One of the biggest issues facing those of us who fight cybercrime (and perhaps “fight” sounds wrong, but it’s what we do) is arguing with hosts, registrars and ASes to get domains and servers taken offline, whether it’s a single IP/server/domain or hundreds of thousands of them, as was the case with a fake meds case last year.
Usually, all we have to do is send a report with the evidence to a host/registrar/AS to get action taken, but in cases where those attempts fail, we first go to the upstream, and if that fails, we then go to the registries or, in the case of domains, ICANN.
It’s ICANN I want to talk about today, and the reason for this is that they have ultimate control over EVERY SINGLE DOMAIN, regardless of its TLD, and this is very important. In one fell swoop, they could take down malicious domains, and I don’t mean compromised domains; those MUST be treated completely separately (i.e. in cases of compromise, you contact those in charge of the domain/server to get it resolved, which is usually successful, though it sometimes takes a lot of emails/phone calls).
ICANN, however, has other ideas. They want overall control, with none of the responsibilities that go with that control, and it’s that that I have a problem with.
I’m rubbish with examples and metaphors, so bear with me, but let’s look at parenting, as it’s the only other thing I know about (and don’t get me wrong, I screwed up my first chance at that; still no idea how I screwed it up, but I’m guessing I did. Anyway, I’m getting off track). In the case of parenting, you have a child, and you’re responsible for the actions of that child. It’s as simple as that. You buy a car, and you’re responsible if the car knocks someone over.
In ICANN’s case, they don’t believe they should have to do anything if a domain is involved in malicious activity, whether it’s directly infecting/phishing or involved in other malicious/criminal activity.
The question is, why? Why are they getting away with this? This is something I’ve always had problems figuring out. I’m guessing it’s to do with money or politics (it usually is), but it’s troubling all the same, and it’s something that needs to change if we’re to do so much as make a difference. I personally get domains/IPs/servers taken offline every single day, and I know I’m just one person doing it; there are thousands of others doing the same thing. However, for every one of us, there are likely hundreds of criminals involved in malicious activity, whether “skiddies”, opportunists, or dedicated gangs. This means that if we’re to actually make a difference, the first thing that needs to change is for those in control to start taking responsibility and taking action (and this also applies to the registries, as all they tend to do in most cases is tell you to reach out to the AS, which is what’s already been tried and is what led to contacting the registry in the first place).
I know this blog isn’t going to be read by them. Hell, it’s not exactly well known, so what I’d like to see done is for people to start either asking their MPs to do something, or writing to ICANN and the various registries (in the case of IPs, as ICANN has no control over IP addresses), to get their stance to change and start getting action taken.
I suppose this raises the question of whether this is ICANN’s failure or ours (for letting things get to this point in the first place). Either way, in the case of domains at least, ICANN are the only ones with the power to make a real difference.
And if you’ve got this far, thank you. I’ll end my rant now.