Slashdot Mirror


Proposal To Limit ISP Contact Data Draws Fire

An anonymous reader writes "A proposal to let Internet service providers conceal the contact information for their business customers is drawing fire from a number of experts in the security community, who say the change will make it harder to mitigate the threat from spam and malicious software, according to a story at Krebsonsecurity.com. From the piece: 'The American Registry for Internet Numbers (ARIN) — one of five regional registries worldwide that is responsible for allocating blocks of Internet addresses — later this month will consider a proposal to ease rules that require ISPs to publish address and phone number information for their business customers. Proponents of the plan couch it in terms of property rights and privacy, but critics say it will only lead to litigation and confusion, while aiding spammers and other shady actors who obtain blocks of addresses by posing as legitimate businesses.'"

  1. Businesses... by Renraku · · Score: 4, Funny

    Only for businesses, of course, since they have the money and don't mind paying extra to be untraceable. In fact, why not just go ahead and pass a law that bans popup blockers and mandates every citizen to an hour of forced ad viewing per day?

    --
    Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
    1. Re:Businesses... by mysidia · · Score: 5, Informative

      Almost correct... ARIN does not need IP addresses or contact data to be published for residential dial-in users, provided they are not assigned a /29 (or shorter prefix).

      Currently a /29 is the magic number. If you get a netblock that is larger, such as a netblock with 16, 32, 64, 256, or more contiguous IP address numbers, then the upstream provider has to publish re-assignment information and a contact.

  2. This should be simple... by Oxford_Comma_Lover · · Score: 3, Interesting

    Person A says to cops: "I received spam. Here is copy."
    Cop identifies IP.
    Cop says to provider "Give me billing info on this IP b/c of spam."
    Provider gives billing info. If not, does so after quick court order. If still not, gets shut down.
    Cop contacts business. If hijacked computer, refers to techies. If not hijacked, quick court case by DA. IF spam, gets shut down and pays large statutory damages and prohibited from using net again for X years.

    Or something like that.

    The problem is having a quick, efficient, and intelligent police response in place, and having people know where they can go to get it. We will never stop spam unless we decide to commit sufficient resources to doing so.

    We might use civil causes of action, class actions, and/or private atty general statutes. (But have to be careful to limit abuse.)

    --
    -- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
    1. Re:This should be simple... by Improv · · Score: 3, Insightful

      Not good enough. I don't want to bother the cops when I can bother the ISP, or the people hosting that ISP, and upwards. Besides, not everyone is in the US.

      Privacy is less important here than the potential for menace and the ability of people to kvetch directly at troublemakers.

      --
      For every problem, there is at least one solution that is simple, neat, and wrong.
    2. Re:This should be simple... by ShakaUVM · · Score: 3, Insightful

      I know that for my company, I'd get a lot less spam if they couldn't trawl my email address out of the registry. Fortunately, a quick filter set up gets rid of most of it.

    3. Re:This should be simple... by wowbagger · · Score: 2, Insightful

      Unfortunately, there are several problems with this:

      1) "We might use civil causes of action, class actions, and/or private atty general statutes. (But have to be careful to limit abuse.)"
        result: Cop says "Not breaking the law, not my problem, go away."

      So you have to make spamming truly against the law.

      Result: Cop says "Yea, I'll get right on that, after I go after a bunch of more interesting (read: higher fines) crimes." Considering how little the cops enforce crimes that are threats to life and limb like tailgating, I don't think there would be much interest.

      2) Jurisdiction: result: cop says "Nice, but not in my district, so not my problem. Go away." Cop in area where ISP is says "You willing to show up here to make a complaint? No? Not my problem. Go away."

      3) Assuming you make the cops care - they go to ISP "Give us the info. We have a warrant." ISP says "here's the address of the shell corporation in East Elbonia." Cop says "Not my jurisdiction. Not my problem. There a good donut shop around here?"

      The latter is what happens anyway - I used to try to go after the hundreds of IPs a day that try to infect my PC. ISPs don't care, and won't care unless you can change the law, and if you try to change the law, the ISPs will outspend you.

    4. Re:This should be simple... by GeckoAddict · · Score: 2, Insightful

      Not good enough. I don't want to bother the cops when I can bother the ISP, or the people hosting that ISP, and upwards.

      Isn't that the RIAA thought as well?

    5. Re:This should be simple... by Ornlu · · Score: 2, Interesting

      ... after quick court order. If still not, gets shut down. Cop contacts business. If hijacked computer, refers to techies. If not hijacked, quick court case by DA. IF spam, gets shut down and pays large statutory damages and prohibited from using net again for X years.

      The trouble is, that stuff costs money. And ignoring/filtering spam doesn't. I'd rather keep my money (and have to deal with spam) than pay higher taxes to fight it.

