Re: [anti-abuse-wg] Seeking Input on the Future of the Anti-Abuse Working Group

[Serge Droz via anti-abuse-wg]

That's fine. The WG can make suggestions, RIPE NCC considers this, and 
if necessary asks the members, possibly explaining, or asking the WG to 
explain why the change makes sense. Most people are sensible.


I don't see where there is a problem.

Best
Serge

On 13.05.24 16:11, Michele Neylon - Blacknight wrote:

Suresh

It might be helpful to discuss this with them. I’m sure there are 
**some** things that they could do without putting it to the members, 
but there’s a lot of things that would need member agreement in order to 
change.


Regards

Michele

--

Mr Michele Neylon

Blacknight Solutions

Hosting, Colocation & Domains

https://www.blacknight.com/ <https://www.blacknight.com/>

https://blacknight.blog/ <https://blacknight.blog/>

Intl. +353 (0) 59  9183072

Direct Dial: +353 (0)59 9183090

Personal blog: https://michele.blog/ <https://michele.blog/>

Some thoughts: https://ceo.hosting/ <https://ceo.hosting/>

---

Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business 
Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845


I have sent this email at a time that is convenient for me. I do not 
expect you to respond to it outside of your usual working hours.


*From: *anti-abuse-wg  on behalf of 
Suresh Ramasubramanian 

*Date: *Monday, 13 May 2024 at 14:44
*To: *Serge Droz 
*Cc: *anti-abuse-wg@ripe.net 
*Subject: *Re: [anti-abuse-wg] Seeking Input on the Future of the 
Anti-Abuse Working Group


*[EXTERNAL EMAIL]*Please use caution when opening attachments from 
unrecognised sources.


RIPE NCC doesn’t really need member input or consensus to change a lot 
of this. Certainly not in tightening or enforcing due diligence 
procedures rather than charging 50 euro an ASN


—srs



*From:*anti-abuse-wg  on behalf of Serge 
Droz via anti-abuse-wg 

*Sent:* Monday, May 13, 2024 7:03:18 PM
*Cc:* anti-abuse-wg@ripe.net 
*Subject:* Re: [anti-abuse-wg] Seeking Input on the Future of the 
Anti-Abuse Working Group


Hi Michele


RIPE currently does not have the power to do a lot of things. The WG 
cannot magically change that.



This is the old merry go round.

Maybe RIPE NCC needs to change certain things, or it will be changed for
them. The WG could provide guidance and suggest possible avenues where
RIPE needs/should change. RIPE can then still ignore that. Believe it or
not: Organizations can change.

So if you say you don't want to discuss this, fine. But don't blame it
RIPE not being able to change.

Best
Serge

--
Dr. Serge Droz
Member, FIRST Board of Directors
https://www.first.org <https://www.first.org>

--

To unsubscribe from this mailing list, get a password reminder, or 
change your subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg 
<https://lists.ripe.net/mailman/listinfo/anti-abuse-wg>




--
Dr. Serge Droz
Member, FIRST Board of Directors
https://www.first.org

--

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

Re: [anti-abuse-wg] Seeking Input on the Future of the Anti-Abuse Working Group

[Serge Droz via anti-abuse-wg]

Hi Michele


RIPE currently does not have the power to do a lot of things. The WG 
cannot magically change that.



This is the old merry go round.

Maybe RIPE NCC needs to change certain things, or it will be changed for 
them. The WG could provide guidance and suggest possible avenues where 
RIPE needs/should change. RIPE can then still ignore that. Believe it or 
not: Organizations can change.


So if you say you don't want to discuss this, fine. But don't blame it 
RIPE not being able to change.


Best
Serge

--
Dr. Serge Droz
Member, FIRST Board of Directors
https://www.first.org

--

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

Re: [anti-abuse-wg] Seeking Input on the Future of the Anti-Abuse Working Group

[Serge Droz via anti-abuse-wg]

Hi Nick

I agree. But what you are saying, is that the WG should continue having no 
tangible effect, because the status quo is more important than getting out of 
one's comfort zone. 

Meanwhile others will, in my opinion, push for policy change. And these others 
likely lack crucial insight, i.e. will produce policies that have undesirable 
side effects. 

The question was if we want to recharter this WG, so I answered what I felt 
merits the name. 

I like the training the WG produced in the past, but I don't remember much else.

If we want to make a concrete contribution to fighting abuse, we may have to 
leave our comfort zone. The internet and the world it lies within has changed 
considerably in the past years. This would suggest we should too. 

But I think I made my point by now, and I realise it's not a comfortable one. 

Best 
Serge

On 10 May 2024 11:57:44 UTC, Nick Hilliard  wrote:
>Serge,
>
>there's been extensive debate on AAWG over the years about the principles 
>behind your additional suggestions below, but very little consensus. If 
>sanctioning is added to the charter of a new security-wg, this lack of 
>consensus is likely to continue, and the only outcome will be that the WG will 
>be distracted from other productive output. I understand why you might want it 
>in there, but punitive action is not within the remit of the RIPE NCC. 
>Similarly on point 2, advocacy is important, but requirement / enforcement is 
>out of scope for both the RIPE Community and RIPE NCC.
>
>Nick
>
>Serge Droz via anti-abuse-wg wrote on 10/05/2024 07:21:
>> 
>> Hi Leo
>> 
>> It's more about sharpening the focus. I colored this red below. I feel 
>> eventually the RIPE NCC must adapt stronger policies to punish non-action or 
>> disregard of action. I think it would be better if this WG comes up with 
>> such policies which the RIPE NCC can then adopt (or not) rather than the 
>> RIPE NCC having to react to external pressure, e.g. from policy makers, in 
>> particular the EU. I'm sure one can formulate this much better. I firmly 
>> believe, that there is no way around stronger regulation, and I'd much 
>> rather see this coming from this community than form the outside. The 
>> regulators i see and work with are increasingly irritated and react with 
>> totally inadequate demands, which I wont reproduce here.
>> 
>>  1. Identifying and analyzing emerging security threats and
>> vulnerabilities affecting Internet infrastructure.
>>  2. Collaborating with stakeholders, in particular the RIPE community,
>> to develop and advocate and implement best practices, guidelines,
>> and standards for securing Internet resources.
>>  3. Facilitating information sharing and cooperation among network
>> operators, law enforcement, and relevant entities to mitigate
>> security risks.
>>  4. Providing education, training, and outreach initiatives to raise
>> awareness of security issues and promote best practices adoption.
>>  5. Develop policies recommendations to the RIPE NCC that help
>> enforcing good behavior and sanction disregard for faccepted
>> security standards. This includes the definition of acceptable
>> minimal standards.
>> 
>> Best regards
>> Serge
>> 
>> On 09.05.24 21:39, Leo Vegoda wrote:
>>> Hi Serge,
>>> 
>>> On Thu, 9 May 2024 at 11:41, Serge Droz via anti-abuse-wg
>>>   wrote:
>>>> Hi Leo
>>>> 
>>>> We can only recommend the community, obviously.
>>> I agree.
>>> 
>>>> So these aare the best
>>>> practices
>>>> 
>>>> We can recommend that RIPE NCC changes its rules and procedures to
>>>> address certain issues.
>>>> 
>>>> As a WG, if I'm correct we have no other power.
>>> Based on thisl, I don't understand what's missing from the draft text.
>>> Maybe you could suggest some specific edits?
>>> 
>>> Kind regards,
>>> 
>>> Leo
>> -- 
>> Dr. Serge Droz
>> Member, FIRST Board of Directors
>> https://www.first.org
>> 
>> 
>

--
Dr. Serge Droz
Director, Forum of Incident Response and Security Teams
https://first.org-- 

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

Re: [anti-abuse-wg] Seeking Input on the Future of the Anti-Abuse Working Group

[Serge Droz via anti-abuse-wg]

Hi Leo

It's more about sharpening the focus. I colored this red below. I feel 
eventually the RIPE NCC must adapt stronger policies to punish 
non-action or disregard of action. I think it would be better if this WG 
comes up with such policies which the RIPE NCC can then adopt (or not) 
rather than the RIPE NCC having to react to external pressure, e.g. from 
policy makers, in particular the EU. I'm sure one can formulate this 
much better. I firmly believe, that there is no way around stronger 
regulation, and I'd much rather see this coming from this community than 
form the outside. The regulators i see and work with are increasingly 
irritated and react with totally inadequate demands, which I wont 
reproduce here.


1. Identifying and analyzing emerging security threats and
   vulnerabilities affecting Internet infrastructure.
2. Collaborating with stakeholders, in particular the RIPE community,
   to develop and advocate and implement best practices, guidelines,
   and standards for securing Internet resources.
3. Facilitating information sharing and cooperation among network
   operators, law enforcement, and relevant entities to mitigate
   security risks.
4. Providing education, training, and outreach initiatives to raise
   awareness of security issues and promote best practices adoption.
5. Develop policies recommendations to the RIPE NCC that help enforcing
   good behavior and sanction disregard for faccepted security
   standards. This includes the definition of acceptable minimal
   standards.

Best regards
Serge

On 09.05.24 21:39, Leo Vegoda wrote:

Hi Serge,

On Thu, 9 May 2024 at 11:41, Serge Droz via anti-abuse-wg
  wrote:

Hi Leo

We can only recommend the community, obviously.

I agree.


So these aare the best
practices

We can recommend that RIPE NCC changes its rules and procedures to
address certain issues.

As a WG, if I'm correct we have no other power.

Based on thisl, I don't understand what's missing from the draft text.
Maybe you could suggest some specific edits?

Kind regards,

Leo


--
Dr. Serge Droz
Member, FIRST Board of Directors
https://www.first.org
-- 

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

Re: [anti-abuse-wg] Seeking Input on the Future of the Anti-Abuse Working Group

[Serge Droz via anti-abuse-wg]

Hi Leo

We can only recommend the community, obviously. So these aare the best 
practices


We can recommend that RIPE NCC changes its rules and procedures to 
address certain issues.


As a WG, if I'm correct we have no other power.

Best
Serge

On 09.05.24 20:15, Leo Vegoda wrote:

Serge,

On Thu, 9 May 2024 at 10:23, Serge Droz via anti-abuse-wg
 wrote:


Dear Markus

Thanks for this list. I'd love to see a bit more than best practices
though. I'd like to see this group come up with recommendations of what
RIPE can/should do to curb malicious behavior.


Are you referring to RIPE as a community or to the RIPE NCC as a legal entity?

Kind regards,

Leo


--
Dr. Serge Droz
Member, FIRST Board of Directors
https://www.first.org

--

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

Re: [anti-abuse-wg] Seeking Input on the Future of the Anti-Abuse Working Group

[Serge Droz via anti-abuse-wg]

Dear Markus

Thanks for this list. I'd love to see a bit more than best practices 
though. I'd like to see this group come up with recommendations of what 
RIPE can/should do to curb malicious behavior.


I think there are already a lot of groups that share info, so I'm not 
sure we need another one, but if members have a need for that, we could 
liaise with such existing groups. Shadowserver and FIRST come to mind. 
But again, people that want to do things probably already have this inf. 
We should figure out what to do with people who don't care.


Best
Serge



On 07.05.24 13:59, mar...@mxdomain.de wrote:

Dear Anti-Abuse Working Group Members,

Thank you for your responses and support for both the WG itself and the 
current Co-Chairs. We are pleased to see that you prefer to keep this WG 
active.


As Co-Chairs, we see an opportunity to broaden our scope (i.e., 
re-charter). Our main intention is to bring in fresh energy and 
perspectives by welcoming new faces. Additionally, there are relevant 
security topics that don't always neatly fit into other WGs.


Regarding the question of what a new charter might entail, we have put 
together a preliminary, high level, draft that we would love to discuss 
further at RIPE88.


— snip —
Objective:
The Security Working Group is committed to fostering collaboration, 
sharing best practices, and addressing security challenges within the 
RIPE community. The primary objective of the WG is to enhance the 
security, resilience, and stability of the Internet infrastructure 
within our region. Tackling abuse of Internet infrastructure and 
resources would remain a goal of the WG.


Scope:
- Identifying and analyzing emerging security threats and 
vulnerabilities affecting Internet infrastructure.
- Collaborating with stakeholders to develop and advocate for best 
practices, guidelines, and standards for securing Internet resources.
- Facilitating information sharing and cooperation among network 
operators, law enforcement, and relevant entities to mitigate security 
risks.
- Providing education, training, and outreach initiatives to raise 
awareness of security issues and promote best practices adoption.
- Develop policies and best practices to improve security and response 
to security incidents and abuse issues.

— snap —

We are looking forward to your input and comments.

Best regards,
Brian, Tobias, Markus



--
Dr. Serge Droz
Member, FIRST Board of Directors
https://www.first.org

--

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

Re: [anti-abuse-wg] LEA Transparency Report 2023

[Serge Droz via anti-abuse-wg]

Hi Randy

Agreed and I'm not saying we should just hand everything over on a gold plate 
to LE. Bien we cannot just say no all the time, but should actually come up 
with solutions we feel are good or a good compromise.

