From brian.nisbet at heanet.ie Tue May 6 10:45:53 2014 From: brian.nisbet at heanet.ie (Brian Nisbet) Date: Tue, 06 May 2014 09:45:53 +0100 Subject: [anti-abuse-wg] AA-WG Minutes - RIPE 66 Message-ID: <5368A141.1010102@heanet.ie> Colleagues, It appears, a few months ago, I'd convinced myself that the minutes of RIPE 66 had been circulated and I asked the WG to approve them in Athens. In fact neither the 66 nor 67 minutes have been circulated. I include the minutes from our meeting in Dublin below and I hope to bring you the minutes from Athens in the next few days. While these have been formally approved, please let me know if you have any objections and they can be changed as needed. RIPE 66 Anti-Abuse Working Group 16 May 2013 14:00 - 15:30 WG Co-Chairs: Brian Nisbet, Tobias Knecht Scribe: Rumy Spratley-Kanis A. Administrative Matters ? Welcome ? Scribe, Jabber, Stenography ? Microphone Etiquette ? Approve Minutes from RIPE 65 ? Finalise agenda Brian welcomed attendees to the session, thanked the RIPE NCC staff for scribing and chat monitoring. B. Update ? B1. Recent List Discussion There were no list discussions mentioned. ? B2. CleanIT Project Close-Off The project was closed in March, the document was posted on-line and the URL was sent to the mailing list. Brian mentioned that the document explicitly states that they do not believe that filtering and blocking is a way to deal with on-line terrorism and the promotion of terrorist activities that the project was trying to solve. There were no comments on the project. ? B3. AA-WG Charter Brian gave an update on the WG Charter and proposed that he and Tobias will review the charter. The core principles will not change, and the WG will not cover things like copyright theft or the Digital Millennium Copyright Act. Brian also mentioned that they would not embed a definition of ?abuse?. Michele Neylon, Blacknight, mentioned the importance of reviewing the types of abuse. He also mentioned being supportive of keeping away from intellectual property copyright. It?s not something that the Anti-Abuse WG should try to solve. He suggested to mention this as a footnote in the charter. Brian replied that it is in the charter. Sasha Luck, Rapid Broadband, mentioned not having major issues with the WG defining what they think is abuse, but he does have a problem with the proposed charter update, because it would mean that the RIPE community would empower the RIPE NCC to become an enforcer of content, or even a censor. Brian mentioned that he understands his objection and mentioned it is important to phrase things to make sure that this is not the case. The point is not to have the AA WG force the NCC to become a sensor or any form of Internet Police. Peter Koch, DENIC, asked what the problem was with the current charter. Brian replied that the intention is for the WG to act against abuse of networks, particularly spam but all forms of network abuse. According to Brian this is too far for this WG to go because it would lead to the WG saying the NCC should be shutting people down. Peter Koch asked if the suggestion to broaden the charter was the preempt the decision on another ongoing proposal Brian replied that there is no proposal Peter Koch: so why change the charter if there is no reason to? Brian replied that it was asked for, and it was time to look at the charter and maybe broaden a couple of things, send it to the WG for review and see where to go from there. Peter Koch suggested that if there is a proposal with significant support and people feel it is not in the remit of the WG, then a charter should be reconsidered. Brian replied that he was not suggesting changing the charter, but that this was something that was asked for, didn?t get significant support, but it was clear that it needed to be looked at. He added that there will be no fundamental change, but since it was mentioned on the list the appropriate thing to do was mention it during the session. C. Policies ? RIPE Policy 2011-06 Denis Walker, RIPE NCC, gave an update on the implementation of ABUSE-C The presentation is available at: https://ripe66.ripe.net/presentations/254-Abuse-c_update-66.pdf Patrick Tarpey, OFCOM, asked what the consequences would be if someone didn?t fill in the ABUSE-C contacts. Denis replied that the requirement was that all LIRS must have added this by the end of September. If not, the RIPE NCC would add the LIR contacts email address and create the ABUSE-C for the contact. Patrick Tarpey mentioned that it could be that the emails concerning abusive behaviour would end up going to the network team that manages that allocation. Denis replied that this can be changed in the LIR Portal. Brian Nisbet explained that if an ISP has a customer who hasn?t filled this in, the ISP?s contact address will go in there, and this would act as an encouragement to the ISP to encourage their customers to fill in their correct details. Kaveh Ranjbar, RIPE NCC, gave a quick outline: by the end of September, all LIRs will have an ABUSE-C contact. In the meantime, every month the RIPE NCC will send a reminder to LIRs who haven?t added the ABUSE-C. The second phase of the project will focus on PI space, there is a one year deadline for that. Sebastian, Net Connects, asked via chat if an object has both an admin email and an abuse email listed, which one they should use for ABUSE-C? Denis replied that according to policy, the abuse role object must have an abuse mailbox attribute. The policy does not define what e-mail address you add. ? RIPE Policy Proposal 2013-01 D. Interactions ? D1. Working Groups Brian talked about an idea for a policy proposal he and Tobias thought of that would be presented in the Database or RIPE NCC Services WG. The aim would be to start doing regular data verification of the ABUSE-C details. The idea would be that there would be an automated check to see if someone is reading the used email address. The next step could be to have the ?admin-c? and ?text-c? attributes behave in a similar way to the ABUSE-C and to also apply data verification for those attributes. Brian finished by saying that the Anti Abuse WG would be kept informed of the progress of this proposal. Michele Neylon mentioned as additional information that ICANN has a similar problem, and that it would be a good idea for the NCC to talk to ICANN to see if there is some kind of data sharing they can do in this area. Sasha Luck expressed his surprise that the Anti-Abuse WG was proposing to spam all the LIR contacts and forcing them to reply, too. Brian replied that he was just informing the Anti-Abuse WG of a proposal going on in another working group and that he did not see this as spam. He added that if the community is against the proposal, they will have the opportunity to oppose it. ? D3. RIPE NCC Gov/LEA Interactions Update Marco Hogewoning, RIPE NCC, gave an update on Outreach to Law Enforcement. The presentation is available at: https://ripe66.ripe.net/presentations/300-RIPE-NCC-LEA-AA-final.pdf There were no questions. ? D4. An Introduction to European Cybercrime Centre ? Richard Leaning Richard Leaning gave an introduction to the European Cybercrime Centre. The presentation is available at: https://ripe66.ripe.net/presentations/246-An_Introduction_to_European_Cybercrime_Centre.zip Michele Neylon mentioned that ICE was an unfortunate choice of wording since the US government has a rather large federal body that is called ICE. Richard replied that he is open to suggestions on different names. Richard asked hoe many in the audience have had contact with law enforcement. There were not many, but some. He added that if someone feels the need to engage with law enforcement community to come to him and he would be able to put them in contact with the right departments. Alexander Isavnim mentioned that being from a Russian Federation he does not fall under the Europol jurisdiction. He mentioned that the Russian police department has not been very successful in the area of cybercrime prevention. He asked how the EC3 was planning to control this? Richard replied that EC3 does not have any executive power but are there to coordinate and support the Member States. Paul Rendek thanked Richard for his presentation and added that it?s great to see the European Commission and the EC3 reaching out and wanting to engage with our community. Richard added that the idea would be for him to come to the next RIPE meeting in Athens, and after that every other RIPE meeting. A. Presentation ? E1. ?Save Money Online Without Killing Yourself? ? Michele Neylon & ASOP The presentation is available at: https://ripe66.ripe.net/presentations/255-ripe66-fakepharma.pdf Peter Koch from DENIC asked what the expectation was. What was the engagement being asked for. Michele replied that nobody is being forced to act, but that it would be helpful to agree on certain things. For example when/why should somebody be taken offline? If someone started abusing your Whois server, I assume you would take action? Peter refused to reply. Michele replied that that is not fair. The reality is that the Internet is a resource and we all have to play nice in the playground to a certain degree. He added that they had signed an agreement with LegitScript - and that he is not asking everybody else to do that, but he is asking for everybody to engage and help raise issues. Peter apologised for his previous answer. He mentioned that in case of abuse they would take appropriate measures to protect the interests of their customers. He added that he did not see the immediate link between the two. The abuse, or over-abuse of a Whois server isn?t immediately related to this. Michele replied that the Whois server was an example, and they could continue their conversation later on. Benedikt Stockebrand from Stepladder IT Training and Consulting mentioned that the actual problem is that this is very international, so it?s a lot of work for the EC3 and other instances, and that if you want to deal with this, we should address the actual problem. What is needed is to make it more expensive or less lucrative for people to do illegal activities on the internet. He added that he didn?t know how much the community could do about that. Patrick from OFCOM asked if the distribution of Pharma sites are on conventional hosted platforms. Michele replied that he doesn?t have the exact breakdown but that there seems to be a mixture. Some sites aren?t the actual end distributor, but a complex affiliate network. A lot of them use the bulletproof hosting - using providers who will not look at their activities closely. In terms of domain name distribution, some country codes are attractive to them because they are low cost, but you probably see the biggest concentration in .com and .net. I. A.O.B. There was no AOB Z. Agenda for RIPE 67 Brian Nisbet asked for early agenda items for RIPE 67 in Athens in October and encouraged the attendees to mail him or Tobias or the mailing list for agenda items. Brian thanked everyone for their participation and closed the session. From brian.nisbet at heanet.ie Tue May 6 15:49:00 2014 From: brian.nisbet at heanet.ie (Brian Nisbet) Date: Tue, 06 May 2014 14:49:00 +0100 Subject: [anti-abuse-wg] RIPE 67 AA-WG Meeting Minutes Message-ID: <5368E84C.2090303@heanet.ie> Colleagues, More minutes! Here are the minutes from RIPE 67 for your approval. Anti-Abuse Working Group Date: 17 October 2013, 14:00-15:30 Chairs: Brian Nisbet and Tobias Knecht Scribe: Anand Buddhdev A. Administrative Matters Brian Nisbet, Working Group Chair, welcomed the attendees and the minutes from RIPE 66 were approved. B. Policies RIPE Policy 2011-06 Update, RIPE NCC Denis Walker, RIPE NCC This presentation is available at: https://ripe67.ripe.net/presentations/335-RIPE67abuseCv2.pdf Piotr Strzyzewski, Silesian University of Technology, Poland, requested advance notice of the addition of abuse-c attributes to PI address space objects. Brian suggested that would be appreciated. Gilles Massen, Fondation RESTENA, questioned the practice of duplicating data in the RIPE Database. Denis agreed that duplication is a bad idea, but that this database was designed with duplication in mind ? not just for abuse-c but in other areas as well. He said there was no good solution yet and asked the audience to let the RIPE NCC think about this and come back with some ideas. Bill Boughton asked via chat whether the tool being developed for PI holders will work with PGP-signed objects. Denis replied that it probably will not, because it?s difficult signing web forms and PGP works best with email, but said he will think about it. Peter Koch, DENIC eG, said he agreed with Gilles, and couldn't see why the RIPE Database was designed with duplication in mind. He said that changing to a more specific object will confuse people, and the main point is figuring out who the target audience is for the whole abuse-c project, such as end users, automated systems, tool writers, etc. Denis responded that there are tools to find the abuse contact information. The problem with putting these contacts in different places is that it will become difficult to maintain and will make it more difficult for the exiting finder tools to find the abuse contacts. Peter thanked Denis for his explanation, but said that attaching the abuse-c attribute to the organisation object is a serious breach of the RIPE Database paradigm. He said that, if that?s confusing the maintainers, maybe it?s time to rethink the strategy and, if end users are confused, maybe tools are required to help them, which he said the RIPE NCC is already implementing. Denis suggested that there may be a need to take a step forward with the admin-c and tech-c and others. Brian said that there was not time to discuss that idea in the session, or in the working group. He said that there?s more for the RIPE NCC to consider when it comes to the implementation of abuse-c. Brian Nisbet asked about a message from the Database Working Group Mailing List about contradictory abuse contacts and statistics. Denis said that, before abuse-c existed, abuse contacts were allowed in five different object types, and that these references still exist, so it?s possible that the 4,000 members who have added abuse-c haven?t removed the old abuse mailboxes. He said things are now in a confusing transition period because of this. He said that there is no easy answer, and that mass emails asking people to clean up their old references might not be the best solution. He asked those in attendance to please clean up their old references. Brian agreed that more emails might not be the answer but added that, at some time in the future, the strategy should be revisited and discussed on the mailing list. Denis explained that an automatic cleanup of the RIPE Database is not possible because of the complexity involved. Brian thanked Denis for his presentation. Update: RIPE Policy Proposal 2013-01 Sander Steffan, SJM Steffann Sander Stefann said that there have been no comments on the mailing list about the latest version of RIPE Policy Proposal 2013-01, ?Openness about Policy Violation?. He stated that he will ask for a final call for comments and that if he doesn?t see any within a few weeks, he will assume that there?s no support and will withdraw the proposal. Brian encouraged participants to provide feedback. C. Updates C1. Recent List Discussion Brian Nisbet talked about ongoing mailing list discussions. He noted that there were hardly any messages about specific issues that needed solving. He said that there were often messages to the list from people with problems, who aired them hoping for someone to propose a policy or do some other work on it, but that's not how things work. Wilfried W?ber, UniVie/ACOnet, said that it was actually a good thing that messages to the list did not automatically turn into actions for someone else. Brian agreed, noting that there were procedures in place to start work. He stressed that the chairs do read all the messages, and hear peoples' concerns. C2. Anti-Abuse Working Group Charter Brian Nisbet said that the new text for the Anti-Abuse Working Group Charter had not yet been written, but that no major changes were planned. It will be prepared well before RIPE 68 in Warsaw and circulated on the mailing list. D. Interactions D1. Working Groups Brian Nisbet said that nothing had been written yet regarding interacting with other working groups. He said that he and Tobias Knecht have some ideas about certain policies, which may be better suited to the Database Working Group. D2. RIPE NCC Government/LEA Interactions Update Brian noted that the RIPE NCC was continuing to interact with law enforcement agencies (LEAs), and that there was nothing new lately. He noted that it was good to see LEAs attend meetings. E. Presentation E1. ACDC (Advanced Cyber Defence Center) Project Thorsten Kraft, eco e.V. This presentation is available at: https://ripe67.ripe.net/presentations/347-ACDC_Presentation_RIPE_67.pdf Alexander Lyamin (HLL) asked whether the main source of data was end user reports. Thorsten said it wasn't just end user reports but also notifications from ISPs and server operators. Alexander was happy to see that this project was not only focused on end user PCs. He asked what ACDC would do about things like set-top boxes and DSL modems whose firmware is not easy to update, and which are often used in DDoS attacks. Thorsten said that they would talk to the CERT closest to the vendor to pass on the information. He said currently there were no vendors (except Cisco) participating in ACDC. Alexander asked about ACDC's strategy in the face of new-generation botnets without command and control servers, and Thorsten said that, since it was funded by the EU, they will not be shooting any updates on the boxes because it's not permitted by law. Brian Nisbet asked what the end goal of this project is and what happens after the initial funding period. Thorsten said the project is here to stay and that they want to develop more tools and let others run this kind of project independently. He also said he wants to develop a proposal for the European Commission about running this project themselves after the funding period, and find business models to keep the project running. He said the project is open and welcomes ideas from everyone. Patrick Tarpey, Ofcom, asked whether this data can be shared with other people, and Thorsten confirmed that the data can be shared. Brian asked about the definition of legitimate parties, and Thorsten said that most data would be open unless a contributor requests that it be restricted. Brian asked how open this project was going to be, and Thorsten said it would be totally open, so others can also use it. An audience speaker noted that there were more initiatives like this, such as SpamHaus, and asked how ACDC is better than them. Thorsten said they do not want to be better, but just want something that is open and community driven. Brian asked about the target users of this project and whether they would be end users, companies or law enforcement. Thorsten said that it is for everyone. Thorsten said this is a very important project, and needs data. He appealed to participants for help. E2. x-arf (Extended Abuse Reporting Format) Tobias Knecht, abusix GmbH The presentation is available at: https://ripe67.ripe.net/presentations/342-abusix_RIPE.pdf Brian Nisbet asked how stable the x-arf specification was. Tobias said that it is quite standard now, and being used by large companies. He added that he was talking to people within the IETF to make it a standard within the next two to three years. Brian asked Tobias to come back and talk more about it when changes have been made to it. Brian asked the room if many people were using this, and Bengt G?rd?n, Resilans AB, said they were ?sort of? using it. Bengt added that he was looking for ways to standardise abuse reporting, and was looking at x-arf, but is not quite there yet. Brian asked one of the participants, Richard Leaning, Europol, about the automation of these kinds of tools and information, and if anything fits in with what Europol is doing. Richard responded that they were using tools at Europol, but not x-arf. He stated that he didn?t know much about it and would therefore talk to Brian about it. X. AOB Bengt G?rd?n, Resilans, talked about issues with American ISPs blacklisting PI address space, and failing to delist it or delisting it very slowly. He asked how the working group or the RIPE NCC can help. Tobias Knecht replied that it's a known problem, especially with ISPs such as AOL. He said that addresses that were clean end up on blacklists because of botnet command and control servers, for example, and hosting and VPS providers have the same problem. He explained that their addresses change hands frequently and can easily become blacklisted. Tobias said the issue of detecting whether address space is clean is an important one, but not easy to solve. He said it was not enough to just have a flag in the RIPE Database to indicate that IP address space had changed hands. Bengt said that the IP addresses were not bad, but had a poorer reputation because someone had blocked them. Thomas cited examples of hosting providers who had to change customers' IP addresses because their old addresses were unusable. Thomas asked how IP address reputation could be measured. Brian Nisbet said that, in this context, the accuracy of the registry is very important. He mentioned RIPEstat as producing good information about when address space changes hands. He said that if users wanted the RIPE NCC to help more with this, they could talk to the RIPE NCC about it. Z. Agenda for RIPE 68 Brian Nisbet urged participants to think about agenda items for RIPE 68, to be held in May, in Warsaw. He thanked the RIPE NCC staff, stenographers and participants before closing the session. From michele at blacknight.com Tue May 6 16:00:24 2014 From: michele at blacknight.com (Michele Neylon - Blacknight) Date: Tue, 6 May 2014 14:00:24 +0000 Subject: [anti-abuse-wg] AA-WG Minutes - RIPE 66 In-Reply-To: <5368A141.1010102@heanet.ie> References: <5368A141.1010102@heanet.ie> Message-ID: Look good to me Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Domains http://www.blacknight.co/ http://blog.blacknight.com/ http://www.technology.ie Intl. +353 (0) 59? 