[anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity
ox
andre at ox.co.za
Wed Jan 4 06:00:26 CET 2017
Hello Suresh,

Whether this wg makes any difference, or not, is completely up to each
and every one of us.

It is Simon's choice to simply say that the fact that the Internet
Standards promote fraud, is "my position"

We live in a post-truth era. Facts do not matter so much anymore if the
spin is good.

The truth is that if nobody in the wg stands up, discusses this very
serious situation and we all simply go on with our lives, then we will
reap what we sow. In a few years the fruits will become ripe - they
will be bitter and very difficult to challenge or change

If however someone is able to communicate the very technical issues, in
easier or better ways, maybe we can galvanize people that do not
understand abuse as well as most of us do, and that these "anti abuse"
system of "dns firewalls" are fake reasons for 'walled gardens' and
criminal activity.

"dns firewalls" is not a real thing - quite obviously a zone file can
end up having trillions of entries, etc etc etc - I have not even shot
my load about how stupid the argument of "DNS Firewalls" truly are and
I can literally speak for a few hours about how stupid the idea is. I
was waiting for someone, also with 25 years of DNS devsysop experience,
to take me on.

Anyway, there is no other argument for the need to create DNS standards
that promote LYING/STEALING/THEFT/FRAUD

We, as an Abuse community need to talk about what is going on, we need
to understand the issues, both technically, ethically, morally and
truthfully - And then we need to stand up and destroy the EVIL forces
that are peddling this rubbish in this insidious, nefarious and slowly
slowly fashion.

Never mind the Paul Vixie name, never mind the multinational(s) never
mind the authoritative powers.
Andre