I expect LE to understand our issues, but we should understand theirs 

Best
Serge

On 10 April 2024 16:25:26 UTC, Randy Bush  wrote:
>> In a recent talk Jane Easterly said: "The private sector has promised
>> better security for yeas but has not delivered. This has to change".
>
>was this not in the context of software and platform safety?  easterly
>has been riding that hobby horse for a few years, and with serious
>justification.
>
>but i agree that the RIRs could be clearer in what they can and can not
>do for LE.  and there needs to be a balance of visibility and privacy.
>LE is always gonna want more; that's their job, and we need them.  but,
>as jeff schiller said (in the ietf protocol design context) "Law
>enforcement was not supposed to be easy.  Where it is easy, it's called
>a police state."
>
>randy
>
>-- 
>
>To unsubscribe from this mailing list, get a password reminder, or change your 
>subscription options, please visit: 
>https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

--
Dr. Serge Droz
Director, Forum of Incident Response and Security Teams
https://first.org-- 

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

Re: [anti-abuse-wg] LEA Transparency Report 2023

[Serge Droz via anti-abuse-wg]

Hi Michele

As I said: They may make a point. Maybe they don't understand what RIPS 
dies. But that's an assumption, and the tech community tends to 
underrate authorities, so don't count on it.


Best
Serge

On 10.04.24 11:32, Michele Neylon - Blacknight wrote:

Serge

The report speaks about French LEA asking RIPE for data that RIPE does 
not have.


You then go off on some complete tangent about governments not being 
satisfied with tech companies.


How are the two related?

What purpose does asking RIPE (or anyone else) for data they simply do 
not have serve?


A much more rational explanation is that LEA simply do not understand 
what data RIPE (or others) have and that maybe the solution is to 
educate them.


I have heard from some in LEA that the amount of engagement from RIPE, 
ICANN etc., in the past couple of years has reduced, though that’s 
purely anecdotal.


Regards

Michele

--

Mr Michele Neylon

Blacknight Solutions

Hosting, Colocation & Domains

https://www.blacknight.com/ 

https://blacknight.blog/ 

Intl. +353 (0) 59  9183072

Direct Dial: +353 (0)59 9183090

Personal blog: https://michele.blog/ 

Some thoughts: https://ceo.hosting/ 

---

Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business 
Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845


I have sent this email at a time that is convenient for me. I do not 
expect you to respond to it outside of your usual working hours.




--
Dr. Serge Droz
Member, FIRST Board of Directors
https://www.first.org

--

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

Re: [anti-abuse-wg] LEA Transparency Report 2023

[Serge Droz via anti-abuse-wg]

Hi Brian

Just a guess: But governments get increasingly dissatisfied with the 
laissez faire attitude of the technical community and the private sector 
in fighting cyber crime. In a recent talk Jane Easterly said: "The 
private sector has promised better security for yeas but has not 
delivered. This has to change".


I don't know what French LE asked, but it may well just trying to mae 
point. Ans states will up the game, regardless of our insisting that a 
given thing is not or responsibility.


Non state actors keep talking about shared responsibilities, but I fear 
what they mean by this is some one else's responsibility. Personally I 
feel this attitude leads to a bad outcome.


Times have changed, and so we need to change too, or we'll be forced to 
change, which seems much more unpleasant.


As I said, just some thoughts, no evidence here for the concrete 
reasons. But I hear authorities here in Switzerland, and they are not 
happy. The less we do, the more they feel they need to start doing 
something.


Best
Serge


On 09.04.24 17:59, Brian Nisbet wrote:

Thank you for this, very interesting!

It really seems that French LEAs are asking for lots of information the 
NCC does not have. It really would be very interesting to understand why 
they're doing that! I'm not asking you, Theodoros, unless you do know 
and are able to share? But maybe someone else knows?


Brian

Brian Nisbet (he/him)
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
North Dock Two, 93-94 North Wall Quay, Dublin 1, D01 V8Y6
+35316609040 brian.nis...@heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270

*From:* anti-abuse-wg  on behalf of 
Theodoros Fyllaridis 

*Sent:* Monday 8 April 2024 10:34
*To:* anti-abuse-wg@ripe.net 
*Subject:* [anti-abuse-wg] LEA Transparency Report 2023

CAUTION[External]: This email originated from outside of the 
organisation. Do not click on links or open the attachments unless you 
recognise the sender and know the content is safe.


Dear colleagues,

We have published a transparency report that details the nature and 
number of requests we received from Law Enforcement Agencies in 2023.


You can find the report at: 
https://www.ripe.net/publications/docs/ripe-819/ 
.


Kind regards,

Theodoros Fyllaridis
Legal Counsel
RIPE NCC



--
Dr. Serge Droz
Member, FIRST Board of Directors
https://www.first.org

--

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

Re: [anti-abuse-wg] IS3C public consultation on an alternative narrative to deploy Internet standards

[Serge Droz via anti-abuse-wg]

Pushing for DNSSEC adoption by financial services, government and other 
“enterprise” users makes a lot of sense, but pushing it for all domains 
is a terrible idea and has more negative impacts than positives.



Not if it's done properly, i.e. by the hosting providers. Should your 
aunt or uncle do it? Probably not.


Since SWITCH gives registrars a discount if they sign, the number has 
risen dramatically, without any problems: 
https://www.nic.ch/de/statistics/dnssec/


Best
Serge

--
Dr. Serge Droz
Member, FIRST Board of Directors
https://www.first.org

--

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

Re: [anti-abuse-wg] Bulletproof servers causing mischief on the internet

[Serge Droz via anti-abuse-wg]

Hi Hank

Thanks for this: It's pure gold.

I sometimes think this WG is held prisoner by a hand full of people, 
which are the ones that then whine in five years because the EU will put 
a stop at this on their terms. Here in Switzerland more and more anti 
abuse legislation is enacted because some providers just won't move.


Best
Serge


On 18/01/2024 07:46, Hank Nussbacher wrote:
On 17/01/2024 23:05, Tomás Oliveira Valente Leite de Castro via 
anti-abuse-wg wrote:


I believe RIPE NCC's job is not to police the internet, but to provide 
registration services. However RIPE should guarantee that the 
registrant's data is correct and up to date. This includes a proper 
abuse contact.


I have heard so often that RIPE NCC's job is to *not* police the 
Internet.  Then I heard John Curran's keynote at NANOG in October:
The Expanding Landscape of Internet Governance:​ Why Network Operators 
Need a Global View

https://www.youtube.com/watch?v=U1Ip39Qv-Zk
and realize that over the next decade we will be handed EU edicts that 
will far exceed anything we thought possible.  Take the 45 minutes and 
listen to John.


Regards,
Hank



--
Dr. Serge Droz
Director, Forum of Incident Response and Security Teams (FIRST)
serge.d...@first.org | https://www.first.org

--

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

Re: [anti-abuse-wg] Abuse Report ignored. What to do as next?

[Serge Droz via anti-abuse-wg]

Maybe it's time to measure these numbers in the RIPE region by trying a time 
limit experiment. 

If it doesn't work, we stop it again. We would have to discuss criteria for 
what "it work" means. That's a discussion I'd like to see on this list.

By never trying anything concrete it's easy saying it doesn't work. 

Fact is, that other players have changed once pressure has been upped. 

Cheers
Serge

On 3 December 2023 09:48:43 UTC, Michele Neylon - Blacknight via anti-abuse-wg 
 wrote:
>Please provide actual data.
>Numbers
>
>
>--
>Mr Michele Neylon
>Blacknight Solutions
>Hosting, Colocation & Domains
>https://www.blacknight.com/
>https://blacknight.blog/
>Intl. +353 (0) 59  9183072
>Direct Dial: +353 (0)59 9183090
>Personal blog: https://michele.blog/
>Some thoughts: https://ceo.hosting/
>---
>Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty 
>Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845
>
>I have sent this email at a time that is convenient for me. I do not expect 
>you to respond to it outside of your usual working hours.
>
>
>From: anti-abuse-wg  on behalf of 
>jordi.palet--- via anti-abuse-wg 
>Date: Friday, 1 December 2023 at 13:38
>To: anti-abuse-wg@ripe.net 
>Subject: Re: [anti-abuse-wg] Abuse Report ignored. What to do as next?
>[EXTERNAL EMAIL] Please use caution when opening attachments from unrecognised 
>sources.
>
>Well … exactly the same way it has been already implemented in 2 other RIRs, 
>working and no issues.
>
>Regards,
>Jordi
>
>@jordipalet
>
>
>> El 1 dic 2023, a las 14:28, Laura Atkins  escribió:
>>
>>
>>
>>> On 1 Dec 2023, at 13:22, U.Mutlu  wrote:
>>>
>>> Laura Atkins wrote on 12/01/23 13:22:
>>> > None of this will make a company who doesn’t want to deal with abuse
>>> > complaints deal with abuse complaints. It’s a total waste of resources.
>>>
>>> Then RIPE has to sanction that member.
>>
>> So we’re back to: how much will it cost to do this and how much will it 
>> actually improve anything?
>>
>> Which ignores a lot of big questions like: does RIPE actually have the 
>> authority to sanction folks, who is going to sanction them, what is the 
>> appeals process, how do we get to the sanctioning decision, how are we going 
>> to pay for the inevitable lawsuit, and a bunch of other things.
>>
>> It’s clear, though, that this is actually a much older argument. I’m pretty 
>> sure I’m not the first person to ask HOW this will all be implemented. The 
>> fact that someone can’t point me to a FAQ or actual proposal addressing 
>> these questions tells me how seriously this is being taken by the folks who 
>> are proposing it.
>>
>> laura
>>
>>>
>>> Example of ignored Abuse Reports regarding email hacking attempts:
>>>
>>> You get countless hacking attempts to your email server
>>> (ie. brute-force attacks trying to login as a mail client
>>> by using either a valid email login name or some random names;
>>> they usually fail b/c of wrong password).
>>> It all gets logged in the emailserver logs together with
>>> exact timings, so there is enough evidence available for verification.
>>>
>>> You send an Abuse Report to the owner of the IP from where
>>> these hacking attempts occur.But there is no reaction,
>>> the hacking attemps day and night continue. So, it's not just a one-time 
>>> thing.
>>> Even if you block that IP, it still generates traffic and eats-up resources 
>>> on the server.
>>>
>>> We need an effective solution to stop such abuses.
>>> RIPE NCC should ask the client to fix the problem and
>>> formally inform the RIPE NCC about the fix within 7 days.
>>>
>>> If the Abuse Reports still get ignored, then RIPE NCC
>>> should issue a 2nd warning and thereafter then terminate
>>> or suspend the membership until the issue gets fixed.
>>>
>>>
>>> Laura Atkins wrote on 12/01/23 13:22:
 None of this will make a company who doesn’t want to deal with abuse
 complaints deal with abuse complaints. It’s a total waste of resources.

 laura

> On 1 Dec 2023, at 10:53, U.Mutlu  wrote:
>
> For each complaint to RIPE NCC then such an
> (automated) email should be sent by the RIPE NCC
> to the abuse-c of that member.
> This should be the absolute minimum that should be done by the RIPE NCC.
>
>
> Matthias Merkel wrote on 11/30/23 11:47:
>> The proposal is to send verification emails to abuse mailboxes and have 
>> a link
>> in them clicked, right? I would have no objection to that.
>>
>> Is there more that is being proposed in this proposal specifically?
>>
>> —
>> Maria Merkel
>
>
>
> --
>
> To unsubscribe from this mailing list, get a password reminder, or change
> your subscription options, please visit:
> https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

 --
 The Delivery Expert

 Laura Atkins
 Word to the Wise
 la...@wordtothewise.com

 Delivery 

Re: [anti-abuse-wg] Abuse Report ignored. What to do as next?

[Serge Droz via anti-abuse-wg]

It will make some organizations start handling reports that didn't do it 
before.


We tried this in Switzerland, sending all ISPs abuse data asking them to 
deal with it. In the beginning, very little enthusiasm, today most do.


None of these proposals have ever been tries, yet your you insist on 
knowing they don't work. Let's try it and see what happens. If you 
insist on 100% guarantees you'll never change anything. This is, why in 
the IETF you can't simply say no, but you have to come with an 
alternative. So to that I challenge you.


With this attitude the internet wouldn't exist. Sounds like the "Seat 
belts don't work" fraction back in the day.


But I'll shut up now and focus on more constructive discussions elsewhere.

Best
Serge


On 01.12.23 13:22, Laura Atkins wrote:
None of this will make a company who doesn’t want to deal with abuse 
complaints deal with abuse complaints. It’s a total waste of resources.


laura


On 1 Dec 2023, at 10:53, U.Mutlu  wrote:

For each complaint to RIPE NCC then such an
(automated) email should be sent by the RIPE NCC
to the abuse-c of that member.
This should be the absolute minimum that should be done by the RIPE NCC.


Matthias Merkel wrote on 11/30/23 11:47:
The proposal is to send verification emails to abuse mailboxes and 
have a link

in them clicked, right? I would have no objection to that.

Is there more that is being proposed in this proposal specifically?

—
Maria Merkel




--

To unsubscribe from this mailing list, get a password reminder, or 
change your subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg


--
The Delivery Expert

Laura Atkins
Word to the Wise
la...@wordtothewise.com

Delivery hints and commentary: http://wordtothewise.com/blog









--
Dr. Serge Droz
Member, FIRST Board of Directors
https://www.first.org

--

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

Re: [anti-abuse-wg] Abuse Report ignored. What to do as next?

[Serge Droz via anti-abuse-wg]

As I said

I disagree. Gmail says what you can do with their accounts, that doesn't 
make them a regulator. But it doesn't matter: At the end of the day it's 
excuses to not do anything about a growing problem.


And what typically happens in such cases is that states get upset and 
start dictating the rules, i.e. the real regulators come out. At this 
point the community has pretty much lost the ability to shape the rules.


I bet a good bottle of you favorite drink, that this is what will happen.

Best
Serge

On 30.11.23 09:58, Matthias Merkel wrote:

Hi Serge,

The difference is the scope of the rules.

