So in this conversation, we're going to talk a little bit about DNS abuse, which is an interesting conversation because, as we discussed Internet governance in the very first session, ICANN, which is something that comes up so frequently in the conversation about Internet governance, is still just one part of Internet governance. The DNS is just one part of cybercrime, or cyber abuse, or whatever you might want to call it, right? So part of the issues surrounding this concept of DNS abuse is how best to define it, right? There's sort of a technical version of DNS abuse that involves man-in-the-middle attacks and things, and then there's a sort of semantic version of DNS abuse where you have, you know, phishing website names that look very similar to the name of your bank, or something like that, that draws you away from where you're trying to go. So there are things that are sort of focused within the DNS. And when we talk about ICANN as an institution, and as we're sort of finding our way, hour by hour, toward the start of the ICANN meeting, these conversations become more pointed, because the actors within the ICANN community are very concerned about whose responsibility it is to fight which different kinds of abuse. And that's part of the discussion that takes place, and that, you know, I think Graeme regularly finds himself in the middle of: this definitional issue. And so that's part of it. There's this idea of cybercrime and cyber abuse that I think everyone concedes is this huge problem. What we're going to try to talk about in this session is specifically DNS abuse, which is something that if you say it outside this room, no one will know what you're talking about, because it's very specific to the DNS, as opposed to these more generalized terms that we've come to use, like identity theft, or even phishing, or cybercrime more generally. So we have a great panel here.
Because we have two researchers, Lucien Taylor and Graeme Bunton. They both do a lot of work on trying to just understand the scope and scale of DNS abuse and its implications then on Internet trust. So they each have short presentations to give, and I'll let each of them go ahead and do that. And then we'll start an open conversation. So with that, I'll go right to Lucien to start things off.
Thank you very much. Thank you, everybody. It's great to be here, and a real privilege to be able to speak at NASIG about what we're doing. Just wanted to say hello, Graeme, good to see you. I thought you were gonna be here, and I thought you were gonna read something yesterday that we rushed in to see you. Just to give a quick introduction, I'm going to read from my phone because I can't remember the detail of my mission, and it's really quite compact. We're a relatively new organization called the DNS Research Federation, DNSRF for short, and you can get more information about us on dnsrf.org. The DNSRF is a UK nonprofit whose mission is to advance the understanding of the domain name system's impact on cybersecurity, policy and technical standards through education and research, access to data and engagement in technical standards. So that's the mouthful I've tried to remember for years. But basically, we are a new not-for-profit that's set up to provide better data for everybody, to help researchers, and to help get your head around the Internet and how it works at a structural level. For transparency, I will say that we were seed funded by Meta. We now have a number of other funders, including PIR. The Global Anti-Scam Alliance are in partnership with us. We have academic partnerships with American University (thank you, Derek, wherever he is), University College London, and Oxford University. We are a cross-sector group of stakeholders that we're dealing with, and we had a fantastic discussion yesterday about the challenges of people with conflicting interests coming in and trying to work together. So we have other stakeholders who are also in the game: Verisign, the ISOC Foundation, the RIRs are in, and RIPE. They are all funding projects for us. We work with CrowdStrike, the UK Government, the Australian government and ICANN. So I'm not saying that ever-growing list just to boast. I'm very proud of that.
But also to say that we're dealing with stakeholders with different interests trying to come together to solve the issues around the topic of today, which is DNS abuse. And our job in that game is to sit as a not-for-profit in the middle with no skin in the game. And we're interested in the research, the academia. And actually my part in that, as a software engineer and database expert, is to provide the data sharing platform, the actual technical platform. We have 20 years of software; we've made those open source. And we've been doing research and data processing and DNS stuff for 20 years plus. Last year at GASA, the Global Anti-Scam Alliance (so I need to emphasize and spell that out at the moment), at the GASA Lisbon symposium last year, a group of banks and brands were coming together and decided that something needs to change, abuse is going up. And they charged Jorij Abraham, the CEO of GASA, to come up with a data sharing platform, a global data sharing platform. He has now come to us to provide that, and we are launching the Cybercrime Exchange next month. This is based upon our dap.live research platform. So that's just a bit of background. Now what I wanted to do was just show a few slides, very short case studies, about 20 slides that just illustrate the effect that DNS abuse has on what we call the trustworthiness of the Internet. That's the topic for today, so if we can get my slides up. I believe I can change them here. Oh yeah, I can now see Graeme on one side of the screen and a slide on the other. So if I can change this, yeah, what we're going to look at is a scam that I encountered last week, and I thought this was quite an interesting use case because we actually did quite a lot of tracking around this.
