Simply factually incorrect. Grab a copy of 
gnso.icann.org/issues/fast-flux-hosting/fast-flux-initial-report-26jan09.pdf
and grep for WDPRS

On PDF page 53 as part of potential next steps you'll see:

  "FFDRS (Fast Flux Data Reporting System)

  "Collection of data about fast flux is an integral part of the work of 
  this group, and the  foundation for future analysis of the fast flux 
  issue. Currently there is no publicly available  formal mechanism for 
  members of the community to submit potential fast flux domains  for 
  consideration by the working group. The Whois Data Problem Reporting 
  Service  (WDPRS), see http://wdprs.internic.net/, is an excellent 
  example of a existing public  domain name-related data submission 
  mechanism similar to what the Working Group  might consider, albeit one 
  that is focused on Whois data problems rather than the fast flux 
  problem. Another example of a public cyber-security-related domain name 
  problem  submission portal is Phishtank, http://www.phishtank.com/.";

Greg also commented, with regard to ICANN collecting data on fast flux:

#I wonder if the thing would tell us anything new, and I wonder if any of us
#honestly has the time to verify and sift the data.  There's no reason to
#spend time and money on something that is not needed or might not be used.

And by avoiding the collection of data, we'll insure that the fast flux
problem remains murky, poorly understood, and unremediated. Nothing 
helps fix a problem quite like examining it under a bright light, and 
that requires data.

If ICANN collects the data and makes it available to the network 
research community, I guarantee folks will look at it and analyze it. 

I know that some people don't want the bright light of public scrutiny
put on fast flux methods, but I'd prefer to get the data and let the
rest sort itself out. 

Finally, Greg also commented:

#I think it
#should read: "Successful mitigation of any single technique is not likely to
#change the macro environment for Internet fraud and abuse -- every attack
#that is enhanced by the use of fast flux techniques could be pursued without
#them, but possibly at higher cost or effort for the attacker." 

By that logic, all attempts at mitigation are pointless or out of scope 
since the nature of cyber crime is persistent agility in the face of hostile 
action by the authorities or other good guys. 

There are some techniques, however, that cyber criminals REALLY like, 
and prefer to use when they can. Fast flux is one of them. No cost to 
do your hosting. Robust to any single compromised system going down. 
No pesky financial records subject to backtracking in follow-the-money 
attacks by the authorities. Scales well....

Can miscreants recover from potential loss of fast flux hosting methods?
Yes, but loss of fast flux hosting would still hurt at least some of 
them a LOT. 

It would be a real mistake to back away from action against fast flux.

Regards,

Joe

Disclaimer: all opinions strictly my own