It seems that the Combating Online Infringement and Counterfeits Act (COICA) passed through the Senate Judiciary Committee with a unanimous (!) vote:
http://arstechnica.com/tech-policy/news/2010/11/pirate-slaying-censorship-bi...
http://www.govtrack.us/congress/billtext.xpd?bill=s111-3804
I claim operational content for this as, on the basis of court orders, i.e. a
"temporary restraining order, a preliminary injunction, or an injunction against the domain name used by an Internet site dedicated to infringing activities"
it requires that, for foreign domain names,
"(i) a service provider, as that term is defined in section 512(k)(1) of title 17, United States Code, or other operator of a domain name system server shall take reasonable steps that will prevent a domain name from resolving to that domain name’s Internet protocol address;"
This expedited DNS cutoff is only available for copyright violations, not for other illegalities.
Whether this has any chance of actually passing through this Lame Duck Congress remains to be seen, but my personal reading is that that is not likely.
Regards
Marshall
On 11/19/2010 03:45 PM, Marshall Eubanks wrote:
It seems that the Combating Online Infringement and Counterfeits Act (COICA) passed through the Senate Judiciary Committee with a unanimous (!) vote :
http://arstechnica.com/tech-policy/news/2010/11/pirate-slaying-censorship-bi...
http://www.govtrack.us/congress/billtext.xpd?bill=s111-3804
I claim operational content for this as, on the basis of court orders, i.e. a
"temporary restraining order, a preliminary injunction, or an injunction against the domain name used by an Internet site dedicated to infringing activities"
it requires that, for foreign domain names,
"(i) a service provider, as that term is defined in section 512(k)(1) of title 17, United States Code, or other operator of a domain name system server shall take reasonable steps that will prevent a domain name from resolving to that domain name’s Internet protocol address;"
So I suppose operation of a recursor requires one to check with the government to see what names it's okay to resolve.. They can have my dns recursor when they pry it from my cold dead hands. Otherwise no.
/me waits for the knock at the door and the yell of "Search warrant, we hear you're running an uncensored BIND"
-- Joe Sniderman <joseph.sniderman@thoroquel.org>
This isn't new - there have been proposals elsewhere for a resolver based blacklist of child porn sites. There are also of course the various great firewalls of various countries. In case you'd prefer that to having to blacklist them at your end .. Doing this for trademark infringement is going to be a bit thick though.
On Mon, Nov 22, 2010 at 2:02 AM, Joe Sniderman <joseph.sniderman@thoroquel.org> wrote:
So I suppose operation of a recursor requires one to check with the government to see what names it's okay to resolve.. They can have my dns recursor when they pry it from my cold dead hands. Otherwise no.
/me waits for the knock at the door and the yell of "Search warrant, we hear you're running an uncensored BIND"
-- Suresh Ramasubramanian (ops.lists@gmail.com)
* Suresh Ramasubramanian (ops.lists@gmail.com) wrote:
This isn't new - there have been proposals elsewhere for a resolver based blacklist of child porn sites.
Swedish ISPs are required to enforce a DNS blacklist for childporn, perhaps also other European countries. The list is maintained by the police (rikskriminalen), they have also published statistics on how many evil access attempts to child porn that they have blocked, i.e. legitimating their existence. They do however fail to mention that browsers usually resolve all links on the webpage they load so it only takes a look at a page that links to an illegal site for the filter to score a hit... and pr0n pages tend to have a lot of links..
And once you get these things in place you never know where it will end...
Cheers, /jkm
Joakim Aronius <joakim@aronius.com> writes:
* Suresh Ramasubramanian (ops.lists@gmail.com) wrote:
This isn't new - there have been proposals elsewhere for a resolver based blacklist of child porn sites.
Swedish ISPs are required to enforce a DNS blacklist for childporn, perhaps also other European countries.
Yes, this has already spread to a number of European countries: http://circamp.eu/
And once you get these things in place you never know where it will end...
Unfortunately, yes. We already have a pretty ugly example of that: Telenor (Norwegian ISP) was sued by the music and film industry with a demand that Telenor should block all access to The Pirate Bay. The suggested method was abusing this DNS filter to block access to a number of Pirate Bay domains.
Luckily the Norwegian court system does sometimes work: http://www.reuters.com/article/idUS401576177920091106
But history usually repeats itself, so I assume this idea will come up again. And again. And again.
Bjørn
On Thu, 25 Nov 2010, Bjørn Mork wrote:
Joakim Aronius <joakim@aronius.com> writes:
* Suresh Ramasubramanian (ops.lists@gmail.com) wrote:
This isn't new - there have been proposals elsewhere for a resolver based blacklist of child porn sites.
Swedish ISPs are required to enforce a DNS blacklist for childporn, perhaps also other European countries.
Yes, this has already spread to a number of European countries: http://circamp.eu/
And once you get these things in place you never know where it will end...
Now i know NANOG should not carry political discussion, but really, we should not even -need- to lobby. Unlike the self-proclaimed "entertainment industry" we, the isps, OWN AND OPERATE a critical infrastructure, of which the governments in the past have proven incapable of running something like that themselves (you end up with a 1970s style telephone network every time they try ;)
They simply need to be explained that the internet is a take it or leave it deal. Countries that work against us, should simply be LEFT. close your offices, fire everyone, pay your taxes somewhere else, fuck them.
option B is a hostile takeover on the entire entertainment industry, in order to get rid of them, by using the massive amounts of cashflow available in our industry, all of those companies, disney, vivendi (universal) viacom, etc are on the stock exchange, and therefore vulnerable to hostile takeovers and fucking around with their listing by means of options.
They have started a war with the wrong motherfuckers... just that the wrong motherfuckers need to figure out that not all "connected parties" are working in the interest of the internet, several (disney, time warner) are trying to take control over the internet and make it a one way broadcast system that only carries THEIR content to THEIR viewers. We still are in a position to stop them, i say we should.
Besides, court orders only hold any value for specific countries, i'm quite sure you're all quite capable of just shifting your activities/billing to another one, as are we (and pretty much in real time as well :P should the situation require that.
Subject: Re: Blocking International DNS
Date: Thu, Nov 25, 2010 at 12:55:56PM +0100
Quoting Joakim Aronius (joakim@aronius.com):
* Suresh Ramasubramanian (ops.lists@gmail.com) wrote:
This isn't new - there have been proposals elsewhere for a resolver based blacklist of child porn sites.
Swedish ISPs are required to enforce a DNS blacklist for childporn,
<snip> No, they are not _required_ to. Several ISPen market themselves by not implementing the blocking. The larger, family-oriented ISPen do enforce the list on their resolvers. Circumvention is trivial, though.
And once you get these things in place you never know where it will end...
That, OTOH, is true.
-- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 Pardon me, but do you know what it means to be TRULY ONE with your BOOTH!
And once you get these things in place you never know where it will end...
That, OTOH, is true.
Actually, we do. Every time a country creates a list, even though you wouldn't expect it from these respectable countries, politicians and policemen with their good intentions, somehow things end up on these lists which should not be, every single time.
Obviously, these lists are secret because otherwise the bad people can use them as a pointer where to go. So there is no oversight. They do however end up on Wikileaks and then you see that there are lots of other things on these lists. To start with the websites of the people who oppose such lists and political movements (even though the countries are democracies). Or websites like the Pirate Bay, Wikileaks or even Wikipedia.
As we all know, these lists don't work anyway. So it does not prevent the people who are looking for this content to get to this content and the people who are performing these acts with these children are not stopped by this.
One of the most heard arguments from the politicians (or more likely from the lobbyists) is that it is hard to get websites removed or deleted when they are in other countries. Which may sound plausible until you look at what Paypal and the banks can achieve, they get websites removed in a day or 2, mostly hours. Most of the time by just sending an e-mail or picking up the phone.
I know people can have really heated discussions about these subjects "think of the kids", but that does not mean we should not make clear headed decisions in the end.
Another often heard argument is, but we should prevent all the other people and especially children from running in to this filth on the Internet. Which is also an interesting argument, because people who share this kind of content do not do this openly, they don't want to be discovered. They don't use misleading advertisement where people might click on to lure them in. As I understand it, they password protect their content or use VPNs and share links by word of mouth.
Doesn't matter how you look at it, it is much more effective to go after the people that do this than to argue about or set up these blacklists.
Have a nice day, Leen.
On 11/19/2010 3:45 PM, Marshall Eubanks wrote:
It seems that the Combating Online Infringement and Counterfeits Act (COICA) passed through the Senate Judiciary Committee with a unanimous (!) vote :
http://arstechnica.com/tech-policy/news/2010/11/pirate-slaying-censorship-bi...
http://www.govtrack.us/congress/billtext.xpd?bill=s111-3804
I claim operational content for this as, on the basis of court orders, i.e. a
"temporary restraining order, a preliminary injunction, or an injunction against the domain name used by an Internet site dedicated to infringing activities"
it requires that, for foreign domain names,
"(i) a service provider, as that term is defined in section 512(k)(1) of title 17, United States Code, or other operator of a domain name system server shall take reasonable steps that will prevent a domain name from resolving to that domain name’s Internet protocol address;"
This expedited DNS cutoff is only available for copyright violations, not for other illegalities.
Whether this has any chance of actually passing through this Lame Duck Congress remains to be seen, but my personal reading is that that is not likely.
Regards Marshall
I wonder what would happen if the Comcasts and Verizons of the world threatened a $10 rate hike to cover the added administration and headaches of this silliness? Would joe six pack care?
On 22/11/2010, at 3:37 PM, ML <ml@kenweb.org> wrote:
On 11/19/2010 3:45 PM, Marshall Eubanks wrote:
It seems that the Combating Online Infringement and Counterfeits Act (COICA) passed through the Senate Judiciary Committee with a unanimous (!) vote :
http://arstechnica.com/tech-policy/news/2010/11/pirate-slaying-censorship-bi...
http://www.govtrack.us/congress/billtext.xpd?bill=s111-3804
I claim operational content for this as, on the basis of court orders, i.e. a
"temporary restraining order, a preliminary injunction, or an injunction against the domain name used by an Internet site dedicated to infringing activities"
it requires that, for foreign domain names,
"(i) a service provider, as that term is defined in section 512(k)(1) of title 17, United States Code, or other operator of a domain name system server shall take reasonable steps that will prevent a domain name from resolving to that domain name’s Internet protocol address;"
This expedited DNS cutoff is only available for copyright violations, not for other illegalities.
Whether this has any chance of actually passing through this Lame Duck Congress remains to be seen, but my personal reading is that that is not likely.
Regards Marshall
I wonder what would happen if the Comcasts and Verizons of the world threatened a $10 rate hike to cover the added administration and headaches of this silliness? Would joe six pack care?
I wonder if simply adding a second, off-shore resolver to Joe six pack's DHCP settings wouldn't circumvent this silliness anyway. It would be Joe's son or daughter who wants to resolve limewire.com (et al.), but wouldn't be that hard.
jy
Indeed, offshore resolvers, offshore DNS infrastructure and the progressive's futile attempts at interference with free markets is once again thwarted. We all know that U.S. law helps keep the internet safe </sarcasm>
Jeff
On Sun, Nov 21, 2010 at 11:54 PM, Jeffrey S. Young <young@jsyoung.net> wrote:
On 22/11/2010, at 3:37 PM, ML <ml@kenweb.org> wrote:
On 11/19/2010 3:45 PM, Marshall Eubanks wrote:
It seems that the Combating Online Infringement and Counterfeits Act (COICA) passed through the Senate Judiciary Committee with a unanimous (!) vote :
http://arstechnica.com/tech-policy/news/2010/11/pirate-slaying-censorship-bi...
http://www.govtrack.us/congress/billtext.xpd?bill=s111-3804
I claim operational content for this as, on the basis of court orders, i.e. a
"temporary restraining order, a preliminary injunction, or an injunction against the domain name used by an Internet site dedicated to infringing activities"
it requires that, for foreign domain names,
"(i) a service provider, as that term is defined in section 512(k)(1) of title 17, United States Code, or other operator of a domain name system server shall take reasonable steps that will prevent a domain name from resolving to that domain name’s Internet protocol address;"
This expedited DNS cutoff is only available for copyright violations, not for other illegalities.
Whether this has any chance of actually passing through this Lame Duck Congress remains to be seen, but my personal reading is that that is not likely.
Regards Marshall
I wonder what would happen if the Comcasts and Verizons of the world threatened a $10 rate hike to cover the added administration and headaches of this silliness? Would joe six pack care?
I wonder if simply adding a second, off-shore resolver to Joe six pack's DHCP settings wouldn't circumvent this silliness anyway. It would be Joe's son or daughter who wants to resolve limewire.com (et al.), but wouldn't be that hard.
jy
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
On Mon, Nov 22, 2010 at 12:00:43AM -0500, Jeffrey Lyon said:
Indeed, offshore resolvers, offshore DNS infrastructure and the progressive's futile attempts at interference with free markets is once again thwarted. We all know that U.S. law helps keep the internet safe </sarcasm>
When I ran a bunch of quake servers last century, I was endlessly frustrated by everyone using the IP addresses and never DNS. I have no idea why.
Obviously it wasn't too much of a pain to do that, cuz everyone did it for a long time.
So people will just use other resolvers, or direct IP addresses. (but then so much for http/1.0 virtual hosting, I suppose... not a big deal.)
Don't know what the next law will be - mandatory blackholing of IPs? So then the sites move randomly around /24s or /22s or whole /16s at ISPs. So then blackhole the whole /16 by law? That'll be an interesting internet.
/kc -- Ken Chase - ken@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
My two cents is that something like this won't pass until at least 2016 if not 2020.
Jeff
On Mon, Nov 22, 2010 at 12:11 AM, Ken Chase <ken@sizone.org> wrote:
On Mon, Nov 22, 2010 at 12:00:43AM -0500, Jeffrey Lyon said:
>Indeed, offshore resolvers, offshore DNS infrastructure and the
>progressive's futile attempts at interference with free markets is
>once again thwarted. We all know that U.S. law helps keep the internet
>safe </sarcasm>
When I ran a bunch of quake servers last century, I was endlessly frustrated by everyone using the IP addresses and never DNS. I have no idea why.
Obviously it wasn't too much of a pain to do that, cuz everyone did it for a long time.
So people will just use other resolvers, or direct IP addresses. (but then so much for http/1.0 virtual hosting, I suppose... not a big deal.)
Don't know what the next law will be - mandatory blackholing of IPs? So then the sites move randomly around /24s or /22s or whole /16s at ISPs. So then blackhole the whole /16 by law? That'll be an interesting internet.
/kc -- Ken Chase - ken@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
as for the alt root servers idea, in case you didn't see this:
http://twitter.com/brokep/status/8779363872935936
(Nods to Richard Sexton :)
/kc -- Ken Chase - ken@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
Super unnecessary. If you want to be outside the grasp of U.S. law find yourself a ccTLD.
Jeff
On Mon, Nov 29, 2010 at 11:56 PM, Ken Chase <ken@sizone.org> wrote:
as for the alt root servers idea, in case you didn't see this:
http://twitter.com/brokep/status/8779363872935936
(Nods to Richard Sexton :)
/kc -- Ken Chase - ken@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
On Tue, Nov 30, 2010 at 12:52:50AM -0500, Jeffrey Lyon said:
Super unnecessary. If you want to be outside the grasp of U.S. law find yourself a ccTLD.
Perhaps for his reasons at the time yes, but I'm applying it to the topic of the suspended-for-now-bill that allows blocking of any domain in the US. Alt root servers, as mentioned, would solve this. (And an encrypted p2p alt root system perhaps running on dynamic ports would be harder to block.)
/kc -- Ken Chase - ken@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
the more i think about this, the more i am inclined to consider a second trusted root not (easily) attackable by the usg, who owns the root now, or the acta vigilantes. as dissent becomes less tolerated, let alone supported, we may want to attempt to ensure it in our deployments.
randy
On 12/01/2010 10:41 PM, Randy Bush wrote:
the more i think about this, the more i am inclined to consider a second trusted root not (easily) attackable by the usg, who owns the root now, or the acta vigilantes. as dissent becomes less tolerated, let alone supported, we may want to attempt to ensure it in our deployments.
randy
Before we do this, I do have some other questions:
Wasn't this exactly why people suggested ICANN should just move to Switzerland and become an independent international organization? Would this still be a possibility?
Another question, how much does ICANN really have to say about the content of the root? Isn't there a long process to get something in/out of the root and isn't it the root operators that decide to actually deploy the zone?
Wasn't this exactly why people suggested ICANN should just move to Switzerland and become an independent international organization? Would this still be a possibility?
You can move ICANN to Mars but unless you move the "root", IANA is and will still be under USG control as it is today. Also ICANN didn't touch any operational knobs related to the latest domain names seized by DHS-ICE. - J
Randy Bush wrote:
the more i think about this, the more i am inclined to consider a second trusted root not (easily) attackable by the usg, who owns the root now, or the acta vigilantes. as dissent becomes less tolerated, let alone supported, we may want to attempt to ensure it in our deployments.
randy
Might be of interest: http://digitizor.com/2010/12/01/the-pirate-bay-co-founder-starting-a-p2p-bas...
On Dec 1, 2010, at 11:41 AM, Randy Bush wrote:
the more i think about this, the more i am inclined to consider a second trusted root not (easily) attackable by the usg, who owns the root now, or the acta vigilantes. as dissent becomes less tolerated, let alone supported, we may want to attempt to ensure it in our deployments.
Wouldn't this simply change the focus of who can attack from the USG (which, as far as I am aware, has not attacked the root) to some other government (or worse, the UN)? Given a handle, folks are going to want to grab it when they feel a need to control, regardless of who the folks are. It'd be nice to remove the handle, but that appears to be a very hard problem...
Regards, -drc
On Dec 1, 2010, at 8:18 42PM, David Conrad wrote:
On Dec 1, 2010, at 11:41 AM, Randy Bush wrote:
the more i think about this, the more i am inclined to consider a second trusted root not (easily) attackable by the usg, who owns the root now, or the acta vigilantes. as dissent becomes less tolerated, let alone supported, we may want to attempt to ensure it in our deployments.
Wouldn't this simply change the focus of who can attack from the USG (which, as far as I am aware, has not attacked the root) to some other government (or worse, the UN)? Given a handle, folks are going to want to grab it when they feel a need to control, regardless of who the folks are. It'd be nice to remove the handle, but that appears to be a very hard problem...
I think that the Pirate Bay announcement was triggered by http://www.npr.org/templates/story/story.php?storyId=131678432 plus the COICA bill (http://www.eff.org/coica) -- though it, at least, appears to be dead for this session and who knows what the new Congress will do.
That said, I think the problem is primarily political, not technical.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
Steve, On Dec 1, 2010, at 3:35 PM, Steven Bellovin wrote:
Wouldn't this simply change the focus of who can attack from the USG (which, as far as I am aware, has not attacked the root) to some other government (or worse, the UN)? Given a handle, folks are going to want to grab it when they feel a need to control, regardless of who the folks are. It'd be nice to remove the handle, but that appears to be a very hard problem...
I think that the Pirate Bay announcement was triggered by http://www.npr.org/templates/story/story.php?storyId=131678432
Which is, of course, unrelated to ICANN (see http://domainincite.com/icann-had-no-role-in-seizing-torrent-domains/) and is a result of VeriSign following US law in the management of two of the top-level domains they operate.
plus the COICA bill (http://www.eff.org/coica)
Yeah, COICA is a barrel of fun. As is LOPPSI-2 in France and the equivalent regulations in places like Sweden, Germany, etc. However, my impression (but will admit not having looked into this very much) is that the guy from Pirate Bay is merely pissed off because he lost a UDRP complaint when he obtained the IFPI.COM domain after the International Federation of the Phonograph Industry let it expire, misunderstood (perhaps purposefully) what happened at VeriSign, and decided to capitalize on it.
That said, I think the problem is primarily political, not technical.
Right, but that wasn't what I was questioning. I suspect that no matter what legal venue you put something as tasty as the "control of the DNS", there will be folks who will attempt to exercise that control for their own political purposes. Even internationalizing it doesn't seem to be a good idea to me (based on my impression of how politics get involved in places like the ITU).
I'd love to see a non-hierarchical naming system that didn't suck more than the DNS, but as I said, it seems that's a very hard problem...
Regards, -drc
the more i think about this, the more i am inclined to consider a second trusted root not (easily) attackable by the usg, who owns the root now, or the acta vigilantes. as dissent becomes less tolerated, let alone supported, we may want to attempt to ensure it in our deployments.
Wouldn't this simply change the focus of who can attack from the USG (which, as far as I am aware, has not attacked the root)
see smb's url re rightsholders having alleged bad sites blocked.
randy
On Dec 1, 2010, at 4:41 PM, Randy Bush wrote:
the more i think about this, the more i am inclined to consider a second trusted root not (easily) attackable by the usg, who owns the root now, or the acta vigilantes. as dissent becomes less tolerated, let alone supported, we may want to attempt to ensure it in our deployments.
Dear Randy;
I am beginning to get the same impression, but I see difficulties moving forward. International agencies come to mind (the ITU or WIPO), as they are not subject to government warrants, but I think that the existing ones have their own issues. And I have too many bad memories of Alternic to feel comfortable about Peter Sunde's P2P ideas.
Balancing all of that, internationalizing ICANN may be the best solution.
Regards
Marshall
randy
internationalizing ICANN may be the best solution.
for sure! if it is truly removed from the states and not put in genf.
gedanken experiment: who would i trust more to not interfere with **other people's** data, the usg, icann, the itu, or the pirate bay party? my conclusion makes me very sad.
but playing with the current dns is a short term solution.
in the long run, centralization/rootification of control is equivalent to monopoly. and we have seen time and again that this leads to despotism, often cloaked in false protectionism and false "we represent the community.".
we have a significant failure by the security community in that they keep giving us hierarchic models, pgp being a notable exception.
randy
On Dec 2, 2010, at 10:10 AM, Randy Bush wrote:
we have a significant failure by the security community in that they keep giving us hierarchic models, pgp being a notable exception.
<http://en.wikipedia.org/wiki/PNRP>
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Sell your computer and buy a guitar.
but playing with the current dns is a short term solution.
in the long run, centralization/rootification of control is equivalent to monopoly. and we have seen time and again that this leads to despotism, often cloaked in false protectionism and false "we represent the community.".
we have a significant failure by the security community in that they keep giving us hierarchic models, pgp being a notable exception.
I see no drafts, no white or any color papers, no research, no background, good intentions and a napkin list of specs/requirements, no substance. -J
And I have too many bad memories of Alternic to feel comfortable about Peter Sunde's P2P ideas.
IMHO, there is a basic and fundamental flaw on many of the "alternate" schemes. The current "DNS ecosystem" has been feeding the pockets of many for many years and became what a ~$7B? industry ? many folks are making a living out of it, so any alternate solution that doesn't take seriously in account the economic side will encounter high resistance to change. Also, who you will really trust to run it ?
Balancing all of that, internationalizing ICANN may be the best solution.
ICANN is not the problem. It is itself a problem because over the years instead of being a technical coordinator for names and numbers became the playground and clearinghouse for IP (Intellectual Property) groups, all sorts of color, sizes and shapes of attorneys milking from the "DNS ecosystem" and Internet Governance wanna be politiks.
Also while different segments may have some level of participation (including folks that claim they represent the users which they do not) by design ICANN is a membership less organization so the multi stake holder model is a lie and the bottom up process when the bottom does not have the same level of resources to participate as some of the big corp/lobby groups, ends being a fiasco.
With the current architecture what you need to internationalize is IANA, but who you will trust with that ? ITU ?
As I commented in other forums, I believe that what we need is a novel and well thought resource directory and location service/protocol where central authority and uniqueness are not fundamental requirements, and as said before something that on the long run can be monetized in a way that creates an economic incentive for people to use it.
Meanwhile, as Randy said, our only option is to keep dealing with the current system.
Regards
Jorge
*wonders where his fidonet archives are..... dusty.
Any system needs to be designed to be open to anyone at any level of the economic chart and a minimum of technical knowledge to implement. This does not necessarily need to encompass the identification requirements for commerce, that may well become a separate system.
cheers
Jeff
On Wed, Dec 1, 2010 at 7:42 PM, Lyndon Nerenberg (VE6BBM/VE7TFX) <lyndon@orthanc.ca> wrote:
Also, who you will really trust to run it ?
The UUCP network chugged along quite nicely for many years without any central authority. (Pathalias and the maps weren't an authority, just a hint.)
--lyndon
In message <fff8c38cc39c430c0eee25db57a6c177@gandalf.orthanc.ca>, "Lyndon Nerenberg (VE6BBM/VE7TFX)" writes:
Also, who you will really trust to run it ?
The UUCP network chugged along quite nicely for many years without any central authority. (Pathalias and the maps weren't an authority, just a hint.)
And there would have been total confusion if there had been multiple uunet's and a few other well known nodes. UUCP had anchor points. Just different ones to the DNS.
--lyndon
-- Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On Wednesday, December 01, 2010 10:57:40 pm Mark Andrews wrote:
And there would have been total confusion if there had been multiple uunet's and a few other well known nodes. UUCP had anchor points. Just different ones to the DNS.
Yeah, and with virtually everyone's bangpaths starting with uunet or one of those other anchors (I seem to remember bangpaths starting at kremvax, but perhaps I'm senile...), it's still a hierarchy. I had a site in the maps years ago, and even had 'registered' a pseudo '.uucp' domain.... remember those?
That said, it did work pretty well. SMTP and direct MX was supposed to make all that go away, and now we're talking about it again. Do I need to go back to using smail 2.5 to do mail routing? :-)
Web browsing using uucico was rather, uh, interesting (but doable, thanks to the virtually text-only web at the time, and that assumed the target node/server was online at that time). Not really scalable to broadband, as part of the blockability issue is IP and IP routing hijackability (to coin a contrived phrase).
It was a different world, especially on the user side. If you had multiple dialin accounts under the uucp system you could very easily bypass many blocks simply using dialup; but dialup is just too slow for today's content.
On Wednesday, December 01, 2010 10:57:40 pm Mark Andrews wrote:
And there would have been total confusion if there had been multiple uunet's and a few other well known nodes. UUCP had anchor points. Just different ones to the DNS. Yeah, and with virtually everyone's bangpaths starting with uunet or one of those other anchors (I seem to remember bangpaths starting at kremvax, but perhaps I'm senile...), it's still a hierarchy.
boy, you folk sure remember a different uucp network than i do. randy
boy, you folk sure remember a different uucp network than i do.
Backbone Map from 1984

[ASCII-art map, flattened in extraction. Nodes shown: mcvax, philabs, tektronix, decvax, linus, uw-beaver, ubc-vision, seismo, harpo, ulysses, alberta, ihnp4, hou3c, we13, burl, utzoo, hplabs, hao, clyde, watmath, sdcrdcf, sdcsvax, akgua, mcnc. Horizontal links that survive: mcvax--philabs; tektronix--decvax--linus; seismo--harpo--ulysses; alberta--(--ihnp4; we13--burl; hplabs--hao; clyde--watmath; sdcrdcf--sdcsvax--akgua--mcnc.]

pre uunet, we connected to seismo

Jorge
[1984 backbone map, as quoted from Jorge's message]
pre uunet, we connected to seismo
[ why did jaap call this europe 1984 in his preso? ] and seismo kinda became uunet and oresoft was off tektronix. and m2xenix was off oresoft. and ... and unido was ... so, what's the point? the uucp network was pretty ad hoc and anarchic, aside from horrific phone bills. and anyone who thinks that the fidonet was not hierarchic is not taking their meds. randy
On Thursday, December 02, 2010 11:19:33 am Randy Bush wrote:
boy, you folk sure remember a different uucp network than i do.
Well, I got in the uucp thing rather late, hooking up in 1991 or so. By then to get e-mail through uucico it was common practice to bangpath off uunet, or some other 'known' host that pathalias/smail could find in the maps. Or worse, to use a bangpath/FQDN frankenaddress. For news over uucp, at least with C-News, which I ran for a while, not so much a big deal as long as you properly passed the post upstream. Usenet is still the standard for decentralized information sharing, IMHO, and for better or for worse. To get files, you needed to know the path to the file; while you could bangpath all the way to the archive and uucp the file directly, it was more common to start at a known node (like uunet or decvax) and path from there, unless you had a full pathalias-aware uucp (I forget if HoneyDanBer did that or not, too many years since doing that). Web browsing through uucico was just a special case of getting a file, at least in the implementation I used. But would pathalias scale to billions of hosts? I don't know the answer; I know on the miniscule Apollo DN3500's I used at the time the pathalias part of the processing frequently took longer than the actual transfer. And even in those days of mostly text web pages, NCSA Mosaic took longer to render the pages into the pads than the other two parts.
All our topics of discussion are merging... (soon: "does Wikileaks run on 208V?" :) http://www.everydns.com/ right hand side. (sorry to shift the discussion off of uucp... long live sizone.uucp...) /kc -- Ken Chase - ken@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
On Thu, Dec 2, 2010 at 10:05 PM, Ken Chase <ken@sizone.org> wrote:
All our topics of discussion are merging... (soon: "does Wikileaks run on 208V?" :)
If they keep going that way, soon they will be running on nuclear power from the hidden centrifuges in some cave. Cheers Jorge
On Thu, Dec 02, 2010 at 10:16:23PM -0600, Jorge Amodio said:
On Thu, Dec 2, 2010 at 10:05 PM, Ken Chase <ken@sizone.org> wrote:
All our topics of discussion are merging... (soon: "does Wikileaks run on 208V?" :)
If they keep going that way, soon they will be running on nuclear power from the hidden centrifuges in some cave.
or p2p or tor or torrents of *.tbz's the other day bloomberg was having issues in their db only for stories about wikileaks and assange as per my quick testing, quite annoying, are major news mediae seeing ddos attempts at censorship (or just leaking at the seams infrastructure issues with the big hits on the topic?) /kc -- Ken Chase - ken@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
On Thu, Dec 2, 2010 at 10:05 PM, Ken Chase <ken@sizone.org> wrote:
All our topics of discussion are merging... (soon: "does Wikileaks run on 208V?" :)
If they keep going that way, soon they will be running on nuclear power from the hidden centrifuges in some cave.
And just announced via Twitter ... no, just kidding.

However, the events here are troublesome.

On one hand, it's kind of predictable. You have some things in the real world, like the arrest alert and being placed on Interpol's "most wanted" for what appears to be not even a case of rape [*1], getting booted from EC2 for "intellectual property" reasons (when the materials in question are not and cannot be copyrighted), having their DNS service disrupted, etc. Assange has irritated a large beast: the US Government.

On the other hand, this is the same government that has repeatedly fought to reduce and minimize privacy laws, seen recently in cases such as the GPS tracking fun out in the western states [*2].

None of that might seem relevant to netops, of course, but at some point, we're going to see, and maybe already are seeing, deliberate interference with the network in an effort to make the Internet work the way that the US Government would prefer. We've already seen some examples of this in seizures of domain names [*3], an activity that would doubtlessly explode under COICA, etc., which at the moment is probably the most vulnerable aspect of the Internet, but will this move on to more insidious things, such as redirection of or null routing of Wikileaks IP space "in response to a congressman's request", while simultaneously waving a patriotic flag? And at what point does that stop? Just for "big bad" things like Wikileaks?

We seem to be sailing into an interesting new set of challenges. I'm not sure that it'll be healthy for the net for the government to be providing lists of IP addresses that have to be blocked; our routing tables are already quite challenged.

[*1] http://www.aolnews.com/world/article/sex-by-surprise-at-heart-of-julian-assa...
[*2] http://www.wired.com/threatlevel/2010/10/fbi-tracking-device/
[*3] http://www.eff.org/deeplinks/2010/11/us-government-seizes-82-websites-dracon...

...
JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Assange has irritated a large beast: the US Government.
s/a large beast/a couple of large beasts/ I believe that he is pissing off not only the USG, some other Govts dealing with the USG behind the veil of secrecy are probably getting very pissed with him too. -J
We seem to be sailing into an interesting new set of challenges. I'm not sure that it'll be healthy for the net for the government to be providing lists of IP addresses that have to be blocked; our routing tables are already quite challenged.
if - then welcome to china, we are also there. Kind regards, Ingo Flaschberger
On Dec 2, 2010, at 11:05 PM, Ken Chase wrote:
All our topics of discussion are merging... (soon: "does Wikileaks run on 208V?" :)
right hand side.
(sorry to shift the discussion off of uucp... long live sizone.uucp...)
Seems to be down here

http://www.everydns.com/

EveryDNS.net provided domain name system (DNS) services to the wikileaks.org domain name until 10PM EST, December 2, 2010, when such services were terminated. As with other users of the EveryDNS.net network, this service was provided for free. The termination of services was effected pursuant to, and in accordance with, the EveryDNS.net Acceptable Use Policy.

[TME-MBP-2010:~] tme% dig wikileaks.org

; <<>> DiG 9.6.0-APPLE-P2 <<>> wikileaks.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 37692
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;wikileaks.org. IN A

;; Query time: 13 msec
;; SERVER: 63.105.122.34#53(63.105.122.34)
;; WHEN: Thu Dec 2 23:47:19 2010
;; MSG SIZE rcvd: 31

Regards
Marshall
/kc -- Ken Chase - ken@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
[TME-MBP-2010:~] tme% dig wikileaks.org

; <<>> DiG 9.6.0-APPLE-P2 <<>> wikileaks.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 37692
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;wikileaks.org. IN A

;; Query time: 13 msec
;; SERVER: 63.105.122.34#53(63.105.122.34)
;; WHEN: Thu Dec 2 23:47:19 2010
;; MSG SIZE rcvd: 31
shows gone for me too. btw, excuse the blunt, but for an organization like this kind of extremely stupid to have all the secondaries with the same provider no? -J
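Added example, not part of any message in this thread: a check for the situation raised above, where every nameserver in a delegation sits with one operator or on one network, so a single termination or attack removes the whole zone. The function name, the "hostname address" input format and the last-two-labels operator heuristic are assumptions; the sample names in the comments are constructed.

```shell
#!/bin/sh
# Delegation diversity check (added example, not code from the thread).
#
# Input on stdin: one line per nameserver, "ns-hostname ipv4-address".
# One way to build that input (example.org is a placeholder):
#   for ns in $(dig +short NS example.org); do
#       echo "$ns $(dig +short A "$ns" | head -n 1)"
#   done | delegation_report
#
# Assumption: the "operator" of a nameserver is approximated by the last two
# labels of its hostname (ns1.dns-a.example -> dns-a.example). This misgroups
# names under multi-label suffixes such as co.uk; a public-suffix list would
# be needed to do it properly.
# Assumption: "network" is approximated by the /24 containing the address.

# delegation_report: prints "operators=N networks=M verdict=WORD" where WORD is
#   no-ns            no usable input lines
#   single-operator  every nameserver is under one operator domain
#   single-network   several operators, but all addresses in one /24
#   diverse          more than one operator and more than one /24
delegation_report() {
    awk '
        NF >= 2 {
            host = tolower($1)
            sub(/\.$/, "", host)            # drop the trailing root dot
            n = split(host, lab, ".")
            if (n < 2) next                 # not a usable hostname
            ops[lab[n-1] "." lab[n]] = 1
            if (split($2, oct, ".") == 4)
                nets[oct[1] "." oct[2] "." oct[3]] = 1
            seen++
        }
        END {
            for (o in ops) nop++
            for (k in nets) nnet++
            if (seen == 0)      verdict = "no-ns"
            else if (nop == 1)  verdict = "single-operator"
            else if (nnet == 1) verdict = "single-network"
            else                verdict = "diverse"
            printf "operators=%d networks=%d verdict=%s\n", nop, nnet, verdict
        }'
}
```

A "single-operator" verdict is the setup described in the message above; RFC 2182 covers the selection of secondary servers in more detail.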
Everydns says on their page: "EveryDNS.net provided domain name system (DNS) services to the wikileaks.org domain name until 10PM EST, December 2, 2010, when such services were terminated. As with other users of the EveryDNS.net network, this service was provided for free. The termination of services was effected pursuant to, and in accordance with, the EveryDNS.net Acceptable Use Policy. More specifically, the services were terminated for violation of the provision which states that "Member shall not interfere with another Member's use and enjoyment of the Service or another entity's use and enjoyment of similar services." The interference at issues arises from the fact that wikileaks.org has become the target of multiple distributed denial of service (DDOS) attacks. These attacks have, and future attacks would, threaten the stability of the EveryDNS.net infrastructure, which enables access to almost 500,000 other websites. Thus, last night, at approximately 10PM EST, December 1, 2010 a 24 hour termination notification email was sent to the email address associated with the wikileaks.org account. In addition to this email, notices were sent to Wikileaks via Twitter and the chat function available through the wikileaks.org website. Any downtime of the wikileaks.org website has resulted from its failure to use another hosted DNS service provider." -J
so, if the site to which a dns entry points suffers a ddos, everydns will no longer serve the domain. i hope they apply this policy even handedly to all sufferers of ddos. if not, as a registrar, i guess i can no longer accept registrations where everydns is the ns delegatee. randy
Sort of weird theory, but it sounds really strange that knowing the kind of reactions that one could expect due the content being published in the site that they have such a naive dns setup for that given domain. Unless what you are looking for is actually getting booted so you can cry loud (which they already did via twitter few mins ago), "hey the US killed our domain". BTW, the domain still shows in the PIR WHOIS. -J
On Fri, Dec 03, 2010 at 02:26:35PM +0900, Randy Bush said:
so, if the site to which a dns entry points suffers a ddos, everydns will no longer serve the domain. i hope they apply this policy even handedly to all sufferers of ddos.
if not, as a registrar, i guess i can no longer accept registrations where everydns is the ns delegatee.
Let us know if they deviate from this isometric application of policy. I'll be happy to encourage people not to use them. Anyone have records of what wikileaks (RR, i assume) A record was? I should have queried my favourite open rDNS servers before they expired, assuming that the TTL was long enough (or modified to be long by a local cache policy). Quick, someone power up their hibernated laptop with the network unplugged and ping wikileaks (assuming you looked at it recently before hibernation, before it was pulled... :) Not sure that works in any windows (or other OS's for that matter) however. /kc -- Ken Chase - ken@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
On Fri, Dec 03, 2010 at 12:52:29AM -0500, Ken Chase <ken@sizone.org> wrote a message of 24 lines which said:
Anyone have records of what wikileaks (RR, i assume) A record was?
91.121.133.41 46.59.1.2 Translated into an URL, the first one does not work (virtual hosting, may be) but the second does. I've found also, thanks to a new name resolution protocol, TDNS (Tweeter DNS), 213.251.145.96, which works.
I should have queried my favourite open rDNS servers before they expired,
dig A wikileaks.org > backup.txt (from cron) is a useful method. Other possible solution would be a DNSarchive, in the same way there is a WebArchive. Any volunteer?
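Added example, not part of Stephane's message: with `>` the cron job overwrites backup.txt on every run, so the first run after the records disappear replaces the last good answer with an empty one. This sketch keeps an append-only history and ignores empty answers; the function names, file paths and cron schedule are assumptions, and example.org stands in for the monitored name.

```shell
#!/bin/sh
# Append-only history of DNS answers (added example, not code from the thread).
#
# Intended cron use (hypothetical paths and schedule):
#   */15 * * * * . /usr/local/lib/dns-history.sh && dig +short A example.org | record_snapshot example.org /var/lib/dns-history.log
#
# History file format, one line per observed change:
#   2010-12-02T22:00:00Z example.org 192.0.2.10,198.51.100.7

# normalize_answer: read `dig +short` output on stdin, keep only lines that
# are IPv4 or IPv6 addresses (drops CNAME targets and ";; ..." error lines),
# sort them so round-robin reordering is not seen as a change, and join
# them with commas. Prints an empty line when nothing usable was returned.
normalize_answer() {
    { grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*$' || true; } |
        sort -u | paste -sd, -
}

# last_known NAME HISTORY_FILE: print the most recently recorded address set
# for NAME, or nothing if the name was never recorded.
last_known() {
    [ -f "$2" ] || return 0
    awk -v n="$1" '$2 == n { last = $3 } END { if (last != "") print last }' "$2"
}

# record_snapshot NAME HISTORY_FILE: read resolver output on stdin and append
# a timestamped line only when the address set is non-empty and differs from
# the last recorded one. Prints what it did:
#   recorded   a new address set was appended
#   unchanged  same addresses as the last entry
#   no-data    empty, REFUSED, SERVFAIL or NXDOMAIN answer; history untouched
record_snapshot() {
    name=$1
    history=$2
    current=$(normalize_answer)
    if [ -z "$current" ]; then
        echo "no-data"
        return 0
    fi
    last=$(last_known "$name" "$history")
    if [ "$current" = "$last" ]; then
        echo "unchanged"
        return 0
    fi
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" "$current" >> "$history"
    echo "recorded"
}
```

After an outage, `last_known example.org /var/lib/dns-history.log` returns the last addresses that resolved, which is the question asked earlier in the thread.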
wikileaks.no and wikleaks.se seem to accept requests on port 80 but appear to be having troubles generating responses, perhaps just overloaded. On Dec 3, 2010, at 12:45 AM, Stephane Bortzmeyer wrote:
On Fri, Dec 03, 2010 at 12:52:29AM -0500, Ken Chase <ken@sizone.org> wrote a message of 24 lines which said:
Anyone have records of what wikileaks (RR, i assume) A record was?
91.121.133.41 46.59.1.2
Translated into an URL, the first one does not work (virtual hosting, may be) but the second does.
I've found also, thanks to a new name resolution protocol, TDNS (Tweeter DNS), 213.251.145.96, which works.
I should have queried my favourite open rDNS servers before they expired,
dig A wikileaks.org > backup.txt
(from cron)
is a useful method. Other possible solution would be a DNSarchive, in the same way there is a WebArchive. Any volunteer?
Other possible solution would be a DNSarchive, in the same way there is a WebArchive. Any volunteer?
The RIPE REX tool provides something like this, at least for the reverse tree. <http://rex.ripe.net/> <http://albatross.ripe.net/cgi-bin/rex.pl?type=all&res=213.251.145.0/24&stime=2009-12-02&etime=2010-12-02&page=dns&cf=1&af=1> Of course, it appears that none of the three cablegate IP addresses you cite have reverse records provisioned that point to wikileaks (just bahnhof.se and ovh.net). --Richard
On 03/12/10 00:52 -0500, Ken Chase wrote:
On Fri, Dec 03, 2010 at 02:26:35PM +0900, Randy Bush said:
so, if the site to which a dns entry points suffers a ddos, everydns will no longer serve the domain. i hope they apply this policy even handedly to all sufferers of ddos.
if not, as a registrar, i guess i can no longer accept registrations where everydns is the ns delegatee.
Let us know if they deviate from this isometric application of policy. I'll be happy to encourage people not to use them.
Anyone have records of what wikileaks (RR, i assume) A record was? I should have queried my favourite open rDNS servers before they expired, assuming that the TTL was long enough (or modified to be long by a local cache policy).
Quick, someone power up their hibernated laptop with the network unplugged and ping wikileaks (assuming you looked at it recently before hibernation, before it was pulled... :) Not sure that works in any windows (or other OS's for that matter) however.
Their A records on Sunday were: #46.51.186.222 wikileaks.org #46.151.171.90 wikileaks.org -- Dan White
On Fri, Dec 03, 2010 at 08:27:57AM -0600, Dan White <dwhite@olp.net> wrote a message of 28 lines which said:
Their A records on Sunday were:
(No longer working.) Several people are keeping track of working IP addresses and advertise them in the DNS (wikileaks.something.example). Others have full mirrors. A current list: http://etherpad.mozilla.org:9000/wikileaks copy it, so you can access the DNS mirrors even if mozilla.org is taken down... <operational>It's a very interesting exercise in resiliency.</operational>
On 12/2/2010 11:26 PM, Randy Bush wrote:
so, if the site to which a dns entry points suffers a ddos, everydns will no longer serve the domain. i hope they apply this policy even handedly to all sufferers of ddos.
Given "These attacks have, and future attacks would, threaten the stability of the EveryDNS.net infrastructure, which enables access to almost 500,000 other websites." I'd say they had DOS issues with their nameservers. They can't be expected to let their other domains go down in efforts to protect a single domain. I'm guessing they weathered the problem somewhat, as they actually gave 24h notice. However, excessive loads and constant monitoring and protective measures on a free service would definitely be something a company would want to stop. Jack
On Thu, Dec 2, 2010 at 11:29 PM, Jack Bates <jbates@brightok.net> wrote:
On 12/2/2010 11:26 PM, Randy Bush wrote:
so, if the site to which a dns entry points suffers a ddos, everydns will no longer serve the domain. i hope they apply this policy even handedly to all sufferers of ddos.
Given "These attacks have, and future attacks would, threaten the stability of the EveryDNS.net infrastructure, which enables access to almost 500,000 other websites." I'd say they had DOS issues with their nameservers. They can't be expected to let their other domains go down in efforts to protect a single domain.
I'm guessing they weathered the problem somewhat, as they actually gave 24h notice. However, excessive loads and constant monitoring and protective measures on a free service would definitely be something a company would want to stop.
FYI: http://www.techdirt.com/articles/20101202/22322512099/wikileaks-says-its-site-has-been-killed.shtml

- ferg

-- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/
I guess the USG's cyberwar program does work (very dryly said).

-----Original Message-----
From: Paul Ferguson [mailto:fergdawgster@gmail.com]
Sent: Friday, December 03, 2010 1:39 AM
To: Jack Bates
Cc: North American Network Operators Group
Subject: Re: wikileaks dns (was Re: Blocking International DNS)

On Thu, Dec 2, 2010 at 11:29 PM, Jack Bates <jbates@brightok.net> wrote:
On 12/2/2010 11:26 PM, Randy Bush wrote:
so, if the site to which a dns entry points suffers a ddos, everydns will no longer serve the domain. i hope they apply this policy even handedly to all sufferers of ddos.
Given "These attacks have, and future attacks would, threaten the stability of the EveryDNS.net infrastructure, which enables access to almost 500,000 other websites." I'd say they had DOS issues with their nameservers. They can't be expected to let their other domains go down in efforts to protect a single domain.
I'm guessing they weathered the problem somewhat, as they actually gave 24h notice. However, excessive loads and constant monitoring and protective measures on a free service would definitely be something a company would want to stop.
FYI: http://www.techdirt.com/articles/20101202/22322512099/wikileaks-says-its-site-has-been-killed.shtml

- ferg

-- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/
On Friday 03 December 2010 13:22:19 Frank Bulk wrote:
I guess the USG's cyberwar program does work (very dryly said).
They missed ;) http://wikileaks.ch http://twitter.com/wikileaks
I guess the USG's cyberwar program does work (very dryly said).
It was reported in the last couple of days that Wikileaks could have been taken off the net but the govt decided not to do it. As for a member of Congress pressuring Amazon, what else would one expect? If a site has content that the USG might see as "damaging", and if a US company is facilitating the distribution of that content, sure, I would expect members of that government to apply "pressure" but I have no idea what that "pressure" might have consisted of. But think about it ... if someone had, for example, deep internal corporate confidential financial information on a company and published that on the web, that company might also attempt to "pressure" the publishing entity to stop it. To expect someone not to "pressure" someone to remove potentially damaging material is probably naïve.
For the record, I would never remove a customer because a congressman or senator asked for it, however, I would deny service to persons with outstanding felony warrant(s). Jeff On Fri, Dec 3, 2010 at 12:38 PM, George Bonser <gbonser@seven.com> wrote:
I guess the USG's cyberwar program does work (very dryly said).
It was reported in the last couple of days that Wikileaks could have been taken off the net but the govt decided not to do it.
As for a member of Congress pressuring Amazon, what else would one expect? If a site has content that the USG might see as "damaging", and if a US company is facilitating the distribution of that content, sure, I would expect members of that government to apply "pressure" but I have no idea what that "pressure" might have consisted of.
But think about it ... if someone had, for example, deep internal corporate confidential financial information on a company and published that on the web, that company might also attempt to "pressure" the publishing entity to stop it.
To expect someone not to "pressure" someone to remove potentially damaging material is probably naïve.
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
On Fri, Dec 3, 2010 at 12:38 PM, George Bonser <gbonser@seven.com> wrote:
As for a member of Congress pressuring Amazon, what else would one expect? If a site has content that the USG might see as "damaging", and if a US company is facilitating the distribution of that content, sure, I would expect members of that government to apply "pressure" but I have no idea what that "pressure" might have consisted of.
It may be naive, but I expect due process from the USG. Just sayin' -Randy Fischer
The patriot act did away with due process. On 12/3/2010 3:10 PM, Randy Fischer wrote:
On Fri, Dec 3, 2010 at 12:38 PM, George Bonser<gbonser@seven.com> wrote:
As for a member of Congress pressuring Amazon, what else would one expect? If a site has content that the USG might see as "damaging", and if a US company is facilitating the distribution of that content, sure, I would expect members of that government to apply "pressure" but I have no idea what that "pressure" might have consisted of. It may be naive, but I expect due process from the USG.
Just sayin'
-Randy Fischer
Yo Curtis! On Fri, 3 Dec 2010, Curtis Maurand wrote:
The patriot act did away with due process.
Yep. More on that today: http://www.wired.com/threatlevel/2010/12/realtime/

RGDS
GARY

Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97701 gem@rellim.com Tel:+1(541)382-8588
To expect someone not to "pressure" someone to remove potentially damaging material is probably naïve.
i believe that the material was not stored on amazon, only torrent pointers. and to cave to that pressure absent of actual legal requirement cost amazon my business. randy
* Jack Bates (jbates@brightok.net) wrote:
Given "These attacks have, and future attacks would, threaten the stability of the EveryDNS.net infrastructure, which enables access to almost 500,000 other websites." I'd say they had DOS issues with their nameservers. They can't be expected to let their other domains go down in efforts to protect a single domain.
This is then important information that should be spelled out in their terms of service. 'If your domain generates too much traffic we will terminate your service'.. It might very well be reasonable for a free service to have these restrictions but as a customer it could be an important differentiator when choosing service provider. ..assuming that the DOS actually took place.. (tinfoil hat on..:) /Joakim
I'm guessing they weathered the problem somewhat, as they actually gave 24h notice. However, excessive loads and constant monitoring and protective measures on a free service would definitely be something a company would want to stop.
Jack
On 3/12/10 3:05 PM, Ken Chase wrote:
All our topics of discussion are merging... (soon: "does Wikileaks run on 208V?" :)
right hand side.
(sorry to shift the discussion off of uucp... long live sizone.uucp...)
There is a list of mirror sites here: http://wikileaks.info/ There are three IPv4 addresses listed for the cablegate site: 91.194.60.90, 91.194.60.112 and 204.236.131.131. Of these, the first one is not responding (from Australia), the third is an Amazon IP and won't host the site now. The second one is responding, but is not up to date with the full release so far (it has 294 cables, up to November 30). I'm surprised they don't have a proper mirror using a .se, .ch or .is domain. Regards, Ben
ICANN is not the problem. It is itself a problem because over the years instead of being a technical coordinator for names and numbers became the playground and clearinghouse for IP (Intellectual Property) groups, all sorts of color, sizes and shapes of attorneys milking from the "DNS ecosystem" and Internet Governance wanna be politiks.
there were two other proposals for the structure of the new entity. ira's left verisign with a great deal of control over outcomes, a situation that continues to the present day. we've no data on how either of the other forms would have functioned, or would function now. -e
Also while different segments may have some level of participation (including folks that claim they represent the users which they do not) by design ICANN is a membership less organization so the multi stake holder model is a lie and the bottom up process when the bottom does not have the same level of resources to participate as some of the big corp/lobby groups, ends being a fiasco.
the dissolution of the protocol supporting organization in december 2002 removed it as an entity contributing voting seats to the icann board. the advisory role survived in the technical liaison group, now the target of a proposal that could eliminate it too as an entity contributing non-voting seats to the icann board [1]. and as i've pointed out previously, no later than icann-10, in montevideo, no isp, nsp, asp, ... operational interests were present in the "internet service provider constituency", only the trademark interests of the participating operators, e.g., verizon. some responsibility for the non-effectiveness, even of the public-private-multi-stakeholder-bottom-up-consensus-driven model chosen for the new entity, goes to the industry actors which either withdrew their participation, or limited their participation to non-operational, non-technical participation. btw, i spent quite a bit of my time with the berkman center researchers working on accountability and transparency on just the issue of how users can be represented and i think it a hard problem. -e [1] http://icann.org/en/public-comment/#tlg-review-2010
btw, i spent quite a bit of my time with the berkman center researchers working on accountability and transparency on just the issue of how users can be represented and i think it a hard problem.
I bet it is not a trivial enterprise to put together and give shape to an organization like ICANN. My biggest concern is that somewhere in the painful process of building this organization something got completely derailed from its original intents. I'll not deny that there are positives and some accomplishments, not trying to do a substantial balance check, but on a 50Kfeet quick snapshot, I see ICANN as a non-profit org with a ~$60+M annual budget, and I always raise this question on my mind: what it actually produces at that cost for the "common good" of the Internet community ? (let's make clear that the domain registrants are the ones mostly paying for all this). Yes, it has the contract (by now) from DoC to provide the IANA services, it has some DNS operational and coordination role, the folks involved with the DNSSEC implementation did a great job, but the bulk of the budget is not going there, most of it goes to finance the smoke and mirrors processes and the traveling circus. No wonder why in the letter sent today by DoC/NTIA to ICANN, on the very first line Assistant Secretary Strickling says "I am writing to express my concern regarding the apparent failure of ICANN to carry out its obligations as specified in the Affirmation of Commitments" ... http://forum.icann.org/lists/5gtld-guide/pdf4SSmb5oOd5.pdf I believe that there is a lot of people very concerned with what ICANN is doing and what it is supposed to do, and trying to fix it from within is not an easy task either, getting involved in ICANN's processes and ecosystem is very demanding, and unless you have a big chunk of dough in the bank or are being paid (which brings on front line the interests of who pays you) there is not an easy way to make free volunteer work effective. I guess we are sliding OT for this list ...sigh Best Regards Jorge
Jorge, On Dec 2, 2010, at 6:02 PM, Jorge Amodio wrote:
I bet it is not a trivial enterprise to put together and give shape to an organization like ICANN. My biggest concern is that somewhere in the painful process of building this organization something got completely derailed from its original intents.
I suppose it depends on your view of "its original intents" (and what you mean by "ICANN").
I believe that there is a lot of people very concerned with what ICANN is doing and what it is supposed to do, and trying to fix it from within is not an easy task either, getting involved in ICANN's processes and ecosystem is very demanding, and unless you have a big chunk of dough in the bank or are being paid (which brings on front line the interests of who pays you) there is not an easy way to make free volunteer work effective.
My view (having been on both sides now) is that despite numerous missteps, particularly early in its life, ICANN really is trying to do "the right thing". There are lots of challenges, not least of which is that given ICANN's structure, the definition of "the right thing" depends on who participates most actively in the myriad ICANN processes.
I guess we are sliding OT for this list ...sigh
Yep, and that's unfortunate as folks who participate in NANOG generally have opinions that could counterbalance the folks who usually show up at ICANN meetings. Regards, -drc
the more i think about this, the more i am inclined to consider a second trusted root not (easily) attackable by the usg, who owns the root now,
This particular domain grab had nothing to do with the root or ICANN. If you look at the name servers and WHOIS of the domains that were seized, you can easily see that the USG served papers on Verisign, who did what the papers told them to, because they're the .COM registry. Anyone who registers a .COM really shouldn't be surprised to find out that Verisign is headquartered in California, and is 100% subject to US law, not to mention still having a side agreement with DoC about .COM due to its history.

For several decades the USG has made it crystal clear that they do not mess with ccTLDs, not even ones for countries they don't like such as .CU and .IR. If you want a USG-proof domain, use a ccTLD.

I am somewhat more concerned about the possibility that the government would have a mandatory do-not-resolve list for networks in the US. That would be unlikely to stand up in court, viz. the quick failure of the Pennsylvania child porn IP blacklist, but the process would be painful while it unfolded.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
For several decades the USG has made it crystal clear that they do not mess with ccTLDs, not even ones for countries they don't like such as .CU and .IR.
possibly clear to you. the factual experience is that this statement is patently false to those dealing with those particular cctlds. randy
Randy,

Can you cite specific examples of USG interfering with ccTLDs?

Jeff

On Wed, Dec 1, 2010 at 11:53 PM, Randy Bush <randy@psg.com> wrote:
For several decades the USG has made it crystal clear that they do not mess with ccTLDs, not even ones for countries they don't like such as .CU and .IR.
possibly clear to you. the factual experience is that this statement is patently false to those dealing with those particular cctlds.
randy
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Can you cite specific examples of USG interfering with ccTLDs?
For several decades the USG has made it crystal clear that they do not mess with ccTLDs, not even ones for countries they don't like such as .CU and .IR. possibly clear to you. the factual experience is that this statement is patently false to those dealing with those particular cctlds.
i am not at liberty to do so. but, for a clue

    % dig +short cu. ns
    ns.ceniai.net.cu.
    ns-cu.ripe.net.
    ns.dns.br.
    rip.psg.com.          <<--
    ns2.gip.net.
    ns1.gip.net.
    ns2.ceniai.net.cu.

randy

---
Q: Because it reverses the logical flow of conversation.
A: Why is top posting frowned upon?
On 2010-11-22, at 00:00, Jeffrey Lyon wrote:
Indeed, offshore resolvers, offshore DNS infrastructure and the progressive's futile attempts at interference with free markets is once again thwarted. We all know that U.S. law helps keep the internet safe </sarcasm>
You don't think "(i) a service provider, as that term is defined in section 512(k)(1) of title 17, United States Code, or other operator of a domain name system server shall take reasonable steps that will prevent a domain name from resolving to that domain name’s Internet protocol address;" could be taken as a requirement for providers to intercept attempts to use off-network DNS resolvers and manage such requests to meet the end goal above? Given that many providers already do this (for whatever reason), it's not much of a stretch to see someone declaring that such behaviour falls under the umbrella of "reasonable steps". I'm not suggesting that I think any of this is reasonable or sensible, but it does seem to imply an operational burden on service providers. Joe
On 11/22/2010 10:25 AM, Joe Abley wrote:
You don't think
"(i) a service provider, as that term is defined in section 512(k)(1) of title 17, United States Code, or other operator of a domain name system server shall take reasonable steps that will prevent a domain name from resolving to that domain name’s Internet protocol address;"
could be taken as a requirement for providers to intercept attempts to use off-network DNS resolvers and manage such requests to meet the end goal above?
Given that many providers already do this (for whatever reason), it's not much of a stretch to see someone declaring that such behaviour falls under the umbrella of "reasonable steps".
I'm not suggesting that I think any of this is reasonable or sensible, but it does seem to imply an operational burden on service providers.
And where would the list that we need to block be gotten from? --Curtis
You don't think
"(i) a service provider, as that term is defined in section 512(k)(1) of title 17, United States Code, or other operator of a domain name system server shall take reasonable steps that will prevent a domain name from resolving to that domain name’s Internet protocol address;"
could be taken as a requirement for providers to intercept attempts to use off-network DNS resolvers and manage such requests to meet the end goal above?
Given that many providers already do this (for whatever reason), it's not much of a stretch to see someone declaring that such behaviour falls under the umbrella of "reasonable steps".
I'm not suggesting that I think any of this is reasonable or sensible, but it does seem to imply an operational burden on service providers.
It's funny, isn't it, didn't we just finish convincing the government of the need for DNSSEC, making the DNS system more resistant to some forms of tampering? ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
On 2010-11-22, at 10:43, Joe Greco wrote:
It's funny, isn't it, didn't we just finish convincing the government of the need for DNSSEC, making the DNS system more resistant to some forms of tampering?
I guess if the manner of the interception was to send back SERVFAIL to DNS clients whose queries were (in some sense) objectionable, the result would be that the clients were not able to resolve the (in some sense) bad names. This would in effect be a selective denial of service attack to DNS clients. DNSSEC provides no integrity protection over that type of interference -- you need to get an answer for the answer to have a signature, and without a signature there's nothing to check. Joe
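Joe Abley's point about SERVFAIL and DNSSEC, as an added example that is not part of the original thread: the Python below parses three constructed DNS responses (hypothetical example.com data, placeholder signature bytes) and shows that a spoofed answer leaves a validator something to reject, while a bare SERVFAIL leaves nothing to check. The function names and result labels are illustrative, and no signature is actually verified.

```python
import struct

RRSIG, SERVFAIL = 46, 2   # RR type of a DNSSEC signature; RCODE 2

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_response(rcode, answers, name="example.com"):
    """Constructed response to an A query; answers = [(rrtype, rdata), ...]."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(answers), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    for rrtype, rdata in answers:
        msg += b"\xc0\x0c"  # compression pointer back to the question name
        msg += struct.pack("!HHIH", rrtype, 1, 300, len(rdata)) + rdata
    return msg

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:   # compression pointer terminates the name
            return off + 2
        if n == 0:             # root label terminates the name
            return off + 1
        off += 1 + n

def classify(msg):
    """What a DNSSEC-validating client has to work with in this response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, types = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an):
        off = skip_name(msg, off)
        rrtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rrtype)
        off += 10 + rdlen
    if flags & 0x000F == SERVFAIL and not types:
        return "nothing-to-validate"   # no RRset and no RRSIG: the lookup just fails
    if RRSIG in types:
        return "signed-answer"         # signature chain can be checked
    return "unsigned-answer"           # a validator rejects this for a signed zone

A_RDATA = bytes([192, 0, 2, 1])        # constructed sample data (TEST-NET-1)
FAKE_SIG = b"\x00" * 32                # placeholder RDATA, not a real signature
SIGNED = build_response(0, [(1, A_RDATA), (RRSIG, FAKE_SIG)])
FORGED = build_response(0, [(1, A_RDATA)])
BLOCKED = build_response(SERVFAIL, [])
print(classify(SIGNED), classify(FORGED), classify(BLOCKED))
```
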
On Nov 22, 2010, at 10:48 PM, Joe Abley wrote:
I guess if the manner of the interception was to send back SERVFAIL to DNS clients whose queries were (in some sense) objectionable, the result would be that the clients were not able to resolve the (in some sense) bad names.
Quantifying the negative performance impact of SERVFAIL on various stub resolvers might provide some useful data points in any 'official' discussions which arise on this topic. ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> Sell your computer and buy a guitar.
The more I think about this COICA deal the more I can't even fathom how it could be implemented.

If an upstream server won't resolve, what's to stop a network admin from using an offshored DNS server, or even the root servers?

Unless we're talking about keeping DNS traffic confined to the ISP's network.

Then what's to stop a global HOSTS.TXT from circulating via torrent?

It's shortsighted and problematic, which is usually what happens when technical discussions are dictated by politics.

-wil

On Nov 22, 2010, at 4:21 PM, Dobbins, Roland wrote:
On Nov 22, 2010, at 10:48 PM, Joe Abley wrote:
I guess if the manner of the interception was to send back SERVFAIL to DNS clients whose queries were (in some sense) objectionable, the result would be that the clients were not able to resolve the (in some sense) bad names.
Quantifying the negative performance impact of SERVFAIL on various stub resolvers might provide some useful data points in any 'official' discussions which arise on this topic.
----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Sell your computer and buy a guitar.
On 11/22/2010 07:47 PM, Wil Schultz wrote:
The more I think about this COICA deal the more I can't even fathom how it could be implemented.
If an upstream server won't resolve, what's to stop a network admin from using an offshored DNS server, or even the root servers?
The way I read it it's specifically aimed at whoever is running the resolver, ISP or otherwise. Querying recursively starting at the root would be a violation then. (hence my comment earlier about taking my recursor from my cold dead hands.) So, short of actually searching out and confiscating or destroying uncensored resolvers (like the ones, 5th amendment notwithstanding, that will continue to run each of my notebooks, even if just for spite if the law passes.), or raiding ICANN guns drawn and ordering removal of "non compliant" ccTLDs from the root, IMHO enforcement would be pretty much impossible.
Unless we're talking about keeping DNS traffic confined to the ISP's network.
tunneled connections. unless all IP traffic is kept to a specific ISP, in which case the "I" would become a misnomer, and would be easier said than done.
Then what's to stop a global HOSTS.TXT from circulating via torrent?
Hey as long as it's not a DNS server. :P
It's shortsighted and problematic, which is usually what happens when technical discussions are dictated by politics.
Yup. -- Joe Sniderman <joseph.sniderman@thoroquel.org>
On Nov 22, 2010, at 7:25 AM, Joe Abley wrote:
On 2010-11-22, at 00:00, Jeffrey Lyon wrote:
Indeed, offshore resolvers, offshore DNS infrastructure and the progressive's futile attempts at interference with free markets is once again thwarted. We all know that U.S. law helps keep the internet safe </sarcasm>
You don't think
"(i) a service provider, as that term is defined in section 512(k)(1) of title 17, United States Code, or other operator of a domain name system server shall take reasonable steps that will prevent a domain name from resolving to that domain name’s Internet protocol address;"
could be taken as a requirement for providers to intercept attempts to use off-network DNS resolvers and manage such requests to meet the end goal above?
Given that many providers already do this (for whatever reason), it's not much of a stretch to see someone declaring that such behaviour falls under the umbrella of "reasonable steps".
I'm not suggesting that I think any of this is reasonable or sensible, but it does seem to imply an operational burden on service providers.
If it does, then, you'll find open tunnel servers providing tunnels to off-shore DNS services. Sigh. I really wish congress had better things to do than getting into a technology arms race with the people of the united states. Oh, wait, they do have better things to do, they just aren't doing them. Owen
On Nov 19, 2010, at 3:45 PM, Marshall Eubanks wrote:
It seems that the Combating Online Infringement and Counterfeits Act (COICA) passed through the Senate Judiciary Committee with a unanimous (!) vote :
COICA appears to be dead for this year. Ron Wyden (D Oregon) has put a hold on COICA, basically a threat of a Filibuster. This will probably kill it for now, as time is running out in this lame duck session. If this holds, the bill would have to start from scratch next year. http://www.unitethecows.com/content/321-coica-halted-following-controversy.h... Regards Marshall
http://arstechnica.com/tech-policy/news/2010/11/pirate-slaying-censorship-bi...
http://www.govtrack.us/congress/billtext.xpd?bill=s111-3804
I claim operational content for this as, on the basis of court orders, i.e. a
"temporary restraining order, a preliminary injunction, or an injunction against the domain name used by an Internet site dedicated to infringing activities"
it requires that, for foreign domain names,
"(i) a service provider, as that term is defined in section 512(k)(1) of title 17, United States Code, or other operator of a domain name system server shall take reasonable steps that will prevent a domain name from resolving to that domain name’s Internet protocol address;"
This expedited DNS cutoff is only available for copyright violations, not for other illegalities.
Whether this has any chance of actually passing through this Lame Duck Congress remains to be seen, but my personal reading is that that is not likely.
Regards Marshall
participants (43)
- Ben McGinnes
- Bjørn Mork
- Curtis Maurand
- Dan White
- David Conrad
- Dobbins, Roland
- Eric Brunner-Williams
- Frank Bulk
- Gary E. Miller
- George Bonser
- Ingo Flaschberger
- Jack Bates
- Jeff Johnstone
- Jeffrey Lyon
- Jeffrey S. Young
- Joakim Aronius
- Joe Abley
- Joe Greco
- Joe Sniderman
- John Levine
- Jorge Amodio
- Ken Chase
- Ken Chase
- Lamar Owen
- Leen Besselink
- Lyndon Nerenberg (VE6BBM/VE7TFX)
- Mans Nilsson
- Mark Andrews
- Marshall Eubanks
- Michael DeMan
- Michael Painter
- ML
- Owen DeLong
- Paul Ferguson
- Randy Bush
- Randy Fischer
- Richard Barnes
- Simon Waters
- Stephane Bortzmeyer
- Steven Bellovin
- Suresh Ramasubramanian
- Sven Olaf Kamphuis
- Wil Schultz