9183072 Direct Dial: +353 (0)59 9183090 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland? Company No.: 370845 -----Original Message----- From: anti-abuse-wg-bounces at ripe.net [mailto:anti-abuse-wg-bounces at ripe.net] On Behalf Of Brian Nisbet Sent: Tuesday, May 06, 2014 9:46 AM To: anti-abuse-wg at ripe.net Subject: [anti-abuse-wg] AA-WG Minutes - RIPE 66 Colleagues, It appears, a few months ago, I'd convinced myself that the minutes of RIPE 66 had been circulated and I asked the WG to approve them in Athens. In fact neither the 66 nor 67 minutes have been circulated. I include the minutes from our meeting in Dublin below and I hope to bring you the minutes from Athens in the next few days. While these have been formally approved, please let me know if you have any objections and they can be changed as needed. RIPE 66 Anti-Abuse Working Group 16 May 2013 14:00 - 15:30 WG Co-Chairs: Brian Nisbet, Tobias Knecht Scribe: Rumy Spratley-Kanis A. Administrative Matters . Welcome . Scribe, Jabber, Stenography . Microphone Etiquette . Approve Minutes from RIPE 65 . Finalise agenda Brian welcomed attendees to the session, thanked the RIPE NCC staff for scribing and chat monitoring. B. Update . B1. Recent List Discussion There were no list discussions mentioned. . B2. CleanIT Project Close-Off The project was closed in March, the document was posted on-line and the URL was sent to the mailing list. Brian mentioned that the document explicitly states that they do not believe that filtering and blocking is a way to deal with on-line terrorism and the promotion of terrorist activities that the project was trying to solve. There were no comments on the project. . B3. AA-WG Charter Brian gave an update on the WG Charter and proposed that he and Tobias will review the charter. The core principles will not change, and the WG will not cover things like copyright theft or the Digital Millennium Copyright Act. Brian also mentioned that they would not embed a definition of "abuse". Michele Neylon, Blacknight, mentioned the importance of reviewing the types of abuse. He also mentioned being supportive of keeping away from intellectual property copyright. It's not something that the Anti-Abuse WG should try to solve. He suggested to mention this as a footnote in the charter. Brian replied that it is in the charter. Sasha Luck, Rapid Broadband, mentioned not having major issues with the WG defining what they think is abuse, but he does have a problem with the proposed charter update, because it would mean that the RIPE community would empower the RIPE NCC to become an enforcer of content, or even a censor. Brian mentioned that he understands his objection and mentioned it is important to phrase things to make sure that this is not the case. The point is not to have the AA WG force the NCC to become a sensor or any form of Internet Police. Peter Koch, DENIC, asked what the problem was with the current charter. Brian replied that the intention is for the WG to act against abuse of networks, particularly spam but all forms of network abuse. According to Brian this is too far for this WG to go because it would lead to the WG saying the NCC should be shutting people down. Peter Koch asked if the suggestion to broaden the charter was the preempt the decision on another ongoing proposal Brian replied that there is no proposal Peter Koch: so why change the charter if there is no reason to? Brian replied that it was asked for, and it was time to look at the charter and maybe broaden a couple of things, send it to the WG for review and see where to go from there. Peter Koch suggested that if there is a proposal with significant support and people feel it is not in the remit of the WG, then a charter should be reconsidered. Brian replied that he was not suggesting changing the charter, but that this was something that was asked for, didn't get significant support, but it was clear that it needed to be looked at. He added that there will be no fundamental change, but since it was mentioned on the list the appropriate thing to do was mention it during the session. C. Policies . RIPE Policy 2011-06 Denis Walker, RIPE NCC, gave an update on the implementation of ABUSE-C The presentation is available at: https://ripe66.ripe.net/presentations/254-Abuse-c_update-66.pdf Patrick Tarpey, OFCOM, asked what the consequences would be if someone didn't fill in the ABUSE-C contacts. Denis replied that the requirement was that all LIRS must have added this by the end of September. If not, the RIPE NCC would add the LIR contacts email address and create the ABUSE-C for the contact. Patrick Tarpey mentioned that it could be that the emails concerning abusive behaviour would end up going to the network team that manages that allocation. Denis replied that this can be changed in the LIR Portal. Brian Nisbet explained that if an ISP has a customer who hasn't filled this in, the ISP's contact address will go in there, and this would act as an encouragement to the ISP to encourage their customers to fill in their correct details. Kaveh Ranjbar, RIPE NCC, gave a quick outline: by the end of September, all LIRs will have an ABUSE-C contact. In the meantime, every month the RIPE NCC will send a reminder to LIRs who haven't added the ABUSE-C. The second phase of the project will focus on PI space, there is a one year deadline for that. Sebastian, Net Connects, asked via chat if an object has both an admin email and an abuse email listed, which one they should use for ABUSE-C? Denis replied that according to policy, the abuse role object must have an abuse mailbox attribute. The policy does not define what e-mail address you add. . RIPE Policy Proposal 2013-01 D. Interactions . D1. Working Groups Brian talked about an idea for a policy proposal he and Tobias thought of that would be presented in the Database or RIPE NCC Services WG. The aim would be to start doing regular data verification of the ABUSE-C details. The idea would be that there would be an automated check to see if someone is reading the used email address. The next step could be to have the "admin-c" and "text-c" attributes behave in a similar way to the ABUSE-C and to also apply data verification for those attributes. Brian finished by saying that the Anti Abuse WG would be kept informed of the progress of this proposal. Michele Neylon mentioned as additional information that ICANN has a similar problem, and that it would be a good idea for the NCC to talk to ICANN to see if there is some kind of data sharing they can do in this area. Sasha Luck expressed his surprise that the Anti-Abuse WG was proposing to spam all the LIR contacts and forcing them to reply, too. Brian replied that he was just informing the Anti-Abuse WG of a proposal going on in another working group and that he did not see this as spam. He added that if the community is against the proposal, they will have the opportunity to oppose it. . D3. RIPE NCC Gov/LEA Interactions Update Marco Hogewoning, RIPE NCC, gave an update on Outreach to Law Enforcement. The presentation is available at: https://ripe66.ripe.net/presentations/300-RIPE-NCC-LEA-AA-final.pdf There were no questions. . D4. An Introduction to European Cybercrime Centre - Richard Leaning Richard Leaning gave an introduction to the European Cybercrime Centre. The presentation is available at: https://ripe66.ripe.net/presentations/246-An_Introduction_to_European_Cybercrime_Centre.zip Michele Neylon mentioned that ICE was an unfortunate choice of wording since the US government has a rather large federal body that is called ICE. Richard replied that he is open to suggestions on different names. Richard asked hoe many in the audience have had contact with law enforcement. There were not many, but some. He added that if someone feels the need to engage with law enforcement community to come to him and he would be able to put them in contact with the right departments. Alexander Isavnim mentioned that being from a Russian Federation he does not fall under the Europol jurisdiction. He mentioned that the Russian police department has not been very successful in the area of cybercrime prevention. He asked how the EC3 was planning to control this? Richard replied that EC3 does not have any executive power but are there to coordinate and support the Member States. Paul Rendek thanked Richard for his presentation and added that it's great to see the European Commission and the EC3 reaching out and wanting to engage with our community. Richard added that the idea would be for him to come to the next RIPE meeting in Athens, and after that every other RIPE meeting. A. Presentation . E1. "Save Money Online Without Killing Yourself" - Michele Neylon & ASOP The presentation is available at: https://ripe66.ripe.net/presentations/255-ripe66-fakepharma.pdf Peter Koch from DENIC asked what the expectation was. What was the engagement being asked for. Michele replied that nobody is being forced to act, but that it would be helpful to agree on certain things. For example when/why should somebody be taken offline? If someone started abusing your Whois server, I assume you would take action? Peter refused to reply. Michele replied that that is not fair. The reality is that the Internet is a resource and we all have to play nice in the playground to a certain degree. He added that they had signed an agreement with LegitScript - and that he is not asking everybody else to do that, but he is asking for everybody to engage and help raise issues. Peter apologised for his previous answer. He mentioned that in case of abuse they would take appropriate measures to protect the interests of their customers. He added that he did not see the immediate link between the two. The abuse, or over-abuse of a Whois server isn't immediately related to this. Michele replied that the Whois server was an example, and they could continue their conversation later on. Benedikt Stockebrand from Stepladder IT Training and Consulting mentioned that the actual problem is that this is very international, so it's a lot of work for the EC3 and other instances, and that if you want to deal with this, we should address the actual problem. What is needed is to make it more expensive or less lucrative for people to do illegal activities on the internet. He added that he didn't know how much the community could do about that. Patrick from OFCOM asked if the distribution of Pharma sites are on conventional hosted platforms. Michele replied that he doesn't have the exact breakdown but that there seems to be a mixture. Some sites aren't the actual end distributor, but a complex affiliate network. A lot of them use the bulletproof hosting - using providers who will not look at their activities closely. In terms of domain name distribution, some country codes are attractive to them because they are low cost, but you probably see the biggest concentration in .com and .net. I. A.O.B. There was no AOB Z. Agenda for RIPE 67 Brian Nisbet asked for early agenda items for RIPE 67 in Athens in October and encouraged the attendees to mail him or Tobias or the mailing list for agenda items. Brian thanked everyone for their participation and closed the session. From denis at ripe.net Tue May 6 17:01:52 2014 From: denis at ripe.net (Denis Walker) Date: Tue, 06 May 2014 17:01:52 +0200 Subject: [anti-abuse-wg] Options for extending "abuse-c:" Message-ID: <5368F960.8010404@ripe.net> Dear colleagues, At RIPE 67 in Athens, the RIPE NCC agreed to take another look at the implementation of RIPE Document ripe-563, "Abuse Contact Management in the RIPE Database." Two issues have been identified that are seen to be difficult to handle with the current model - partitioned subnets within one organisation and adding abuse contacts to more specifics for End Users. The RIPE NCC has considered these two issues and found what we believe to be practical solutions, available within the current model. More information about these solutions and the implementation of "abuse-c:" is available on RIPE Labs: https://labs.ripe.net/Members/denis/suggestions-for-improving-abuse-handling This topic will also be raised during the Anti-Abuse Working Group session at RIPE 68 in Warsaw. Regards, Denis Walker Business Analyst RIPE NCC Database Team From ripe-ml-2012 at ssd.axu.tm Wed May 7 03:27:25 2014 From: ripe-ml-2012 at ssd.axu.tm (Aleksi Suhonen) Date: Wed, 07 May 2014 04:27:25 +0300 Subject: [anti-abuse-wg] [db-wg] Options for extending "abuse-c:" In-Reply-To: <5368F960.8010404@ripe.net> References: <5368F960.8010404@ripe.net> Message-ID: <53698BFD.3040002@ssd.axu.tm> Hello, On 05/06/2014 06:01 PM, Denis Walker wrote: > Two issues have been identified that are seen to be difficult to handle > with the current model - partitioned subnets within one organisation and > adding abuse contacts to more specifics for End Users. The RIPE NCC has > considered these two issues and found what we believe to be practical > solutions, available within the current model. > More information about these solutions and the implementation of > "abuse-c:" is available on RIPE Labs: > https://labs.ripe.net/Members/denis/suggestions-for-improving-abuse-handling I find this suggestion clumsy. It adds hard to parse extraneous information to simple objects. The organization object for a very large organization would become unmanageable and unintelligible quickly. I would much rather like to see a new inetnum and inet6num object status "INFORMATIONAL" that only requires authorization of the immediately larger enclosing inet(6)num object, and doesn't represent an assignment or allocation at all. Such objects can then be used to redirect technical, administrative and abuse contacts to the proper places, as well as present their own remarks and descriptions. This solution would cover PI, PA and all other styles of address blocks equally well. I know this has been suggested many times before, but I still think it would be a much more elegant solution to this problem. Yours, -- Aleksi Suhonen From denis at ripe.net Wed May 7 12:52:59 2014 From: denis at ripe.net (Denis Walker) Date: Wed, 07 May 2014 12:52:59 +0200 Subject: [anti-abuse-wg] [db-wg] Options for extending "abuse-c:" In-Reply-To: <53698BFD.3040002@ssd.axu.tm> References: <5368F960.8010404@ripe.net> <53698BFD.3040002@ssd.axu.tm> Message-ID: <536A108B.8090108@ripe.net> Dear Aleksi Thank you for your comments. I have replied in more detail in line below. Sorry for another long email, but there really are a lot more discussion points about abuse-c implementation than you think...so I highlighted the important bit which was the last paragraph below and moved it to here: ****** The important bit ******* I may be going off at a tangent here, but I am trying to explain some of the background thinking as to why we implemented the abuse-c the way we did. We are trying to centralise the 'management' data in the database and link it to the organisation and allow it to be inherited by other data. In the long term this should reduce the amount of the management data in the database. We don't want to go the other way and increase the amount of duplicated management data. Right now the database has far more management data in it than operational data. With proper use of inheritance and better management tools, there could be a massive reduction of this management data. ***************************** Regards Denis Walker Business Analyst RIPE NCC Database Team On 07/05/2014 03:27, Aleksi Suhonen wrote: > Hello, > > On 05/06/2014 06:01 PM, Denis Walker wrote: >> Two issues have been identified that are seen to be difficult to handle >> with the current model - partitioned subnets within one organisation and >> adding abuse contacts to more specifics for End Users. The RIPE NCC has >> considered these two issues and found what we believe to be practical >> solutions, available within the current model. > >> More information about these solutions and the implementation of >> "abuse-c:" is available on RIPE Labs: >> https://labs.ripe.net/Members/denis/suggestions-for-improving-abuse-handling >> > > I find this suggestion clumsy. It adds hard to parse extraneous > information to simple objects. The organization object for a very > large organization would become unmanageable and unintelligible quickly. Who do you believe is going to parse this object for this information? The RIPE NCC already has an Abuse Finder tool which can be accessed directly or via RIPEstat. As I said in the last paragraph of my article, people should start to move away from the old fashioned idea of digging directly into the RIPE Database themselves to find data, parse it and interpret it. If you need information the RIPE NCC will provide web tools and API calls to supply that information. We will do all the digging, parsing and interpretation for you. We will also provide tools for maintainers of the data to provide you with a neat overview of who handles abuse throughout your whole network. We also proposed a wizard for adding and removing abuse contact details for your End Users. We can also add functionality to the overview page to add/remove further abuse details for your subnets. In the end it should not matter to you where this data is stored in the database. You deal in information, we deal in data storage and retrieval. To be honest we don't even need to put this data into any object. We can just store it as meta data associated with your organisation. As long as we provide you with tools to view and manage the information and for the public to find what they need....leave the storage to us. > > I would much rather like to see a new inetnum and inet6num object > status "INFORMATIONAL" that only requires authorization of the > immediately larger enclosing inet(6)num object, and doesn't represent > an assignment or allocation at all. Such objects can then be used to > redirect technical, administrative and abuse contacts to the proper > places, as well as present their own remarks and descriptions. I believe this is going in completely the wrong direction. This means creating more 'management' objects and replicating even more data all over the database. We already have 3.8 million INETNUM objects all with a mandatory admin-c and tech-c. That is 7.6M bits of replicated data! We only have 10k members. These members manage the majority of the end user resources as well as their own networks. What this database is really missing is inheritance. Most of this management information could be stored with your organisation, as the abuse-c is, and then inherited by most of the operational data. Just did some quick stats...we have 7.4M objects in the database and 1.96M unique nic-hdls used in the admin-c, tech-c and zone-c attributes. We know some large users have a business model to create a nic-hdl for every customer. They certainly account for a few hundred thousand of these nic-hdls. So probably we have about 1.5M nic-hdls replicated over 7.4 million objects. That is a lot of data duplication. > > This solution would cover PI, PA and all other styles of address > blocks equally well. I know this has been suggested many times before, > but I still think it would be a much more elegant solution to this > problem. > > Yours, > -------------- next part -------------- An HTML attachment was scrubbed... URL: From Piotr.Strzyzewski at polsl.pl Thu May 8 11:51:24 2014 From: Piotr.Strzyzewski at polsl.pl (Piotr Strzyzewski) Date: Thu, 8 May 2014 11:51:24 +0200 Subject: [anti-abuse-wg] [db-wg] Options for extending "abuse-c:" In-Reply-To: <5368F960.8010404@ripe.net> References: <5368F960.8010404@ripe.net> Message-ID: <20140508095124.GB18514@hydra.ck.polsl.pl> On Tue, May 06, 2014 at 05:01:52PM +0200, Denis Walker wrote: Dear Denis > At RIPE 67 in Athens, the RIPE NCC agreed to take another look at the > implementation of RIPE Document ripe-563, "Abuse Contact Management in > the RIPE Database." > > Two issues have been identified that are seen to be difficult to > handle with the current model - partitioned subnets within one > organisation and adding abuse contacts to more specifics for End > Users. The RIPE NCC has considered these two issues and found what we > believe to be practical solutions, available within the current model. > > More information about these solutions and the implementation of > "abuse-c:" is available on RIPE Labs: > https://labs.ripe.net/Members/denis/suggestions-for-improving-abuse-handling > > This topic will also be raised during the Anti-Abuse Working Group > session at RIPE 68 in Warsaw. First of all thanks for the proposed solution. I would like to comment both issues: 1. A solution to the subnet issue I perceive this proposed solution as a way of making a lot of mess whenever some customer marked with additional abuse-c leaves LIR. 2. A solution to the End User issue I like this idea. However I'm not sure why at the third screen there is RIPE-NCC-MNT mentioned, contrary to the LIR-MNT put on the fourth screen. Piotr -- gucio -> Piotr Strzy?ewski E-mail: Piotr.Strzyzewski at polsl.pl From Piotr.Strzyzewski at polsl.pl Thu May 8 11:57:46 2014 From: Piotr.Strzyzewski at polsl.pl (Piotr Strzyzewski) Date: Thu, 8 May 2014 11:57:46 +0200 Subject: [anti-abuse-wg] [db-wg] Options for extending "abuse-c:" In-Reply-To: <536A108B.8090108@ripe.net> References: <5368F960.8010404@ripe.net> <53698BFD.3040002@ssd.axu.tm> <536A108B.8090108@ripe.net> Message-ID: <20140508095746.GC18514@hydra.ck.polsl.pl> On Wed, May 07, 2014 at 12:52:59PM +0200, Denis Walker wrote: Dear Denis >> I find this suggestion clumsy. It adds hard to parse extraneous >> information to simple objects. The organization object for a very large >> organization would become unmanageable and unintelligible quickly. > > Who do you believe is going to parse this object for this information? The Users. ;-) > RIPE NCC already has an Abuse Finder tool which can be accessed directly or RIPE NCC already has two Abuse Contact Finders, which already misleads the users. :| And yes, I know that one of them will be obsoleted. > via RIPEstat. As I said in the last paragraph of my article, people should > start to move away from the old fashioned idea of digging directly into the > RIPE Database themselves to find data, parse it and interpret it. If you > need information the RIPE NCC will provide web tools and API calls to > supply that information. We will do all the digging, parsing and > interpretation for you. And sadly speaking, what I understand here, between the lines, is let's abandon whois in some point of time. I hope I misunderstood you. Piotr -- gucio -> Piotr Strzy?ewski E-mail: Piotr.Strzyzewski at polsl.pl From denis at ripe.net Thu May 8 12:03:02 2014 From: denis at ripe.net (Denis Walker) Date: Thu, 08 May 2014 12:03:02 +0200 Subject: [anti-abuse-wg] [db-wg] Options for extending "abuse-c:" In-Reply-To: <20140508095124.GB18514@hydra.ck.polsl.pl> References: <5368F960.8010404@ripe.net> <20140508095124.GB18514@hydra.ck.polsl.pl> Message-ID: <536B5656.8070609@ripe.net> Dear Piotr Looking at your reply and others I think either I am misunderstanding the problem, or everyone is misunderstanding my proposed solutions. I understood the subnet issue to mean an organisation has more than one default abuse handling team within their organisation. For example they may have three allocations and have a different abuse team for each allocation. I did not expect an organisation to have hundreds of abuse teams, so I don't think this solution would create too much of a problem. The ORGANISATION object is not going to grow too large. For End User customers who are handling abuse, they are taking over part of the management of that internet resource. They should therefore have their own ORGANISATION object referenced from that resource and an "abuse-c:" referenced from the ORGANISATION object. For this we are offering the wizard solution that will create and delete these extra objects as required. We will also provide a management tool that will provide an overview of all additional "abuse-c:" setups within your network. Regards Denis Walker Business Analyst RIPE NCC Database Team On 08/05/2014 11:51, Piotr Strzyzewski wrote: > On Tue, May 06, 2014 at 05:01:52PM +0200, Denis Walker wrote: > > Dear Denis > >> At RIPE 67 in Athens, the RIPE NCC agreed to take another look at the >> implementation of RIPE Document ripe-563, "Abuse Contact Management in >> the RIPE Database." >> >> Two issues have been identified that are seen to be difficult to >> handle with the current model - partitioned subnets within one >> organisation and adding abuse contacts to more specifics for End >> Users. The RIPE NCC has considered these two issues and found what we >> believe to be practical solutions, available within the current model. >> >> More information about these solutions and the implementation of >> "abuse-c:" is available on RIPE Labs: >> https://labs.ripe.net/Members/denis/suggestions-for-improving-abuse-handling >> >> This topic will also be raised during the Anti-Abuse Working Group >> session at RIPE 68 in Warsaw. > First of all thanks for the proposed solution. I would like to comment > both issues: > > 1. A solution to the subnet issue > > I perceive this proposed solution as a way of making a lot of mess > whenever some customer marked with additional abuse-c leaves LIR. > > 2. A solution to the End User issue > > I like this idea. However I'm not sure why at the third screen there is > RIPE-NCC-MNT mentioned, contrary to the LIR-MNT put on the fourth > screen. > > Piotr > -------------- next part -------------- An HTML attachment was scrubbed... URL: From Piotr.Strzyzewski at polsl.pl Thu May 8 12:16:14 2014 From: Piotr.Strzyzewski at polsl.pl (Piotr Strzyzewski) Date: Thu, 8 May 2014 12:16:14 +0200 Subject: [anti-abuse-wg] [db-wg] Options for extending "abuse-c:" In-Reply-To: <536B5656.8070609@ripe.net> References: <5368F960.8010404@ripe.net> <20140508095124.GB18514@hydra.ck.polsl.pl> <536B5656.8070609@ripe.net> Message-ID: <20140508101614.GE18514@hydra.ck.polsl.pl> On Thu, May 08, 2014 at 12:03:02PM +0200, Denis Walker wrote: Dear Denis > Looking at your reply and others I think either I am misunderstanding the > problem, or everyone is misunderstanding my proposed solutions. > > I understood the subnet issue to mean an organisation has more than one > default abuse handling team within their organisation. For example they may > have three allocations and have a different abuse team for each allocation. > I did not expect an organisation to have hundreds of abuse teams, so I > don't think this solution would create too much of a problem. The > ORGANISATION object is not going to grow too large. I get it. I have mixed up both issues into one. Please excuse me, there is students party next to my office window ;-) Piotr -- gucio -> Piotr Strzy?ewski E-mail: Piotr.Strzyzewski at polsl.pl From denis at ripe.net Thu May 8 12:25:01 2014 From: denis at ripe.net (Denis Walker) Date: Thu, 08 May 2014 12:25:01 +0200 Subject: [anti-abuse-wg] [db-wg] Options for extending "abuse-c:" In-Reply-To: <20140508095746.GC18514@hydra.ck.polsl.pl> References: <5368F960.8010404@ripe.net> <53698BFD.3040002@ssd.axu.tm> <536A108B.8090108@ripe.net> <20140508095746.GC18514@hydra.ck.polsl.pl> Message-ID: <536B5B7D.7040406@ripe.net> Dear Piotr We are not suggesting anything, certainly not abandoning whois. What we are trying to do is start to raise questions. This database design/model is 15 years old. We can say for sure it is not efficient, relationships are not good, there is massive duplication of data. But does it still do what people want? Could it be (much) better? Could we provide alternative ways to interface with it (and keeping the old ways)? Could we provide better features and services? Can we make your daily/regular tasks with the database easier and quicker and less error prone? There are many people within the community who have 'grown up' with this database and RPSL. They understand it, know how to use it, have work arounds for it's limitations, have lots of software that integrates with it. But so many new users struggle to do all these things. We see the same problems on training courses. We see the same questions being asked so many times in support tickets. We hear the same issues being raised in the background at meetings. We know these are big issues and nothing is going to be fixed/improved in one single step. But there is a big knowledge/usability gap between long term/experienced users and new users. In general many of the experienced users don't appreciate the way new users struggle with the complexity of the RIPE Database. So we are trying to raise awareness of this and find a way to move forward. Regards Denis Walker Business Analyst RIPE NCC Database Team On 08/05/2014 11:57, Piotr Strzyzewski wrote: > On Wed, May 07, 2014 at 12:52:59PM +0200, Denis Walker wrote: > > Dear Denis > >>> I find this suggestion clumsy. It adds hard to parse extraneous >>> information to simple objects. The organization object for a very large >>> organization would become unmanageable and unintelligible quickly. >> Who do you believe is going to parse this object for this information? The > Users. ;-) > >> RIPE NCC already has an Abuse Finder tool which can be accessed directly or > RIPE NCC already has two Abuse Contact Finders, which already misleads > the users. :| And yes, I know that one of them will be obsoleted. > >> via RIPEstat. As I said in the last paragraph of my article, people should >> start to move away from the old fashioned idea of digging directly into the >> RIPE Database themselves to find data, parse it and interpret it. If you >> need information the RIPE NCC will provide web tools and API calls to >> supply that information. We will do all the digging, parsing and >> interpretation for you. > And sadly speaking, what I understand here, between the lines, is let's > abandon whois in some point of time. I hope I misunderstood you. > > Piotr > -------------- next part -------------- An HTML attachment was scrubbed... URL: From Piotr.Strzyzewski at polsl.pl Thu May 8 12:35:38 2014 From: Piotr.Strzyzewski at polsl.pl (Piotr Strzyzewski) Date: Thu, 8 May 2014 12:35:38 +0200 Subject: [anti-abuse-wg] [db-wg] Options for extending "abuse-c:" In-Reply-To: <536B5B7D.7040406@ripe.net> References: <5368F960.8010404@ripe.net> <53698BFD.3040002@ssd.axu.tm> <536A108B.8090108@ripe.net> <20140508095746.GC18514@hydra.ck.polsl.pl> <536B5B7D.7040406@ripe.net> Message-ID: <20140508103538.GF18514@hydra.ck.polsl.pl> On Thu, May 08, 2014 at 12:25:01PM +0200, Denis Walker wrote: Dear Denis > We are not suggesting anything, certainly not abandoning whois. What we are Good to know. > trying to do is start to raise questions. This database design/model is 15 > years old. We can say for sure it is not efficient, relationships are not > good, there is massive duplication of data. But does it still do what > people want? Could it be (much) better? Could we provide alternative ways > to interface with it (and keeping the old ways)? Could we provide better > features and services? Can we make your daily/regular tasks with the > database easier and quicker and less error prone? > > There are many people within the community who have 'grown up' with this > database and RPSL. They understand it, know how to use it, have work > arounds for it's limitations, have lots of software that integrates with > it. But so many new users struggle to do all these things. We see the same > problems on training courses. We see the same questions being asked so many > times in support tickets. We hear the same issues being raised in the > background at meetings. > > We know these are big issues and nothing is going to be fixed/improved in > one single step. But there is a big knowledge/usability gap between long > term/experienced users and new users. In general many of the experienced > users don't appreciate the way new users struggle with the complexity of > the RIPE Database. So we are trying to raise awareness of this and find a > way to move forward. Please excuse me for not being effusive here. I just want to state that I highly appreciate the way you are trying to clean up all this mess. Piotr -- gucio -> Piotr Strzy?ewski E-mail: Piotr.Strzyzewski at polsl.pl From brian.nisbet at heanet.ie Fri May 9 15:55:47 2014 From: brian.nisbet at heanet.ie (Brian Nisbet) Date: Fri, 09 May 2014 14:55:47 +0100 Subject: [anti-abuse-wg] Working Group Charter Message-ID: <536CDE63.6070605@heanet.ie> Colleagues, For the past couple of RIPE meetings the charter (as per http://www.ripe.net/ripe/groups/wg/anti-abuse ) has bee mentioned on the agenda, but not much has happened. While I note that there hasn't been a huge call for change (nor do I believe much change is required), I'd like to propose a slightly altered Charter in advance of our meeting on Thursday. Of course that is not to suggest that discussion should be limited to that meeting. The discussion should take place here, mainly because this is the right place for it, but also given the time limitations we have at RIPE68. The change I'm suggesting is to this section: "It is considered difficult for this charter to include an exhaustive list of abuse types that would be considered within the scope of this working group, not least because this is expected to change over time. However an initial list can be stated and any necessary additions can be made. Spam via SMTP Spam via VoIP (SPIT) Spam via IM Webforum/blog Abuse All systems and mechanisms, technical and non-technical used to create, control and make money from such abuse. It is important to note that areas such as cybersquatting or hosting illegal content are not seen to be part of the remit of the working group." I would instead propose: "It is considered difficult for this charter to include an exhaustive list of abuse types that would be considered within the scope of this working group, not least because this is expected to change over time. The list below is relevant at time of writing, but any necessary additions, subtractions or changes can be made. Spam via any medium Webforum/blog Abuse Denial-of-service attacks All systems and mechanisms, technical and non-technical used to create, control and make money from network abuse. While areas such as cybersquatting or hosting illegal content are not seen as a central part of the working group's remit, they are unquestionably bound up in other aspects of network abuse and, as such, may well be areas of interest." I believe this properly reflects the work the WG has undertaken thus far and the discussion both on list and at meetings. Brian Co-Chair, RIPE AA-WG From brian.nisbet at heanet.ie Fri May 9 17:19:26 2014 From: brian.nisbet at heanet.ie (Brian Nisbet) Date: Fri, 09 May 2014 16:19:26 +0100 Subject: [anti-abuse-wg] Working Group Charter In-Reply-To: <20140509145826.GA87032@cilantro.c4inet.net> References: <536CDE63.6070605@heanet.ie> <20140509145826.GA87032@cilantro.c4inet.net> Message-ID: <536CF1FE.7030708@heanet.ie> Sasha, Sascha Luck wrote the following on 09/05/2014 15:58: > Brian, > > On Fri, May 09, 2014 at 02:55:47PM +0100, Brian Nisbet wrote: >> All systems and mechanisms, technical and non-technical used to >> create, control and make money from network abuse. > > to begin with, this sentence appears to fail grammatically even > in the original text. Does "create, control and make" really refer to > "money"? > I also consider the new text over-broad. Without defining what "network > abuse" is, you are potentially putting any commercial activity on the > Internet under the remit of this WG. Well, it's essentially the same sentence that nobody has had a problem with, so I feel the meaning has been clear. To create abuse, to control abuse and to make money from abuse. >> While areas such as cybersquatting or hosting illegal content are not >> seen as a central part of the working group's remit, they are >> unquestionably bound up in other aspects of network abuse and, as >> such, may well be areas of interest." > > This is a statement without any evidence to back it up. Why should > "hosting illegal content" (illegal in which jurisdiction, under which > laws?) be "unquestionably" bound up with "other forms of network abuse"? > > As an example from the RIPE service region, hosting a gay website is > now, AIUI, illegal in Russia. How, exactly, would this be "bound up with > other forms of network abuse"? IANAL, neither are you, but I feel positive the Russian Federation would disagree with that blanket statement. :) That said, I do take your point. We could just go with: "While areas such as cybersquatting or hosting illegal content are not seen as a central part of the working group's remit, nor does the WG presume to pass judgement on such activity, aspects of these subjects may overlap with forms of network abuse and so may, from time to time, form part of the WG's activities & discussions." > Without a clear definition, arrived at by way of consensus, of what > "network abuse" is, I would strenuously object to such an expansion of > the scope of this WG. And we're never going to get this. My intention here is to recognise some of the discussion and work done within the WG has already touched on these items. Also, new members of the community often wish to speak to the WG or WG Chairs about them. It is not an attempt (as always) to be any sort of network police, nor to pass judgement on such activities in different jurisdictions. Please suggest other text if you have it. Thanks, Brian, Co-Chair, RIPE AA-WG From lists-ripe at c4inet.net Fri May 9 17:57:02 2014 From: lists-ripe at c4inet.net (Sascha Luck) Date: Fri, 9 May 2014 16:57:02 +0100 Subject: [anti-abuse-wg] Working Group Charter In-Reply-To: <536CF1FE.7030708@heanet.ie> References: <536CDE63.6070605@heanet.ie> <20140509145826.GA87032@cilantro.c4inet.net> <536CF1FE.7030708@heanet.ie> Message-ID: <20140509155701.GB87032@cilantro.c4inet.net> Brian, On Fri, May 09, 2014 at 04:19:26PM +0100, Brian Nisbet wrote: >Well, it's essentially the same sentence that nobody has had a >problem with, so I feel the meaning has been clear. To create abuse, >to control abuse and to make money from abuse. textbook case for the oxford comma then: "to create, control, and make money from, abuse" :) I seriously was confused about the meaning of the sentence. >"While areas such as cybersquatting or hosting illegal content are >not seen as a central part of the working group's remit, nor does the >WG presume to pass judgement on such activity, aspects of these >subjects may overlap with forms of network abuse and so may, from >time to time, form part of the WG's activities & discussions." What do you think about this: "Areas, such as cybersquatting or hosting illegal content are not part of the remit of the WG. Insofar as they overlap with other forms of network abuse, they may, from time to time, become part of the WG's activities and discussions." >>Without a clear definition, arrived at by way of consensus, of what >>"network abuse" is, I would strenuously object to such an expansion of >>the scope of this WG. >And we're never going to get this. My intention here is to recognise >some of the discussion and work done within the WG has already >touched on these items. Also, new members of the community often wish >to speak to the WG or WG Chairs about them. It is not an attempt (as >always) to be any sort of network police, nor to pass judgement on >such activities in different jurisdictions. I'm not sure that sentiment is shared universally... There may be attempts again, to create policy to sanction abuse and if the definition should derive from the Charter, this could be pretty ugly. A bridge to be burned when we get there though, I guess. definition, cheers, Sascha Luck PS: I might be talking to you alone here, for some reason, while I get the list mails, my replies don't show. From brian.nisbet at heanet.ie Fri May 9 18:05:31 2014 From: brian.nisbet at heanet.ie (Brian Nisbet) Date: Fri, 09 May 2014 17:05:31 +0100 Subject: [anti-abuse-wg] Working Group Charter In-Reply-To: <20140509155701.GB87032@cilantro.c4inet.net> References: <536CDE63.6070605@heanet.ie> <20140509145826.GA87032@cilantro.c4inet.net> <536CF1FE.7030708@heanet.ie> <20140509155701.GB87032@cilantro.c4inet.net> Message-ID: <536CFCCB.50403@heanet.ie> Sascha Luck wrote the following on 09/05/2014 16:57: > Brian, > > On Fri, May 09, 2014 at 04:19:26PM +0100, Brian Nisbet wrote: >> Well, it's essentially the same sentence that nobody has had a problem >> with, so I feel the meaning has been clear. To create abuse, to >> control abuse and to make money from abuse. > > textbook case for the oxford comma then: "to create, control, and make > money from, abuse" :) I seriously was confused about the meaning of the > sentence. Again, this has been in place for ~3 years, so while I'm open to changing it, it doesn't appear to have tripped anyone up yet. :) >> "While areas such as cybersquatting or hosting illegal content are not >> seen as a central part of the working group's remit, nor does the WG >> presume to pass judgement on such activity, aspects of these subjects >> may overlap with forms of network abuse and so may, from time to time, >> form part of the WG's activities & discussions." > > What do you think about this: > > "Areas, such as cybersquatting or hosting illegal content are not part > of the remit of the WG. Insofar as they overlap with other forms of > network abuse, they may, from time to time, become part of the WG's > activities and discussions." I think that's a little softer than I'd like, but obviously I'm not the only opinion here, let's see what others think? >>> Without a clear definition, arrived at by way of consensus, of what >>> "network abuse" is, I would strenuously object to such an expansion of >>> the scope of this WG. > >> And we're never going to get this. My intention here is to recognise >> some of the discussion and work done within the WG has already touched >> on these items. Also, new members of the community often wish to speak >> to the WG or WG Chairs about them. It is not an attempt (as always) to >> be any sort of network police, nor to pass judgement on such >> activities in different jurisdictions. > > I'm not sure that sentiment is shared universally... There may be > attempts again, to create policy to sanction abuse and if the definition > should derive from the Charter, this could be pretty ugly. A bridge to > be burned when we get there though, I guess. There may be, but it's up to the WG and community to discuss those. The Charter doesn't mean that something has to happen. As you say, a bridge to burn. > PS: I might be talking to you alone here, for some reason, while I get > the list mails, my replies don't show. Looks like they're all going to the list to me, so I think you're good. Procmail does funny things with lists sometimes. Brian From gert at space.net Fri May 9 19:26:37 2014 From: gert at space.net (Gert Doering) Date: Fri, 9 May 2014 19:26:37 +0200 Subject: [anti-abuse-wg] [db-wg] Options for extending "abuse-c:" In-Reply-To: <536B5656.8070609@ripe.net> References: <5368F960.8010404@ripe.net> <20140508095124.GB18514@hydra.ck.polsl.pl> <536B5656.8070609@ripe.net> Message-ID: <20140509172637.GG43641@Space.Net> Hi, On Thu, May 08, 2014 at 12:03:02PM +0200, Denis Walker wrote: > I understood the subnet issue to mean an organisation has more than one > default abuse handling team within their organisation. For example they > may have three allocations and have a different abuse team for each > allocation. I did not expect an organisation to have hundreds of abuse > teams, so I don't think this solution would create too much of a > problem. The ORGANISATION object is not going to grow too large. > > For End User customers who are handling abuse, they are taking over part > of the management of that internet resource. They should therefore have > their own ORGANISATION object referenced from that resource and an > "abuse-c:" referenced from the ORGANISATION object. For this we are > offering the wizard solution that will create and delete these extra > objects as required. I pointed out in the past that creation of an extra organization object just to get an abuse-c: referenced is something I consider "too much hassle". It's a "database people think so" solution. Having an optional abuse-c: in the more-specific inet(6)num: would be a nice and low-effort solution. > We will also provide a management tool that will provide an overview of > all additional "abuse-c:" setups within your network. Nice and shiny query tools are also missing the point. Creation of a needless object just to fulfill "abuse-c: may only be referenced from an organization: object" designs is not being made less effort by nice query tools. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 811 bytes Desc: not available URL: From denis at ripe.net Sat May 10 05:46:56 2014 From: denis at ripe.net (Denis Walker) Date: Sat, 10 May 2014 05:46:56 +0200 Subject: [anti-abuse-wg] [db-wg] Options for extending "abuse-c:" In-Reply-To: <20140509172637.GG43641@Space.Net> References: <5368F960.8010404@ripe.net> <20140508095124.GB18514@hydra.ck.polsl.pl> <536B5656.8070609@ripe.net> <20140509172637.GG43641@Space.Net> Message-ID: <536DA130.3060003@ripe.net> On 09/05/2014 19:26, Gert Doering wrote: > Hi, > > On Thu, May 08, 2014 at 12:03:02PM +0200, Denis Walker wrote: >> I understood the subnet issue to mean an organisation has more than one >> default abuse handling team within their organisation. For example they >> may have three allocations and have a different abuse team for each >> allocation. I did not expect an organisation to have hundreds of abuse >> teams, so I don't think this solution would create too much of a >> problem. The ORGANISATION object is not going to grow too large. >> >> For End User customers who are handling abuse, they are taking over part >> of the management of that internet resource. They should therefore have >> their own ORGANISATION object referenced from that resource and an >> "abuse-c:" referenced from the ORGANISATION object. For this we are >> offering the wizard solution that will create and delete these extra >> objects as required. > I pointed out in the past that creation of an extra organization object > just to get an abuse-c: referenced is something I consider "too much > hassle". It's a "database people think so" solution. > > Having an optional abuse-c: in the more-specific inet(6)num: would > be a nice and low-effort solution. I think you are missing the point in both cases here. This is not "just to get an abuse-c referenced". The ORGANISATION object was added to the database back in 2004 for a reason. The database always showed 'what'. This was to show 'who'. The ORGANISATION object was designed to provide some information about 'who' manages and has control of and is accountable for Internet resources. When this responsibility is shared between organisations there should be ORGANISATION objectSSS to show the organisation details for these parties. But as with so many ideas/designs/philosophies with this database no one thinks about how these principles can be enforced. The ORGANISATION (and ROLE) objects were introduced with certain ideas in mind. But no business rules were added to enforce those ideas. It is very easy to mis-use them. Then it becomes too much hassle to do it right. If there is a low effort way to do something, without any constraints, people will do it - even if it breaks the database model. If you are not concerned with accountability in the database for management of Internet resources, we can do anything. Right now we have a default abuse handler for the LIR. We know who you are and you are accountable. Once you start adding abuse-c attributes all over a large network, referencing ROLE objects that we don't know who maintains (as MNTNER objects are pretty much anonymous), then we have lost a degree of accountability. It is very easy to hide behind an email address when you don't have to provide any other information in the public domain. What you want means all we have in the public domain for these End Users who manage the abuse reports for a resource is an email address. So we don't have any information about the End User organisation who is now managing one aspect of this resource - abuse handling. We only have an abuse email address. How do you want the Abuse Finder service to work? What do we do when this End User does not respond? We can't return any further certain information about this organisation, like alternative email address, real address, phone number, company name, as we don't have anything. So do we return the LIRs abuse email? Do we start following chains of references of other objects (like we did before and get it wrong). For example the abuse ROLE object, it's MNTNER object, any referenced PERSON objects, their MNTNERs.....Should we give out the LIRs default abuse contact with the End User's contact at the same time, in case the End User address does not work? When someone is held publicly accountable and has to provide additional information, which the LIR can validate as you know who the End User is, they are more likely to provide a working email address. We can always provide a low effort solution....but they have consequences. > >> We will also provide a management tool that will provide an overview of >> all additional "abuse-c:" setups within your network. > Nice and shiny query tools are also missing the point. Creation of a > needless object just to fulfill "abuse-c: may only be referenced from > an organization: object" designs is not being made less effort by nice > query tools. Again you are missing the point here. Whatever solution we end up with means there will be many abuse contacts distributed over a network. The number of levels of indirection does not matter. The point is there are many of them spread across a large network. If you want to know where localised abuse contacts have been set up in your network (by whatever method we end up with), how are you going to find them? How can you get a clear overview of abuse handling in your network? Currently there is no query that gives you this overview. That is because queries return low level data, not high level information. The reason abuse-c was introduced is because what we had before was an unmanageable mixture of earlier solutions. If we allow abuse-c to be distributed across a network without proper tools to manage it, then people simply will not manage it. It will become too much hassle. Contact references will be left when not needed because they have been forgotten and can't be easily seen. Reports will go to the wrong places and be ignored. In a couple of years time we will start again with a new idea to clean up the next problem. Modern interfaces and tools to manage information in a system like the RIPE Database are pretty much standard these days. That is why other systems don't need a full day training course just to teach the basics of how to enter data into a database, protect it and retrieve it. Regards Denis Walker Business Analyst RIPE NCC Database Team > > Gert Doering > -- NetMaster From ripe-lists at c4inet.net Fri May 9 16:58:26 2014 From: ripe-lists at c4inet.net (Sascha Luck) Date: Fri, 9 May 2014 15:58:26 +0100 Subject: [anti-abuse-wg] Working Group Charter In-Reply-To: <536CDE63.6070605@heanet.ie> References: <536CDE63.6070605@heanet.ie> Message-ID: <20140509145826.GA87032@cilantro.c4inet.net> Brian, On Fri, May 09, 2014 at 02:55:47PM +0100, Brian Nisbet wrote: >All systems and mechanisms, technical and non-technical used to >create, control and make money from network abuse. to begin with, this sentence appears to fail grammatically even in the original text. Does "create, control and make" really refer to "money"? I also consider the new text over-broad. Without defining what "network abuse" is, you are potentially putting any commercial activity on the Internet under the remit of this WG. >While areas such as cybersquatting or hosting illegal content are not >seen as a central part of the working group's remit, they are >unquestionably bound up in other aspects of network abuse and, as >such, may well be areas of interest." This is a statement without any evidence to back it up. Why should "hosting illegal content" (illegal in which jurisdiction, under which laws?) be "unquestionably" bound up with "other forms of network abuse"? As an example from the RIPE service region, hosting a gay website is now, AIUI, illegal in Russia. How, exactly, would this be "bound up with other forms of network abuse"? Without a clear definition, arrived at by way of consensus, of what "network abuse" is, I would strenuously object to such an expansion of the scope of this WG. rgds, Sascha Luck From ops.lists at gmail.com Sat May 10 18:18:46 2014 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Sat, 10 May 2014 21:48:46 +0530 Subject: [anti-abuse-wg] Working Group Charter In-Reply-To: <20140509145826.GA87032@cilantro.c4inet.net> References: <536CDE63.6070605@heanet.ie> <20140509145826.GA87032@cilantro.c4inet.net> Message-ID: That is a hair that need not be split. The meaning and intent are perfectly clear. And the meaning of abuse is varied enough, and ever changing, that it would not be wise to get bogged down in definitions. On 10-May-2014 9:09 pm, "Sascha Luck" wrote: > Brian, > > On Fri, May 09, 2014 at 02:55:47PM +0100, Brian Nisbet wrote: > >> All systems and mechanisms, technical and non-technical used to create, >> control and make money from network abuse. >> > > to begin with, this sentence appears to fail grammatically even > in the original text. Does "create, control and make" really refer to > "money"? > I also consider the new text over-broad. Without defining what "network > abuse" is, you are potentially putting any commercial activity on the > Internet under the remit of this WG. > > While areas such as cybersquatting or hosting illegal content are not >> seen as a central part of the working group's remit, they are >> unquestionably bound up in other aspects of network abuse and, as such, may >> well be areas of interest." >> > > This is a statement without any evidence to back it up. Why should > "hosting illegal content" (illegal in which jurisdiction, under which > laws?) be "unquestionably" bound up with "other forms of network abuse"? > > As an example from the RIPE service region, hosting a gay website is > now, AIUI, illegal in Russia. How, exactly, would this be "bound up with > other forms of network abuse"? > Without a clear definition, arrived at by way of consensus, of what > "network abuse" is, I would strenuously object to such an expansion of > the scope of this WG. > > rgds, > Sascha Luck > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From dhc at dcrocker.net Sat May 10 19:20:14 2014 From: dhc at dcrocker.net (Dave Crocker) Date: Sat, 10 May 2014 10:20:14 -0700 Subject: [anti-abuse-wg] Working Group Charter In-Reply-To: References: <536CDE63.6070605@heanet.ie> <20140509145826.GA87032@cilantro.c4inet.net> Message-ID: <536E5FCE.5090105@dcrocker.net> On 5/10/2014 9:18 AM, Suresh Ramasubramanian wrote: > That is a hair that need not be split. > > The meaning and intent are perfectly clear. > > And the meaning of abuse is varied enough, and ever changing, that it > would not be wise to get bogged down in definitions. Perhaps small re-wordings, to capture the above, without (intending to) change the substance of the existing charter: Draft revision of As the Internet has evolved, so has the scope and scale of network abuse. Unsolicited bulk email (spam) is often merely a symptom of deeper abuse such as viruses or botnets. Consequently the Anti-Spam Working Group has a wide scope, to include all relevant kinds of abuse. The technical details of spam and other abuse constantly vary, in terms of application channel and technique. Channel examples include SMTP, SIP, XMPP and HTTP. Examples of techniques range from buffer overrun to social engineering. Within scope are all systems and mechanisms, both technical and non-technical, that are used to create, control and make money from such abuse. Outside of scope are areas such as cybersquatting or hosting illegal content. The working group considers both technical and non-technical aspects of abuse, with the following goals: Produce and continue to update a BCP (Best Common Practice) document for ISPs similar in nature to RIPE-409 but covering a wider range of possible abusive behaviours. Provide advice (beyond that of the BCP) to relevant parties within the RIPE region such as ISPs, Governments and Law Enforcement Agencies on strategic and operational matters. Discuss and disseminate information on technical and non-technical methods of preventing or reducing network abuse. -- Dave Crocker Brandenburg InternetWorking bbiw.net From ops.lists at gmail.com Sun May 11 02:22:57 2014 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Sun, 11 May 2014 05:52:57 +0530 Subject: [anti-abuse-wg] Working Group Charter In-Reply-To: <536E5FCE.5090105@dcrocker.net> References: <536CDE63.6070605@heanet.ie> <20140509145826.GA87032@cilantro.c4inet.net> <536E5FCE.5090105@dcrocker.net> Message-ID: +1 On Saturday, May 10, 2014, Dave Crocker wrote: > On 5/10/2014 9:18 AM, Suresh Ramasubramanian wrote: > > That is a hair that need not be split. > > > > The meaning and intent are perfectly clear. > > > > And the meaning of abuse is varied enough, and ever changing, that it > > would not be wise to get bogged down in definitions. > > > Perhaps small re-wordings, to capture the above, without (intending to) > change the substance of the existing charter: > > > > Draft revision of > > > As the Internet has evolved, so has the scope and scale of network > abuse. Unsolicited bulk email (spam) is often merely a symptom of > deeper abuse such as viruses or botnets. Consequently the Anti-Spam > Working Group has a wide scope, to include all relevant kinds of abuse. > > The technical details of spam and other abuse constantly vary, in terms > of application channel and technique. Channel examples include SMTP, > SIP, XMPP and HTTP. Examples of techniques range from buffer overrun to > social engineering. > > Within scope are all systems and mechanisms, both technical and > non-technical, that are used to create, control and make money from such > abuse. > > Outside of scope are areas such as cybersquatting or hosting illegal > content. > > The working group considers both technical and non-technical aspects of > abuse, with the following goals: > > Produce and continue to update a BCP (Best Common Practice) document > for ISPs similar in nature to RIPE-409 but covering a wider range of > possible abusive behaviours. > > Provide advice (beyond that of the BCP) to relevant parties within > the RIPE region such as ISPs, Governments and Law Enforcement Agencies > on strategic and operational matters. > > Discuss and disseminate information on technical and non-technical > methods of preventing or reducing network abuse. > > > > > -- > Dave Crocker > Brandenburg InternetWorking > bbiw.net > > -- --srs (iPad) -------------- next part -------------- An HTML attachment was scrubbed... URL: From pk at DENIC.DE Sun May 11 08:58:18 2014 From: pk at DENIC.DE (Peter Koch) Date: Sun, 11 May 2014 08:58:18 +0200 Subject: [anti-abuse-wg] Working Group Charter In-Reply-To: <536CFCCB.50403@heanet.ie> References: <536CDE63.6070605@heanet.ie> <20140509145826.GA87032@cilantro.c4inet.net> <536CF1FE.7030708@heanet.ie> <20140509155701.GB87032@cilantro.c4inet.net> <536CFCCB.50403@heanet.ie> Message-ID: <20140511065818.GK8488@x28.adm.denic.de> On Fri, May 09, 2014 at 05:05:31PM +0100, Brian Nisbet wrote: > >textbook case for the oxford comma then: "to create, control, and make > >money from, abuse" :) I seriously was confused about the meaning of the > >sentence. > > Again, this has been in place for ~3 years, so while I'm open to > changing it, it doesn't appear to have tripped anyone up yet. :) being equally non-native, I had similar difficulties parsing the sentence (and don't remember whether or why not I'd have had the same issue 3 years ago or since) I would appreciate that clarification. > >What do you think about this: > > > >"Areas, such as cybersquatting or hosting illegal content are not part > >of the remit of the WG. Insofar as they overlap with other forms of > >network abuse, they may, from time to time, become part of the WG's > >activities and discussions." > > I think that's a little softer than I'd like, but obviously I'm not the > only opinion here, let's see what others think? I prefer the status quo. The topic of illegal content is a slippery slope and while ... > >>on these items. Also, new members of the community often wish to speak > >>to the WG or WG Chairs about them. It is not an attempt (as always) to > >>be any sort of network police, nor