On Tue, 3 Jan 2017 21:36:58 +0530 Suresh Ramasubramanian <ops.lists at gmail.com> wrote:
> And that blinkered attitude, ladies and gentlemen, is an example why
> this wg won't ever achieve anything much at all
>
> --srs
>
> > On 03-Jan-2017, at 6:44 PM, Simon Forster <simon-lists at ldml.com>
> > wrote:
> >
> > Andre
> >
> > Your rhetoric makes it quite clear that you have taken a position
> > and will stick to it. That’s fine. We’ll just have to agree to
> > disagree.
> >
> > All the best
> >
> > Simon
> >
> >> On 3 Jan 2017, at 10:30, ox <andre at ox.co.za> wrote:
> >>
> >> On Tue, 3 Jan 2017 10:07:36 +0000
> >> Simon Forster <simon-lists at ldml.com> wrote:
> >>> Hello Andre
> >>>
> >> Hello Simon,
> >>
> >>> An interesting take on a mechanism that’s been available for
> >>> close to 7 years now
> >>
> >> And, from the first DNS servers there has been people that has
> >> resolved example.com to whatever IP they choose... so what?
> >>
> >> Many large ISP's resolve sadfgsdjfgn4563456346.com to their own
> >> home page (or a "register this domain") page -- even though
> >> whatever question was asked - is not registered at all.
> >>
> >> When it becomes a "STANDARD" (ACCEPTABLE) and nefarious behavior is
> >> suddenly "the way things work" - then this is of serious concern.
> >>
> >> Your reply, in a nutshell is: "This is the way things work, there
> >> is nothing wrong with it and if you do not like it setup your own
> >> resolvers"
> >>
> >> My objections are easy: Defining a clear standard on how DNS tells
> >> lies to users, and different lies to different users, depending on
> >> which user is doing the asking, and then hiding the truth of your
> >> lies from your users, is EVIL!
> >>
> >> Allowing the easy management of "private Internet" in as a
> >> standard, is EVIL
> >>
> >> RPZ is the start of the end of the open and free Internet.
> >>
> >>> Largely I believe you’re on the wrong track with your post — at
> >>> pretty much every level. Response Policy Zones (RPZ’s aka DNS
> >>> firewalls) are a powerful tool to allow individuals,
> >>> organisations or society better to control access to the darker
> >>> corners of the internet. As per Vixie’s original paper (see above
> >>> reference), this can circumvent a lot of harm for the average
> >>> user.
> >>>
> >>
> >> as I said: trillions of domain names can resolve to ONE ip number.
> >>
> >> a "DNS firewall" is a silly technical argument against abuse.
> >>
> >> What is of concern is "private" internets and this "standard"
> >> allowing easy management of lies - and then doing it in the dark,
> >> so that users have no way of knowing that they are being lied to
> >> (or "protected")
> >>
> >>> As with any powerful tool, it can be used with ill intent but
> >>> overall, this is a useful addition to an organisation’s security
> >>> arsenal.
> >>>
> >>
> >> Distributing hacker and cracker tools is also fine, I guess. But
> >> it is very wrong to define actual standards for how to break into
> >> servers and networks. - And making that a standard.
> >>
> >>> You express concerns wrt governments. Governments have a tendency
> >>> to do what they want to do irrespective of the tools
> >>> available to them — after all, compliance with their rules is not
> >>> their problem, they just need to prosecute those that fail to
> >>> follow the new rules.
> >>>
> >> Also, it allows and empowers dictators (AND CRIMINALS) - and now
> >> the dictators can say: This is a "standard" the Internet community
> >> accepts that this is the methods and protocols for "protecting" my
> >> "users"
> >>
> >> Yes, Governments do what they want - but defining a standard on
> >> how to tell lies and in such a way that your "users" do not know
> >> if they are being lied to - is nefarious and evil.
> >>
> >> Your objection to my allegations are quite suspect as you have not
> >> mentioned one single technical reason why making this EVIL method
> >> of operation is not abuse?
> >>
> >>> Irrespective of any philosophical objections you’re throwing out
> >>> here, the resolution to your problem is incredibly simple — run
> >>> your own recursive resolver. In this day and age an incredibly
> >>> simple thing to do (which is another, markedly different problem).
> >>>
> >>
> >> Sure, and run my own Internet?
> >>
> >> This is exactly the point.
> >>
> >>>
> >>>> On 2 Jan 2017, at 06:48, ox <andre at ox.co.za> wrote:
> >>>> Hello,
> >>>>
> >>>> I wish everyone a prosperous & productive 2017
> >>>>
> >>>> I wish to cast light on an abuse issue that has the potential to
> >>>> effect, affect and impact the entire Internet
> >>>> As among the proponents of this abuse are certain Government
> >>>> Security Agencies and many other powerful forces, I beg with you
> >>>> to attempt to understand how the changes being effected right
> >>>> now, also affects yourself right now and how it will affect you
> >>>> in the future.
> >>>> My idea with this post is three fold, firstly, to educate,
> >>>> secondly to open discussion and thirdly to agitate for change.
> >>>> DNS Abuse
> >>>> ----------------
> >>>> Sometimes abuse is creeping, like weed in a garden it becomes
> >>>> more and more and more and does not just happen overnight. In
> >>>> fact, it is so creeping that we do not really see the weeds as
> >>>> we have become used to seeing them.
> >>>>
> >>>> Just because there are so many weeds, it does not change the fact
> >>>> that they are weeds and, in a well maintained garden, they need
> >>>> to be eradicated for the well being of all the plants in the
> >>>> garden.
> >>>>
> >>>> To understand how this is even abuse, and how this will change
> >>>> your own life and the Internet in the future, you need to also
> >>>> understand some basic facts. The arguments for, against the
> >>>> standards, the basic tech concepts, the functional aspects and
> >>>> then understand why this is actually abuse and not just an evil
> >>>> movement, evil standards or generally just plain old evil.
> >>>>
> >>>> Some important concepts in order to understand the technical
> >>>> logic and the "explained purpose" and then, importantly, "the
> >>>> real purpose" of the abusers:
> >>>>
> >>>> Trillions of domain names can resolve to a single ipv4 ip number
> >>>> So, you could have ex.example.com and ex1.example.com and
> >>>> cat.example.com - and have the same for unlimited names from
> >>>> unlimited TLD to a SINGLE ip number.
> >>>>
> >>>> All Domain names are intellectual property - yes, even
> >>>> abc.dsrtif.dsaurthp.example.com
> >>>>
> >>>> If a DNS server is asked for an IP number for google.com and it
> >>>> answers 127.0.0.1 to one user and 0.0.0.0 to a different user
> >>>> (makes up its own answers) - This is simply fraud. as google.com
> >>>> is a trademark.
> >>>> (replace google.com with apple.com or ibm.com facebook.com or
> >>>> any.example.com)
> >>>>
> >>>> The proponents of DNS abuse argue that they are 'protecting'
> >>>> innocent users by using DNS as a 'firewall' to create 'walled
> >>>> gardens' and to respond to one ip number for a certain set of
> >>>> users and a different ip number for different sets of users
> >>>>
> >>>> Of course, this argument is fatally flawed as per my example
> >>>> above. Their response is that there is sometimes multi homed ip
> >>>> numbers (100 domains on a single ip number) and that blocking
> >>>> per ip number blocks innocent domains as well.
> >>>>
> >>>> In order for you to form your own opinion you need to know that
> >>>> the majority of DNS servers use the same software and that there
> >>>> are new standards being introduced to formalize Internet Fraud.
> >>>> This Internet Fraud empowers African Dictators to easily justify
> >>>> 'walled garden' countries and is set to revolutionize your own
> >>>> Internet access. It also empowers, facilitates and allows easy
> >>>> management to aggressive ISP's, multi nationals and many
> >>>> nefarious groups and people to manage their activities. So, not
> >>>> only does the new software 'functionality' exist, but it is
> >>>> being legitimized and formalized by https://www.ietf.org/
> >>>> (whom, ironically, states:The goal of the IETF is to make the
> >>>> Internet work better.)
> >>>>
> >>>> In a nutshell, the above illustrates that the DNS software used
> >>>> by almost all of the Internet is to have functionality that
> >>>> allows DNS operators to LIE to users, but to lie one lie to
> >>>> some/certain users and another LIE to different sets of users
> >>>> (depending on whom is doing the asking)
> >>>>
> >>>> That is not all...
> >>>>
> >>>> It also allows the DNS operators to hide the truth of these
> >>>> lies...
> >>>>
> >>>> and that is not all...
> >>>>
> >>>> The https://www.ietf.org/ is set to legitimize this nefarious
> >>>> behavior under the flag of decency and good Internet operations.
> >>>>
> >>>> So, it would be perfectly fine and acceptable for everyone to
> >>>> start doing this, as it will be a 'standard'
> >>>>
> >>>> What this means for you: The future Internet will not be free and
> >>>> open.
> >>>>
> >>>> Engineers supporting a non functional and fatally flawed
> >>>> approach to abuse is an indication of a far more serious problem
> >>>> - you need to think about that for yourself, and what that means.
> >>>>
> >>>> Of course, this in itself is abuse. This entire situation is
> >>>> Internet Abuse and needs to be discussed as abuse.
> >>>>
> >>>> Andre
> >>>>
> >>>> --
> >>>> more technical information:
> >>>> https://tools.ietf.org/html/draft-vixie-dns-rpz-00
> >
>