[At-Large] Withdraw the gun database

Derek Smythe derek at aa419.org
Thu Jan 24 23:46:01 UTC 2013


I've been reading the latest round of postings on domain WHOIS info
and privacy. This topic is by no means new and no new brilliant
suggestions have been forthcoming. In fact I have a sense of deja vu.


As such some references to comments and my response thereto. If you
would like any evidence for what I'm saying, feel free to contact me
off list. Everything here is based on actual incidents and not some
hypothetical possibility. Apologies for the long email. But the below
needs to be said on behalf of everyday innocent internet users who
have as much right as anybody else. Likewise on behalf of hard
working, dedicated LE who wish to protect those they were tasked to
protect and serve.


* Domain WHOIS details are being likened to gun registration details
and the assertion made that guns are dangerous, domains are not.

Domains are as much part and parcel of the cyber criminal's toolkit as
a gun in the hands of a dangerous criminal. In either case it takes
a person/persons behind that tool with ill intentions to use it
in a harmful way. Gun legislation is local to a country. Domains have
international reach.

Abused domains have been used to set up fraudulent web presences in
which victims have not only been defrauded, but lured into strange
countries which they were not familiar with, where they have been
kidnapped and held to ransom, tortured, raped and even murdered.
Furthermore some of these syndicates have been linked to the drug
trade, money laundering, human trafficking, prostitution and even the
funding of terrorism.

Guns and domains are both tools. I could turn around and say the gun
does not kill, it's the bullet .... which would be petty and not
constructive.

It needs to be accepted that domains can be used to deceive internet
users and in some cases that deceit can lead to mortal danger. Search
government websites, newspapers etc as well.

* The American constitution, European privacy laws etc have been quoted.

That's great for local issues. However in the cyber criminal's case he
hardly ever discloses his real location. Privacy is also abused to
gain anonymity. All too often in these cases a party living in one
country may claim a fake address in another country, the decision of
claimed residence simply being what an anonymous proxy shows in many
cases. Does the fact that he paid $10 to an offshore registrar suddenly
put him out of reach of his local LE and does it provide him the
protection of that offshore jurisdiction or the fake claimed address?
This is happening. Applying local law to a global issue could also
lead to further consequences; if you are not willing to respect our
laws regarding issues by using your laws, why should we respect yours?

How many internet users and/or registrants (really) live in the USA?
How many in Europe? Using these as an absolute in terms of this issue
will lead to fragmentation and chaos on the net. Imagine the UK and
the USA using the same highway, each using their own rules of the
road. Neither is wrong, but not appropriate at the same time on the
same highway either.

* Whois details were not designed to combat crime, infringements etc

Neither was the internet designed for crime. However why should we
suddenly limit ourselves to mechanisms other than whois details, if
despite being fake, whois details show the extent of an issue by
trending and can lead to uncovering the larger extent of
fraud/spamming/whatever?

Whois details and accuracy have become more important than ever. Right
now whois details are used to protect innocent internet users
proactively which is more than any suggestion I have heard, which is
reactive and too late.

* Whois details should be private and only disclosed to recognized LE
or their agents.

How do you identify those LE or agents? How do you stop abuse by those
parties? How would you recognize abuse of any kind? I'm sure certain
American registrars would have an issue with certain East Asia
countries. And vice versa. At best some tokenism would be present, at
worst no cooperation.

However we find registrars deliberately setting up mechanisms to
frustrate such attempts - a lawyer in Hong Kong, one in the Sudan that
will not disclose your details. In fact it's not even asked, only your
money which can be done anonymously as they point out.

This also does not scale in terms of emergency situations. The
international nature of domain registrations would dictate that a
system is available that can be queried 24 x 7. Currently we find that
international queries can take weeks. Yet the lifetime of logs on the
internet can be measured in days if we are lucky (on that front there
is clamoring for no logs in many cases).

We also find that an emergency situation in one country does not
constitute a crisis in another. This is frustrating to both LE and
private parties.

Also imagine the frustration of those waiting out the undue long
period and receiving something that equates to "Yogi Bear, Yellowstone
Park". It happens and has been discussed before.

* the law enforcement boogeyman and eastern European crime syndicate.

I wish it was a boogeyman. It is not.

Read up on Heihachi on Webalta, fake whois was manipulated by a
criminal domain and hosting reseller serving other criminals (the term
criminal qualified by competent LE and courts), the unwillingness of a
large American registrar to act despite proven fake whois and proven
harm etc. This led to Germany's largest incident of cyber crime in
history in terms of financial loss (as per German authorities). In
turn part and parcel of this was a botnet, ddos'ing and malware hosting
operation. The owner of Heihachi had been in trouble with LE before
regarding the self same issue, but became a reseller to an offshore
American registrar using fake details to do it all again.