All organizations, including the RIPE NCC, enforce rules as part of 
their own business, for example with customers, etc.


What is being proposed here is imposing rules on unrelated things. Abuse 
isn't inherently of the resources provided by RIPE, but rather of the 
services addressed by them. It's like the postal service making rules on 
what you can do at your house because it has an address assigned by them.


This is the difference between regulator or not. The definition I cited 
is from the dictionary.


—
Maria Merkel

This email was sent by [company]. Any statements contained in this email 
are personal to the author and are not necessarily the statements of the 
company unless specifically stated.


Novecore and Staclar are collective trading names of Novecore Ltd., 
registered in England and Wales under company number 11748197, Novecore 
Licensing Ltd., registered in England and Wales under company number 
11544982, Staclar Carrier Ltd., registered in England and Wales under 
company number 12219686, Staclar Financial Services Ltd., registered in 
England and Wales under company number 13843292 (registered offices 54 
Portland Place, London, UK, W1B 1DY); Novecore Professional Services 
Ltd., registered in England and Wales under company number 13965912 
(registered office 13 Freeland Park, Wareham Road, Poole, UK, BH16 6FA); 
Novecore (Estonia) OÜ, registered in Estonia under registry code 
16543205 (local contact Baltic Business Services OÜ, Narva mnt 5, 10117 
Tallinn, Estonia); Novecore (USA) Inc., registered in Delaware under 
file number 6707907, Novecore Licensing (USA) LLC, registered in 
Delaware under file number 4030866, and Staclar, Inc., registered in 
Delaware under file number 7413401 (registered agents The Corporation 
Trust Company, Corporation Trust Center, 1209 Orange St, Wilmington DE 
19801, USA). Novecore Licensing Ltd. is registered for VAT in the United 
Kingdom under VAT registration number 347 4545 80. Novecore (Estonia) OÜ 
is registered for VAT in the European Union under VAT registration 
number EE102518979. Novecore Professional Services Ltd. is a trust or 
company service provider registered with and supervised by HM Revenue & 
Customs under the Money Laundering, Terrorist Financing and Transfer of 
Funds (Information on the Payer) Regulations 2017 (registration number 
XMML0178208). Staclar Financial Services Ltd. is an Annex 1 
financial institution registered with and supervised by the Financial 
Conduct Authority under the Money Laundering, Terrorist Financing and 
Transfer of Funds (Information on the Payer) Regulations 2017 (firm 
reference number 989521). Registration is not equivalent to 
authorisation and is not an endorsement to do business with a firm. 
Staclar Financial Services Ltd. is not an authorised person within the 
meaning of the Financial Services and Markets Act 2000 and does not 
review, approve, or endorse financial promotions for securities issues 
it is involved in or provide any form of investment advice.

Sent from Front
On November 30, 2023 at 9:54 AM GMT+1 anti-abuse-wg@ripe.net 
 wrote:


I do not agree

Every organization has rules it enforces. That doesn't make it a
regulator. The public transport here, where I live enforces that you
have a valid ticket. That doesn't make it the transport regulator.

In fact RIPE NCC will probably enforce that you pay your fees.

The issue here is, that we have two subgroups:

One that thinks we should try go a bit further to ensure that people do
what can be expected they should be doing, and another fractions that
feels every little bit of additional load is too much and will not solve
the problem 100%. It's like saying we give up on speed limits because it
doesn't prevent speeding.

And as long as this group cannot come up with a compromise nothing will
change, in essence the anti-abuse wg is taken hostage by the nay sayers.
These discussions have been going on for years. Nothing new has come out.

We don't even try. We could, and then see if it makes a difference. If
not we go back. But nope.

Best
Serge

On 30.11.23 09:39, Matthias Merkel wrote:


> Hi Leo,
>
> The definition of a regulator is an entity that sets and enforces 
rules

> on the persons it supervises.
>
> If the RIPE NCC goes further than just providing numbers, and instead
> enforces rules 

Re: [anti-abuse-wg] Abuse Report ignored. What to do as next?

[Serge Droz via anti-abuse-wg]

I do not agree

Every organization has rules it enforces. That doesn't make it a 
regulator. The public transport here, where I live enforces that you 
have a valid ticket. That doesn't make it the transport regulator.


In fact RIPE NCC will probably enforce that you pay your fees.

The issue here is, that we have two subgroups:

One that thinks we should try go a bit further to ensure that people do 
what can be expected they should be doing, and another fractions that 
feels every little bit of additional load is too much and will not solve 
the problem 100%. It's like saying we give up on speed limits because it 
doesn't prevent speeding.


And as long as this group cannot come up with a compromise nothing will 
change, in essence the anti-abuse wg is taken hostage by the nay sayers.

These discussions have been going on for years. Nothing new has come out.

We don't even try. We could, and then see if it makes a difference. If 
not we go back. But nope.


Best
Serge

On 30.11.23 09:39, Matthias Merkel wrote:

Hi Leo,

The definition of a regulator is an entity that sets and enforces rules 
on the persons it supervises.


If the RIPE NCC goes further than just providing numbers, and instead 
enforces rules on usage associated with them (note that this doesn't 
even concern the use of the numbers themselves, but rather services 
addressed by them), it will, by definition, be a regulator.


I'm not sure that there will be consensus on wanting the NCC to become a 
regulator.


—
Maria Merkel

This email was sent by Staclar, Inc. Any statements contained in this 
email are personal to the author and are not necessarily the statements 
of the company unless specifically stated.


Novecore and Staclar are collective trading names of Novecore Ltd., 
registered in England and Wales under company number 11748197, Novecore 
Licensing Ltd., registered in England and Wales under company number 
11544982, Staclar Carrier Ltd., registered in England and Wales under 
company number 12219686, Staclar Financial Services Ltd., registered in 
England and Wales under company number 13843292 (registered offices 54 
Portland Place, London, UK, W1B 1DY); Novecore Professional Services 
Ltd., registered in England and Wales under company number 13965912 
(registered office 13 Freeland Park, Wareham Road, Poole, UK, BH16 6FA); 
Novecore (Estonia) OÜ, registered in Estonia under registry code 
16543205 (local contact Baltic Business Services OÜ, Narva mnt 5, 10117 
Tallinn, Estonia); Novecore (USA) Inc., registered in Delaware under 
file number 6707907, Novecore Licensing (USA) LLC, registered in 
Delaware under file number 4030866, and Staclar, Inc., registered in 
Delaware under file number 7413401 (registered agents The Corporation 
Trust Company, Corporation Trust Center, 1209 Orange St, Wilmington DE 
19801, USA). Novecore Licensing Ltd. is registered for VAT in the United 
Kingdom under VAT registration number 347 4545 80. Novecore (Estonia) OÜ 
is registered for VAT in the European Union under VAT registration 
number EE102518979. Novecore Professional Services Ltd. is a trust or 
company service provider registered with and supervised by HM Revenue & 
Customs under the Money Laundering, Terrorist Financing and Transfer of 
Funds (Information on the Payer) Regulations 2017 (registration number 
XMML0178208). Staclar Financial Services Ltd. is an Annex 1 
financial institution registered with and supervised by the Financial 
Conduct Authority under the Money Laundering, Terrorist Financing and 
Transfer of Funds (Information on the Payer) Regulations 2017 (firm 
reference number 989521). Registration is not equivalent to 
authorisation and is not an endorsement to do business with a firm. 
Staclar Financial Services Ltd. is not an authorised person within the 
meaning of the Financial Services and Markets Act 2000 and does not 
review, approve, or endorse financial promotions for securities issues 
it is involved in or provide any form of investment advice.

Sent from Front
On November 30, 2023 at 9:36 AM GMT+1 anti-abuse-wg@ripe.net 
 wrote:


Hi Leo,

I don’t see it as a regulator, I see it as one of the functions of a 
RIR. Not just provide numbers, but also ensure that they are being 
used fairly and according community agreed policies. Otherwise we 
could also say that other reasons for recovery are invalid because we 
become a regulator, right?


Each RIR has measured the “level of adoption” as they progressed with 
the initial verification (and this was presented at least a couple of 
times in every RIR), so there are slides in each of them, showing the 
progress. I can try to find them for you in the previous year's events 
if you can’t find them. Also my personal experience reporting over 
1.500 abuse cases, average per day, shows that I get more 
“happy-ending” responses from those regions than before and keeps 
going better and better, which is not the case from RIPE 

Re: [anti-abuse-wg] Abuse Report ignored. What to do as next?

[Serge Droz via anti-abuse-wg]

I think this community let's the perfect be the enemy of the possible.

Just because there are traffic rules doesn't mean people don't violate 
them. But they violate them much less.


See, what I fear is, that at some stage states will start to regulate, 
because the industry fails to do so. And usually that is not fun.


So I support Jordi in that we should demand this. Yes there will be 
Bullet proof hosters, but maybe a lot of the others will actually 
comply, exactly because they are not bullet proof hosters.


We do this in many other places, it's called voluntary norms for 
responsible behaviour, and is seen as a great tool to improve things. 
Happy to explain more if there is an interest.


Best
Serge


On 01.11.23 10:21, Gert Doering wrote:

Hi,

On Wed, Nov 01, 2023 at 10:10:45AM +0100, jordi.palet--- via anti-abuse-wg 
wrote:

We had a policy proposal to ensure that the abuse mailbox was valid and 
monitored, but this community didn???t liked it. In other regions it works and 
it proven to be a very valid tool.


You failed to demonstrate why "the mailbox is monitored in a way that
satisfies the proposed policy" would imply "the ISP in question suddenly
gets interested in acting against abuse".  Especially those that promote
themselves as "bulletproof hosting".

This is what the community did not like - added bureaucracy with no
provable gain.

Gert Doering
 -- NetMaster




--
Dr. Serge Droz
Member, FIRST Board of Directors
https://www.first.org

--

To unsubscribe from this mailing list, get a password reminder, or change your 
subscription options, please visit: 
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg

Re: [anti-abuse-wg] Anti-Abuse Training: Questions for the WG

[Serge Droz via anti-abuse-wg]

Hi All

Michele, I think this is a great idea. It would probably make sense to 
liaise with https://www.m3aawg.org/ and FIRST (tha latter would be me 
;-) and I can broker an intro to the M3AAWG peoples.
Not also, that FIRST has a "DNS Abuse SIG", that focuses on domain 
related abuse, but in a wide sense. I'm sure that work could be extended 
to cover IP abuse.


And before we start our usual skirmishes: The fist step the group did 
was to come up with a taxonomy, so that we all speak of the same. A 
second step will then be suggestions on how to mitigate this.
If we feel something like this would be of value for "IP abuse" I'm 
happy to help set up a FIRST SIG, so we cover the world, and not just 
RIPE. But irrespective of this, I think some training courses would be 
awesome.


I'd be super happy to help.

Best
Serge

On 18/10/2021 18:40, Michele Neylon - Blacknight via anti-abuse-wg wrote:

Brian

I missed earlier emails about this.

I think it would be beneficial for a lot of LIRs to get some basic 
training.


Anything that improves the landscape should be encouraged and welcomed!

 1. Would training, as described, be of interest to you?

Potentially for new staff if the materials were available ie. As a resource

 2. Would training, as described, be of interest to other LIRs you know
of/work with?

I don’t know of any specifically, but that’s down to my role.

3) If not, would there be other areas of Anti-Abuse training that would 
be of interest?


A lot of hosting providers aren’t LIRs, but are getting IP space from 
LIRs. Maybe providing materials that LIRs could share with their clients 
would help? There  seems to be a lot of ignorance out there.


4) Would you be willing to help write training materials for this course?
I don’t have time to produce materials but I’d be happy to review same.

Regards


Michele

--

Mr Michele Neylon

Blacknight Solutions

Hosting, Colocation & Domains

https://www.blacknight.com/ 

https://blacknight.blog/ 

Intl. +353 (0) 59  9183072

Direct Dial: +353 (0)59 9183090

Personal blog: https://michele.blog/ 

Some thoughts: https://ceo.hosting/ 

---

Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty

Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845

*From: *anti-abuse-wg  on behalf of 
Brian Nisbet 

*Date: *Friday, 15 October 2021 at 10:15
*To: *anti-abuse-wg@ripe.net 
*Subject: *[anti-abuse-wg] Anti-Abuse Training: Questions for the WG

[EXTERNAL EMAIL] Please use caution when opening attachments from 
unrecognised sources.


Colleagues,

As you may remember the WG Co-Chairs have been talking to the NCC about 
some possible Anti-Abuse training in March of this year.


This proposal got very little reaction from the community, so we are 
going to try again to see if there is interest, or if people who are 
already on this mailing list believe that there would be interest from 
other LIRs that they know.


I have re-attached the proposal that Alireza sent to the mailing list in 
March.


Between now and RIPE 83 (when this matter will be on the WG session 
agenda) I would ask the following questions:


1) Would training, as described, be of interest to you?

2) Would training, as described, be of interest to other LIRs you know 
of/work with?


3) If not, would there be other areas of Anti-Abuse training that would 
be of interest?


4) Would you be willing to help write training materials for this course?

After the list discussion and discussion at RIPE 83 the Co-Chairs will 
work with the NCC Learning & Development Team to decide if there is 
enough interest to develop the course and, if there is, how to proceed 
from there.


