[funsec] WHOIS Privacy Stalemate... Again

Nick FitzGerald nick at virus-l.demon.co.uk
Thu Aug 23 22:06:36 CDT 2007


Andy Sutton wrote:

> On Thu, 2007-08-23 at 14:54 +1200, Nick FitzGerald wrote:
> > You've clearly never worked real, susttained abuse rporting...
> 
> The problem isn't with the Whois information, which is a poor way to
> identify a domain owner - and always will be for obvious reasons.  The
> issue is that netblock owners and domain registrars don't have adequate
> processes (or any real incentives) to handle abuse complaints.  This
> isn't about pinning down a website to Susy Brown, but about cleaning up
> the 'net.
> 
> Identity has little to do with it unless you are actually LE.  However,
> they have additional tools in their toolbox to deal with this issue.
> Sub-LE is a do what you can, and forward to LE what you can't do,
> proposition for very good reasons.
> 
> I get the privacy aspects, and I do think they are a real concern in
> today's era of tracking everything under the sun.  (If that makes me
> part of the tin-foil club, so be it.)  However there are alternatives
> that do not require expensive, time consuming, and ultimately futile
> Identity verification and re-certification processes to be put in place.
> 
> Relying on some unattainable method of ensuring 100% positive identity
> is a total distraction from abuse handling. 

You entirely missed my point...

The fact that currently, accurate WHOIS information is (kinda) required 
_and the bad guys want to provide anything BUT accurate Whois 
information_, means that you can leverage the bad guys use of bad WHOIS 
information against them.

Yes, it's far from perfect and gradually getting less useful, but 
deliberately hamstringing even this weak form of attack against the bad 
guys, and thus NOT being able to use it either as a lever to eventually 
clue-up the hopeless registrars, or prove the complicity of the truly 
wretched registrars, means we'd have VERY, VERY LITTLE of any use left.

_THAT_ would be a truly bad result.

I'm NOT concerned about using WHOIS data to reliably ID bad guys -- LE 
has to ID them if/when they actually get involved and get to a point 
where they may try to act against the bad guys, and as you say often 
have other, better tools for doing that, BUT a lot of useful anti-abuse 
work occurs "below" the level where LE will ever get involved and 
weakening the few already pathetically weak "requirements" the name 
system currently has will significantly reduce the possibility and 
usefulness of that sub-LE anti-abuse work.

Now, if and when better domain registration _and_ "responsibility 
tracking" methods are put in place _and seriously enforced_, we can 
happily throw away the wretched mess that is WHOIS.  BUT, I strongly 
recommend you NOT hold your breath until this happens, and in the 
meantime, please leave us the seriously weak WHOIS "requirements" that 
actually DO provide a deal of anti-abuse assistance...


Regards,

Nick FitzGerald



More information about the funsec mailing list