* no curious parties/"vigilantes" should have WHOIS access / their
details should be sent to the registrant with proof of a crime being
committed.

The very same incident mentioned and similar to the previous point was
uncovered by technically savvy non-LE people looking at incidents,
connecting the dots and who had to do a lot of hard work to present
evidence of organized crime to the authorities for them to start
looking into it.

These same "curious" parties may also incidentally do a lot of the
legwork for overburdened LE in issues such as spamming, botnets,
malware, 419 and other forms of cyber-crime.

As for a crime being committed as a qualifier - that implies after the
fact and a victim. This would be a step in the wrong direction. Many
times with sufficient evidence, whois being part of that evidence
currently, a crime can be prevented.

I would also like to know whose laws will be used as a qualifier?
Already we find disparate laws regarding certain issues being
exploited in cross jurisdictional discrepancies.

* Each domain exposure request should go via a court of law or other
relevant due process.

Courts tend to be notoriously slow. The crime can last a day, a week, a
month or however long. Many times the issue continues until someone
reports it with evidence of harm being done. There would be no element
of prevention. Also which country's court should be considered
authoritative?

"A five minute crime can take 3.5 years to fully investigate and
prosecute" - quoting a comment by a hard working LE party recognized
and respected by his peers internationally, expressing his frustrations.

At whose cost? As it is currently, a $10 transfer to a registrar
grants you a free domain, SSL certificate, domain privacy and
unverified registration details, all thanks to the likes of
anonymous money transfer mechanisms, anonymous proxies and less than
honorable resellers. We are assuming that the relevant skills will be
available in each country. This seems a bit like the tail wagging the
dog.

This is also ridiculous considering the absolute amount of domain
abuse going on. This solution simply does not scale. Who has to foot
the bill for it? The victim - victimize the victim further? Tax payers
in a distant country?

Here is news to some of you that may cause a stir: LE tosses a lot of
these issues into the corner. Right now as an example 419 fraud is a
can of worms and for the bulk does not get investigated apart from
tokenism. The amounts Americans are conned out of are staggering.
Likewise victims in other countries. Education fails as these scams
are forever evolving. 419 fraud proceeds are the 2nd largest income
for Nigeria after oil. Domains are part and parcel of 419 fraud and
link incidents beautifully for investigations. Ironically these 419
gangs are not that difficult to track, trace or arrest. Yet it does
not happen. This is known and the impunity of these gangs grows day by
day. Yet as an American citizen, try and get your 419 case
investigated in the USA? Chances are great you are doomed to become
stats at IC3. Why, even the IC3, FBI, CIA etc have been spoofed many
times in 419 fraud.

* Disclosure to registrant of accurate details of anyone inquiring to
an unverified registrant.

Great! This will alert anyone committing crime that someone is on to
him and he will immediately morph into a new identity giving him a
free next round at harming internet users. Not bad for an unverified
$10 domain registration. Additionally in some countries a life is cheap.

* private persons vs public persons and privacy

The UK's Nominet has this option as an example for private parties.
All too many times we find spoofs of banks or other real or imagined
companies used in fraud and registered as private. Would this qualify
for an immediate suspension until investigated and then either
unsuspended or cancelled depending on the outcome, if implemented? Why
else have the qualifier?


There are many more comments I can make, but what is clear to me is
that a lot of suggestions are made well intentioned, but with no real
exposure to the total spectrum of domain abuse. Nor the issues facing
anyone wishing to investigate, be it LE, a private person or a
corporation. The internet was initially built on trust. Today there is
very little of it left. Unless verification can be established at all
levels, we have zero chance of ever resolving serious issues affecting
each and every one of us mentioned in the group and we are at a
stalemate. Simply covering the mess that makes up the whois database
with privacy will affect each and every internet user negatively.

We should also be careful to not make suggestions that negatively
affect the ability of those legally put there to protect us or
investigate when harm is done, yet by the same token hold them
responsible for protecting us. We are dooming them to failure. The
tendency to label LE in general terms as loose cannons should also be
measured against the tendency to start off with the registrant being
innocent. Why this unbalanced outlook? It's easier to take LE to task
than a rogue registrant. We also need to ask where the greater/lesser
harm is being done.

Think international as well. The internet has created its own
ecosystems and has seen unintentional (or perhaps not?) opportunities
being created daily to harm innocent internet users.


Derek

PS:
I still believe the Heihachi / fake German shopkeeper issue should be
turned into a case study as to show how the domain system can be
manipulated to harm innocent netizens. This would be a great
opportunity for many people to learn how cyber crime can affect each
of us, also how it could have been avoided and who the role players
are. Quite frankly this is a missed opportunity.


