Re: [ga] Re: Massive, Coordinated Patch To the DNS Released
- To: George Kirikos <gkirikos@xxxxxxxxx>, info@xxxxxxxxxxx
- Subject: Re: [ga] Re: Massive, Coordinated Patch To the DNS Released
- From: "Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>
- Date: Tue, 08 Jul 2008 17:58:39 -0700
George and all,

Of course George is quite right here. Oversight in this area
seems to be gray, but should remain with DOC/NTIA, which
for some time and presently is ill or not properly equipped/staffed
to do this oversight, leaving professionals such as myself and many
others to do our due diligence as the situations arise or present
themselves and do what we can to advise and inform relevant
government agencies of these incidents and situations in as timely
and accurate a manner as possible.

It's clear without a doubt that the "Watchers" need watching closely.
This would of course include ICANN, any and all registries and
registrars, constituency members of the GNSO, ISPs, and IP
registries accordingly.

We hope that ICANN's SSAC will at some time
in the future become up to the task in a non-partisan and neutral
manner, and be able to do its part of oversight in augmentation of DOC/NTIA
in this DNS security and other IT security regards. Thus far, they are
obviously unable to do so adequately at this time as overwhelming
documented evidence has clearly shown.

It is also quite clear that Registries and Registrars including IP
registries are also unable to self-regulate, especially but not limited
to security matters and issues that remain outstanding.

Our users *will not* stand idly by and be victimized by relative
inability or incompetence, regardless of who is the responsible
party or parties.
George Kirikos wrote:
> Hi Stephane,
>
> --- Stephane Bortzmeyer <bortzmeyer@xxxxxx> wrote:
> > On Tue, Jul 08, 2008 at 01:02:22PM -0700,
> > George Kirikos <gkirikos@xxxxxxxxx> wrote
> > a message of 33 lines which said:
> >
> > > This is exactly why registry operators should NEVER be judge, jury and
> > > executioners when it comes to alleged domain abuse, as they could
> > > inflict damage upon innocent victims. Read the advisory --- ANY name
> > > server (and thus all the domains on that nameserver) could have been
> > > compromised.
> >
> > Read the real advisory (not the Slashdot article) yourself: the
> > vulnerability is on recursive name servers, not on the authoritative
> > ones.
> >
> > http://www.kb.cert.org/vuls/id/800113
>
> I did read the real advisory. The fact remains, often the vigilantes
> who accuse people of abuse shoot first and ask questions later, and
> that security vulnerabilities can remain secret for quite some time. If
> they saw a phishing attack on a domain, etc., they often will not have
> checked that maybe their own ISP's nameservers were compromised, or
> that there was an unpatched vendor flaw, one that perhaps was yet to be
> disclosed. With vigilantes, one is presumed "guilty" until proven
> innocent, when due process would work the other way around.
>
> See for example:
>
> http://www.infoworld.com/article/07/05/18/21OPsecadvise_1.html
> http://www.paulgraham.com/spamhausblacklist.html
>
> "Blacklists have a structural flaw: there is no one to watch the
> watchers."
>
> in the context of spam and real-time block lists.
>
> There will ALWAYS be security issues that affect innocent domain
> registrants. Do a search in Google for "BIND security updates" or
> "Apache security updates" or "PHP security updates" or "wordpress
> security updates", etc. --- should domain registrants fear losing their
> domain, entirely at the discretion of the registry operator, when these
> things happen, without any due process? I say "No."
>
> Sincerely,
>
> George Kirikos
> http://www.kirikos.com/
Regards,
Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
Abraham Lincoln
"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@xxxxxxxxxxxxx
My Phone: 214-244-4827