ietf-asrg

Re: [Asrg] Round 2 of the DNSBL BCP - "collateral damage"

2008-04-02 03:13:46
On Tue, Apr 01, 2008 at 10:38:12PM -0700, Steve Atkins wrote:
> The other is to cause damage, financial and otherwise, to
> the owner of the IP address. That is the stated goal of many
> blacklists, for at least some subset of their listings.

I'm aware that's sometimes a stated goal.  But "stated goals" don't
define reality.  (For example, I cite the canonical "We take privacy
seriously" boilerplate which now routinely appears in the press releases
of every entity which has disclosed a major data leak.)  While this
might be a stated goal, it's not an achievable goal, because DNSBL
listings (or use of those to deny privileges) can't possibly inflict
damage on anyone.


(This is not to say, by the way, that damage isn't possible in such
situations.  Perhaps it is.  But if that comes to pass, please note that
all such damage is completely self-inflicted by organizations which
have made three serious errors:

First, they have conflated their transient, limited privileges (e.g.,
access to FTP services) with perpetual, unlimited rights.   Or perhaps
with contractual obligations which, absent a contract, don't exist.

Second, they have presumed that HTTP or other service providers will
generously continue to provide those privileges even though they're
not obligated to and may cease doing so (in whole or part) at any time
without notice, or may unilaterally change the terms under which they
offer such services, or may restrict such offerings as they see fit.

And third, they've built deeply-flawed cognitive/operational/business
models around the first two errors.  We've seen this in other contexts
-- for example, search engine listings/rankings.

So if, for example, I build a web site which contains tens of thousands
of pages of useful information, and someone decides to launch a
business based on repackaging that information for sale -- and enters
into contractual agreements with its customers to provide same -- and
then I decide one day to block their access to my site, or to turn it
off entirely, have I "damaged" them?  No.  I have merely exercised my
ownership of my resources.  They may be disappointed, upset, angry,
worried, etc., and so might their customers, and this may translate
into some form of damage (to goodwill or to profits or something else),
but I'm not the cause of it: their own errors -- see above -- are the
cause of it.  Substitute SMTP for HTTP and the same applies.)

---Rsk
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/asrg