to pass judgement on such > >>activities in different jurisdictions. ... this might be true, I'd prefer keeping strong boundaries even at the cost of confusion of said new members of the community. It's OK for people to want to talk about anything, just a WG in the RIPE context might not always be the proper venue. > Looks like they're all going to the list to me, so I think you're good. > Procmail does funny things with lists sometimes. Or the mailing list SW "helpfully" suppressing duplicates. -Peter From ops.lists at gmail.com Sun May 11 19:26:57 2014 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Sun, 11 May 2014 22:56:57 +0530 Subject: [anti-abuse-wg] Delivery Status Notification (Delay) In-Reply-To: <001a11c2e9ccfe041f04f92313d3@google.com> References: <001a11c2e9ccfe041f04f92313d3@google.com> Message-ID: Saschas mailserver is one dead:d00d, as it's IP suggests.. Must be some new fangled 100% effective measure to block all spam, by rejecting all mail :) On 11-May-2014 10:52 pm, "Mail Delivery Subsystem" < mailer-daemon at googlemail.com> wrote: > This is an automatically generated Delivery Status Notification > > THIS IS A WARNING MESSAGE ONLY. > > YOU DO NOT NEED TO RESEND YOUR MESSAGE. > > Delivery to the following recipient has been delayed: > > ripe-lists at c4inet.net > > Message will be retried for 2 more day(s) > > Technical details of temporary failure: > Google tried to deliver your message, but it was rejected by the server > for the recipient domain c4inet.net by mail.c4inet.net. > [2a02:2078:100:dead:d00d::25]. > > The error that the other server returned was: > 450 4.1.1 : Recipient address rejected: User > unknown in local recipient table > > ----- Original message ----- > > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; > d=gmail.com; s=20120113; > > h=mime-version:in-reply-to:references:date:message-id:subject:from:to > :cc:content-type; > bh=ezofrR9Jly/3K8mE1UqmUHR/6n8DMV0kIwu3A/4i2Gc=; > > b=MSgQCM7DYjHp5YOSPrfsb8iZ/yQQqREoH6I9a/OAMiQkheW/5A6t4oVVaIITFA4TvX > > u/WFlhbn6IcLAzy49jKqJDc8PSWolwFtvOPOZQ9JyXhUekb6L+hk9c9msFXmmNOXLN+6 > > eTznBX+DFnvI39YnbpEH2dqjOvQ9TeaKuP72tHJNr7I5Yyht2MotnE874bF5ZTIK5/gD > > WFnCl3KODF0r3bSJVqjFU4FK4K8MOhoBt7rB5Qwsn2Cv0aJuBWeJEiWxj54BdKqvJ/hy > > 0uW4e65bITM7QzKI5nbNMSAoMOPnDtjX4sr8FSPxf6oKC3VWCrUZa2q+1CsYAsncyFZP > ifaA== > MIME-Version: 1.0 > X-Received: by 10.182.236.229 with SMTP id > ux5mr22650408obc.12.1399738727296; > Sat, 10 May 2014 09:18:47 -0700 (PDT) > Received: by 10.60.11.195 with HTTP; Sat, 10 May 2014 09:18:46 -0700 (PDT) > Received: by 10.60.11.195 with HTTP; Sat, 10 May 2014 09:18:46 -0700 (PDT) > In-Reply-To: <20140509145826.GA87032 at cilantro.c4inet.net> > References: <536CDE63.6070605 at heanet.ie> > <20140509145826.GA87032 at cilantro.c4inet.net> > Date: Sat, 10 May 2014 21:48:46 +0530 > Message-ID: < > CAArzuos+Cz0jcoXaiqo3Mjwjo09espso4+aPeTYkp0gk6u9hQA at mail.gmail.com> > Subject: Re: [anti-abuse-wg] Working Group Charter > From: Suresh Ramasubramanian > To: Sascha Luck > Cc: anti-abuse-wg at ripe.net, Brian Nisbet > Content-Type: multipart/alternative; boundary=001a11c2e9cc9e759f04f90e110f > > That is a hair that need not be split. > > The meaning and intent are perfectly clear. > > And the meaning of abuse is varied enough, and ever changing, that it would > not be wise to get bogged down in definitions. > On 10-May-2014 9:09 pm, "Sascha Luck" wrote: > > > Brian, > > > > On Fri, May 09, 2014 at 02:55:47PM +0100, Brian Nisbet wrote: > > > >> All systems and mechanisms, technical and non-technical used to create, > >> control and make money from network abuse. > >> > > > > to begin with, this sentence appears to fail grammatically even > > in the original text. Does "create, control and make" really refer to > > "money"? > > I also consider the new text over-broad. Without defining what "network > > abuse" is, you are potentially putting any commercial activity on the > > Internet under the remit of this WG. > > > > While areas such as cybersquatting or hosting illegal content are not > >> seen as a central part of the working group's remit, they are > >> unquestionably bound up in other aspects of network abuse and, as such, > may > >> well be areas of interest." > >> > > > > This is a statement without any evidence to back it up. Why should > > "hosting illegal content" (illegal in which jurisdiction, under which > > laws?) be "unquestionably" bound up with "other forms of network abuse"? > > > > As an example from the RIPE service region, hosting a gay website is > > now, AIUI, illegal in Russia. How, exactly, would this be "bound up with > > other forms of network abuse"? > > Without a clear definition, arrived at by way of consensus, of what > > "network abuse" is, I would strenuously object to such an expansion of > > the scope of this WG. > > > > rgds, > > Sascha Luck > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From gert at space.net Sun May 11 20:54:56 2014 From: gert at space.net (Gert Doering) Date: Sun, 11 May 2014 20:54:56 +0200 Subject: [anti-abuse-wg] Delivery Status Notification (Delay) In-Reply-To: References: <001a11c2e9ccfe041f04f92313d3@google.com> Message-ID: <20140511185456.GO43641@Space.Net> Hi, On Sun, May 11, 2014 at 10:56:57PM +0530, Suresh Ramasubramanian wrote: > > The error that the other server returned was: > > 450 4.1.1 : Recipient address rejected: User > > unknown in local recipient table Now that's a truly interesting variant... a temporary code for unknown user... "try again tomorrow, maybe we have hired someone with this name by then?" :-o gert -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 811 bytes Desc: not available URL: From gilles.massen at restena.lu Mon May 12 16:09:09 2014 From: gilles.massen at restena.lu (Gilles Massen) Date: Mon, 12 May 2014 16:09:09 +0200 Subject: [anti-abuse-wg] [db-wg] Options for extending "abuse-c:" In-Reply-To: <536DA130.3060003@ripe.net> References: <5368F960.8010404@ripe.net> <20140508095124.GB18514@hydra.ck.polsl.pl> <536B5656.8070609@ripe.net> <20140509172637.GG43641@Space.Net> <536DA130.3060003@ripe.net> Message-ID: <5370D605.1010908@restena.lu> Hello, Thanks for looking into the 'more specific abuse-c', and presenting a solution. Technically it would solve the "subnet issue" in our case. However, the proposed solution strikes me as really weird: it does not scale, is hard to parse, and breaks with almost everything I'd expect from the RIPE DB syntax- and usage-wise. Scaling might not be important for the projected use-case - but with every extension you could run into trouble (cf. extending the abuse role project, from your upcoming presentation). If I understood your earlier mails correctly, having stronger heritage and less different objects is intentional (and I can certainly agree with that idea). But I would apply that thinking rather to all contact objects, and not single the abuse-c out. Please keep the contact syntax coherent. On 05/10/2014 05:46 AM, Denis Walker wrote: > On 09/05/2014 19:26, Gert Doering wrote: >> Having an optional abuse-c: in the more-specific inet(6)num: would >> be a nice and low-effort solution. And I'd add: low-effort for everyone: the one running with the default org-attached abuse-c, the one needing more specific, and the data-requester with the whois client. I'd also believe that it is an additional workload NOT to use the default, and that's why I find it difficult to share you concern of bad data. Besides, why is the abuse-c so special that is warrants all the added technical barriers around it? After all, it is just a contact. Yes, it is mandatory, but that alone does not make it special. And whatever rules you put around it, you cannot force an abuse-c to be useful - which by the end of the day is the only thing that matters. > If you are not concerned with accountability in the database for > management of Internet resources, we can do anything. Right now we have > a default abuse handler for the LIR. We know who you are and you are > accountable. Once you start adding abuse-c attributes all over a large > network, referencing ROLE objects that we don't know who maintains (as > MNTNER objects are pretty much anonymous), then we have lost a degree of > accountability. It is very easy to hide behind an email address when you > don't have to provide any other information in the public domain. What > you want means all we have in the public domain for these End Users who > manage the abuse reports for a resource is an email address. Personally I don't feel strongly about the described accountability in the database. I'd rather have flexible ease of use, along with a comprehensive toolset for the RIPE NCC to enforce policy. You can put useless data in the DB anyway, so if any data is so important that it deserves special care or even validation, make the validation out of band: you'd have to anyway, so you can be more liberal on the business logic and not annoy the rest of the rule-abiding world. > When someone is held publicly accountable and has to provide additional > information, which the LIR can validate as you know who the End User is, > they are more likely to provide a working email address. We can always > provide a low effort solution....but they have consequences. [...] > If you want to know where > localised abuse contacts have been set up in your network (by whatever > method we end up with), how are you going to find them? How can you get > a clear overview of abuse handling in your network? Currently there is > no query that gives you this overview. Which, in turn, would be nice feature for the lirportal. Along with the 'do it right'-wizard. Actually, the proposed solution for the "subnet-issue" is very appealing to do the "end-user issue" wrong: what would prevent a LIR to put an abuse-c per end-user assignment in it's org-object? It would probably be easier than to create the organisation objects... All in all, fragmenting the syntax of objects depending on their intented use seems a too high cost for the presented benefits... Best regards, Gilles -- Fondation RESTENA - DNS-LU 6, rue Coudenhove-Kalergi L-1359 Luxembourg tel: (+352) 424409 fax: (+352) 422473 From denis at ripe.net Mon May 12 17:32:19 2014 From: denis at ripe.net (Denis Walker) Date: Mon, 12 May 2014 17:32:19 +0200 Subject: [anti-abuse-wg] [db-wg] Options for extending "abuse-c:" In-Reply-To: <5370D605.1010908@restena.lu> References: <5368F960.8010404@ripe.net> <20140508095124.GB18514@hydra.ck.polsl.pl> <536B5656.8070609@ripe.net> <20140509172637.GG43641@Space.Net> <536DA130.3060003@ripe.net> <5370D605.1010908@restena.lu> Message-ID: <5370E983.2050801@ripe.net> Dear Gilles Sorry, another long email. Maybe at some point we have to accept that email discussions are not going to resolve this matter :) To take your last point first - "All in all, fragmenting the syntax of objects depending on their intented use seems a too high cost for the presented benefits...". We have already done this in a way, which is why we are having this whole discussion. The ROLE and ORGANISATION objects had an intended use. But no business rules were added to the software to enforce the use and there were not even any best common practise rules documented. 10+ years down the line and most people have forgotten why these objects are there. Now we are trying to build a case to 'do things right' and it's seen as too much hassle. More comments in line below.... On 12/05/2014 16:09, Gilles Massen wrote: > Hello, > > Thanks for looking into the 'more specific abuse-c', and presenting a > solution. Technically it would solve the "subnet issue" in our case. > > However, the proposed solution strikes me as really weird: it does not > scale, is hard to parse, and breaks with almost everything I'd expect > from the RIPE DB syntax- and usage-wise. Scaling might not be important > for the projected use-case - but with every extension you could run into > trouble (cf. extending the abuse role project, from your upcoming > presentation). As I understand it, the subnet case is not a large usage requirement, so scaling is not an issue. The same syntax is used by "mnt-routes:" so there is a precedent for the syntax and we already have the software to parse it. If scaling became an issue we could solve that with proper tooling. I know we have not yet put a good case for tools to help you work with the RIPE Database and experienced users don't see a need for 'simple' tools. After all, you can do everything you want with a few keystrokes on a command line, right? I come from a generation that just about remembers writing software in assembler. Then we moved to high level (C like) languages. At the time programmers thought they were losing some power and control over the processor and it's internal registers. Then high level languages became the norm and now we have fully integrated development environments.....but you can still write in assembler if you want. We can always present you with a view of your low level data in RPSL format and accept input from you in that way. But don't forget what the 'RP' stands for - 'Routing Policy'. It does not mean 'Address Management'. To finally sum up this point for now - we can build and provide you with many tools to help you with address management information that don't have to work with RPSL format data (but can do). > > If I understood your earlier mails correctly, having stronger heritage > and less different objects is intentional (and I can certainly agree > with that idea). But I would apply that thinking rather to all contact > objects, and not single the abuse-c out. Please keep the contact syntax > coherent. I agree absolutely with this and have said so on many occasions. A small organisation may only have one technical or admin team, but may still have many resources in the database. There is no need to duplicate these contact details every where. They can be managed in the same way as abuse contacts. > > > On 05/10/2014 05:46 AM, Denis Walker wrote: >> On 09/05/2014 19:26, Gert Doering wrote: >>> Having an optional abuse-c: in the more-specific inet(6)num: would >>> be a nice and low-effort solution. > And I'd add: low-effort for everyone: the one running with the default > org-attached abuse-c, the one needing more specific, and the > data-requester with the whois client. I'd also believe that it is an > additional workload NOT to use the default, and that's why I find it > difficult to share you concern of bad data. > > Besides, why is the abuse-c so special that is warrants all the added > technical barriers around it? After all, it is just a contact. Yes, it > is mandatory, but that alone does not make it special. And whatever > rules you put around it, you cannot force an abuse-c to be useful - > which by the end of the day is the only thing that matters. Again you are right. The abuse contact is not special. It only seems special because we have applied the principles of the database model to it. These principles are sadly missing from so many other areas of the data. Although it has been forgotten after 10+ years the basic database model is - an organisation is the core of your data. That organisation has human resources and Internet resources. The human resources are grouped into roles and these roles manage the Internet resources. That is it in a nutshell. It sounds simple, but so many layers have been built on and around these principles, that the original principles have been partially lost. That core organisation is anyone/thing that manages (some aspect of) an Internet resource. If it is an outsourced 24/7 team, an abuse handler or an End User doing their own routing. There should be an ORGANISATION object to identify them. Everything else hangs off that object. For example, if an End User manages the routing for their resource, who do you want to contact if their is a routing problem? The End User who manages the routing or their LIR who assigned the resource? How are you going to contact that End User? From the MNTNER in the "mnt-routes:" of the assignment? Which email address should you use from the MNTNER or referenced PERSON objects? Or maybe the ROUTE object where all contact information is optional. Following the basic principles there should be an ORGANISATION object for the End User with clearly defined contact details. It makes sense to follow the basic design. It does not make sense to take short cuts and break the basic model. > > >> If you are not concerned with accountability in the database for >> management of Internet resources, we can do anything. Right now we have >> a default abuse handler for the LIR. We know who you are and you are >> accountable. Once you start adding abuse-c attributes all over a large >> network, referencing ROLE objects that we don't know who maintains (as >> MNTNER objects are pretty much anonymous), then we have lost a degree of >> accountability. It is very easy to hide behind an email address when you >> don't have to provide any other information in the public domain. What >> you want means all we have in the public domain for these End Users who >> manage the abuse reports for a resource is an email address. > Personally I don't feel strongly about the described accountability in > the database. I'd rather have flexible ease of use, along with a > comprehensive toolset for the RIPE NCC to enforce policy. You can put > useless data in the DB anyway, so if any data is so important that it > deserves special care or even validation, make the validation out of > band: you'd have to anyway, so you can be more liberal on the business > logic and not annoy the rest of the rule-abiding world. We can provide tools to make it easy to manage data without breaking the model. Anyone who agrees to the Terms and Conditions of use of the RIPE Database agrees to enter valid and correct information. > > >> When someone is held publicly accountable and has to provide additional >> information, which the LIR can validate as you know who the End User is, >> they are more likely to provide a working email address. We can always >> provide a low effort solution....but they have consequences. > [...] > >> If you want to know where >> localised abuse contacts have been set up in your network (by whatever >> method we end up with), how are you going to find them? How can you get >> a clear overview of abuse handling in your network? Currently there is >> no query that gives you this overview. > Which, in turn, would be nice feature for the lirportal. Along with the > 'do it right'-wizard. > > Actually, the proposed solution for the "subnet-issue" is very appealing > to do the "end-user issue" wrong: what would prevent a LIR to put an > abuse-c per end-user assignment in it's org-object? It would probably be > easier than to create the organisation objects... Yes it would be easier, but wrong. Some things can be managed by software business rules, other things need to rely on members following the rules. Regards Denis Walker Business Analyst RIPE NCC Database Team > > All in all, fragmenting the syntax of objects depending on their > intented use seems a too high cost for the presented benefits... > > Best regards, > Gilles > -------------- next part -------------- An HTML attachment was scrubbed... URL: From gilles.massen at restena.lu Thu May 15 10:55:24 2014 From: gilles.massen at restena.lu (Gilles Massen) Date: Thu, 15 May 2014 10:55:24 +0200 Subject: [anti-abuse-wg] [db-wg] Options for extending "abuse-c:" In-Reply-To: <5370E983.2050801@ripe.net> References: <5368F960.8010404@ripe.net> <20140508095124.GB18514@hydra.ck.polsl.pl> <536B5656.8070609@ripe.net> <20140509172637.GG43641@Space.Net> <536DA130.3060003@ripe.net> <5370D605.1010908@restena.lu> <5370E983.2050801@ripe.net> Message-ID: <537480FC.9000406@restena.lu> Hi Denis, On 05/12/2014 05:32 PM, Denis Walker wrote: > Sorry, another long email. Maybe at some point we have to accept that > email discussions are not going to resolve this matter :) I'd have loved to be in Warsaw and bug you directly :) Thanks for enlighten me, and from your answer I think we are not in wild disagreement. > To take your last point first - "All in all, fragmenting the syntax of > objects depending on their intented use seems a too high cost for the > presented benefits...". We have already done this in a way, which is why > we are having this whole discussion. The ROLE and ORGANISATION objects > had an intended use. But no business rules were added to the software to > enforce the use and there were not even any best common practise rules > documented. 