We really do believe this is something that would be of interest to a 
large number of small LIRs in the region, but that's not something we 
can really determine without the help of the WG


Thank you,

Brian
Co-Chair, RIPE AA-WG

Brian Nisbet (he/him)
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nis...@heanet.ie www.heanet.ie 
Registered in Ireland, No. 275301. CRA No. 20036270



--
Dr. Serge Droz
Director, Forum of Incident Response and Security Teams (FIRST)
Phone +41 76 542 44 93 | serge.d...@first.org | https://www.first.org

Re: [anti-abuse-wg] IPv4 squatting -- Courtesy of AS44050, AS58552

[Serge Droz via anti-abuse-wg]

First of: Congrats and thank you Ronald for this work.

What makes me a bit sad is, that posting this here immediately starts a
discussion about what is expected behavior on these lists, rather than
how we could combat abuse more efficiently.

It seems a seeminglu, to me at least, humorous remark, sparks more
discussion than the troubling fact that criminals have the time of their
lives during this period of time.

I'm all in favor of staying civil on public fora. But noting in the
original post was not civil. I am wondering what the we want to achieve
here on the anti-abuse list? Call me stupid, but I just don't get it.

Best
Serge


On 01.12.20 22:48, Ronald F. Guilmette wrote:
> In message 
>  outlook.com>, Brian Nisbet  wrote:
> 
>> However I suspect that X-posting to a list like apnic-talk may not be the
>> wisest idea, given the different populations etc...
> 
> It is among my fondest hopes that cybercriminals of all stripes, and
> particularly the ones who squat on IPv4 space that doesn't belong to
> them, will, in future, show more respect for regional boundaries, such
> that their devious activities will only oblige me to notify the
> members of a single one of the five RIR regions regarding any single
> one of these elaborate criminal schemes.  Alas, in this instance
> however, the perpetrators, in a very unsportsmanlike manner, elected
> to make messes whose roots were found in both the RIPE region and also
> in the APNIC region.  (And that's not even to mention that most of the
> squatted IPv4 real estate was and is under the administration of the
> ARIN region.)
> 
> Clearly, authorities in all five regions should be devoting somewhat
> more effort towards the cultivation of a better and more respectful
> class of cybercriminals who will confine their convoluted schemes to
> their own home regions.
> 
> 
> Regards,
> rfg
> 

-- 
Dr. Serge Droz
Chair of the FIRST Board of Directors
https://www.first.org

Re: [anti-abuse-wg] Fwd: Re: botnet controllers

[Serge Droz via anti-abuse-wg]

On 09.07.20 19:52, i...@fos-vpn.org wrote:
> Yes, VPN services can be used for unlawful activities such as Tor Exit
> Nodes or public WiFi Hotspots; that lies in the nature of things.
> However we believe that most of our customers behave behave in a
> responsible fashion and respect the laws as well as we do.

This is the equivalent of saying, you shouldn't do anything against
drunk driving, after all most people don't do it. This flawed argument
works for almost all abuse. It is and excuse you use to not take
responsibility.
You are already now paying a price for it, people will block you.

So in the end it's up to you.

Set up an abuse process and act. I would argue that within very little
time your networks become cleaner and Spamhaus will unlist you.

Best
Serge




-- 
Dr. Serge Droz
Chair of the FIRST Board of Directors
https://www.first.org

Re: [anti-abuse-wg] Fwd: Re: botnet controllers

[Serge Droz via anti-abuse-wg]

Hello @Moderators

Can you please suspend this participant? I take offense at this. We may
disagree on issues and opinions. However I feel there is no space for
name calling.

Best regards
Serge




On 09.07.20 15:16, Elad Cohen wrote:
> Michele how more bigger asshole you can be to be the puppet of spamhaus
> so you will be able monetize your connections with them to more $$$
> 
> You are a loser and you are a disgraceful businessman and you are a
> disgrace to the whole internet community
> 
> *From:* anti-abuse-wg  on behalf of
> Michele Neylon - Blacknight 
> *Sent:* Thursday, July 9, 2020 4:02 PM
> *To:* Serge Droz ; anti-abuse-wg@ripe.net
> 
> *Subject:* Re: [anti-abuse-wg] Fwd: Re: botnet controllers
>  
> +1 on all points
> 
> That someone who won't even disclose who they are has the gall to demand
> that Spamhaus or anyone else should is hilarious and disturbing.
> 
> 
> 
> --
> Mr Michele Neylon
> 
> Blacknight Solutions
> 
> Hosting, Colocation & Domains
> 
> https://www.blacknight.com
> https://blacknight.blog /
> 
> http://ceo.hosting/
> 
> Intl. +353 (0) 59  9183072
> 
> Direct Dial: +353 (0)59 9183090
> 
> ---
> 
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,
> Sleaty Road, Graiguecullen, Carlow, R93 X265,Ireland  Company No.: 370845
> 
> On 09/07/2020, 07:30, "anti-abuse-wg on behalf of Serge Droz via
> anti-abuse-wg"  anti-abuse-wg@ripe.net> wrote:
> 
>     Hi Info
> 
>     Maybe one of the reasons some Non-logging VPNs end up on blacklist sis
>     that the Non-Looging phrase is just an excuse to not go after misuse.
>     The rights to privacy and free speech do not mean anything goes.
> 
>     You can fight abuse without violating privacy. But of course that's not
>     for free, you need abuse people that investigate and they cost money.
>     Sadly, many of these VPNs frankly just don't care, using the lame excuse
>     that they are protecting fundamental rights, when in fact they are just
>     don't care or take responsibility.
> 
>     I don't agree with everything Spamhaus does, but I find them responsible
>     and and always found a way way to talk to them.
> 
>     I was reluctant writing this, because I'm not sure this discussion will
>     lead anywhere. It's one of these where opinions seem to already have
>     been formed.
> 
>     But you start accusing people of posting anonymously. I totally agree
>     this is bad, but then, who are you, i...@fos-vpn.org?
> 
>     You don't seem to offer a name yourself. I find this a bit hypocritical.
> 
>     Best
>     Serge
> 
> 
>     On 08.07.20 20:46, i...@fos-vpn.org wrote:
>     > All I would like from Spamhaus is to stop publishing fake SBL
> records in
>     > order to discredit us and to use that to put pressure both upon us and
>     > our upstreams.
>     > Non-logging VPN services are as legal within the EU as Exit Nodes
> of the
>     > Tor Network (which have massive abuse entries in various data bases,
>     > especially the larger ones) and public WiFi Hotspots, which can be
> used
>     > for abusive activities, too.
>     >
>     > I don't know who "PP" is (probably the same person which posts
> under the
>     > nickname "Petras Simeon" on Twitter and on various boards), but he
>     > contacted us and our upstream providers without telling his name, just
>     > using this email address: phishphuc...@storey.ovh and sending us the
>     > list of SBL entries which he also posted here.
>     > Don't know if he's working for Spamhaus or not, but before attacking
>     > others publicly, people should reveal their true identity,
> anything else
>     > would be sneaky in my opinion.
>     >
> 
>     --
>     Dr. Serge Droz
>     Chair of the FIRST Board of Directors
>     https://www.first.org
> 
> 

-- 
Dr. Serge Droz
Chair of the FIRST Board of Directors
https://www.first.org

Re: [anti-abuse-wg] Fwd: Re: botnet controllers

[Serge Droz via anti-abuse-wg]

Hi ángel

Thanks, good advice indeed. I second you to make your views known to the
Commission.

Best
Serge


On 09.07.20 09:16, Angel Fernandez Pineda wrote:
> Hi,
> I would like to make a recommendation to all of you. The EU has opened a
> consultation on the Digital Service Act, a future regulation that aims
> to review the role of digital platforms and technoly intermediaries and
> establish regulations to protect the rights of users and companies that
> operate online wherever is required. Of course, the role of ISPs or
> organizations like RIPE NCC can be subject to asses.
> 
> The aim of the European Commission with the consultation is to identify
> situations that put at risk the safety and rights of users or the rights
> of companies to compete in a fair market.
> 
> To those of you who know that this discussion, repeated so many times in
> this WG, will not reach to anything, I would like to invite you to
> dedicate a little of your time to answering the consultation. You will
> find it at:
> 
> https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12417-Digital-Services-Act-deepening-the-Internal-Market-and-clarifying-responsibilities-for-digital-services/public-consultation
> 
> Best,
> ángel
> Grupo Godó de Comunicación
> 
> ----------------
> *De:* anti-abuse-wg  en nombre de Serge
> Droz via anti-abuse-wg 
> *Enviado:* jueves, 9 de julio de 2020 8:29
> *Para:* anti-abuse-wg@ripe.net 
> *Asunto:* Re: [anti-abuse-wg] Fwd: Re: botnet controllers
>  
> Hi Info
> 
> Maybe one of the reasons some Non-logging VPNs end up on blacklist sis
> that the Non-Looging phrase is just an excuse to not go after misuse.
> The rights to privacy and free speech do not mean anything goes.
> 
> You can fight abuse without violating privacy. But of course that's not
> for free, you need abuse people that investigate and they cost money.
> Sadly, many of these VPNs frankly just don't care, using the lame excuse
> that they are protecting fundamental rights, when in fact they are just
> don't care or take responsibility.
> 
> I don't agree with everything Spamhaus does, but I find them responsible
> and and always found a way way to talk to them.
> 
> I was reluctant writing this, because I'm not sure this discussion will
> lead anywhere. It's one of these where opinions seem to already have
> been formed.
> 
> But you start accusing people of posting anonymously. I totally agree
> this is bad, but then, who are you, i...@fos-vpn.org?
> 
> You don't seem to offer a name yourself. I find this a bit hypocritical.
> 
> Best
> Serge
> 
> 
> On 08.07.20 20:46, i...@fos-vpn.org wrote:
>> All I would like from Spamhaus is to stop publishing fake SBL records in
>> order to discredit us and to use that to put pressure both upon us and
>> our upstreams.
>> Non-logging VPN services are as legal within the EU as Exit Nodes of the
>> Tor Network (which have massive abuse entries in various data bases,
>> especially the larger ones) and public WiFi Hotspots, which can be used
>> for abusive activities, too.
>> 
>> I don't know who "PP" is (probably the same person which posts under the
>> nickname "Petras Simeon" on Twitter and on various boards), but he
>> contacted us and our upstream providers without telling his name, just
>> using this email address: phishphuc...@storey.ovh and sending us the
>> list of SBL entries which he also posted here.
>> Don't know if he's working for Spamhaus or not, but before attacking
>> others publicly, people should reveal their true identity, anything else
>> would be sneaky in my opinion.
>> 
> 
> -- 
> Dr. Serge Droz
> Chair of the FIRST Board of Directors
> https://www.first.org
> 

-- 
Dr. Serge Droz
Chair of the FIRST Board of Directors
https://www.first.org

Re: [anti-abuse-wg] Fwd: Re: botnet controllers

[Serge Droz via anti-abuse-wg]

Hi Info

Maybe one of the reasons some Non-logging VPNs end up on blacklist sis
that the Non-Looging phrase is just an excuse to not go after misuse.
The rights to privacy and free speech do not mean anything goes.

You can fight abuse without violating privacy. But of course that's not
for free, you need abuse people that investigate and they cost money.
Sadly, many of these VPNs frankly just don't care, using the lame excuse
that they are protecting fundamental rights, when in fact they are just
don't care or take responsibility.

I don't agree with everything Spamhaus does, but I find them responsible
and and always found a way way to talk to them.

I was reluctant writing this, because I'm not sure this discussion will
lead anywhere. It's one of these where opinions seem to already have
been formed.

But you start accusing people of posting anonymously. I totally agree
this is bad, but then, who are you, i...@fos-vpn.org?

You don't seem to offer a name yourself. I find this a bit hypocritical.

Best
Serge


On 08.07.20 20:46, i...@fos-vpn.org wrote:
> All I would like from Spamhaus is to stop publishing fake SBL records in
> order to discredit us and to use that to put pressure both upon us and
> our upstreams.
> Non-logging VPN services are as legal within the EU as Exit Nodes of the
> Tor Network (which have massive abuse entries in various data bases,
> especially the larger ones) and public WiFi Hotspots, which can be used
> for abusive activities, too.
> 
> I don't know who "PP" is (probably the same person which posts under the
> nickname "Petras Simeon" on Twitter and on various boards), but he
> contacted us and our upstream providers without telling his name, just
> using this email address: phishphuc...@storey.ovh and sending us the
> list of SBL entries which he also posted here.
> Don't know if he's working for Spamhaus or not, but before attacking
> others publicly, people should reveal their true identity, anything else
> would be sneaky in my opinion.
> 

-- 
Dr. Serge Droz
Chair of the FIRST Board of Directors
https://www.first.org

Re: [anti-abuse-wg] Fwd: Re: botnet controllers

[Serge Droz via anti-abuse-wg]

On 25.06.20 10:22, PP wrote:
> Perhaps a code of conduct, with de-registration of resources if the
> entity does not comply, and enforcement costs to be levied against the
> annual fee imposed for the registering of IP resources.
> 

I'm all in favour, but I'm afraid we've had this discussion in here in
the past.

We can't even agree on the principles, let alone the details.

This seems to be harder than world peace.

