[anti-abuse-wg] Spam under protection. Believe it or not!

In message <1E574209-1163-488E-92A1-65BB7CA53A30 at blacknight.com>, you wrote:

>Using abusive language and misinformation along with hyperbole doesn't do
>you or this group any favours

If anything I've said constitutes "misinformation", please specify what
that was, specifically.  (I believe that everything I said was completely
and 100% accurate, like for example my statement that ICANN is effectively
run by the registrars.  This is in contrast to your own inaccurate
misinformation that it is not.)

>If you want to discuss anti-abuse issues and policy I'm more than happy

When it comes to policy matters relating to routing (and, for example
bogus route announcement) this mailing list is occasionally helpful.
However for most other kinds of "anti-abuse issues" there's almost no
point in discussing these, either here or elsewhere, because the game
is rigged, and the Powers That Be (e.g. ICANN) have already and long ago
decided that they simply don't WANT the problem(s) solved.  It is not
in their economic interests to have them solved.

>I don't see why you or anyone else needs to use offensive language
>and ad hominem attacks.

I use offensive language because *I* am offended... just as the original
poster who started this thread was (and is)... about the fact that so
many players (i.e. corporations) that make their daily bread on the
Internet are either profiting from network abuse, or else are knowingly
turning a blind eye to it.  (This is, you may recall, _exactly_ what
the original poster was outraged by, i.e. the complicity and duplicity.)

As regards to "ad hominem attacks", I haven't made any... but you can be
sure that you will know clearly when and if I ever do.  (There won't be
any ambiguity, I assure you.)  I have not attacked the character, motivations,
or ancestry of either you or anybody else on this list, and I have no plans
to do so.  There is neither any need nor any point to that.  I have however
made some pointed statements about various *corporations* (as did the
original poster), and will continue to do so, even though that also should
not be necessary.  Just as the original poster pointed out, in these kinds
of cases, the facts speak for themselves.

>We may not agree, but I'm always happy
>to engage in intelligent and robust debate.

Please begin, whenever you feel ready.  But don't start off with provably
silly statements like "ICANN is not controlled by the registrars".

Has there ever been a single decision taken by ICANN which they felt
they could get away with (i.e. without being sued to hell and back) that
WAS NOT in the economic interests of the domain registrars?  If so
please describe it, because it will be news to me (and to many others
also, I'm sure).

This whole sordid scheme about anonomous donmain registrations is a
case in point.  When a few greedy registrars first proposed it, even
the villiage idiot could have predicted that it would have been used
100 or 1,000 times as often by crooks, criminals, and spammers as it
would ever be used by those few rare individuals who needed a domain
name and who nontheless needed to be un-contactable, un-findable, and
un-identifiable.  And indeed, that's exactly what happened.  But the
idea sailed through the ICANN approval process.  Why?  Because the
registrars who were behind it saw just as clearly that it would be a
big money maker for them.  It wasn't a decision based on the safety,
health, happiness, or long-term well-being of the BILLIONS of individual
Internet end users affected.  It was a decison based purely on the
economic interests of the registrars.

If you want to discuss policy issues then try this:  How many more years
of this experiment (i.e. anonymized domain registrations) do we need
before we can know for certain that, on balance, ICANN's decision to
allow these criminal front man services was NOT in the best interests
of the majority of the Internet community?  More to the point, does
there exist *any* "quality control" (for lack of a better term) on
ICANN decisions?  Are any of them ever reviewed after they have been
made and implemented, you know, to see if any of them are failures and
should be recinded?  If not, why not?

And here is another policy question:  In order to deter and prevent
what might be called "sign up fraud", several companies (e.g. Google,
but there are many other examples too) have systems in place where
anyone requesting a new account must provide a working valid phone
number.  That phone number is then called, at the time of account
creation, and the person creating the new account is given a several
digit "magic code" that they must then enter into a web form in
order to complete the new account creation/registration.  This
kind of system prevents crooks and criminals from signing up for
(for example) dozens or hundreds or thousands of Google Voice
accounts at a time.  This isn't a pie-in-the-sky idea.  It is an
actual practical WORKING system.  Not in the future, but today, as
we speak.

So, there is a simple question:  If this kind of anti-fraud system
works, is practical, and is economically viable/sustainable... even
for "free" services like Google Voice... then why can't (or why
shouldn't) this exact type of anti-fraud system be applied also to
domain name registrations?

There is an obvious answer, and it coms back to just what I've already
said.  This simple and straightforward kind of perfectly workable
and marvelously inexpensive anti-fraud system will NEVER be applied
to domain name registrations for the simple reason that preventing the
fraud of multiple/numerous/thousands of domain name registrations, all
by a single party, is not in the economic interests of the registrars...
because they are currently profiting, hand-over-fist, on the thousands
or tens of thousands of provably fradulent domain registrations that
currently occur every day of the week.  Thus, this kind of idea will
surely never even find its way onto the agenda of any ICANN meeting,
let alone being seriously discussed at such a meeting, let alone being
actually implemented or used to prevent the very common fraud of snowshoe
spammers registering hundreds or thousands of domains, all on the same day.

As President John F. Kennedy once famously said "Our problems are
man-made, and they can be solved by man."  That general statement
quite certainly applies to all of the problems... hacking, phishing,
spamming, DDoSing, or whatever... that have arisen with and within
the modern Internet.  There exist technical... and often simple...
solutions to all of these problems.  However as I noted at the outset,
a lot of them (e.g. phone verification for domain registrations) won't
even be discussed, let alone actually implemented, because the people
who control the purse strings (e.g. of ICANN) have already decided
that they simply don't WANT the problem(s) solved.  As they see it,
solving these problems is not in their own economic interests.

None of this should really come as news to anybody who has been following
these problems for the past few years.  ICANN and the registrars who
fund it have no more interest in securing the domain registration
process than the NSA has in seeing all of those 0-days they have been
relying on be exposed and patched.

Ummm... well.. I take that back.  Actually, all of the domain registrars
that I personally know of *have* actually spent a lot of time, money, and bother
to fully and effectively "secure" the domain registration process... but
only to the extent necessary to insure that they have a valid name, phone
number, and credit card number for the registrant... in order to insure
that they'll get paid.

But also, as far as I know, not a single one of them requires that the
name and/or phone number that goes into the WHOIS for a domain name
matches the data given by the person (or entity) who actually paid for
the registration.  The entirely predictable result is massive and ongoing
fraud in WHOIS records... which ICANN works overtime to try to dismiss,
cover-up, sweep under the rug, and to make extremely tedious and difficult
to even report to them.  (Hint:  They don't want to know.)


Regards,
rfg


P.S.  Thirty years ago, if you had tried to invent a world-wide electronic
communications system which would perfectly serve the interests (e.g.
anonymity, deniability) of crooks, criminals, and spys, you could not,
even in your wildest dreams, have come up with a system that either
matches or surpases the modern Internet.