10+ years down the line and most people have forgotten why > these objects are there. Now we are trying to build a case to 'do things > right' and it's seen as too much hassle. So your wish is to take the current abuse-c implementation as a model for other contacts, is that correct? I would see merit in that - but I'm still not wild about the fragmentation: either it is the way forward, then it should have been said so, and be brought explicitly before the DB-WG. Before the implementation. Because if it is not (or there is too much resistance against applying the model to other contacts) then you're stuck with the two kinds of contacts: to me as a user of the database (reader or writer) as well as part time DBA that is hugely annoying. Supposing I did not misread your intentions, and the abuse-c model is the right: > As I understand it, the subnet case is not a large usage requirement, so > scaling is not an issue. The same syntax is used by "mnt-routes:" so > there is a precedent for the syntax and we already have the software to > parse it. Ok, I didn't know about mnt-routes, and I agree that the subnet case _should_ be limited. However, it needs to scale if applied to admin-c and tech-c's, at least much more than for the abuse-c. Maybe the proposal is enough - you have better data on that than I do - but in any case we should end up with the same for all contacts. And keep the necessary flexibility to allow database user to represent their reality. For example, the possible copyright-abuse-mailbox you are about to present (I had a peak at the slides): great idea. But in our case (the 'subnet case') that would be a company wide contact, whereas the 'real' abuse-c is network specific. We are small enough that it does not really matter (i.e. I'd duplicate the data and be done with it) - but the use case for flexibility exists. [...] > To finally sum up this point for now - we can build and > provide you with many tools to help you with address management > information that don't have to work with RPSL format data (but can do). In my particular case we can live with about anything: not many objects, infrequent updates. But even then I'd really love coherence in the DB structure and logic. > Although it has been forgotten after 10+ years the basic database model > is - an organisation is the core of your data. That organisation has > human resources and Internet resources. The human resources are grouped > into roles and these roles manage the Internet resources. That is it in > a nutshell. It sounds simple, but so many layers have been built on and > around these principles, that the original principles have been > partially lost. Sounds like interesting times ahead :) What's wrong with trying to get back there? > That core organisation is anyone/thing that manages (some aspect of) an > Internet resource. If it is an outsourced 24/7 team, an abuse handler or > an End User doing their own routing. There should be an ORGANISATION > object to identify them. Everything else hangs off that object. As not all aspects of an organisation are alike (subnet case), and duplicating organisations is a mess (and even impossible in cases like anycast assignments) sub-organisations or departments would be an way to solve this, within the basic database model? > For example, if an End User manages the routing for their resource, who > do you want to contact if their is a routing problem? The End User who > manages the routing or their LIR who assigned the resource? How are you > going to contact that End User? From the MNTNER in the "mnt-routes:" of > the assignment? Which email address should you use from the MNTNER or > referenced PERSON objects? I'd always follow basic logic: the most specific contact adapted to my request. In this case: the tech-c related to the internet resource or it's closest parent, because that seems obvious without reading the database documentation. Any other address only in case of no-reaction / despair - and then all bets are off anyway. > Or maybe the ROUTE object where all contact > information is optional. Following the basic principles there should be > an ORGANISATION object for the End User with clearly defined contact > details. It makes sense to follow the basic design. It does not make > sense to take short cuts and break the basic model. I completely agree. On the other hand, and that might be personal preference, about the only thing I'd value above the database model is coherence in the entries. If only because it is easier to migrate a coherent mess than half a mess :) >> >> Actually, the proposed solution for the "subnet-issue" is very appealing >> to do the "end-user issue" wrong: what would prevent a LIR to put an >> abuse-c per end-user assignment in it's org-object? It would probably be >> easier than to create the organisation objects... > > Yes it would be easier, but wrong. Some things can be managed by > software business rules, other things need to rely on members following > the rules. My point exactly. And I'll always value flexibility about over-tight rules. If life has taught me anything it's that if the 'wrong' way is too easy compared to the 'right' (and doesn't come with serious inconvenience) it will be used. Sometimes only by ignorance. But that's not something I have to tell the RIPE NCC database team :) cheers, Gilles -- Fondation RESTENA - DNS-LU 6, rue Coudenhove-Kalergi L-1359 Luxembourg tel: (+352) 424409 fax: (+352) 422473 From Piotr.Strzyzewski at polsl.pl Thu May 15 15:24:07 2014 From: Piotr.Strzyzewski at polsl.pl (Piotr Strzyzewski) Date: Thu, 15 May 2014 15:24:07 +0200 Subject: [anti-abuse-wg] [db-wg] Options for extending "abuse-c:" In-Reply-To: <5370E983.2050801@ripe.net> References: <5368F960.8010404@ripe.net> <20140508095124.GB18514@hydra.ck.polsl.pl> <536B5656.8070609@ripe.net> <20140509172637.GG43641@Space.Net> <536DA130.3060003@ripe.net> <5370D605.1010908@restena.lu> <5370E983.2050801@ripe.net> Message-ID: <20140515132407.GG9954@hydra.ck.polsl.pl> On Mon, May 12, 2014 at 05:32:19PM +0200, Denis Walker wrote: Dear Denis > Again you are right. The abuse contact is not special. It only seems > special because we have applied the principles of the database model to it. > These principles are sadly missing from so many other areas of the data. > > Although it has been forgotten after 10+ years the basic database model is > - an organisation is the core of your data. That organisation has human > resources and Internet resources. The human resources are grouped into > roles and these roles manage the Internet resources. That is it in a > nutshell. It sounds simple, but so many layers have been built on and > around these principles, that the original principles have been partially > lost. > > That core organisation is anyone/thing that manages (some aspect of) an > Internet resource. If it is an outsourced 24/7 team, an abuse handler or an > End User doing their own routing. There should be an ORGANISATION object to > identify them. Everything else hangs off that object. So, do we have to start thinking about making admin-c/tech-c of INET(6)NUM (and others) optional and then deprecated at some point in time? Do we have to start thinking about moving whole contact details to the ORGANISATION objects? Piotr -- gucio -> Piotr Strzy?ewski E-mail: Piotr.Strzyzewski at polsl.pl From mir at ripe.net Wed May 21 14:03:49 2014 From: mir at ripe.net (Mirjam Kuehne) Date: Wed, 21 May 2014 14:03:49 +0200 Subject: [anti-abuse-wg] New on RIPE Labs: Survey on Mitigation and Response of Network Attacks Message-ID: <537C9625.2050703@ripe.net> Dear colleagues, Network-based attacks pose a strong threat to the Internet landscape. In her PhD Jessica Steinberger is investigating different approaches on attack mitigation and response. She developed a survey that aims at gaining insight in real-world processes, structures and capabilities of IT companies and the computer networks they run. Please find more information on RIPE Labs: https://labs.ripe.net/Members/jessica_steinberger/survey-on-mitigation-and-response-of-network-attacks Kind regards, Mirjam Kuehne RIPE NCC From mir at ripe.net Thu May 22 11:58:42 2014 From: mir at ripe.net (Mirjam Kuehne) Date: Thu, 22 May 2014 11:58:42 +0200 Subject: [anti-abuse-wg] New on RIPE Labs: Better Crypto Message-ID: <537DCA52.7010603@ripe.net> Dear colleagues, We have published a new article on RIPE Labs which you might find of interest: Better Crypto - Applied Cryptography Hardening (by Aaron Kaplan) https://labs.ripe.net/Members/aaron_kaplan/better-crypto Aaron presented this at the RIPE 68 Meeting last week. Kind regards, Mirjam Kuehne RIPE NCC From brian.nisbet at heanet.ie Tue May 27 11:07:24 2014 From: brian.nisbet at heanet.ie (Brian Nisbet) Date: Tue, 27 May 2014 10:07:24 +0100 Subject: [anti-abuse-wg] Working Group Charter In-Reply-To: <536E5FCE.5090105@dcrocker.net> References: <536CDE63.6070605@heanet.ie> <20140509145826.GA87032@cilantro.c4inet.net> <536E5FCE.5090105@dcrocker.net> Message-ID: <538455CC.8060806@heanet.ie> Dave, Thanks for this, Dave Crocker wrote the following on 10/05/2014 18:20: > On 5/10/2014 9:18 AM, Suresh Ramasubramanian wrote: >> That is a hair that need not be split. >> >> The meaning and intent are perfectly clear. >> >> And the meaning of abuse is varied enough, and ever changing, that it >> would not be wise to get bogged down in definitions. > > > Perhaps small re-wordings, to capture the above, without (intending to) > change the substance of the existing charter: > > > > Draft revision of > > > As the Internet has evolved, so has the scope and scale of network > abuse. Unsolicited bulk email (spam) is often merely a symptom of > deeper abuse such as viruses or botnets. Consequently the Anti-Spam > Working Group has a wide scope, to include all relevant kinds of abuse. > > The technical details of spam and other abuse constantly vary, in terms > of application channel and technique. Channel examples include SMTP, > SIP, XMPP and HTTP. Examples of techniques range from buffer overrun to > social engineering. Anti-Abuse Working Group, but other than this, it's great, thanks. > Within scope are all systems and mechanisms, both technical and > non-technical, that are used to create, control and make money from such > abuse. > > Outside of scope are areas such as cybersquatting or hosting illegal > content. The problem I see here (but the WG might disagree) is that we do talk about the above and the WG has expressed interest in same, hence my wish to at least acknowledge this. Sasha's language here was: "Areas, such as cybersquatting or hosting illegal content are not part of the remit of the WG. Insofar as they overlap with other forms of network abuse, they may, from time to time, become part of the WG's activities and discussions." which I quite like. > The working group considers both technical and non-technical aspects of > abuse, with the following goals: > > Produce and continue to update a BCP (Best Common Practice) document > for ISPs similar in nature to RIPE-409 but covering a wider range of > possible abusive behaviours. > > Provide advice (beyond that of the BCP) to relevant parties within > the RIPE region such as ISPs, Governments and Law Enforcement Agencies > on strategic and operational matters. > > Discuss and disseminate information on technical and non-technical > methods of preventing or reducing network abuse. So I suppose my proposal here would be to run with Dave's text, except for the part about cybersquatting & illegal content, where I would drop in Sascha's. What do you all think? Thanks, Brian From dhc at dcrocker.net Tue May 27 13:50:42 2014 From: dhc at dcrocker.net (Dave Crocker) Date: Tue, 27 May 2014 04:50:42 -0700 Subject: [anti-abuse-wg] Working Group Charter In-Reply-To: <538455CC.8060806@heanet.ie> References: <536CDE63.6070605@heanet.ie> <20140509145826.GA87032@cilantro.c4inet.net> <536E5FCE.5090105@dcrocker.net> <538455CC.8060806@heanet.ie> Message-ID: <53847C12.10906@dcrocker.net> On 5/27/2014 2:07 AM, Brian Nisbet wrote: >> Outside of scope are areas such as cybersquatting or hosting illegal >> content. > > The problem I see here (but the WG might disagree) is that we do talk > about the above and the WG has expressed interest in same, hence my wish > to at least acknowledge this. Sasha's language here was: > > "Areas, such as cybersquatting or hosting illegal content are not part > of the remit of the WG. Insofar as they overlap with other forms of > network abuse, they may, from time to time, become part of the WG's > activities and discussions." > > which I quite like. I quite like the tone of the language. It's almost lyrical and literary. However as for utility in a working group charter, I don't know what the second sentence means. A more general form of that sentence highlights the problem with the construction and it's vagueness: Insofar as something that is outside the wg scope 'overlaps' with something inside the wg scope, it's ok for the wg to discuss it. My guess is that it's the something inside the scope that is what will really be talked about, where the other stuff might be 'mentioned' but isn't really what will (or should) be talked about. And what does it mean to "overlap", in technical or operations terms? d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net From brian.nisbet at heanet.ie Tue May 27 15:47:11 2014 From: brian.nisbet at heanet.ie (Brian Nisbet) Date: Tue, 27 May 2014 14:47:11 +0100 Subject: [anti-abuse-wg] Working Group Charter In-Reply-To: <53847C12.10906@dcrocker.net> References: <536CDE63.6070605@heanet.ie> <20140509145826.GA87032@cilantro.c4inet.net> <536E5FCE.5090105@dcrocker.net> <538455CC.8060806@heanet.ie> <53847C12.10906@dcrocker.net> Message-ID: <5384975F.4060902@heanet.ie> Dave Crocker wrote the following on 27/05/2014 12:50: > On 5/27/2014 2:07 AM, Brian Nisbet wrote: >>> Outside of scope are areas such as cybersquatting or hosting illegal >>> content. >> >> The problem I see here (but the WG might disagree) is that we do talk >> about the above and the WG has expressed interest in same, hence my wish >> to at least acknowledge this. Sasha's language here was: >> >> "Areas, such as cybersquatting or hosting illegal content are not part >> of the remit of the WG. Insofar as they overlap with other forms of >> network abuse, they may, from time to time, become part of the WG's >> activities and discussions." >> >> which I quite like. > > > I quite like the tone of the language. It's almost lyrical and literary. > > However as for utility in a working group charter, I don't know what the > second sentence means. > > A more general form of that sentence highlights the problem with the > construction and it's vagueness: > > Insofar as something that is outside the wg scope 'overlaps' with > something inside the wg scope, it's ok for the wg to discuss it. > > My guess is that it's the something inside the scope that is what will > really be talked about, where the other stuff might be 'mentioned' but > isn't really what will (or should) be talked about. > > And what does it mean to "overlap", in technical or operations terms? It's a fair question, especially as me knowing what it means isn't the most useful thing, I wrote most of this charter and it's all in my head. :) I'll also let Sascha respond as well, of course. What I'm trying to capture is the delicate balance between not wanting to make the WG about copyright etc, but to be able to talk about the effects that these issues can have on networks and the novel methods/interesting procedures operators and others use to find them, remove them and reveal other badness around them. This is of interest to the community and to law enforcement, but it's difficult to class as network abuse. This is the original language I used here: "While areas such as cybersquatting or hosting illegal content are not seen as a central part of the working group's remit, they are unquestionably bound up in other aspects of network abuse and, as such, may well be areas of interest." but there were comments about that, so trying to find a different form of text to thread that needle. Brian From dhc at dcrocker.net Tue May 27 16:11:44 2014 From: dhc at dcrocker.net (Dave Crocker) Date: Tue, 27 May 2014 07:11:44 -0700 Subject: [anti-abuse-wg] Working Group Charter In-Reply-To: <5384975F.4060902@heanet.ie> References: <536CDE63.6070605@heanet.ie> <20140509145826.GA87032@cilantro.c4inet.net> <536E5FCE.5090105@dcrocker.net> <538455CC.8060806@heanet.ie> <53847C12.10906@dcrocker.net> <5384975F.4060902@heanet.ie> Message-ID: <53849D20.2030304@dcrocker.net> On 5/27/2014 6:47 AM, Brian Nisbet wrote: > This is the original language I used here: > > "While areas such as cybersquatting or hosting illegal content are not > seen as a central part of the working group's remit, they are > unquestionably bound up in other aspects of network abuse and, as such, > may well be areas of interest." Hmmm... oddly, that could turn out to be the more useful wording. It is descriptive and does not really try to be prescriptive (or proscriptive), though of course it walks right up to that point. As such, it paints a a bit of territory that might be 'related', but does neither requires nor prohibits traveling in the territory. I would therefore expect wg management to determine salience according to other criteria in the charter... d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net From dcrocker at bbiw.net Tue May 27 16:11:18 2014 From: dcrocker at bbiw.net (Dave Crocker) Date: Tue, 27 May 2014 07:11:18 -0700 Subject: [anti-abuse-wg] Working Group Charter In-Reply-To: <5384975F.4060902@heanet.ie> References: <536CDE63.6070605@heanet.ie> <20140509145826.GA87032@cilantro.c4inet.net> <536E5FCE.5090105@dcrocker.net> <538455CC.8060806@heanet.ie> <53847C12.10906@dcrocker.net> <5384975F.4060902@heanet.ie> Message-ID: <53849D06.4000500@bbiw.net> On 5/27/2014 6:47 AM, Brian Nisbet wrote: > This is the original language I used here: > > "While areas such as cybersquatting or hosting illegal content are not > seen as a central part of the working group's remit, they are > unquestionably bound up in other aspects of network abuse and, as such, > may well be areas of interest." Hmmm... oddly, that could turn out to be the more useful wording. It is descriptive and does not really try to be prescriptive (or proscriptive), though of course it walks right up to that point. As such, it paints a a bit of territory that might be 'related', but does neither requires nor prohibits traveling in the territory. I would therefore expect wg management to determine salience according to other criteria in the charter... d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net From lists-ripe at c4inet.net Thu May 29 22:31:52 2014 From: lists-ripe at c4inet.net (Sascha Luck) Date: Thu, 29 May 2014 21:31:52 +0100 Subject: [anti-abuse-wg] Working Group Charter In-Reply-To: <53849D20.2030304@dcrocker.net> References: <536CDE63.6070605@heanet.ie> <20140509145826.GA87032@cilantro.c4inet.net> <536E5FCE.5090105@dcrocker.net> <538455CC.8060806@heanet.ie> <53847C12.10906@dcrocker.net> <5384975F.4060902@heanet.ie> <53849D20.2030304@dcrocker.net> Message-ID: <20140529203152.GG87032@cilantro.c4inet.net> On Tue, May 27, 2014 at 07:11:44AM -0700, Dave Crocker wrote: >On 5/27/2014 6:47 AM, Brian Nisbet wrote: >> "While areas such as cybersquatting or hosting illegal content are not >> seen as a central part of the working group's remit, they are >> unquestionably bound up in other aspects of network abuse and, as such, >> may well be areas of interest." > > >Hmmm... oddly, that could turn out to be the more useful wording. > >It is descriptive and does not really try to be prescriptive (or >proscriptive), though of course it walks right up to that point. > >As such, it paints a a bit of territory that might be 'related', but >does neither requires nor prohibits traveling in the territory. I would >therefore expect wg management to determine salience according to other >criteria in the charter... I am not very comfortable with prescribing limits to what people can discuss, but I'm even less comfortable with any policy that may result from an over-broad mandate. From my POV, the ideal charter would be one that states "the wg can discuss and make recommendations on, anything it feels like; but has no mandate to make policy resulting from those discussions or recommendations. In short, I'm trying to prevent a small cabal of "anti-abuse" people from instrumentalising RIPE or the NCC as some sort of enforcer of allowable content or copyrights, etc. rgds, Sascha Luck From dhc at dcrocker.net Thu May 29 23:10:36 2014 From: dhc at dcrocker.net (Dave Crocker) Date: Thu, 29 May 2014 14:10:36 -0700 Subject: [anti-abuse-wg] Working Group Charter In-Reply-To: <20140529203152.GG87032@cilantro.c4inet.net> References: <536CDE63.6070605@heanet.ie> <20140509145826.GA87032@cilantro.c4inet.net> <536E5FCE.5090105@dcrocker.net> <538455CC.8060806@heanet.ie> <53847C12.10906@dcrocker.net> <5384975F.4060902@heanet.ie> <53849D20.2030304@dcrocker.net> <20140529203152.GG87032@cilantro.c4inet.net> Message-ID: <5387A24C.3020100@dcrocker.net> On 5/29/2014 1:31 PM, Sascha Luck wrote: > I am not very comfortable with prescribing limits to what people can > discuss, but I'm even less comfortable with any policy that may result > from an over-broad mandate. A charter is a contract. It should say what will be done and what won't be done. For group discussion contracts like this, also saying what is relevant or not is an extremely helpful management tool. If the group needs to talk about something that is out of scope, relative to the charter, it's unlikely that anyone will go to jail due to the violation. On the other hand, being explicit that the discussion is needed and getting group agreement, is merely good process hygiene. d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net From brian.nisbet at heanet.ie Fri May 30 10:25:30 2014 From: brian.nisbet at heanet.ie (Brian Nisbet) Date: Fri, 30 May 2014 09:25:30 +0100 Subject: [anti-abuse-wg] Working Group Charter In-Reply-To: <20140529203152.GG87032@cilantro.c4inet.net> References: <536CDE63.6070605@heanet.ie> <20140509145826.GA87032@cilantro.c4inet.net> <536E5FCE.5090105@dcrocker.net> <538455CC.8060806@heanet.ie> <53847C12.10906@dcrocker.net> <5384975F.4060902@heanet.ie> <53849D20.2030304@dcrocker.net> <20140529203152.GG87032@cilantro.c4inet.net> Message-ID: <5388407A.4030209@heanet.ie> Sascha, Sascha Luck wrote the following on 29/05/2014 21:31: > On Tue, May 27, 2014 at 07:11:44AM -0700, Dave Crocker wrote: >> On 5/27/2014 6:47 AM, Brian Nisbet wrote: >>> "While areas such as cybersquatting or hosting illegal content are not >>> seen as a central part of the working group's remit, they are >>> unquestionably bound up in other aspects of network abuse and, as such, >>> may well be areas of interest." >> >> >> Hmmm... oddly, that could turn out to be the more useful wording. >> >> It is descriptive and does not really try to be prescriptive (or >> proscriptive), though of course it walks right up to that point. >> >> As such, it paints a a bit of territory that might be 'related', but >> does neither requires nor prohibits traveling in the territory. I would >> therefore expect wg management to determine salience according to other >> criteria in the charter... > > I am not very comfortable with prescribing limits to what people can > discuss, but I'm even less comfortable with any policy that may result > from an over-broad mandate. From my POV, the ideal charter would be one > that states "the wg can > discuss and make recommendations on, anything it feels like; but has no > mandate to make policy resulting from those discussions or > recommendations. Why would you want to remove the ability to make policy from a WG? It's a fundamental piece of work that they do, even if it's never used. > In short, I'm trying to prevent a small cabal of "anti-abuse" people > from instrumentalising RIPE or the NCC as some sort of enforcer of > allowable content or copyrights, etc. Just because something is in the charter doesn't mean people will make policy about it. Equally, just because it isn't in the charter, that doesn't stop someone in the community coming up with some policy. I will, of course, agree it makes conversation easier. I could even remove the word 'well' from the paragraph above to soften it. Policy is never made in isolation. We shout it loud and wide when a policy is submitted and people react to things they don't like. Some things do change over time (I was amazed when we eventually reached consensus on abuse-c), but it should not follow from that that all things will. All of that said, so far we've had a couple of pieces of text proposed. There have been (a small number of) voices on either side of the discussion around copyright etc. Are there any other opinions on this? Brian From michele at blacknight.com Fri May 30 13:07:21 2014 From: michele at blacknight.com (Michele Neylon - Blacknight) Date: Fri, 30 May 2014 11:07:21 +0000 Subject: [anti-abuse-wg] Working Group Charter In-Reply-To: <5388407A.4030209@heanet.ie> References: <536CDE63.6070605@heanet.ie> <20140509145826.GA87032@cilantro.c4inet.net> <536E5FCE.5090105@dcrocker.net> <538455CC.8060806@heanet.ie> <53847C12.10906@dcrocker.net> <5384975F.4060902@heanet.ie> <53849D20.2030304@dcrocker.net> <20140529203152.GG87032@cilantro.c4inet.net> <5388407A.4030209@heanet.ie> Message-ID: Brian Is there a proposed updated text incorporating the feedback so far? Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Domains http://www.blacknight.co/ http://blog.blacknight.com/ http://www.technology.ie Intl. +353 (0) 59? 9183072 Direct Dial: +353 (0)59 9183090 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland? Company No.: 370845 From brian.nisbet at heanet.ie Fri May 30 15:00:05 2014 From: brian.nisbet at heanet.ie (Brian Nisbet) Date: Fri, 30 May 2014 14:00:05 +0100 Subject: [anti-abuse-wg] Working Group Charter In-Reply-To: References: <536CDE63.6070605@heanet.ie> <20140509145826.GA87032@cilantro.c4inet.net> <536E5FCE.5090105@dcrocker.net> <538455CC.8060806@heanet.ie> <53847C12.10906@dcrocker.net> <5384975F.4060902@heanet.ie> <53849D20.2030304@dcrocker.net> <20140529203152.GG87032@cilantro.c4inet.net> <5388407A.4030209@heanet.ie> Message-ID: <538880D5.3080902@heanet.ie> Michele, There is, or there is, bar really the paragraph we're still discussing. I'd like to thank both Sascha and Dave for their text so far: As the Internet has evolved, so has the scope and scale of network abuse. Unsolicited bulk email (spam) is often merely a symptom of deeper abuse such as viruses or botnets. Consequently the Anti-Spam Working Group has a wide scope, to include all relevant kinds of abuse. The technical details of spam and other abuse constantly vary, in terms of application channel and technique. Channel examples include SMTP, SIP, XMPP and HTTP. Examples of techniques range from buffer overrun to social engineering. Within scope are all systems and mechanisms, both technical and non-technical, that are used to create, control, and make money from, such abuse. While areas such as cybersquatting or hosting illegal content are not seen as a central part of the working group's remit, they are unquestionably bound up in other aspects of network abuse and, as such, may be areas of interest. The working group considers both technical and non-technical aspects of abuse, with the following goals: Produce and continue to update a BCP (Best Common Practice) document for ISPs similar in nature to RIPE-409 but covering a wider range of possible abusive behaviours. Provide advice (beyond that of the BCP) to relevant parties within the RIPE region such as ISPs, Governments and Law Enforcement Agencies on strategic and operational matters. Discuss and disseminate information on technical and non-technical methods of preventing or reducing network abuse. ***************** The core of the discussion at this point is over: "While areas such as cybersquatting or hosting illegal content are not seen as a central part of the working group's remit, they are unquestionably bound up in other aspects of network abuse and, as such, may be areas of interest." Brian Michele Neylon - Blacknight wrote the following on 30/05/2014 12:07: > Brian > > Is there a proposed updated text incorporating the feedback so far? > > Regards > > Michele > > > -- > Mr Michele Neylon > Blacknight Solutions > Hosting & Colocation, Domains > http://www.blacknight.co/ > http://blog.blacknight.com/ > http://www.technology.ie > Intl. +353 (0) 59 9183072 > Direct Dial: +353 (0)59 9183090 > Twitter: http://twitter.com/mneylon > ------------------------------- > Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty > Road,Graiguecullen,Carlow,Ireland Company No.: 370845 > > From michele at blacknight.com Fri May 30 15:04:03 2014 From: michele at blacknight.com (Michele Neylon - Blacknight) Date: Fri, 30 May 2014 13:04:03 +0000 Subject: [anti-abuse-wg] Working Group Charter In-Reply-To: <538880D5.3080902@heanet.ie> References: <536CDE63.6070605@heanet.ie> <20140509145826.GA87032@cilantro.c4inet.net> <536E5FCE.5090105@dcrocker.net> <538455CC.8060806@heanet.ie> <53847C12.10906@dcrocker.net> <5384975F.4060902@heanet.ie> <53849D20.2030304@dcrocker.net> <20140529203152.GG87032@cilantro.c4inet.net> <5388407A.4030209@heanet.ie> <538880D5.3080902@heanet.ie> Message-ID: Thanks Brian I was trying to understand what the bit of text that was potentially causing problems was .. I'd drop "cybersquatting" as it's a term that most people don't really understand and is often misused. If you want to talk about copyright matters in a broader sense then the terminology should be different, "cybersquatting" refers to domain names only and is not within RIPE's remit. Hosting illegal content in my opinion should definitely be in scope. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Domains http://www.blacknight.co/ http://blog.blacknight.com/ http://www.technology.ie Intl. +353 (0) 59? 9183072 Direct Dial: +353 (0)59 9183090 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland? Company No.: 370845 -----Original Message----- From: Brian Nisbet [mailto:brian.nisbet at heanet.ie] Sent: Friday, May 30, 2014 2:00 PM To: Michele Neylon - Blacknight Cc: anti-abuse-wg at ripe.net Subject: Re: [anti-abuse-wg] Working Group Charter Michele, There is, or there is, bar really the paragraph we're still discussing. I'd like to thank both Sascha and Dave for their text so far: As the Internet has evolved, so has the scope and scale of network abuse. Unsolicited bulk email (spam) is often merely a symptom of deeper abuse such as viruses or botnets. Consequently the Anti-Spam Working Group has a wide scope, to include all relevant kinds of abuse. The technical details of spam and other abuse constantly vary, in terms of application channel and technique. Channel examples include SMTP, SIP, XMPP and HTTP. Examples of techniques range from buffer overrun to social engineering. Within scope are all systems and mechanisms, both technical and non-technical, that are used to create, control, and make money from, such abuse. While areas such as cybersquatting or hosting illegal content are not seen as a central part of the working group's remit, they are unquestionably bound up in other aspects of network abuse and, as such, may be areas of interest. The working group considers both technical and non-technical aspects of abuse, with the following goals: Produce and continue to update a BCP (Best Common Practice) document for ISPs similar in nature to RIPE-409 but covering a wider range of possible abusive behaviours. Provide advice (beyond that of the BCP) to relevant parties within the RIPE region such as ISPs, Governments and Law Enforcement Agencies on strategic and operational matters. Discuss and disseminate information on technical and non-technical methods of preventing or reducing network abuse. ***************** The core of the discussion at this point is over: "While areas such as cybersquatting or hosting illegal content are not seen as a central part of the working group's remit, they are unquestionably bound up in other aspects of network abuse and, as such, may be areas of interest." Brian Michele Neylon - Blacknight wrote the following on 30/05/2014 12:07: > Brian > > Is there a proposed updated text incorporating the feedback so far? > > Regards > > Michele > > > -- > Mr Michele Neylon > Blacknight Solutions > Hosting & Colocation, Domains > http://www.blacknight.co/ > http://blog.blacknight.com/ > http://www.technology.ie > Intl. +353 (0) 59 9183072 > Direct Dial: +353 (0)59 9183090 > Twitter: http://twitter.com/mneylon > ------------------------------- > Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business > Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845 > > From brian.nisbet at heanet.ie Fri May 30 15:46:08 2014 From: brian.nisbet at heanet.ie (Brian Nisbet) Date: Fri, 30 May 2014 14:46:08 +0100 Subject: [anti-abuse-wg] Working Group Charter In-Reply-To: References: <536CDE63.6070605@heanet.ie> <20140509145826.GA87032@cilantro.c4inet.net> <536E5FCE.5090105@dcrocker.net> <538455CC.8060806@heanet.ie> <53847C12.10906@dcrocker.net> <5384975F.4060902@heanet.ie> <53849D20.2030304@dcrocker.net> <20140529203152.GG87032@cilantro.c4inet.net> <5388407A.4030209@heanet.ie> <538880D5.3080902@heanet.ie> Message-ID: <53888BA0.9000702@heanet.ie> Hey, The aim is to reflect things like your talk from 66 and Peter Forsman's piece on counterfeit websites from 65. So, copyright, hosting illegal content (not trying to make content illegal, but reflecting, where appropriate, national and international laws) etc. It's tricky to say that names aren't in the remit of the RIPE community, I know what you mean, but there is still significant crossover and interest, so while I don't believe we should be making policy about them (let's leave aside how difficult it would be fore the community to do so), we may want to talk about them. Brian Michele Neylon - Blacknight wrote the following on 30/05/2014 14:04: > Thanks Brian > > I was trying to understand what the bit of text that was potentially causing problems was .. > > I'd drop "cybersquatting" as it's a term that most people don't really understand and is often misused. If you want to talk about copyright matters in a broader sense then the terminology should be different, "cybersquatting" refers to domain names only and is not within RIPE's remit. > > Hosting illegal content in my opinion should definitely be in scope. > > Regards > > Michele > > > -- > Mr Michele Neylon > Blacknight Solutions > Hosting & Colocation, Domains > http://www.blacknight.co/ > http://blog.blacknight.com/ > http://www.technology.ie > Intl. +353 (0) 59 9183072 > Direct Dial: +353 (0)59 9183090 > Twitter: http://twitter.com/mneylon > ------------------------------- > Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty > Road,Graiguecullen,Carlow,Ireland Company No.: 370845 > > > -----Original Message----- > From: Brian Nisbet [mailto:brian.nisbet at heanet.ie] > Sent: Friday, May 30, 2014 2:00 PM > To: Michele Neylon - Blacknight > Cc: anti-abuse-wg at ripe.net > Subject: Re: [anti-abuse-wg] Working Group Charter > > Michele, > > There is, or there is, bar really the paragraph we're still discussing. > > I'd like to thank both Sascha and Dave for their text so far: > > As the Internet has evolved, so has the scope and scale of network abuse. Unsolicited bulk email (spam) is often merely a symptom of deeper abuse such as viruses or botnets. Consequently the Anti-Spam Working Group has a wide scope, to include all relevant kinds of abuse. > > The technical details of spam and other abuse constantly vary, in terms of application channel and technique. Channel examples include SMTP, SIP, XMPP and HTTP. Examples of techniques range from buffer overrun to social engineering. > > Within scope are all systems and mechanisms, both technical and non-technical, that are used to create, control, and make money from, such abuse. > > While areas such as cybersquatting or hosting illegal content are not seen as a central part of the working group's remit, they are unquestionably bound up in other aspects of network abuse and, as such, may be areas of interest. > > The working group considers both technical and non-technical aspects of abuse, with the following goals: > > Produce and continue to update a BCP (Best Common Practice) document for ISPs similar in nature to RIPE-409 but covering a wider range of possible abusive behaviours. > > Provide advice (beyond that of the BCP) to relevant parties within the RIPE region such as ISPs, Governments and Law Enforcement Agencies on strategic and operational matters. > > Discuss and disseminate information on technical and non-technical methods of preventing or reducing network abuse. > > ***************** > > The core of the discussion at this point is over: > > "While areas such as cybersquatting or hosting illegal content are not seen as a central part of the working group's remit, they are unquestionably bound up in other aspects of network abuse and, as such, may be areas of interest." > > Brian > > Michele Neylon - Blacknight wrote the following on 30/05/2014 12:07: >> Brian >> >> Is there a proposed updated text incorporating the feedback so far? >> >> Regards >> >> Michele >> >> >> -- >> Mr Michele Neylon >> Blacknight Solutions >> Hosting & Colocation, Domains >> http://www.blacknight.co/ >> http://blog.blacknight.com/ >> http://www.technology.ie >> Intl. +353 (0) 59 9183072 >> Direct Dial: +353 (0)59 9183090 >> Twitter: http://twitter.com/mneylon >> ------------------------------- >> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business >> Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845 >> >> From michele at blacknight.com Fri May 30 16:19:18 2014 From: michele at blacknight.com (Michele Neylon - Blacknight) Date: Fri, 30 May 2014 14:19:18 +0000 Subject: [anti-abuse-wg] Working Group Charter In-Reply-To: <53888BA0.9000702@heanet.ie> References: <536CDE63.6070605@heanet.ie> <20140509145826.GA87032@cilantro.c4inet.net> <536E5FCE.5090105@dcrocker.net> <538455CC.8060806@heanet.ie> <53847C12.10906@dcrocker.net> <5384975F.4060902@heanet.ie> <53849D20.2030304@dcrocker.net> <20140529203152.GG87032@cilantro.c4inet.net> <5388407A.4030209@heanet.ie> <538880D5.3080902@heanet.ie> <53888BA0.9000702@heanet.ie> Message-ID: Brian Then be explicit "Cybersquatting" is a pure names It's nothing to do with the actual content if you want to talk about copyright infringement etc., then that's fine Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Domains http://www.blacknight.co/ http://blog.blacknight.com/ http://www.technology.ie Intl. +353 (0) 59? 9183072 Direct Dial: +353 (0)59 9183090 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland? Company No.: 370845 -----Original Message----- From: Brian Nisbet [mailto:brian.nisbet at heanet.ie] Sent: Friday, May 30, 2014 2:46 PM To: Michele Neylon - Blacknight Cc: anti-abuse-wg at ripe.net Subject: Re: [anti-abuse-wg] Working Group Charter Hey, The aim is to reflect things like your talk from 66 and Peter Forsman's piece on counterfeit websites from 65. So, copyright, hosting illegal content (not trying to make content illegal, but reflecting, where appropriate, national and international laws) etc. It's tricky to say that names aren't in the remit of the RIPE community, I know what you mean, but there is still significant crossover and interest, so while I don't believe we should be making policy about them (let's leave aside how difficult it would be fore the community to do so), we may want to talk about them. Brian Michele Neylon - Blacknight wrote the following on 30/05/2014 14:04: > Thanks Brian > > I was trying to understand what the bit of text that was potentially causing problems was .. > > I'd drop "cybersquatting" as it's a term that most people don't really understand and is often misused. If you want to talk about copyright matters in a broader sense then the terminology should be different, "cybersquatting" refers to domain names only and is not within RIPE's remit. > > Hosting illegal content in my opinion should definitely be in scope. > > Regards > > Michele > > > -- > Mr Michele Neylon > Blacknight Solutions > Hosting & Colocation, Domains > http://www.blacknight.co/ > http://blog.blacknight.com/ > http://www.technology.ie > Intl. +353 (0) 59 9183072 > Direct Dial: +353 (0)59 9183090 > Twitter: http://twitter.com/mneylon > ------------------------------- > Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business > Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845 > > > -----Original Message----- > From: Brian Nisbet [mailto:brian.nisbet at heanet.ie] > Sent: Friday, May 30, 2014 2:00 PM > To: Michele Neylon - Blacknight > Cc: anti-abuse-wg at ripe.net > Subject: Re: [anti-abuse-wg] Working Group Charter > > Michele, > > There is, or there is, bar really the paragraph we're still discussing. > > I'd like to thank both Sascha and Dave for their text so far: > > As the Internet has evolved, so has the scope and scale of network abuse. Unsolicited bulk email (spam) is often merely a symptom of deeper abuse such as viruses or botnets. Consequently the Anti-Spam Working Group has a wide scope, to include all relevant kinds of abuse. > > The technical details of spam and other abuse constantly vary, in terms of application channel and technique. Channel examples include SMTP, SIP, XMPP and HTTP. Examples of techniques range from buffer overrun to social engineering. > > Within scope are all systems and mechanisms, both technical and non-technical, that are used to create, control, and make money from, such abuse. > > While areas such as cybersquatting or hosting illegal content are not seen as a central part of the working group's remit, they are unquestionably