Best
Serge
> 
> On 25/06/2020 5:45 pm, Serge Droz via anti-abuse-wg wrote:
>> Hi whoever you are,
>> (typically it's not a good sign, if you need hide behind an anonymous
>> alias).
>>
>>
>> I think the comparison to phone numbers is bad, that area is plagued by
>> very similar issues. But I get you point.
>>
>> I think it's not feasible that you need to somehow proof you are
>> legitimate, the same way you should not need to proof you're a honest
>> citizen before you get, e.g. an apartment.
>>
>> What we need however is a standard of what is acceptable behavior and
>> use of the resources you get, together with a process to remediate
>> failure to comply and possibly sanctions. I.e. if you use your apartment
>>   for illicit things, what ever they may be (annoying your neighbors
>> through excessive noise, running a drug empire, )
>>
>> That's what this group seems to consistently fail to come up with for
>> various reasons.
>>
>> As a reputable VPN Provider you can be log-less and yet still follow up
>> on abuse. I would argue that actually doing so will make your service
>> better for the people that legitimately need it.
>>
>> The VPN business is, not unlike the Domain business: A lot of greedy
>> people with big egos.
>>
>> This is not a technical issue.
>>
>> Best
>> Serge
>>
>>
>>
>> On 25.06.20 09:26, PP wrote:
>>> Firstly, reporting it to the LEO does not cause the resources to be
>>> de-registered.
>>>
>>> Secondly, your example regarding IPv6 is another reason why this
>>> approach is not sufficient: there are
>>> 340,282,366,920,938,000,000,000,000,000,000,000,000 possible IPv6
>>> addresses.
>>>
>>>
>>> It should be that the resources are only allocated to legitimate
>>> established corporations.
>>>
>>>
>>> Phone numbers aren't wholly allocated to anyone who asks, they remain
>>> controlled by a reputable phone company. Why should IP addresses be
>>> different?
>>>
>>>
>>>
>>> On 25/06/2020 4:50 pm, Shane Kerr wrote:
>>>> Dear Phish Phucker,
>>>>
>>>> The RIPE NCC is a not-for-profit, membership-based organization based
>>>> in the Netherlands. They are responsible for allocating Internet
>>>> number resources (IP addresses and AS numbers) in their region. Their
>>>> policies are set by RIPE, which is just anyone who joins the RIPE
>>>> mailing lists and participates in the policy discussions.
>>>>
>>>> I'm not sure what policy can be introduced. Historically RIPE
>>>> participants have been reluctant to make any value judgements about
>>>> what IP resources can and cannot be used for. Currently as long as you
>>>> are truthful about your organization's registration information you
>>>> have fulfilled the requirements.
>>>>
>>>> In a sense this should be enough. The information is available for
>>>> anyone who cares about protecting their users from spam originating
>>>> there. Spamhaus lists the organization, and I am pretty sure that most
>>>> e-mail providers either block their IP addresses because of that - or
>>>> have their own abuse tracking which identifies them. It's not
>>>> perfect... I had to change VPS provider because my previous VPS
>>>> provider kept having its IPv6 addresses blocked by Spamhaus and
>>>> neither my provider nor Spamhaus would explain why (my provider
>>>> claimed to have never received any complains, and Spamhaus never
>>>> explains anything). But it seems to be good enough for most people.
>>>>
>>>> If an organization is breaking a law, then the correct action is to
>>>> report them to the law-enforcement organization (LEO) that feels like
>>>> it is in their jurisdiction. Again, since the member is required by
>>>> the RIPE NCC to have correct information about the person or
>>>> organization that has been allocated resources, the LEO can follow-up.
>>>>
>>

Re: [anti-abuse-wg] Fwd: Re: botnet controllers

[Serge Droz via anti-abuse-wg]

Hi whoever you are,
(typically it's not a good sign, if you need hide behind an anonymous
alias).


I think the comparison to phone numbers is bad, that area is plagued by
very similar issues. But I get you point.

I think it's not feasible that you need to somehow proof you are
legitimate, the same way you should not need to proof you're a honest
citizen before you get, e.g. an apartment.

What we need however is a standard of what is acceptable behavior and
use of the resources you get, together with a process to remediate
failure to comply and possibly sanctions. I.e. if you use your apartment
 for illicit things, what ever they may be (annoying your neighbors
through excessive noise, running a drug empire, )

That's what this group seems to consistently fail to come up with for
various reasons.

As a reputable VPN Provider you can be log-less and yet still follow up
on abuse. I would argue that actually doing so will make your service
better for the people that legitimately need it.

The VPN business is, not unlike the Domain business: A lot of greedy
people with big egos.

This is not a technical issue.

Best
Serge



On 25.06.20 09:26, PP wrote:
> Firstly, reporting it to the LEO does not cause the resources to be
> de-registered.
> 
> Secondly, your example regarding IPv6 is another reason why this
> approach is not sufficient: there are
> 340,282,366,920,938,000,000,000,000,000,000,000,000 possible IPv6
> addresses.
> 
> 
> It should be that the resources are only allocated to legitimate
> established corporations.
> 
> 
> Phone numbers aren't wholly allocated to anyone who asks, they remain
> controlled by a reputable phone company. Why should IP addresses be
> different?
> 
> 
> 
> On 25/06/2020 4:50 pm, Shane Kerr wrote:
>> Dear Phish Phucker,
>>
>> The RIPE NCC is a not-for-profit, membership-based organization based
>> in the Netherlands. They are responsible for allocating Internet
>> number resources (IP addresses and AS numbers) in their region. Their
>> policies are set by RIPE, which is just anyone who joins the RIPE
>> mailing lists and participates in the policy discussions.
>>
>> I'm not sure what policy can be introduced. Historically RIPE
>> participants have been reluctant to make any value judgements about
>> what IP resources can and cannot be used for. Currently as long as you
>> are truthful about your organization's registration information you
>> have fulfilled the requirements.
>>
>> In a sense this should be enough. The information is available for
>> anyone who cares about protecting their users from spam originating
>> there. Spamhaus lists the organization, and I am pretty sure that most
>> e-mail providers either block their IP addresses because of that - or
>> have their own abuse tracking which identifies them. It's not
>> perfect... I had to change VPS provider because my previous VPS
>> provider kept having its IPv6 addresses blocked by Spamhaus and
>> neither my provider nor Spamhaus would explain why (my provider
>> claimed to have never received any complains, and Spamhaus never
>> explains anything). But it seems to be good enough for most people.
>>
>> If an organization is breaking a law, then the correct action is to
>> report them to the law-enforcement organization (LEO) that feels like
>> it is in their jurisdiction. Again, since the member is required by
>> the RIPE NCC to have correct information about the person or
>> organization that has been allocated resources, the LEO can follow-up.
>>
>> It's hardly an ideal situation, but difficult to see how to improve it
>> given the general anti-regulation philosophy of most Internet providers.
>>
>> Cheers,
>>
>> -- 
>> Shane
>>
>> On 25/06/2020 08.03, PP wrote:
>>> So who at RIPE is responsible for allocating this resource, and what
>>> policy can be introduced to prevent the allocation of IP address
>>> resources to irresponsible organizations like this one?
>>>
>>> SpamHaus have it listed as the worlds number one source of spam:
>>>
>>> https://www.spamhaus.org/statistics/networks/
>>>
>>>
>>>
>>> On 25/06/2020 2:10 pm, Tõnu Tammer via anti-abuse-wg wrote:

 We've had similar experience with this VPN provider.

 He claims not being able to track malicious actor is for the benefit
 of free speech but when malware is used to attack people who express
 free speech he did not understand that his service is not
 contributing towards free speech but hinders it.

 Tonu
 CERT-EE

 On 25.06.2020 04:15, PP wrote:
>
> Botnet controllers on VPN provider that refuses to act:
>
>
>     organisation:    ORG-SL751-RIPE
>     org-name:    Freedom Of Speech VPN
>     org-type:    OTHER
>     address: P.O. Box 9173
>     address: Victoria
>     address: Mahe Island
>     address: Seychelles
>     e-mail: i...@fos-vpn.org
>     abuse-c: SL12644-RIPE
>     mnt-ref: 

Re: [anti-abuse-wg] Spam from provider Timeweb/Russia AS9123 - and they just ignore me

[Serge Droz via anti-abuse-wg]

Hi Martin

Have you tried t contact RU-CERT: https://www.cert.ru/en/about.shtml

They often are quite helpful.

Best
Serge


On 25.05.20 16:09, Martin Wilhelmi wrote:
> Hey everyone,
> 
> I have a conflict with a provider from Russia "Timeweb" AS9123. It seems
> to be hosting a customer who sends spam and uses one of my domains as
> sender.
> 
> I got the information via DMARC, RFC 7489 with several mails. This
> provider has an abuse email address. After I contacted them, they
> analyzed my domain, complained about the header of the automatic DMARC
> e-mail from mail.ru , because there an internal host
> distributes it and uses an internal IP address 10/8 according to RFC
> 1918 and so on.
> 
> Apparently one does not want to do anything and requests one of these
> e-mails classified as spam sent to @mail.ru.
> 
> But this is not provided for in the DMARC protocol, which the provider
> does not 'believe’.
> 
> This means I continue to receive emails from Russia telling me that my
> domain is being used by their host to send spam. And the provider writes
> me many e-mails telling me that I have to provide correct facts and that
> nothing else will be done.
> 
> Because DMARC emails are not facts and cannot be used as evidence.
> 
> Do you have any idea how to deal with this?
> 
> I have received 11 DMARC emails from mail.ru  regarding
> this host. I have attached last one here with header:
> 
> Return-Path:  >
> Delivered-To: m...@mnin.de 
> Received: from mail.mnin.de ([])
> by mail.mnin.de with LMTP
> id yedWJNMKx14sDAAAuS6XVA
> (envelope-from )
> for ; Fri, 22 May 2020 01:12:19 +0200
> Received: from relay7.m.smailru.net (relay7.m.smailru.net [94.100.178.51])
> (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
> (No client certificate requested)
> by mail.mnin.de (Postcow) with ESMTPS id 6D59868509C
> for ; Fri, 22 May 2020 01:12:18 +0200 (CEST)
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
> d=corp.mail.ru; s=mail;
> h=Date:Message-ID:To:From:Subject:MIME-Version:Content-Type;
> bh=DMqnfyeB+D0YjhIdtRipG66iEqaOVRHns+l07FJTLbw=;
> b=k6PdTMpn2SHfn7HO4jdOto6jxVRnOLsCsFLz0Lp87ytUyQL7ifwnze/LC/xQlDQ1hLpkHdM/sM8RFDgusUQYtL4e7/Zkmln4vsjgPvsW6go/YK7hvaeQBKMKgDSXqTlTXqm7BUyXOU4g9wByuAWUM0UpOM+3lrgHzm7d/Fil5IU=;
> Received: from [10.161.4.115] (port=48176 helo=60)
> by relay7.m.smailru.net with esmtp (envelope-from
> )
> id 1jbuMI-0007Kr-2n
> for m...@mnin.de; Fri, 22 May 2020 02:12:14 +0300
> Content-Type: multipart/mixed;
> boundary="===1678280035031557895=="
> MIME-Version: 1.0
> Subject: Report Domain: mnin.de; Submitter: Mail.Ru;
>  Report-ID: 25590927945792699841590019200
> From: dmarc_supp...@corp.mail.ru
> To: m...@mnin.de
> Message-ID: 
> Date: Fri, 22 May 2020 02:12:14 +0300
> Auto-Submitted: auto-generated
> ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mnin.de;
> s=dkim; t=1590102738;
> h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
>  to:to:cc:mime-version:mime-version:content-type:content-type:
>  dkim-signature; bh=DMqnfyeB+D0YjhIdtRipG66iEqaOVRHns+l07FJTLbw=;
> b=YpE4Z5u3l+mzLxsH+2Qbd39KekLCXa2jbbIrdnDxvgNFS6zvl4zKq33jQ/7fs5KkJEB0Xc
> VCRT+1keQ9x/+a0tp6IMMUKE1elcOp6LHbBzTXCZYcgylnhbmb/JrCgAUI67KzXJlLn4o4
> pxToLIR5HD58dGeler0v2GTby5si8GUfczS2mM4QAvxJHDSZ8GqTE359H8HTmXUXGBQRb+
> 0RVhhOzYxwmusEpWvuMcXYm4oZ7V+eKNuv12N5xCAbaWaqen37v1M53j0pu1vYoUSQBgOa
> dv3UgtOSdPxj8wVI5OzpY6ZVKtfSqyTXW5dV+8yfZUSe1Zpm/UPOO5eaqyUnpw==
> ARC-Seal: i=1; s=dkim; d=mnin.de; t=1590102738; a=rsa-sha256; cv=none;
> b=keiIRdDt35e1bk6toEJdITgagC1CXQE81NoMoM8T19TBM9LFU4zudqRg73qPYgGkqvXqqI
> Te3Z+AC+CZp9bxfqIOrm2xSE8fNfZEKYhl5fB59sen9/m1rwiZznvvbNcBCJMpytYyDAbg
> l74M2uJVfvrUAoAbMF8dweJV/SANBC2K6eKs1r9nRu5DrCEcicWKNLxWbvZ7Q/TccUGgeZ
> VCyYvxqc0m5U7wZqK/32Sgf1EpWAjkXpC5eTMxH73FfrIkpPQa8v5ag6qKMP+GRk8B3GO1
> eQxsci0l3eATOMFFeEAW/QkSB+ur5f2bPEraluEN5VD4iwWzd2tBGmbcT0ZKaw==
> ARC-Authentication-Results: i=1;
> mail.mnin.de;
> dkim=pass header.d=corp.mail.ru header.s=mail header.b=k6PdTMpn;
> spf=pass (mail.mnin.de: domain of dmarc_supp...@corp.mail.ru designates
> 94.100.178.51 as permitted sender) smtp.mailfrom=dmarc_supp...@corp.mail.ru
> X-Last-TLS-Session-Version: TLSv1.2
> Authentication-Results: mail.mnin.de;
> dkim=pass header.d=corp.mail.ru header.s=mail header.b=k6PdTMpn;
> dmarc=pass (policy=reject) header.from=corp.mail.ru;
> spf=pass (mail.mnin.de: domain of dmarc_supp...@corp.mail.ru designates
> 94.100.178.51 as permitted sender) smtp.mailfrom=dmarc_supp...@corp.mail.ru
> 
> --===1678280035031557895==
> MIME-Version: 1.0
> Content-Type: text/plain; charset="utf-8"
> Content-Transfer-Encoding: base64
> 
> VGhpcyBpcyBhbiBhZ2dyZWdhdGUgcmVwb3J0IGZyb20gTWFpbC5SdS4=
> 
> --===1678280035031557895==
> Content-Type: application/gzip
> MIME-Version: 1.0
> Content-Transfer-Encoding: base64
> Content-Disposition: 

Re: [anti-abuse-wg] Spamming LIR accounts

[Serge Droz via anti-abuse-wg]

Hi Töma

> What does GDPR have to say about this?

