Proposal To Limit ISP Contact Data Draws Fire 100
An anonymous reader writes "A proposal to let Internet service providers conceal the contact information for their business customers is drawing fire from a number of experts in the security community, who say the change will make it harder to mitigate the threat from spam and malicious software, according to a story at Krebsonsecurity.com. From the piece: 'The American Registry for Internet Numbers (ARIN) — one of five regional registries worldwide that is responsible for allocating blocks of Internet addresses — later this month will consider a proposal to ease rules that require ISPs to publish address and phone number information for their business customers. Proponents of the plan couch it in terms of property rights and privacy, but critics say it will only lead to litigation and confusion, while aiding spammers and other shady actors who obtain blocks of addresses by posing as legitimate businesses.'"
This should be simple... (Score:4, Interesting)
Person A says to cops: "I received spam. Here is copy."
Cop identifies IP.
Cop says to provider "Give me billing info on this IP b/c of spam."
Provider gives billing info. If not, does so after quick court order. If still not, gets shut down.
Cop contacts business. If hijacked computer, refers to techies. If not hijacked, quick court case by DA. IF spam, gets shut down and pays large statutory damages and prohibited from using net again for X years.
Or something like that.
The problem is having a quick, efficient, and intelligent police response in place, and having people know where they can go to get it. We will never stop spam unless we decide to commit sufficient resources to doing so.
We might use civil causes of action, class actions, and/or private atty general statutes. (But have to be careful to limit abuse.)
Corporations have no privacy protections (Score:1, Interesting)
Corporations are NOT people. Therefore, they have no "privacy" expectations or rights to such.
They are PUBLIC corporations. I see no reason to extend the rights that individual PEOPLE enjoy to corporations, which by their inherent creation, are PUBLIC entities.
If they have nothing to hide, well, then why are they asking to be hidden? (I know this is a fallacious argument, but when corporations and the government (and their cheerleaders) apply it to people, why can't it be applied similarly to corporations?)
Corporations can't have it both ways, all the rights of actual living people without all of the OBLIGATIONS that actual living people must also comply with, including and up to that final eventuality of dying and ceasing to exist.
We have actually endorsed this proposal. (Score:1, Interesting)
At least with this proposal providers could implement their whois servers and actually leave them up and running all the time, rather than only turning them on when working with ARIN to receive another IP allocation (common practice in the industry), which doesn't really help anybody when they are down.
Re:Get rid of "private" domain registrations first (Score:5, Interesting)
You have a license plate on your car that's publicly viewable, and you don't have the right to obstruct/hide it. What's the problem with that?
A license plate is an indexed key. To actually obtain the data associated with the key, you have to be in a position of authority (e.g. a police officer).
You have an address on the door to your place that's publicly viewable. What's the problem with that?
You're already there.
You have a face that's publicly viewable when you go on the street - and you don't have the right to wear a mask to hide it, What's the problem with that?
You don't? Tell that to Anonymous.
You have your name, address, bank account number and signature on any cheques you write. What's wrong with that?
You can contest things that happen to your bank account. Nonetheless, I don't let just anyone have the information on my checks.
You have your medical condition and contact info listed on your MedicAlert bracelet. What's wrong with that?
No, I don't. :^P Further, even if I did, people have to get close enough to view it. It's not in a publicly accessible database, like WHOIS data for domains.
I like the ability to anonymously post information to the internets. Part of that is the ability to be free from WHOIS spam as part of a domain registration.
Re:This should be simple... (Score:2, Interesting)
... after quick court order. If still not, gets shut down. Cop contacts business. If hijacked computer, refers to techies. If not hijacked, quick court case by DA. IF spam, gets shut down and pays large statutory damages and prohibited from using net again for X years.
The trouble is, that stuff costs money. And ignoring/filtering spam doesn't. I'd rather keep my money (and have to deal with spam) than pay higher taxes to fight it.
Re:Get rid of "private" domain registrations first (Score:3, Interesting)
Spammers need a legit server to receive those clicks. See how I tracked down one spammer half an hour ago [slushdot.com] to learn more.