bound up in other aspects of network abuse and, as such, may be areas of interest. > > The working group considers both technical and non-technical aspects of abuse, with the following goals: > > Produce and continue to update a BCP (Best Common Practice) document for ISPs similar in nature to RIPE-409 but covering a wider range of possible abusive behaviours. > > Provide advice (beyond that of the BCP) to relevant parties within the RIPE region such as ISPs, Governments and Law Enforcement Agencies on strategic and operational matters. > > Discuss and disseminate information on technical and non-technical methods of preventing or reducing network abuse. > > ***************** > > The core of the discussion at this point is over: > > "While areas such as cybersquatting or hosting illegal content are not seen as a central part of the working group's remit, they are unquestionably bound up in other aspects of network abuse and, as such, may be areas of interest." > > Brian > > Michele Neylon - Blacknight wrote the following on 30/05/2014 12:07: >> Brian >> >> Is there a proposed updated text incorporating the feedback so far? >> >> Regards >> >> Michele >> >> >> -- >> Mr Michele Neylon >> Blacknight Solutions >> Hosting & Colocation, Domains >> http://www.blacknight.co/ >> http://blog.blacknight.com/ >> http://www.technology.ie >> Intl. +353 (0) 59 9183072 >> Direct Dial: +353 (0)59 9183090 >> Twitter: http://twitter.com/mneylon >> ------------------------------- >> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business >> Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845 >> >> From brian.nisbet at heanet.ie Fri May 30 16:22:54 2014 From: brian.nisbet at heanet.ie (Brian Nisbet) Date: Fri, 30 May 2014 15:22:54 +0100 Subject: [anti-abuse-wg] Working Group Charter In-Reply-To: References: <536CDE63.6070605@heanet.ie> <20140509145826.GA87032@cilantro.c4inet.net> <536E5FCE.5090105@dcrocker.net> <538455CC.8060806@heanet.ie> <53847C12.10906@dcrocker.net> <5384975F.4060902@heanet.ie> <53849D20.2030304@dcrocker.net> <20140529203152.GG87032@cilantro.c4inet.net> <5388407A.4030209@heanet.ie> <538880D5.3080902@heanet.ie> <53888BA0.9000702@heanet.ie> Message-ID: <5388943E.0@heanet.ie> Michele, As mentioned, we don't make policy for names, but a lot of people in the community care about them, however, would something like "While areas such as hosting illegal content or copyright infringement" be better? Or shall we just leave it as "While areas such as hosting illegal content..." Brian Michele Neylon - Blacknight wrote the following on 30/05/2014 15:19: > Brian > > Then be explicit > > "Cybersquatting" is a pure names > > It's nothing to do with the actual content > > if you want to talk about copyright infringement etc., then that's fine > > Regards > > Michele > > > -- > Mr Michele Neylon > Blacknight Solutions > Hosting & Colocation, Domains > http://www.blacknight.co/ > http://blog.blacknight.com/ > http://www.technology.ie > Intl. +353 (0) 59 9183072 > Direct Dial: +353 (0)59 9183090 > Twitter: http://twitter.com/mneylon > ------------------------------- > Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty > Road,Graiguecullen,Carlow,Ireland Company No.: 370845 > > > -----Original Message----- > From: Brian Nisbet [mailto:brian.nisbet at heanet.ie] > Sent: Friday, May 30, 2014 2:46 PM > To: Michele Neylon - Blacknight > Cc: anti-abuse-wg at ripe.net > Subject: Re: [anti-abuse-wg] Working Group Charter > > Hey, > > The aim is to reflect things like your talk from 66 and Peter Forsman's piece on counterfeit websites from 65. So, copyright, hosting illegal content (not trying to make content illegal, but reflecting, where appropriate, national and international laws) etc. It's tricky to say that names aren't in the remit of the RIPE community, I know what you mean, but there is still significant crossover and interest, so while I don't believe we should be making policy about them (let's leave aside how difficult it would be fore the community to do so), we may want to talk about them. > > Brian > Michele Neylon - Blacknight wrote the following on 30/05/2014 14:04: >> Thanks Brian >> >> I was trying to understand what the bit of text that was potentially causing problems was .. >> >> I'd drop "cybersquatting" as it's a term that most people don't really understand and is often misused. If you want to talk about copyright matters in a broader sense then the terminology should be different, "cybersquatting" refers to domain names only and is not within RIPE's remit. >> >> Hosting illegal content in my opinion should definitely be in scope. >> >> Regards >> >> Michele >> >> >> -- >> Mr Michele Neylon >> Blacknight Solutions >> Hosting & Colocation, Domains >> http://www.blacknight.co/ >> http://blog.blacknight.com/ >> http://www.technology.ie >> Intl. +353 (0) 59 9183072 >> Direct Dial: +353 (0)59 9183090 >> Twitter: http://twitter.com/mneylon >> ------------------------------- >> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business >> Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845 >> >> >> -----Original Message----- >> From: Brian Nisbet [mailto:brian.nisbet at heanet.ie] >> Sent: Friday, May 30, 2014 2:00 PM >> To: Michele Neylon - Blacknight >> Cc: anti-abuse-wg at ripe.net >> Subject: Re: [anti-abuse-wg] Working Group Charter >> >> Michele, >> >> There is, or there is, bar really the paragraph we're still discussing. >> >> I'd like to thank both Sascha and Dave for their text so far: >> >> As the Internet has evolved, so has the scope and scale of network abuse. Unsolicited bulk email (spam) is often merely a symptom of deeper abuse such as viruses or botnets. Consequently the Anti-Spam Working Group has a wide scope, to include all relevant kinds of abuse. >> >> The technical details of spam and other abuse constantly vary, in terms of application channel and technique. Channel examples include SMTP, SIP, XMPP and HTTP. Examples of techniques range from buffer overrun to social engineering. >> >> Within scope are all systems and mechanisms, both technical and non-technical, that are used to create, control, and make money from, such abuse. >> >> While areas such as cybersquatting or hosting illegal content are not seen as a central part of the working group's remit, they are unquestionably bound up in other aspects of network abuse and, as such, may be areas of interest. >> >> The working group considers both technical and non-technical aspects of abuse, with the following goals: >> >> Produce and continue to update a BCP (Best Common Practice) document for ISPs similar in nature to RIPE-409 but covering a wider range of possible abusive behaviours. >> >> Provide advice (beyond that of the BCP) to relevant parties within the RIPE region such as ISPs, Governments and Law Enforcement Agencies on strategic and operational matters. >> >> Discuss and disseminate information on technical and non-technical methods of preventing or reducing network abuse. >> >> ***************** >> >> The core of the discussion at this point is over: >> >> "While areas such as cybersquatting or hosting illegal content are not seen as a central part of the working group's remit, they are unquestionably bound up in other aspects of network abuse and, as such, may be areas of interest." >> >> Brian >> >> Michele Neylon - Blacknight wrote the following on 30/05/2014 12:07: >>> Brian >>> >>> Is there a proposed updated text incorporating the feedback so far? >>> >>> Regards >>> >>> Michele >>> >>> >>> -- >>> Mr Michele Neylon >>> Blacknight Solutions >>> Hosting & Colocation, Domains >>> http://www.blacknight.co/ >>> http://blog.blacknight.com/ >>> http://www.technology.ie >>> Intl. +353 (0) 59 9183072 >>> Direct Dial: +353 (0)59 9183090 >>> Twitter: http://twitter.com/mneylon >>> ------------------------------- >>> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business >>> Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845 >>> >>> From michele at blacknight.com Fri May 30 16:24:26 2014 From: michele at blacknight.com (Michele Neylon - Blacknight) Date: Fri, 30 May 2014 14:24:26 +0000 Subject: [anti-abuse-wg] Working Group Charter In-Reply-To: <5388943E.0@heanet.ie> References: <536CDE63.6070605@heanet.ie> <20140509145826.GA87032@cilantro.c4inet.net> <536E5FCE.5090105@dcrocker.net> <538455CC.8060806@heanet.ie> <53847C12.10906@dcrocker.net> <5384975F.4060902@heanet.ie> <53849D20.2030304@dcrocker.net> <20140529203152.GG87032@cilantro.c4inet.net> <5388407A.4030209@heanet.ie> <538880D5.3080902@heanet.ie> <53888BA0.9000702@heanet.ie> <5388943E.0@heanet.ie> Message-ID: Yeah that'd work for me :) Just as long as I don't see the term "cybersquatting" I'm happier -- Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Domains http://www.blacknight.co/ http://blog.blacknight.com/ http://www.technology.ie Intl. +353 (0) 59? 9183072 Direct Dial: +353 (0)59 9183090 Twitter: http://twitter.com/mneylon ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland? Company No.: 370845 -----Original Message----- From: Brian Nisbet [mailto:brian.nisbet at heanet.ie] Sent: Friday, May 30, 2014 3:23 PM To: Michele Neylon - Blacknight Cc: anti-abuse-wg at ripe.net Subject: Re: [anti-abuse-wg] Working Group Charter Michele, As mentioned, we don't make policy for names, but a lot of people in the community care about them, however, would something like "While areas such as hosting illegal content or copyright infringement" be better? Or shall we just leave it as "While areas such as hosting illegal content..." Brian Michele Neylon - Blacknight wrote the following on 30/05/2014 15:19: > Brian > > Then be explicit > > "Cybersquatting" is a pure names > > It's nothing to do with the actual content > > if you want to talk about copyright infringement etc., then that's > fine > > Regards > > Michele > > > -- > Mr Michele Neylon > Blacknight Solutions > Hosting & Colocation, Domains > http://www.blacknight.co/ > http://blog.blacknight.com/ > http://www.technology.ie > Intl. +353 (0) 59 9183072 > Direct Dial: +353 (0)59 9183090 > Twitter: http://twitter.com/mneylon > ------------------------------- > Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business > Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845 > > > -----Original Message----- > From: Brian Nisbet [mailto:brian.nisbet at heanet.ie] > Sent: Friday, May 30, 2014 2:46 PM > To: Michele Neylon - Blacknight > Cc: anti-abuse-wg at ripe.net > Subject: Re: [anti-abuse-wg] Working Group Charter > > Hey, > > The aim is to reflect things like your talk from 66 and Peter Forsman's piece on counterfeit websites from 65. So, copyright, hosting illegal content (not trying to make content illegal, but reflecting, where appropriate, national and international laws) etc. It's tricky to say that names aren't in the remit of the RIPE community, I know what you mean, but there is still significant crossover and interest, so while I don't believe we should be making policy about them (let's leave aside how difficult it would be fore the community to do so), we may want to talk about them. > > Brian > Michele Neylon - Blacknight wrote the following on 30/05/2014 14:04: >> Thanks Brian >> >> I was trying to understand what the bit of text that was potentially causing problems was .. >> >> I'd drop "cybersquatting" as it's a term that most people don't really understand and is often misused. If you want to talk about copyright matters in a broader sense then the terminology should be different, "cybersquatting" refers to domain names only and is not within RIPE's remit. >> >> Hosting illegal content in my opinion should definitely be in scope. >> >> Regards >> >> Michele >> >> >> -- >> Mr Michele Neylon >> Blacknight Solutions >> Hosting & Colocation, Domains >> http://www.blacknight.co/ >> http://blog.blacknight.com/ >> http://www.technology.ie >> Intl. +353 (0) 59 9183072 >> Direct Dial: +353 (0)59 9183090 >> Twitter: http://twitter.com/mneylon >> ------------------------------- >> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business >> Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845 >> >> >> -----Original Message----- >> From: Brian Nisbet [mailto:brian.nisbet at heanet.ie] >> Sent: Friday, May 30, 2014 2:00 PM >> To: Michele Neylon - Blacknight >> Cc: anti-abuse-wg at ripe.net >> Subject: Re: [anti-abuse-wg] Working Group Charter >> >> Michele, >> >> There is, or there is, bar really the paragraph we're still discussing. >> >> I'd like to thank both Sascha and Dave for their text so far: >> >> As the Internet has evolved, so has the scope and scale of network abuse. Unsolicited bulk email (spam) is often merely a symptom of deeper abuse such as viruses or botnets. Consequently the Anti-Spam Working Group has a wide scope, to include all relevant kinds of abuse. >> >> The technical details of spam and other abuse constantly vary, in terms of application channel and technique. Channel examples include SMTP, SIP, XMPP and HTTP. Examples of techniques range from buffer overrun to social engineering. >> >> Within scope are all systems and mechanisms, both technical and non-technical, that are used to create, control, and make money from, such abuse. >> >> While areas such as cybersquatting or hosting illegal content are not seen as a central part of the working group's remit, they are unquestionably bound up in other aspects of network abuse and, as such, may be areas of interest. >> >> The working group considers both technical and non-technical aspects of abuse, with the following goals: >> >> Produce and continue to update a BCP (Best Common Practice) document for ISPs similar in nature to RIPE-409 but covering a wider range of possible abusive behaviours. >> >> Provide advice (beyond that of the BCP) to relevant parties within the RIPE region such as ISPs, Governments and Law Enforcement Agencies on strategic and operational matters. >> >> Discuss and disseminate information on technical and non-technical methods of preventing or reducing network abuse. >> >> ***************** >> >> The core of the discussion at this point is over: >> >> "While areas such as cybersquatting or hosting illegal content are not seen as a central part of the working group's remit, they are unquestionably bound up in other aspects of network abuse and, as such, may be areas of interest." >> >> Brian >> >> Michele Neylon - Blacknight wrote the following on 30/05/2014 12:07: >>> Brian >>> >>> Is there a proposed updated text incorporating the feedback so far? >>> >>> Regards >>> >>> Michele >>> >>> >>> -- >>> Mr Michele Neylon >>> Blacknight Solutions >>> Hosting & Colocation, Domains >>> http://www.blacknight.co/ >>> http://blog.blacknight.com/ >>> http://www.technology.ie >>> Intl. +353 (0) 59 9183072 >>> Direct Dial: +353 (0)59 9183090 >>> Twitter: http://twitter.com/mneylon >>> ------------------------------- >>> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business >>> Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845 >>> >>> From h.lu at anytimechinese.com Sat May 31 14:39:17 2014 From: h.lu at anytimechinese.com (Lu) Date: Sat, 31 May 2014 14:39:17 +0200 Subject: [anti-abuse-wg] Receiving police order on not in use IP Message-ID: <738ECE2D-FB8F-4847-9ECF-71EE67044737@anytimechinese.com> Hi We recently receive a Dutch police order requesting us providing customer info on an ip in which was not in use for past 6 month, we do not have record for the usage of the ip 6 month ago( so we don't know who used it 6 month ago as we simply don't record it). Police claim it has to do with crime without giving any details. How should we react on this? Any suggestions? This transmission is intended solely for the addressee(s) shown above. It may contain information that is privileged, confidential or otherwise protected from disclosure. Any review, dissemination or use of this transmission or its contents by persons other than the intended addressee(s) is strictly prohibited. If you have received this transmission in error, please notify this office immediately and e-mail the original at the sender's address above by replying to this message and including the text of the transmission received. From ebais at a2b-internet.com Sat May 31 15:40:36 2014 From: ebais at a2b-internet.com (Erik Bais) Date: Sat, 31 May 2014 15:40:36 +0200 Subject: [anti-abuse-wg] Receiving police order on not in use IP In-Reply-To: <738ECE2D-FB8F-4847-9ECF-71EE67044737@anytimechinese.com> References: <738ECE2D-FB8F-4847-9ECF-71EE67044737@anytimechinese.com> Message-ID: <67E367C3-0D1F-43EB-A80B-FF076C99E7EB@a2b-internet.com> Hi Hang Lu, According to Duch and EU, you have to keep track of usage of customer records, due to the fact that the Dutch goverment hasn't abandoned the eu data retention Act (bewaarplicht) yet. If you want specific Dutch guidance on how to react in these cases, I would suggest that you take council from Ot van Daalen at Digital Defence ( https://digitaldefence.net/kantoor/ ). Ot is the former ceo of Bits of Freedom, or contact Solv Advocaten in Amsterdam. There are enough reasons why such order might not be valid or if the info is simply not availlable, a good lawyer / legal assistant with a background in these topics, should be able to provide you with the answer that you are not going to find on a public mailing list. Regards, Erik Bais Verstuurd vanaf mijn iPad > Op 31 mei 2014 om 14:39 heeft Lu het volgende geschreven: > > Hi > > We recently receive a Dutch police order requesting us providing customer info on an ip in which was not in use for past 6 month, we do not have record for the usage of the ip 6 month ago( so we don't know who used it 6 month ago as we simply don't record it). Police claim it has to do with crime without giving any details. > > How should we react on this? Any suggestions? > > This transmission is intended solely for the addressee(s) shown above. > It may contain information that is privileged, confidential or > otherwise protected from disclosure. Any review, dissemination or use > of this transmission or its contents by persons other than the intended addressee(s) is strictly prohibited. If you have received this transmission in error, please notify this office immediately and e-mail the original at the sender's address above by replying to this message and including the text of the transmission received. From h.lu at anytimechinese.com Sat May 31 15:59:06 2014 From: h.lu at anytimechinese.com (H.Lu) Date: Sat, 31 May 2014 15:59:06 +0200 Subject: [anti-abuse-wg] Receiving police order on not in use IP In-Reply-To: <67E367C3-0D1F-43EB-A80B-FF076C99E7EB@a2b-internet.com> References: <738ECE2D-FB8F-4847-9ECF-71EE67044737@anytimechinese.com> <67E367C3-0D1F-43EB-A80B-FF076C99E7EB@a2b-internet.com> Message-ID: Hi Thanks for replying and sorry for the noise, My Chinese lawyer told me we should simply ignore it as eu law does not apply to our Chinese operation, but I think abuse people here might have different idea about it. But again thanks and Sorry for disturbing everyone. Kind regards Lu > ? 2014?5?31????3:40?Erik Bais ??? > > Hi Hang Lu, > > According to Duch and EU, you have to keep track of usage of customer records, due to the fact that the Dutch goverment hasn't abandoned the eu data retention Act (bewaarplicht) yet. > > If you want specific Dutch guidance on how to react in these cases, I would suggest that you take council from Ot van Daalen at Digital Defence ( https://digitaldefence.net/kantoor/ ). Ot is the former ceo of Bits of Freedom, or contact Solv Advocaten in Amsterdam. > > There are enough reasons why such order might not be valid or if the info is simply not availlable, a good lawyer / legal assistant with a background in these topics, should be able tprovide you with the answer that you are not going to find on a public mailing list. > > Regards, > Erik Bais > > Verstuurd vanaf mijn iPad > >> Op 31 mei 2014 om 14:39 heeft Lu het volgende geschreven: >> >> Hi >> >> We recently receive a Dutch police order requesting us providing customer info on an ip in which was not in use for past 6 month, we do not have record for the usage of the ip 6 month ago( so we don't know who used it 6 month ago as we simply don't record it). Police claim it has to do with crime without giving any details. >> >> How should we react on this? Any suggestions? >> >> This transmission is intended solely for the addressee(s) shown above. >> It may contain information that is privileged, confidential or >> otherwise protected from disclosure. Any review, dissemination or use >> of this transmission or its contents by persons other than the intended addressee(s) is strictly prohibited. If you have received this transmission in error, please notify this office immediately and e-mail the original at the sender's address above by replying to this message and including the text of the transmission received.