Unfortunately GDPR is totally ok with mind-boggingly stupid "technical
solutions" as long as they don't contain PII ;-)

Sorry, I'll stop now

Cheers
Serge

-- 
Dr. Serge Droz
Chair of the FIRST Board of Directors
https://www.first.org

Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

[Serge Droz via anti-abuse-wg]

Even if it's the only restaurant serving food in the region it can
impose restrictions, as long as they are reasonable.


And having a working abuse e-mail address seems very reasonable for any
kind of organization working in the internet.

There are many norms that are not laws, that still apply. Try to get on
a plane misbehaving. Try to enter a government building misbehaving.


We're having this discussion, because the "it will go away if we ignore
it" approach, is just not working.

Serge



On 30.04.20 15:01, Sascha Luck [ml] wrote:
> On Thu, Apr 30, 2020 at 12:42:09PM +, Suresh Ramasubramanian wrote:
>> RIPE NCC need not decide whether a behaviour is legal or not in order
>> to prohibit use of resources that it allocates for such behaviour.
>>
>> Wearing a T-shirt, shorts and flip flops is perfectly legal and yet
>> you can be refused entry into a fancy restaurant if you wear them.
>>
>> Nobody gets to sue the restaurant for refusing admission by claiming
>> that tshirts and flip flops are perfectly legal attire, and even
>> nudity is legal in some parts of Europe (German topless and nude
>> beaches say).
> 
> If this restaurant were the only source of food in a region, it
> would damn well be illegal to refuse service no matter how (or
> if) the client is dressed.
> 
> Why are we havijg thjis discussion yet again?
> 
> rgds,
> Sascha Luck
> 
>>
>> --srs
>> 
>> From: Nick Hilliard 
>> Sent: Thursday, April 30, 2020 5:43:04 PM
>> To: Suresh Ramasubramanian 
>> Cc: anti-abuse-wg@ripe.net 
>> Subject: Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of
>> "abuse-mailbox")
>>
>> Suresh Ramasubramanian wrote on 30/04/2020 01:58:
>>> Why would I ask about something I am posting as an individual in my
>>> personal capacity?
>>
>> because your day job involves abuse / security and in that capacity you
>> may have access to good quality legal resources.
>>
>>> I see great pains being taken to have NCC stay hands off and arms length
>>> from abuse issues at its members. I understand the motivation.
>>>
>>> However, being in a fiduciary role - with IPv4 being traded like
>>> currency these days the description fits - RIPE NCC can�t not get
>>> involved.
>>>
>>> I am concerned that this is eventually going to lead to heavy handed
>>> state regulation if a regulator gets involved after some particularly
>>> egregious misbehaviour by a (hypothetical at this point but the risk
>>> exists or might even exist now) shell company that gets itself
>>> membership, even LIR status and then uses a large allocation of IPs
>>> exclusively for crime.
>>>
>>> NCC owes it to the rest of its membership and the internet community at
>>> large to take a more active role in this matter.
>>>
>>> Though those of us that are saying this are probably voices in the
>>> wilderness at this point.
>>
>> Couple of general observations:
>>
>> - internet abuse is a specific instance of general societal abuse. It's
>> a complex problem and one where punishment / the threat of punishment is
>> one of many methods of handling it, and arguably not one of the better
>> ones from a general application point of view.
>>
>> - The RIPE NCC is not constituted to evaluate what is and isn't legal in
>> the 75+ countries that it services.  E.g. should it revoke numbering
>> resources due to CSAM because that's illegal in NL?  What about
>> blasphemous material, which is such a no-no in several other service
>> countries that it attracts capital punishment?  It's a difficult
>> proposition to suggest that the RIPE NCC should start getting into the
>> business of evaluating what is and isn't abuse.
>>
>> - we already have structures in place to handle evaluation of what
>> constitutes acceptable or unacceptable behaviour.  The international
>> nature of the internet has strained this to the point where it often
>> doesn't work.
>>
>> - there's a consistent undercurrent of thought here of feeling that
>> because other societal mechanisms for controlling abuse have not stopped
>> abuse on the internet, that the RIPE NCC is obliged to act.  This
>> assumption needs to be questioned.
>>
>> - almost all of the policy proposals in AAWG over the last several years
>> have been aimed at using the RIPE number registry as a social behaviour
>> enforcement mechanism.  There are other ways of handling social
>> behaviour issues, e.g. standards creation + compliance, community
>> forums, etc, etc, etc.
>>
>> - complex problems aren't amenable to simple fixes.
>>
>> - the primary concern expressed by the people I've talked to in law
>> enforcement is: "where should the warrant be served?"
>>
>> - the RIPE NCC operates in a complex legal environment.  There's a
>> substantial risk that the types of proposals that are being pushed in
>> AAWG would be found to be illegal and would open the organisation up to
>> damages or prosecution if applied (e.g shutting down a company because
>> they insisted on using a web form instead of 

Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

[Serge Droz via anti-abuse-wg]

I do not disagree with this.

Serge


On 30.04.20 09:41, Hans-Martin Mosner wrote:
> Am 30.04.20 um 02:58 schrieb Suresh Ramasubramanian:
>>
>> However, being in a fiduciary role - with IPv4 being traded like
>> currency these days the description fits - RIPE NCC can’t not get
>> involved.
>>
> ...
>> NCC owes it to the rest of its membership and the internet community
>> at large to take a more active role in this matter.
>>
> This.
> 
> And as long as RIPE and/or NCC explicitly does not want to take action
> when RIPE members don't handle abuse from their networks properly, the
> whole issue of validating abuse mailbox addresses is moot. After all
> discussion, the toothless compromise will be that there should be an
> abuse mailbox, and FWIW it can be handled by Dave Null because nobody
> will exert pressure on the resource holder to do anything else.
> 
> Our problem on the receiving side of network abuse is not with the few
> good-willing but technically challenged providers whose abuse mailbox
> isn't working properly but with those large operators who don't give a
> flying f about their customer's network abuse.
> 
> Personally, I consider the anti-abuse WG a failure at this point. When I
> joined I had hoped to see and possibly support constructive work towards
> a reduction in network abuse, but apparently there are big players in
> this game who are not interested in such a reduction as it would
> undermine their "business".
> 
> Cheers,
> Hans-Martin
> 

-- 
Dr. Serge Droz
Chair of the FIRST Board of Directors
https://www.first.org

Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

[Serge Droz via anti-abuse-wg]

On 29.04.20 18:22, Nick Hilliard wrote:
> To be clear, it's a fundamental right in large chunks of the RIPE
> service region to conduct business.  If the RIPE NCC acts to threaten to
> remove this ability to conduct business, there would need to be sound
> legal justification for doing so.

Most rights come with legally required responsibilities. I don't see why
this is different here.

Best
Serge



-- 
Dr. Serge Droz
Chair of the FIRST Board of Directors
https://www.first.org

Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

[Serge Droz via anti-abuse-wg]

So, it's the security guys, saying

  This may help a bit, but won't solve all problems.

versus the infrastructure operators saying

  Beware! This it creating huge costs and will not help at all, and
answering two mails a year will be our ruin.

Sadly, this list is run by Naj sayers.


Serge



-- 
Dr. Serge Droz
Chair of the FIRST Board of Directors
https://www.first.org

Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

[Serge Droz via anti-abuse-wg]

>> Coming from the incident response side, I'm tiered of people constantly
>> telling me, that issues are not their problem
> 
> How would this proposal help with said problem?
> 
- It will catch the cases where some miss configuration happened indeed
- It will make it impossible for orgs to say "We never received a report"
- It allows us to enumerate better who does good work and who doesn't.
And making this transparent will help showing thate there is an issue
and maybe also be a motivation for people to change

But I've said that before.

Best
Serge


-- 
Dr. Serge Droz
Chair of the FIRST Board of Directors
https://www.first.org



signature.asc
Description: OpenPGP digital signature

Re: [anti-abuse-wg] 2019-04 Discussion Phase (Validation of "abuse-mailbox")

[Serge Droz via anti-abuse-wg]

Hi All

I think this is a good policy.

We can always find use cases where it fails, but it will help in some
cases.

And if some one is not able to answer an e-mail every six month, there
are probably underlying issues. Also the argument, that the bad guys
flood the mailbox is not really acceptable. It just means you can't
filter spam.

The proposal does not check how the reports are used. But it helps us to
enumerate organizations, that don't act, coming up with various excuses,
along the lines the best problems are some one else's problems, so let's
make it some on else's problem.

The fact is: Most mature organizations are perfectly capable of handling
such mail boxes, even if they have a high load.

Coming from the incident response side, I'm tiered of people constantly
telling me, that issues are not their problem

Best
Serge





On 28.04.20 16:01, Petrit Hasani wrote:
> Dear colleagues,
> 
> A new version of RIPE policy proposal, 2019-04, "Validation of
> "abuse-mailbox"", is now available for discussion.
> 
> This proposal aims to have the RIPE NCC validate "abuse-c:" information
> more often and introduces a new validation process.
> 
> Most of the text has been rewritten following the last round of
> discussion and the proposal is now at version 3.0. Some key points in
> this version:
> 
> - The abuse-mailbox should not force the sender to use a form
> - The validation process must ensure that the abuse mailbox is able to
> receive messages
> - The validation should happen at least every six months
> 
> You can find the full proposal at:
> https://www.ripe.net/participate/policies/proposals/2019-04
> 
> As per the RIPE Policy Development Process (PDP), the purpose of this
> four-week Discussion Phase is to discuss the proposal and provide
> feedback to the proposer.
> 
> At the end of the Discussion Phase, the proposer, with the agreement of
> the Anti-Abuse Working Group Chairs, will decide how to proceed with the
> proposal.
> 
> We encourage you to review this proposal and send your comments to
>  before 27 May 2020.
> 
> Kind regards,
> --
> Petrit Hasani
> Policy Officer
> RIPE NCC
> 
> 
> 
> 
> 

-- 
Dr. Serge Droz
Chair of the FIRST Board of Directors
https://www.first.org



signature.asc
Description: OpenPGP digital signature

Re: [anti-abuse-wg] @EXT: RE: RIPE NCC Executive Board election

[Serge Droz via anti-abuse-wg]

Hi David

Thanks for the feedback.

- UN GGE:

The 2015 group came up with a consensus report:
https://www.un.org/ga/search/view_doc.asp?symbol=A/70/174

The 2017 failed. Personally I think, because the rising tensions in the
global political climate, but that's another discussion. And I feat the
current GGE as well as the OEWG will face the same fate. These are not
good times for international state agreements. I completely agree with
your assessment here.

Re RIPE: I guess so.

But if RIPE is seen as representing the community, than it should be ok
for RIPE to enforce the community view.

It was said here before: If we fail as an informal community here, than
others will take this into their hands, and that will likely no procude
a better result.

Best
Serge



On 19/04/2020 00:07, David Conrad wrote:
> Serge,
> 
> On Apr 17, 2020, at 2:15 AM, Serge Droz via anti-abuse-wg
> mailto:anti-abuse-wg@ripe.net>> wrote:
>> Even the UN (through the UN GGE and the OEWG, create norms for
>> responsible behavior in cyber space.
>>
>> There is nothing that stops us from doing the same in this corner of
>> internet policy.
> 
> Perhaps not the best example.  UN "Global Group of Experts” (GGE) tried
> to come up with “cyber norms", but ultimately failed to get their norms
> accepted (that is, they were unable to come to consensus on the final
> report).  As a result, another round of UN
> GGE (https://www.un.org/disarmament/group-of-governmental-experts/)
>  kicked off and a parallel effort, the Open Ended Working Group, is also
> trying to come up with a set of cyber norms, albeit with a larger set of
> players. 
> 
> However, the reason (in my view) the UN cyber norm efforts have failed
> to date is the same reason we see failures to come up with agreed upon
> policies here: the norms would impact self-interest in a way that is
> unacceptable to parties who have the ability to derail progress. 
> 
>> Neutrality does not imply the absence of values. If we want the internet
>> to be usable and safe for users, we need to come up with what is
>> acceptable behavior and what is not. 
> 
> My impression is that the issue that derails consensus here is whether
> or not RIPE-NCC is the appropriate enforcer of “acceptable behavior”.
> 
> Regards,
> -drc
> 

-- 
Dr. Serge Droz
Chair, Forum of Incident Response and Security Teams (FIRST)
Phone +41 76 542 44 93 | serge.d...@first.org | https://www.first.org

Re: [anti-abuse-wg] RIPE NCC Executive Board election

[Serge Droz via anti-abuse-wg]

HaHa

> Your post brought a smile to my face.

