ICANN/DNSO
DNSO Mailling lists archives

[ga-sys]


<<< Chronological Index >>>    <<< Thread Index >>>

RE: [ga-sys] Re: Registrants Charter -- FREEDOMS -- part 1


> From: babybows.com [mailto:webmaster@babybows.com]
> Sent: Tuesday, May 15, 2001 7:18 PM
> 
> William,
> 
> I understand the argument regarding "a listing where they can 
> be reached for
> any legal purpose".  I do not understand why such 
> information, which is
> retained in the registrars billing records (usually verified 
> via a credit
> card services provider) needs to be put out for public 
> display when for
> legal purposes the registrar could assuredly be contacted.

It adds another layer to slow things down when you're trying to stop a DDOS
attack (as ONE specific example). One that the domain in question may be
involved with. Possibly because their host was cracked.

> You have alluded to practices such as the use of Postal 
> service boxes and
> similar services to protect one's address. 

Actually, I think that was me. It involved a thread that Chris Ambler and
myself created in NSI's DOMAIN-POLICY list, years ago, when he was ranting
about the same thing. Role accounts were new then. We were all up in arms
about privacy wrt the whois system. Some of it even overflowed to NANOG.

Right around then, Yahoo, eBay, Netscape, and others, got taken down by
DDOS. The whois, such that it is, was invaluable in tracing down contact
info for some domains that had whole herds of zombies. The experience made a
believer out of me. Some of those guys, on the sharp end, were my clients.
Some zombie owners were "not available", others were clueless, yet others
munged their whois info such that the only way to stop their boxen was to
/dev/null their routes until they noticed that their Internet connection was
non-existant (with their upstream's cooperation, of course. That took
Wwwaaayyy longer to do. Some didn't notice for weeks).

Every server on the Internet is a potential cyber-weapon. From an operations
perspective, we MUST be able to contact its owner directly. At the very
least, someone with the authority to shut it down. That's what the tech and
admin contacts are for.

> Most registrants go through a
> registrar that uses credit card identity verification 
> procedures that will
> not accept addresses other than those shown on a registrant's 
> credit card.

For a corp, that's a no-brainer. I strictly use my corp cards for this ...
with the corporate address. See below for individuals.

> This results in registrants revealing certain data to the 
> Public Whois even if they have PO boxes.

Not true, see above. Incidently, for general security and convenience,
internet or no internet, one should never use personal residence information
on a credit card or other public document. Setup a separate mailing address
just for that purpose. Even my drivers license has a PO box on it. It
reduces the risk of identity theft and enhances physical security for your
family. You should do this whether you want a domain or not. As a pleasant
side-effect, should you move, it is a LOT easier because you only have to
update one or two forwarding addresses. In addition, they will also filter
your junk mail for you.

Only give them what they need to know, not what they want. You alone are
responsible for controlling your private information, no one else. If they
want a mailing address, give them your box address, if they want your phone
number, setup a second line for that purpose (I have 8 lines, two of them
are voice. ISDN gives you two phone numbers [almost] for the price of one).
If they want a credit card, make sure that ALL of your credit cards have the
same  PO box address and that it works.

The point is, build a perimeter, and a safety buffer zone, between your
residence and the wild and woolly Internet kooks out there. Then you can go
to www.locateme.com with peace of mind. Yes, this costs more than a dollar.
OTOH, I no longer worry about my job, physical person, or my family, being
threatened by some whack-job-looney-tunes kook.

> Yes, there are provisions to "hide" Whois data, but
> most new registrants are not aware of their options in this 
> regard.  The registrar community has done little to inform
> registrants of their options to edit their contact information.

Sure, they figure that registrants are adults. They don't realize that they
need anti-naiveté training.

> Perhaps a registrants "Bill of Rights" would be in order.

Perhaps, it depends on the contents.
--
This message was passed to you via the ga-sys@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga-sys" in the body of the message).
Archives at http://www.dnso.org/archives.html



<<< Chronological Index >>>    <<< Thread Index >>>