    6. Re:This should be simple... by mysidia · · Score: 2, Interesting

      Cop identifies IP.

      And since the upstream has kept the ISP's information private, to prevent other providers from seeking their contact details, the Cop is going to have a very fun time.

      Suppose the user was not a subscriber to a Tier 1 ISP.

      Then there could be 3 or 4 levels of re-assignment involved, all private.

      For example, the user subscribes to Mom and Pop ISP who buys data service from Xyz Co, who is a local exchange or local provider of data services in a very small region.

      Said local provider buys all their internet service from Bigger Regional provider.

      Finally, Bigger Regional provider buys all their transit service from UUnet.

      Since none of the other ISPs are particularly large, and none multihomed, possibly none of them have an AS number, except UUnet.

      Cops will find "UUnet" as the only listed owner of the IPs.

      They will call UUnet and spend a few hours on the phone figuring out what regional provider the IPs belong to.

      Then they get to call the regional provider and spend a few hours on the phone figuring out what local city data provider the IP address belongs to, and what their contact info is.

      By the time they have gotten that info, it's off-hours, they try to call, but they are closed (small provider, no 24x7 administrative contact for the cops to call).

      Next day, they call local city provider, to figure out small ISP's contact details. Only takes a few hours of the provider wading through paperwork to research that question and (hopefully) give an accurate answer.

      Next day, they call Mom and Pop ISP, only to find, their records are in complete disarray, and they have no record or immediate way to identify what subscriber the IP belongs to.

      If it was a dynamic IP, perhaps they only kept the record for a few hours, the info needed is long gone.

  3. Why is it so hard? by Auroch · · Score: 3, Insightful

    If GB is passing laws to cut off file sharers, who do so for personal use only, why can't they move quickly to impede spam?

    ... oh right. Spam is enterprise, brings in money. Piracy takes it away. Never mind that everyone loves piracy and hates spam ...

    --
    Quartz Extreme and Core Image. Are there any other real reasons to spend all that money on generic hardware?
    1. Re:Why is it so hard? by D+Ninja · · Score: 2, Insightful

      ... oh right. Spam is enterprise, brings in money. Piracy takes it away. Never mind that everyone loves piracy and hates spam ...

      What people like and what people don't like should not dictate the laws of the government. I would LIKE free money given to me every single day of my life and I would LIKE not to ever pay taxes again.

      And, your reasoning is off. Piracy is getting such attention because interest groups (music industry, movie industry) are throwing money behind it to stop it from happening because they think (rightly or wrongly - not going into that here) that piracy is hurting their business. Most individuals don't think that much about spam. Heck, with Google's spam filters on, I see, maybe, one spam a month. Maybe.

  4. Re:Get rid of "private" domain registrations first by tomhudson · · Score: 4, Insightful

    You have a license plate on your car that's publicly viewable, and you don't have the right to obstruct/hide it. What's the problem with that?

    You have an address on the door to your place that's publicly viewable. What's the problem with that?

    You have a face that's publicly viewable when you go on the street - and you don't have the right to wear a mask to hide it. What's the problem with that?

    You have your name, address, bank account number and signature on any cheques you write. What's wrong with that?

    You have your medical condition and contact info listed on your MedicAlert bracelet. What's wrong with that?

    You want to host something on the net? Fine - be prepared to post valid contact info. Otherwise, make arrangements for someone else to host it, or host it off the net.

  5. Re:Get rid of "private" domain registrations first by Bakkster · · Score: 3, Insightful

    In these cases, access is limited (by line-of-sight), or the information does not provide back-traceability. That no longer happens when posted online.

    Or would you like to prove this isn't a big issue by posting your phone number, address, license plate number, and check routing/account numbers here for us?

    --
    Write your representatives! Repeal the 2nd Law of Thermodynamics!
  6. Re:Get rid of "private" domain registrations first by causality · · Score: 3, Insightful

    Or would you like to prove this isn't a big issue by posting your phone number, address, license plate number, and check routing/account numbers here for us?

    STRANGELY ENOUGH the people who argue against privacy never seem to want to do that. They aren't terribly committed to their statements after all.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  7. Re:No. by blair1q · · Score: 2, Insightful

    Ever think that it's the way you treat them online that convinces them to let out their inner demons?

  8. Re:Get rid of "private" domain registrations first by TheSpoom · · Score: 4, Interesting

    You have a license plate on your car that's publicly viewable, and you don't have the right to obstruct/hide it. What's the problem with that?

    A license plate is an indexed key. To actually obtain the data associated with the key, you have to be in a position of authority (e.g. a police officer).

    You have an address on the door to your place that's publicly viewable. What's the problem with that?

    You're already there.

    You have a face that's publicly viewable when you go on the street - and you don't have the right to wear a mask to hide it. What's the problem with that?