So I already made the world a better place ;-). And I'm a bit surprised
by your statement. Ever since I have been in the security community
you've been around you've always helped when you could.

I have it more with Martin Luther who  allegedly  said: If I knew the
world would end tomorrow, I'd still plant an apple tree today.

I guess he didn't argue for days what an Apple tree is, and which kind
to plant ;-)

Best
Serge


-- 
Dr. Serge Droz
Chair of the FIRST Board of Directors
https://www.first.org

Re: [anti-abuse-wg] Fw: Re: @EXT: RE: RIPE NCC Executive Board election

[Serge Droz via anti-abuse-wg]

Hi Javier


> Many times we have hackers perfectly located, many are kids with a lot
> of ability to annoy, but little to protect themselves (we often find
> them in forums)
> 
If many hackers are kids, we don't have legal problem, but we fail as
society. I think it's beyond the scope of the WG to address this
problem. But I do feel, that states need to also take care of children
that show talent in cyber matters. We do it for athletes, making sure
these kids can spend their energy in sorting competition rather than
some destructive behaviour.
Cyber Criminals are good at spotting and fostering talent in foras. No
on get's up in the morning and say, gosh today I become a cyber criminal.

Best
Serge



-- 
Dr. Serge Droz
Chair of the FIRST Board of Directors
https://www.first.org

Re: [anti-abuse-wg] @EXT: RE: RIPE NCC Executive Board election

[Serge Droz via anti-abuse-wg]

I second that

In fact there is much more than just codified law. For example most of
the international law ha never been codified, refereed to as customary
law, but is still enforceable in court.

What we re talking about here are so called Norms: Often non-binding,
Norms describe expected behavior. I give you a simple example: Ther is
now law, that say you must wash yourself. But try to to do so for a few
weeks, and then (once Covid-19 is over) go into a full bus and see what
happens.

This oversimplifies. But we can and should have norms that make the
internet function well. And in fact there are over 160 norms that
specifically apply to cyber space.

Even the UN (through the UN GGE and the OEWG, create norms for
responsible behavior in cyber space.

There is nothing that stops us from doing the same in this corner of
internet policy.

Neutrality does not imply the absence of values. If we want the internet
to be usable and safe for users, we need to come up with what is
acceptable behavior and what is not. There may be a time where these are
tested in court, but until then let's just make sure we give our best to
keep the internet safe and free from criminals.

Best
Serge



On 17.04.20 11:05, Marcolla, Sara Veronica wrote:
> Sure, respecting the legal framework is the basis of our legal systems,
> and abiding to rules and legal procedures is paramount. This said,
> private companies can themselves act in such a way to discourage
> criminals to take advantage of their resources, through having rules in
> place that disallow certain behaviours.
> 
>  
> 
>  
> 
> Kind regards,
> 
> * *
> 
> *Sara Marcolla*
> 
>  
> 
> *Europol - *O3 European Cyber Crime Centre (EC3)
> 
> www.europol.europa.eu 
> 
>  
> 
>  
> 
>  
> 
> *From:*Maxi 
> *Sent:* 17 April 2020 10:58
> *To:* Marcolla, Sara Veronica 
> *Subject:* Re: @EXT: RE: [anti-abuse-wg] RIPE NCC Executive Board election
> 
>  
> 
> Dear Sara,
> 
> This is not a personal attack on you, but I would handle your request
> like every other request from the police -> Go get a court order. 
> 
>  
> 
> When the RIPE would decide to block off abusive behaviour with out
> external orders, wouldn’t that open the RIPE to stuff like: “Hey in our
> country this and this party is abusive, lets delete the resources of them”?
> 
>  
> 
> So no, I would not want the RIPE to make such decisions on her own. 
> 
>  
> 
> Maxi
> 
>  
> 
> Impressum:
> Zeug e.K.
> Hochstraße 15
> 92637 Theisseil
> 
> Inhaber: Maximilian Schieder
> 
> Telefon: 015678 572314
> E-Mail: m...@zeug.co 
> 
> Registergericht:
> Amtsgericht Weiden in der Oberpfalz Registernummer: 
> HRA 2907
> 
>  
> 
>  
> 
> 
> 
> On 17. Apr 2020, at 10:54, Marcolla, Sara Veronica
>  > wrote:
> 
>  
> 
> Hi Maxi,
> 
>  
> 
> Technical innovation can be harnessed for social good, but just as
> readily for nefarious ends. This is truer of cybercrime than of
> perhaps any other crime area. And cybercriminals are also getting
> more aggressive. That’s why Europol and its partner organisations
> are taking the fight to them on all fronts.
> 
>  
> 
> Encouraging all members of the Internet community to join the fight
> against crime is one of the objectives of the Cybercrime centre, and
> working together with public-private partnerships is the best way to
> achieve these results. If you are interested, you can find out more
> on our official
> website: 
> https://www.europol.europa.eu/crime-areas-and-trends/crime-areas/cybercrime.
> 
>  
> 
>  
> 
> Kind regards,
> 
> * *
> 
> *Sara Marcolla*
> 
>  
> 
> *Europol - *O3 European Cyber Crime Centre (EC3)
> 
> www.europol.europa.eu 
> 
>  
> 
>  
> 
>  
> 
> *From:* anti-abuse-wg  >*On Behalf Of *Maxi
> *Sent:* 17 April 2020 10:43
> *To:* anti-abuse-wg@ripe.net 
> *Subject:* Re: [anti-abuse-wg] RIPE NCC Executive Board election
> 
>  
> 
> Hey,
> 
> Is this the official point of view from Europol?
> 
> If so, please have in mind that the RIPE NCC has to follow certain
> court rules. The RIPE NCC should stay neutral, because only courts
> could decide if something is illegal or not.
> 
>  
> 
> //Maxi
> 
>  
> 
> Impressum:
> Zeug e.K.
> Hochstraße 15
> 92637 Theisseil
> 
> Inhaber: Maximilian Schieder
> 
> Telefon: 015678 572314
> E-Mail: m...@zeug.co 
> 
> Registergericht:
> Amtsgericht Weiden in der Oberpfalz Registernummer: 
> HRA 2907
> 
>  
> 
>  
> 
>  
> 
> ***
> 
> DISCLAIMER : This message is sent in confidence and is only intended
> for the named recipient. If you receive this message by mistake, you
>

Re: [anti-abuse-wg] RIPE NCC Executive Board election

[Serge Droz via anti-abuse-wg]

Hello List

I've been, mostly passive, on this list for quite a while. I must say we
really excel in terms of abusing each other. And I agree with Ronald, we
seem to fail coming forward with even partial solutions to prevent
abuse. I am disappointed by the tone on this list. One can, and should
disagree on topics, but one should not loose the common goal, reduce
abuse in our case. I fear we are doing just that.

Maybe the striving for a perfect solution, that has no side effects is
not the right approach. Criminals don't mind side effects, and maybe
rather than avoiding them we should try to control and minimize them.

While I'm not the right person to determine what topics are appropriate
for the list, I don't see any harm in asking people to maybe consider
viable candidates for board positions. We can discuss the tone. This
group repeatedly pointed out the importance of a bottom up, democratic
governance structure for RIPE. I'd argue, that a good selection of
candidates for such a position is the basis for this.

I would hope for the abuse WG to become a little more pragmatic and
positive thinking when trying to come up with solutions to fight abuse.
"Divide and conquer" is a concept criminals thrive on too.

Having said that, I wish everyone good health and and a hopefully
enjoyable weekend.

Best
Serge

-- 
Dr. Serge Droz
Chair of the FIRST Board of Directors
https://www.first.org

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Serge Droz via anti-abuse-wg]

Hi All

How about we just try this for a year and then take stock?

Best
Serge


On 16/01/2020 18:07, Andreas Worbs wrote:
> I'm completely with you.
> 
> For our US-AS i verify my contact once a year: open the mail, click the
> link, verify my data and that's it. You don't even need 5 minutes for it.
> 
> If you have an automation fpr your abuse mails? Ok, you have to adjust
> your configuration a little bit but you have to do this only once. Is it
> really a problem?
> 
> RIPE NCC will not deregister your ressources right now just because you
> missed the verification.
> 
> I would be happy if we have a mandatory abuse-c which is validated by
> the RIPE.
> 
> Rather go forward step-by-step than stop here for years. Stagnation
> means regression.
> 
> Have a good night,
> 
> Andi
> 
> Am 16.01.20 um 09:41 schrieb Serge Droz via anti-abuse-wg:
>> Hi All
>>
>> I think we already spent way more executive time on this thread than it
>> would cost us to verify e-mail addresses.
>>
>> I agree e-mail does not solve all the problems. It's hard to
>> automatically process, .
>>
>> But it is simple to use, and from my work as an incident handler it did
>> do me good in the past. I participate in fora that validate
>> abuse/emergency addresses. WHen I ask these people what their issues in
>> daily life are it's never we have to validate or contact e-mail.
>>
>>
>> And honestly: taking a step back and reading this entire thread, I'm not
>> surprised that the bad guys are winning. You know: They don't care about
>> the purty and beauty of a solution. They just do it and profit, and
>> probably have a fabulous time seeing us argue and go at each others
>> throats.
>>
>> I think we could do better.
>>
>> Best
>> Serge
> 

-- 
Dr. Serge Droz
Chair, Forum of Incident Response and Security Teams (FIRST)
Phone +41 76 542 44 93 | serge.d...@first.org | https://www.first.org



signature.asc
Description: OpenPGP digital signature

Re: [anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox")

[Serge Droz via anti-abuse-wg]

Hi Volker

On 16/01/2020 15:03, Volker Greimann wrote:
> isn't making the world (and the internet) first and foremost a job of
> law enforcement agencies like the police and Europol?

Law enforcement's job primarily is arresting criminals. And yes they do
prevention. But you can't stop locking your door or walk by fight just
ignoring it, because it's LEA's job.

This is even more true on the internet, where CERT's have long been
working together fighting cybercrime etc.

While there obviously is an appeal to the notion of "The best problems
are some one else's problem" my believe is we don't want to have an
internet or a world, for that matter, where this is how things run. The
internet is a bottom up thing, it is so cool because people follow
protocols, that are not law.

There was a time whn this wasn't a given: During the "Browser wars"
different producer leveraged ambiguities in the HTML standard, and the
end result was horrible.

We don't want this. If we delegate the problem, we've already lost.

Best
Serge



-- 
Dr. Serge Droz
Chair, Forum of Incident Response and Security Teams (FIRST)
Phone +41 76 542 44 93 | serge.d...@first.org | https://www.first.org

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Serge Droz via anti-abuse-wg]

Hi All

I think we already spent way more executive time on this thread than it
would cost us to verify e-mail addresses.

I agree e-mail does not solve all the problems. It's hard to
automatically process, .

But it is simple to use, and from my work as an incident handler it did
do me good in the past. I participate in fora that validate
abuse/emergency addresses. WHen I ask these people what their issues in
daily life are it's never we have to validate or contact e-mail.


And honestly: taking a step back and reading this entire thread, I'm not
surprised that the bad guys are winning. You know: They don't care about
the purty and beauty of a solution. They just do it and profit, and
probably have a fabulous time seeing us argue and go at each others
throats.

I think we could do better.

Best
Serge
-- 
Dr. Serge Droz
Chair, Forum of Incident Response and Security Teams (FIRST)
Phone +41 76 542 44 93 | serge.d...@first.org | https://www.first.org

Re: [anti-abuse-wg] working in new version of 2019-04 (Validation of "abuse-mailbox")

[Serge Droz via anti-abuse-wg]

Hi All

So maybe a word from an "Incident Responder".

I do feel very much, that we should have an abuse conntact, and it
should be tested to wok, in the sense that some one reads the mail sent
there.

Here are my reasons:

- Having such a mailbox may increase the pressure for orgs to actually
do something. My experience from previous job showed, that keep sending
abuse reports, despite complaints about "spam" eventually convinced a
lot of orgs to act. Essentially you take away the excuste "Oh, but we
didn't know"

- Even for orgs that don't react having such a conntact helps, because
it allows us to build up a history of ignored requests, which cann then
be used to reminde these orgs that they actually are part of the
problem. It is a sad fact, that a threat to your reputation, even if
it's only in colsed community, seems to sometimes help convincing said
org to reract. Finally if, at some state more drastic action would be
necessary (Think Russian Bussines Network at the time), you can build a
case.

- Lastly: It makes our life as Incident responders easier to have a
uniform way of sending reports, even if not all of them are followed up.

I kind of don't buy into "There is no point on placing a burden on orgs
that choose not to act".

Best
Serge

On 15/01/2020 08:23, Carlos Friaças via anti-abuse-wg wrote:
> 
> Hi,
> 
> I obviously don't speak for the incident handling community, but i think
> this (making it optional) would be a serious step back. The current
> situation is already very bad when in some cases we know from the start
> that we are sending (automated) messages/notices to blackholes.
> 
> To an extreme, there should always be a known contact responsible for
> any network infrastructure. If this is not the case, what's the purpose
> of a registry then?
> 
> Regards,
> Carlos
> 
> 
> 
> On Tue, 14 Jan 2020, Leo Vegoda wrote:
> 
>> On Tue, Jan 14, 2020 at 1:48 AM Gert Doering  wrote:
>>
>> [...]
>>
>>> A much simpler approach would be to make abuse-c: an optional attribute
>>> (basically, unrolling the "mandatory" part of the policy proposal that
>>> introduced it in the first place)
>>
>> This seems like a simple approach for letting network operators
>> indicate whether or not they will act on abuse reports. If there's no
>> way of reporting abuse then the operators clearly has no processes for
>> evaluating reports, or acting on them. This helps everyone save time.
>>
>> Regards,
>>
>> Leo Vegoda
>>
> 

-- 
Dr. Serge Droz
Chair, Forum of Incident Response and Security Teams (FIRST)
Phone +41 76 542 44 93 | serge.d...@first.org | https://www.first.org

Re: [anti-abuse-wg] [Misc] Research project on blacklists

[Serge Droz via anti-abuse-wg]

Hi Andreas

I echo Barry's views on the research.

