
Wednesday, 25 June 2014



Thanks for the clarifications. I've corrected.

I think we agree that "Finally, and most importantly, we have no sense of either the problem we are trying to solve or how this "solution" does anything to solve it."

You're absolutely right. And the purpose of my post was to (a) ask you to share data so that (b) security researchers could study the questions I've listed to determine whether we are solving a(ny) problem.

As importantly, you can't follow this up with:

"The harm, to hundreds of thousands of registrants is now demonstrable."

with credibility without sharing the data, as I ask. I'm sympathetic if a health care provider's web site goes offline but less so if they submitted a false email address: that's on the provider's IT staff. Is this an outlying case or have 1000s of health care providers been similarly affected? I can't tell without the data. What I can tell is that 10,000s of _new_ registrations are algorithmically generated for botnets, or generated for phishing, illegal pharma or other spam. I can ask Spamhaus, APWG, or SURBL to share these with you. And the whois is routinely inaccurate or incomplete.

Last point. Yes, bad actors will try to circumvent security measures. I've never imagined that any single security measure was a silver bullet and I don't think this one is, either. Ideally, we would continue to add validation measures to make it increasingly hard for circumvention and collectively they become formidable enough for bad actors to change behavior or make mistakes or both.

Dave, I was the one who presented the data. A couple of things you say above are incorrect/misleading.

First, you say:

"The cause for these suspensions is inaccurate domain registration data, in particular, email addresses that do not satisfy the validation criteria in the new agreement."

This is not correct. The reason is that the registrants did not respond to the validation request. There are a ton of different reasons for this, most primarily because folks like you do good work educating (and scaring people) about the dangers of clicking a link in an email. Your statement is either an assumption or a bare assertion and certainly did not come from the data I presented or the comments that followed.

Second, you state:

"To put that 800,000 figure into context - and assuming a ballpark estimate of the total count of registered domains in the gTLDs is north of 150 million – that’s less than 1 per cent."

That is misleading and not relevant. The 800k is a materially significant % of the total NEW domains registered in the time period covered. You can do your own math on that as the zone files are public, but I think the percentage will shock you.

Finally, and most importantly, we have no sense of either the problem we are trying to solve or how this "solution" does anything to solve it. The harm, to hundreds of thousands of registrants is now demonstrable. The benefit is not even asserted. Our call was to those who asked for this, primarily LEA, to at least begin to try and document the benefit. There is no evidence whatsoever that more accurate whois data will address any ills.

You know better than we do that the bad guys will have no problem dealing with validation. It is the health care providers and community groups whose websites go down that will.

Always happy to discuss.

Keep in mind that this number will increase.
At the current speed we could be looking at 1.6 million domain names in 6 months and so on.

Just a clarification for the initial premise of your article.

The 800,000 suspensions are NOT due to inaccurate whois email addresses.

They simply reflect unverified email addresses. It is theoretically possible that all of them are accurate and the users simply did not click on the verification link.

Let's avoid a bias of assuming that a suspension was due to inaccurate data.
