On Wed, Jun 05, 2013 at 06:33:16PM -0400, Rich Kulawiec wrote: > One more point: operations that are this incompetent and negligent > cannot possibly provide any real assurance of security and privacy > to their users, because their putative operators are no longer in > full control of them. Not really. Oh, they can make noises about > doing so, and they can pretend that they're doing so...but they can't. > > ---rsk > > [1] One of the most profound, useful, cogent statements on this > point comes from Paul Vixie via the NANOG mailing list: > > If you give people the means to hurt you, and they do it, and > you take no action except to continue giving them the means to > hurt you, and they take no action except to keep hurting you, > then one of the ways you can describe the situation is "it isn't > scaling well". > > This explains, in one sentence, precisely why we have a spam problem > in 2013, thirty years after the fix for it was completely understood. > > [2] One baseline test of this is to find out whether mail to the RFC-2142 > stipulated address abuse@[domain] is handled properly. Responsible, > professional operations route traffic sent to that address to a person > or a team (depending on operation size/scope) who are ready and able > to immediately investigate incidents and make the abuse stop. > Irresponsible/abuse magnet operations route it to autoresponders > and/or incompetent people, or blackhole it, or forward it to the > abusers (yes, really) or simply don't support the address.
This is a really deeply interesting assertion. You seem to imagine a bright line of "abuse" that is agreed on by all parties, with a policy that can be implemented by thoughtful operators to "make the abuse stop". I submit that that is not the real world, in many different dimensions. I operate a large Tor exit node. My provider has an abuse helpdesk which gets quite a large number of complaints due to attackers using Tor to log into freemail accounts (over SSL) where the freemail provider includes the IP of the HTTPS client in the Received (or similar) headers of their outbound spam. How is my transit provider, or myself as a Tor exit node operator, supposed to take action to stop this abuse? Even if I could, I'm certainly not going to prevent people from logging into their webmail over HTTPS over Tor. My provider notifies me when an abuse complaint is filed against my Tor exit IP address. Is my provider committing the sin you enumerated above, of "forward[ing the abuse complaint] to the abuser"? If I were running a shady business on this machine rather than a Tor exit node (which distinction is, apparently, lost on some folks), then I suspect you'd answer "yes". The abuse complaints are sometimes very questionable, resulting in signficant load on the (expensive) "person or team who is ready and able to immediately investigate" at very low cost to the complainer. -andy -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