    You don't? Tell that to Anonymous.

    You have your name, address, bank account number and signature on any cheques you write. What's wrong with that?

    You can contest things that happen to your bank account. Nonetheless, I don't let just anyone have the information on my checks.

    You have your medical condition and contact info listed on your MedicAlert bracelet. What's wrong with that?

    No, I don't. :^P Further, even if I did, people have to get close enough to view it. It's not in a publicly accessible database, like WHOIS data for domains.

    I like the ability to anonymously post information to the internets. Part of that is the ability to be free from WHOIS spam as part of a domain registration.

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
  9. Re:Get rid of "private" domain registrations first by tomhudson · · Score: 2, Informative

    Or would you like to prove this isn't a big issue by posting your phone number, address, license plate number, and check routing/account numbers here for us?

    STRANGELY ENOUGH the people who argue against privacy never seem to want to do that. They aren't terribly committed to their statements after all.

    Follow the link to today's spammer tracking report, and see how handy the information can be to track down spam. Also, feel free to do a whois. My contact info is on-line. It's been on-line, under various domain registrations, since I registered my first domain in 1994.

  10. Re:Get rid of "private" domain registrations first by tomhudson · · Score: 2, Interesting

    Spammers need a legit server to receive those clicks. See how I tracked down one spammer half an hour ago to learn more.

    Pay particular attention to the section around the "Directory Listing Denied" segment.

    You might also want to help ...

    Your only hope is to convince the users to give up their habits through education.

    I'm still waiting for the "year of the linux desktop", so I don't hold out much hope for end-user education :-)

  11. Re:Get rid of "private" domain registrations first by mysidia · · Score: 2, Interesting

    Then use a subdomain on a responsible person's SLD registration.

    Proper contact information really is a requirement for registering a domain name.

    "Domain by proxy" services are sneaky, the practice should be banned, for among other reasons (due to the fact) that the proxy service is officially the legal owner of the domain name, as far as the internet domain registry is concerned.

  12. Re:Get rid of "private" domain registrations first by mysidia · · Score: 2, Interesting

    You have your medical condition and contact info listed on your MedicAlert bracelet. What's wrong with that?

    A Medic...what??? Of course I do not.

    You have your name, address, bank account number and signature on any cheques you write. What's wrong with that?

    I have only name, bank account number, and issuing bank. No need for an address on a cheque, that's a security risk.

    Also, don't write checks.... paper checks are a security risk, because they are easily forged, and should be kept locked up at all times and not used on a regular basis.

    You have an address on the door to your place that's publicly viewable. What's the problem with that?

    Some people do. Some people do not have an address printed on the door.

    You have a face that's publicly viewable when you go on the street - and you don't have the right to wear a mask to hide it. What's the problem with that?

    Huh? Of course you do. Although it may be at your peril.

  13. Re:Get rid of "private" domain registrations first by mysidia · · Score: 2, Interesting

    Real question because I don't honestly know: how much spam is actually sent from people with registered domain names who own blocks of IP addresses? How does this number compare to the spam sent from compromised Windows machines that participate in various botnets? If the latter is a much larger source, then this looks more like another ineffective feel-good measure.

    You realize, these are not disjoint sets?

    There are a lot of Windows machines on the networks of companies that hold IP addresses.

    These are business networks, and often they are a source of spam. Often other people need to contact them to give them a friendly alert that some of their machines are sending spam, so they can deal with the infection.

    Often residential users who are not on business networks with their own IP addresses, have ISPs that block or filter port 25.

    Basically, if you have your own IP addresses, and your own network, then you have a responsibility to be contactable so you can mitigate abuse.

    If you are a single user without IP addresses of your own, then your ISP is your network manager (to an extent, obviously they won't come to your house and clean the infection for you, and it's not ISP support's job to walk you through cleaning or fixing your infections, either, although some ISPs will offer this service, probably at substantial additional cost).

  14. Spam is sent by BOTNETs, not private domains by ShinmaWa · · Score: 2, Insightful

    Getting rid of "private" domains won't do a damn thing except INCREASE the amount of spam that domain holders get. Spammers don't hide behind private domains, they hide behind huge botnets!

    I used to not hide my whois information. In fact, I was proud to display my contact information in my whois entry when owning my own domain was a novel thing. Then the spam started on the contact accounts. Annoying, but I could handle it. Soon after, I started getting phone calls from people who barely spoke English claiming to be from my "hosting company" or from NetSol and they need access to my host right away or there was a "billing problem" and they need my credit card information to resolve it.

    I set my domain information private right after that and never looked back.

    No thank you. I use private domains to HIDE from spammers and scammers.

    --
    The /. Effect: Thousands of users simultaneously accessing a site to not read its content.