Re: ICANN opens up Pandora's Box of new TLDs (fwd)

[Gadi Evron <ge () linuxbox org>]

I figured this discussion is best moved to funsec, as it doesn't involve 
routers and BGP.

The discussion started when I countered with "the Internet is perfect for 
plausible deniability.

        Gadi.

---------- Forwarded message ----------
Date: Sat, 28 Jun 2008 00:47:05 -0500 (CDT)
From: Gadi Evron <ge () linuxbox org>
To: Tomas L. Byrnes <tomb () byrneit net>
Cc: nanog () merit edu
Subject: Re: ICANN opens up Pandora's Box of new TLDs

On Fri, 27 Jun 2008, Tomas L. Byrnes wrote:
> I just know who should be held for further processing @ the gate.

This is getting off-topic, so let's continue the discussion for a couple more 
emails to see if we can bring it back on-topic to network operations, and then 
stop if not?

> Which is good enough, in this case.
>
> "What is the object of defense? Preservation. It is easier to hold
> ground than take it. . .  defense is the stronger form of waging war"
>
> Carl Von Clausewitz

Which, while valid in many cases, some of them on the Internet, is in most 
online cases--false. This is a statement by someone much lesser than 
Clausewitz--me.

It is however, an educated opinion, and chronologically up to date.

Attack is a much easier form of fighting, online (let's leave war out of it). 
For the sake of logic I will base this on two discussion points:

In security, all you need to attack is one hole, one vulnerability. As a 
defender you need to defend against everything, anywhere. This is why risk 
analysis exists, which brings us to another point from Karl--

Changing the words to fit our needs, Clausewitz also believed wars are won by 
numbers, if you have more you win (Think the American Civil War). Strategy 
starts when you have less numbers, by where you choose to apply your 
forces--where it counts. Tying it with the point above is the basics of risk 
analysis in military terms.

In security and information warfare, whlle numbers are "nice to have" and make 
operations larger and more sophisticated--they are not necessary, our rivals 
may be just a kid the same as they can be a nation-state. The cost of entry is 
low, anonymity is potentially (under the right conditions) assured.

In my article for the Georgetown Journal of International Affairs on the war in 
Estonia, I mentioned how Martin van Creveld said decades ago how we will be 
facing "organizations" rather than just countries. He was laughed at and later 
obviously vidincated (think terrorism as one example).

Today it's much worse than that, and I state the game can be played by 
individuals, ad-hoc groups and populations (not necessarily under any flag or 
leadership, think Estonia).

        Gadi.


> > -----Original Message-----
> > From: Gadi Evron [mailto:ge () linuxbox org]
> > Sent: Friday, June 27, 2008 8:33 PM
> > To: Tomas L. Byrnes
> > Cc: Christopher Morrow; Roger Marquis; nanog () nanog org
> > Subject: RE: ICANN opens up Pandora's Box of new TLDs
> >
> > On Fri, 27 Jun 2008, Tomas L. Byrnes wrote:
> > > These issues are not separate and distinct, but rather related.
> > >
> > > A graduated level of analysis of membership in any of the sets of:
> > >
> > > 1: Recently registered domain.
> > >
> > > 2: Short TTL
> > >
> > > 3: Appearance in DShield, Shadowserver, Cyber-TA and other
> > sensor lists.
> > > 4: Invalid/Non-responsive RP info in Whois
> > >
> > > Create a pretty good profile of someone you probably don't want to
> > > accept traffic from.
> > >
> > > Conflation is bad, recognizing that each metric has value, and some
> > > correlation of membership in more than one set has even
> > more value, as
> > > indicating a likely criminal node, is good.
> > >
> > > YMMV.
> > >
> > > I guess, if you have perfect malware signatures, code with
> > no errors,
> > > and vigilance the Marines on the wire @ gitmo would envy, you can
> > > accept traffic from everywhere.
> >
> > Not quite, because you still won't know who to send the Marines to
> > kill.
> > The Internet is perfect for plausible deniability.
> >
> >      Gadi.
> >
> > > > -----Original Message-----
> > > > From: Christopher Morrow [mailto:morrowc.lists () gmail com]
> > > > Sent: Friday, June 27, 2008 7:23 PM
> > > > To: Roger Marquis
> > > > Cc: nanog () nanog org
> > > > Subject: Re: ICANN opens up Pandora's Box of new TLDs
> > > >
> > > > On Fri, Jun 27, 2008 at 4:32 PM, Roger Marquis <marquis () roble com>
> > > > wrote:
> > > > > Phil Regnauld wrote:
> > > > > apply even cursory tests for domain name validity. Phishers and
> > > > > spammers will have a field day with the inevitable namespace
> > > > > collisions. It is, however, unfortunately consistent with ICANN's
> > > > > inability to address other security issues such as fast
> > flush DNS,
> > > > > domain tasting (botnets), and requiring valid domain contacts.
> > > >
> > > > Please do not conflate:
> > > >
> > > > 1) Fast flux
> > > > 2) Botnets
> > > > 3) Domain tasting
> > > > 4) valid contact info
> > > >
> > > > These are separate and distinct issues... I'd point out
> > that FastFlux
> > > > is actually sort of how Akamai does it's job (inconsistent dns
> > > > responses), Double-Flux (at least the traditional DF) isn't though
> > > > certainly Akamai COULD do something similar to Double-Flux (and
> > > > arguably does with some bits their services. The particular form
> > > > 'Double-Flux' is certainly troublesome, but arguably
> > TOS/AUP info at
> > > > Registrars already deals with most of this because #4 in your list
> > > > would apply... That or use of the domain for clearly illicit ends.
> > > > Also, perhaps just not having Registrar's that solely deal in
> > > > criminal activities would make this harder to accomplish...
> > > >
> > > > Botnets clearly are bad... I'm not sure they are related
> > to ICANN in
> > > > any real way though, so that seems like a red herring in the
> > > > discussion.
> > > >
> > > > Domain tasting has solutions on the table (thanks drc for
> > > > linkages) but was a side effect of some
> > > > customer-satisfaction/buyers-remorse
> > > > loopholes placed in the regs... the fact that someone figured out
> > > > that computers could be used to take advantage of that
> > loophole on a
> > > > massive scale isn't super surprising. In the end though,
> > it's getting
> > > > fixed, perhaps slower than we'd all prefer, but still.
> > > >
> > > > > I have to conclude that ICANN has failed, simply failed,
> > > > and should be
> > > > > returned to the US government.  Perhaps the DHL would at
> > > > least solicit
> > > > > for RFCs from the security community.
> > > >
> > > > I'm not sure a shipping company really is the best place
> > to solicit...
> > > > or did you mean DHS? and why on gods green earth would you
> > want them
> > > > involved with this?
> > > >
> > > > -chris
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.