At 12:21 PM +0100 on 2/9/07, Thomas Roessler wrote to a bunch of us, saying:
> On 2007-02-09 06:07:13 -0500, Neil Schwartzman wrote:
>
>> In other words, obfuscate WHOIS, it will be exploited immediately and rampantly, and we might not have a network to argue about in the ensuing days.
>
> So, there's no decent enforcement of accuracy for WHOIS data. There's rampant trade of stolen identities and credit cards that get abused to register domain names.
>
> Also, high-level domain names are pretty optional for many spamming and phishing operations. Mind elaborating a bit more as to how further obfuscated WHOIS is going to let the sky fall, and what WHOIS has to do with the recent attacks on the root servers that you chose to use as an example?
Ignoring the needlessly sarcastic tone for the moment: forensically speaking, when bad guys register hundreds or thousands of domains they do not do so one at a time. They do so in bulk, and more often than you would think they make mistakes, by referencing pieces of data that we *can* link to real-world identities. Patterns emerge, and the true face of the enemy is revealed. Should we obfuscate WHOIS, the ability of non-LEA security investigators to do their work will be hamstrung. The results will be, to say the least, deleterious.

I am truly sorry you don't see the situation on the Internet as being as critical as it is; but that's o.k., I have made it my business to alert people to what is actually happening, so thanks for the opportunity to step up onto the soapbox. The recent L.A.P./C.N.S.A. meeting in Brussels, with OECD representation, was a particularly poignant case in point. I am used to rolled eyes when I say the things I do; on a Canadian Federal Task Force on Spam the lead RCMP officer had the same reaction you did. When I related some tales of net destruction to the assemblage in Belgium during my part of the keynote speeches, there was a period of silence. Then, over the next day and a half, there were four other presentations which served to underscore my points and my contentions. By the end of the meetings there remained no-one unconvinced.

I reiterated my speech, and what some have called a manifesto published at http://www.circleid.com/posts/anti_spam_virus_trench_warfare/, at the recent MAAWG meetings in San Francisco, during a phishing session. Investigators, both LEA and non-LEA, have been able to track the origins of the botnet controllers to a specific place in Eastern Europe and tie it to a group of people. WHOIS doubtlessly aided in those investigations.
If anyone here believes the infrastructure is robust enough to mitigate such attacks, I would hasten to point out that while the commercial TLDs are indeed redundant enough to likely deal with the size of the recent attack, they were affected by as few as 100 machines. Spamthru, the source of the recent mega-spikes in spam, has been used at best to 10% of capacity. Furthermore, few if any ccTLDs are similarly configured. Bottom line: the bad guys can take out a country at will.

Tangential to the original question, but I ask you two in return: do you REALLY want to hinder investigations by obfuscating a valuable investigative tool? And, do you REALLY think things are going to get better, security-wise, over time?

-- 
==
Neil Schwartzman
Chair, Board of Directors
CAUCE Canada: The Canadian Coalition Against Unsolicited Commercial Email
Canada: +1 (514) 485-9713
US: +1 (303) 800 6345
UK: 020 8144 6345
Skype: spamfighter666
Fax: +1 (419) 793-0430
[AIM / MSN / Yahoo!]: CAUCECanada
[Web]: http://cauce.ca
See http://stopspamhere.ca for ways to prevent spam from hitting your inbox.