Pay particular attention to the section around the "Directory Listing Denied" segment.
You might also want to help ...
I'm still waiting for the "year of the linux desktop", so I don't hold out much hope for end-user education :-)
Re:This should be simple... (Score:2, Interesting)
Cop identifies IP.
And since the upstream has kept the ISP's information private, to prevent other providers from seeking their contact details, the Cop is going to have a very fun time.
Suppose the user was not a subscriber to a Tier 1 ISP.
Then there could be 3 or 4 levels of re-assignment involved, all private.
For example, the user subscribes to Mom and Pop ISP who buys data service from Xyz Co, who is a local exchange or local provider of data services in a very small region.
Said local provider buys all their internet service from Bigger Regional provider.
Finally, Bigger Regional provider buys all their transit service from UUnet.
Since none of the other ISPs are particularly large, and none multihomed, possibly none of them have an AS number, except UUnet.
Cops will find "UUnet" as the only listed owner of the IPs.
They will call UUnet and spend a few hours on the phone figuring out what regional provider the IPs belong to.
Then they get to call the regional provider and spend a few hours on the phone figuring out what local city data provider the IP address belongs to, and what their contact info is.
By the time they have gotten that info, it's off-hours, they try to call, but they are closed (small provider, no 24x7 administrative contact for the cops to call)
Next day, they call local city provider, to figure out small ISP's contact details. Only takes a few hours of the provider wading through paperwork to research that question and (hopefully) give an accurate answer.
Next day, they call Mom and Pop ISP, only to find, their records are in complete disarray, and they have no record or immediate way to identify what subscriber the IP belongs to.
If it was a dynamic IP, perhaps they only kept the record for a few hours, the info needed is long gone.
Re:Get rid of "private" domain registrations first (Score:2, Interesting)
Then use a subdomain on a responsible person's SLD registration.
Proper contact information really is a requirement for registering a domain name.
"Domain by proxy" services are sneaky, the practice should be banned, for among other reasons (due to the fact) that the proxy service is officially the legal owner of the domain name, as far as the internet domain registry is concerned.
Re:Get rid of "private" domain registrations first (Score:2, Interesting)
You have your medical condition and contact info listed on your MedicAlert bracelet. What's wrong with that?
A Medic...what??? Of course I do not.
You have your name, address, bank account number and signature on any cheques you write. What's wrong with that?
I have only name, bank account number, and issuing bank. No need for an address on a cheque, that's a security risk.
Also, don't write checks.... paper checks are a security risk, because they are easily forged, and should be kept locked up at all times and not used on a regular basis.
You have an address on the door to your place that's publicly viewable. What's the problem with that?
Some people do. Some people do not have an address printed on the door.
You have a face that's publicly viewable when you go on the street - and you don't have the right to wear a mask to hide it, What's the problem with that?
Huh? Of course you do. Although it may be at your peril [youtube.com]
Re:Get rid of "private" domain registrations first (Score:2, Interesting)
Real question because I don't honestly know: how much spam is actually sent from people with registered domain names who own blocks of IP addresses? How does this number compare to the spam sent from compromised Windows machines that participate in various botnets? If the latter is a much larger source, then this looks more like another ineffective feel-good measure.
You realize, these are not disjoint sets?
There are a lot of Windows machines on the networks of companies that hold IP addresses.
These are business networks, and often they are a source of spam. Often other people need to contact them to give them a friendly alert that some of their machines are sending spam, so they can deal with the infection.
Often residential users who are not on business networks with their own IP addresses, have ISPs that block or filter port 25.
Basically, if you have your own IP addresses, and your own network, then you have a responsibility to be contactable so you can mitigate abuse.
If you are a single user without IP addresses of your own, then your ISP is your network manager (to an extent, obviously they won't come to your house and clean the infection for you, and it's not ISP support's job to walk you through cleaning or fixing your infections, either, although some ISPs will offer this service, probably at substantial additional cost).