Some valid points, but it's a pity that you tend to void them by mostly
telling others that they are stupid.

I like your idea about studying why certain practices occur. So why not
find a University that is interested in starting a project on this?

Best
Serge


On 18/07/2019 07:20, ac wrote:
> 
> Oh. Lets look more at this then.
> 
> "UC Berkeley" - USA
> "International Computer Science Institute"
> "evaluating and improving the accuracy of blacklists." 
> "including a web link, which is tracked and cross tracked"
> "an anonymous survey"
> 
> Dude, let us be frank: On this list we discuss abuse, in the open and
> directly. People on this list has "skills" and can all be anonymous on
> this list, if they wish to, in fact, many are. (I do not and I am not
> private)
> 
> We are talking about email blacklists? right? as the routing blacklists
> do not bother the evil tech monopolies!
> 
> It is a fact that the spam from the top ten USA tech companies are the
> most challenging abuse on the planet - as this type of abuse, is the
> hardest to combat. - Twitter does not even accept abuse complaints.
> Facebook does not care and Google mixes spam with ham all the time to
> defeat email blacklists
> 
> Why not study the reasons for the percentage increase in the use of
> inspection/tracking/non private/invasive anti abuse technologies in use
> by the largest email and dominant players, Google and Microsoft, of
> ipv6 and the reason why these huge tech players HAVE to push for ipv6
> email servers relay to ensure their future dominance of email relay?
> 
> Instead of "My colleagues and I are working on evaluating and improving
> the accuracy of blacklists"
> 
> As, imnsho, that is absolute USA bullshit. and is not even possible.
> 
> I would go sofar as to state that such research is not intended to
> "improve" anything but to cement the monopolies we fight daily and is
> on the EVIL side of the fight.
> 
> Andre
> 
> 
> 
> On Wed, 17 Jul 2019 10:01:16 -0700
> Barry Greene  wrote:
> 
>> Not a joke. 
>>
>> Just a researcher exploring ways to quantify and measure. Always
>> important to have the academic doing the due diligence on our
>> operational assumptions.
>>
>>> On Jul 17, 2019, at 07:40, ac  wrote:
>>>
>>>
>>> This is a joke email, right?
>>>
>>> Is it the 1st of April already? :)
>>>
>>> Andre
>>>
>>> On Wed, 17 Jul 2019 13:42:21 +0200
>>> Anushah Hossain  wrote:
>>>   
 Hi everyone,

 I'm a researcher at UC Berkeley and the International Computer
 Science Institute. My colleagues and I are working on evaluating
 and improving the accuracy of blacklists. As part of this work,
 we'd like to hear from you about the blacklists you currently use,
 what you perceive as their strengths and weaknesses, and any
 thoughts you have on how they might be improved.

 We've prepared an anonymous survey where you can share your views:

 If you have five to ten minutes free today to fill it out, I would
 greatly appreciate your help! Thank you, and please don't hesitate
 to respond to me with comments or questions.

 (Apologies if you receive this message twice - trying to minimize
 cross-posting while still reaching a broad audience)

 Best,
 Anushah
   
>>>
>>>   
> 
> 

-- 
Dr. Serge Droz
Chair, Forum of Incident Response and Security Teams (FIRST)
Phone +41 76 542 44 93 | serge.d...@first.org | https://www.first.org

Re: [anti-abuse-wg] 2019-03 and over-reach

[Serge Droz via anti-abuse-wg]

There are different things that can habbe.

What we are talking here is a breach of contract, i.e. two parties agree
on something and then one one does not stick to the agreement. This is
typically handled under civil law. The parties can agree agree to
whatever actions.

Then there is criminal law, which is a different matter. Stealing power
is probably illegal under criminal law in most places. Hijacking a BGP
prefix, I don't know, it may be, but there is most likely no law that
says "Hijacking a BGP prefix is illegal" But it may be illegal to
disrupt a communication service. That needs to be checked.

Now the police typically only must act in serious crimes (murder), but
can act on lesser charges (petty theft). There is no equality when you
are breaking the law.

What we are talking here is contractual issues. You can do agree to
*almost* anything in a contract, but only almost. This is important and
is here to prevent misuse of the party delivering a service.

So i suggest we consider this whole thing as
- We try to fix a contract, so RIPE has the possibility to stop certain
bad behaviour.
- We are not taking people to court in this (one could add a sentence to
that effect) But we're not in the policing business.
- We don't know how effective this new clause will be, it may not help,
because the bad guys come up with another idea, or because it creates
too much work, or whatever. In any case, we then can always abolish it.

Personally I'd say let's try to find obvious problems, fix these in the
policy proposal and then try it out.

Cheers
Serge

PS: I'm not a lawyer, but I happen to be involved in such issue a lot
lately.








On 23.03.19 07:02, Lu Heng wrote:
> Emm...so if someone steal your house you will take your staff back from
> his home without police and court? Because you “admin” your staff?
> 
> Try that next time and try your best explain to the judge why you think
> he took your staff give you rights to become police.
> 
> On Sat, Mar 23, 2019 at 18:50 ac mailto:a...@main.me>> wrote:
> 
> On Sat, 23 Mar 2019 18:29:55 +0800
> Lu Heng mailto:h...@anytimechinese.com>>
> wrote:
> > When you stealing electricity the electricity company will not cut
> > your electricity at home but report you to the policy.
> >
> > No one saying stealing is ok, but no one agrees electricity company
> > should have policing power.
> >
> 
> bottom line: you can do what you like with your electricity but the
> electricity company cannot allow you to just take any electricity as
> the electricity company is responsible for the administration of the
> electricity.
> 
> not stopping you from taking someone else's electricity is not a
> "policing" or "judicial" thing - it is an administrative power as this
> is the primary job of the electricity company: administer the
> electricity.
> 
> otherwise why have an electricity company at all?
> 
> just let anyone use any electricity they like.
> 
> this is a stupid thread.
> 
> 
> >
> >
> > On Sat, Mar 23, 2019 at 18:27 ac mailto:a...@main.me>>
> wrote:
> >
> > > On Sat, 23 Mar 2019 18:04:22 +0800
> > > Lu Heng  > wrote: 
> > > >
> > > > It’s very much like electricity company tell you if you do
> > > > something bad we will cut you off and stop supply electricity.and
> > > > yes, they will cut you if you stop paying them, but that doesn’t
> > > > mean they can 
> > >
> > > they also cut if you cheat by stealing electricity.
> > >
> > > you not talk about stealing but you and Nick talk about how use
> > > electricity.
> > >
> > > use any way you like, ripe not internet police, but you no steal,
> > > okay?
> > > > make themselve self juridical court in any bad thing happen in
> > > > this world.
> > > > 
> > > not every bad thing, just administrative duty to say stealing is
> > > stealing.
> > >
> > > stealing not the same as using electricity to fry naughty neighbor
> > > in chair.
> > >
> > > stealing is when you no pay for electricity you use to fry
> > > neighbor, see?
> > >
> > > you use for anything bad, this your business, ripe not judicial
> > > court, administrative authority.
> > >
> > > but you no hijack, okay?
> > > 
> > > > Internet, or registry, are starting if not already is, become
> > > > part of base infrastructure of the society, but that does not
> > > > give us any rights in the society to become the supreme court of
> > > > the society, just like your water company or electricity company
> > > > won’t judge you for what you use water or electricity for.
> > > >
> > > >
> > > >
> > > > On Sat, Mar 23, 2019 at 16:54 ac  > wrote:
> > > > 
> > > > >
> > > > > ugh, english. I do not mean external as in outside I meant
> 

Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

[Serge Droz via anti-abuse-wg]

I agree two years are long.

But if we assume it's always the same few black sheep that engage in
this activety, then it's worth going that route.

If that is not the case, then I would suggest to change the termination
process in a second step. We would then have good arguments supporting
this.

Typically trying to pack too much in one change triggers rejection.

Cheers
Serge


On 20.03.19 08:57, Gert Doering wrote:
> Hi,
> 
> On Wed, Mar 20, 2019 at 09:53:02AM +0200, Hank Nussbacher wrote:
>>> So that's a fairly effective way to sanction abusive behaviour.
>>
>> The amount of time that will transpire from the time of abuse and a LIR 
>> closed and their resources withdrawn can well be in excess of a year if 
>> not two years.
>>
>> Is that the end result we are looking for?
> 
> I would hope that *having* a way to sanction abusive behaviour would
> deter criminals from doing so in the first place.  Today, not enough
> people care, and playing havoc with BGP (intentional or accidentially) 
> has hardly any consequences at all.
> 
> OTOH, these are the questions that make me undecided on the proposal :-)
> 
> Gert Doering
> -- NetMaster
> 

-- 
Dr. Serge Droz
Member of the FIRST Board of Directors   Senior Advisor
https://www.first.orghttps://www.ict4peace.org



signature.asc
Description: OpenPGP digital signature

Re: [anti-abuse-wg] Google Privacy Abuse

[Serge Droz via anti-abuse-wg]

Dear Ac & Fi

That was what I was replying to Fi's comment:

> If opera (like chrome, edge or firefox) check the URL to see if it
> is "dangerous" (a phishing URL etc) then that is logged on their
> end, when it checks the database to see if the link has been
> flagged.


Re:
> It is a simple technical fact that ISP's etc - Do Not Have, receive or
> are able to read the actual URL. - Please do see the https protocol
> itself, for additional information.

Read my answer again: It said they can see it if it is http, but not if
it is https.

Would you agree?

Re Fi's Question:
> Please provide your source of information that chrome browsers rely on a 
> local blacklist.

See https://blog.chromium.org/2012/01/all-about-safe-browsing.html

You can verify this yourself by looking at browser trafic with a MITM
setup, e.h. using sslsplit


Best
Serge




-- 
Dr. Serge Droz
Member of the FIRST Board of Directors   Senior Advisor
https://www.first.orghttps://www.ict4peace.org

Re: [anti-abuse-wg] Verification of abuse contact addresses ?

[Serge Droz via anti-abuse-wg]

Hi

I'm fairly new here. This is a formidable task, and not easily achieved.
So kudos to RIPE for doing this. The abuse contacts already there helped
me a lot.

I don't appreciate people who can't even stand up with their real names,
just pointing out that others are lame.

We make this a better world by helping with advice that empowers, not
with diminish comments.

Cheers
Serge


On 08.03.19 11:40, Shane Kerr wrote:
> Fi Shing,
> 
> I'm sure verifying the delivery of 70k e-mails (or however many is in
> the database) can be done in a few hours.
> 
> But Marco's response mentions to *correcting* the contact addresses, not
> just verifying them. That involves working with human beings, so it
> makes sense that it will take a while.
> 
> Cheers,
> 
> -- 
> Shane
> 
> On 08/03/2019 11.07, Fi Shing wrote:
>> If it takes more than a week to verify your entire database, there is
>> the first sign that something is wrong with your system.
>>
>>
>>      Original Message 
>>     Subject: Re: [anti-abuse-wg] Verification of abuse contact
>> addresses ?
>>     From: Marco Schmidt mailto:mschm...@ripe.net>>
>>     Date: Thu, March 07, 2019 10:03 pm
>>     To: "Ronald F. Guilmette" >     >,
>>     anti-abuse-wg@ripe.net 
>>
>>     Hello Ronald,
>>
>>     We are planning to publish an updated timeline soon.
>>
>>     Ultimately, our implementation will depend of the level of
>> cooperation
>>     we get from LIRs and the nature of issues that need to be fixed
>> before
>>     an abuse contact can be updated (for example, some organisations may
>>     need to reset their maintainer password).
>>
>>     Over the next few weeks we will be analysing our progress, to make a
>>     realistic estimation. From observations so far, we think we might be
>>     able to finish our initial validation of all abuse contacts within
>> six
>>     months - but it is still too early to make any strong predictions.
>>
>>     Kind regards,
>>     Marco Schmidt
>>     RIPE NCC
>>
>>
>>     On 05/03/2019 21:51, Ronald F. Guilmette wrote:
>>     > In message <9c95c110-d5a3-e94a-6b3c-b02030736...@ripe.net
>>     >,
>>     > Marco Schmidt mailto:mschm...@ripe.net>> wrote:
>>     >
>>     >> It is correct that the implementation phase is still ongoing.
>> Currently
>>     >> we are validating all the abuse contact information referenced
>> in LIR
>>     >> organisation objects. Then we will proceed with the validation
>> of abuse
>>     >> contacts referenced in LIR resource objects - the example that you
>>     >> mentioned belongs to this group. And finally all abuse contacts
>>     >> referenced in End User (sponsored) objects will be validated.
>>     > Thanks for the info Marco.
>>     >
>>     > I guess the only question I would ask is this:  Is there a
>> published
>>     > timeline for how this whole process is planned to play out, and for
>>     > when it is planned to be completed?
>>     >
>>     >
>>     > Regards,
>>     > rfg
>>     >
>>
>>
> 
> 

-- 
Dr. Serge Droz
Member of the FIRST Board of DirectorsSenior Advisor ICT4Peace
https://www.first.org https://www.ict4peace.org