In preparation for this NASIG meeting, I ordered a pair of trousers on Next. I don't know if anyone uses the Next retailer here, but basically I was wearing those trousers yesterday. I ordered them, quite good trousers actually, blue chinos, they don't cost much, I'm taking no commission from Next, but anyway they were due to be delivered to me on the Sunday. I placed my order on Saturday the 17th of February, you can see there. The next day, I got a text on Sunday the 18th of February from Evri, the delivery company dealing with that Next product, and you can see on it a domain name in the middle. Now, yes, thank you. Can anybody spot anything wrong with this text? Just a quick shout out if you can. Now there are a couple of signals on this that anybody who is a security expert should be able to spot straight away. Is this serious, nobody in this house can spot the problem with this text? Okay, the top, yeah, no, thank you. Yeah, okay. Okay, I've highlighted a couple of things on there. We've got a phone number, I don't know which country that's from, and not a verified sender over SMS; often now organizations have their own name at the top of text messages. The other is that we've got an Evri domain name purporting to be relating to Evri, which is evri-uk.vip. In part of our research, we're talking to consumers, and here we've got a YouTube channel where we discuss a number of issues around scams and the anatomies of scams and the typical way that scams unfold, including those involving domain names. And in this particular interview, I'm discussing with our CEO Emily some studies that we did with consumers directly, with consumer focus groups, looking at what makes them click on particular text messages. And many of them referred to the names of brands in text messages.
Okay, so here, this one is saying that it's about... I haven't got my eyeglasses, and this is from... Jim, I think. So they're recognizing that it's something that's important for them. This one is from HMRC, the tax collector. Now, what we found is that it doesn't really matter where in the domain name they see those familiar names and brands; they get a lot of trust and reassurance from brand names inside domain names. What we're doing is we're putting the domain names that appeared in that text message through a new service that we're launching called the Trust Checker, which looks at links that have been sent to people. They can enter it into a box, and they can get the results. This is basically saying, has this domain name appeared in various block lists, which are security lists that are maintained by third-party companies that we ingest into our system? And we say, does it have a history? It's a bit like a bad credit check on a car: does it have a bad history? And here we're looking at this evri-uk.vip domain name, and we can see that it's got a clean history. So we're saying that's got an A rating of trusted. However, it was registered on Saturday the 17th of February, and that is a threat signal. This is a beta service, and people are talking to us about how we should handle brand new domains. Some people say they're just inherently threatening, but then again, you've got to accommodate new businesses and new brands that are emerging, and you can't really describe those as threatening or bad. So there's more work to be done in this area. Okay. On Wednesday, yesterday, it started to appear on our Trust Checker, and funnily enough, it was picked up for spam, and it's still not appearing on any of the threat, abuse and malware lists.
We maintain a league table of top-level domain name providers, things like .com. There are many of them now, hundreds of them now. .vip is pretty low on the league table. If you're looking at domain name providers who provide more than half a million domain names, so they have money for security, .vip is nearly at the bottom of the list. It means that domain names under its management are appearing on a lot of malware lists. On the list of all TLD providers, irrespective of their number of domains in stock, .vip is pretty much near the bottom of the list. We looked at the WHOIS records for that. The registry services are GoDaddy, set up in the United States; the registrar services are set up in Hong Kong; and the registrant is a Chinese individual. The name servers, we've got Cloudflare name servers still serving that traffic and copying those assets. And what we found on the following Monday: Firefox was already blocking that domain. Safari was blocking that domain. Microsoft Edge was blocking that domain. And Chrome was still serving that domain, but the site had been taken down. So 80% of the world's browser traffic was still serving that domain. The block list providers, this is very small print, sorry, you're looking at APWG and OpenPhish. They have different stocks of abuse and threats. So you need all of them to find out what's happening out there. APWG's daily stock of threats was 240 for abuse or malware, and OpenPhish was nearly 10 times that. So what we're saying is you need an awful lot of data to really monitor this stuff. So part of our mission is to get more and more data, and our mission over the next three years is to become the biggest data provider for DNS abuse and threat monitoring in the world. I think that helps, I hope, illustrate the point. I've finished my presentation now. Sorry to give you death by PowerPoint.
And I'd like to hand over to Graeme now. Thanks.
Thanks a lot, and a lot of interesting new services. It's going to be interesting how it fits in with some of the other tools that are becoming available to users, and how people should decide what tools they should use when they receive a phishing email or something of that sort. Graeme, do you want to go ahead? I think you're able to share your screen.
I am. I will. Thank you. First of all, before I do that, a big thank you to the North American School of Internet Governance for having me. I love participating in this sort of event, and enjoy taking the opportunity in this sort of context to maybe be a little bit more speculative, try out some big ideas, and try and do less sort of hard fact and more sort of spur discussion. I think that's what I'm trying to do here today. Apologies for not being there in person. I was supposed to be there in person, and then between the early days of planning and now, I got elected to the board of .CA and have a conflict with that. But I land in Puerto Rico tomorrow afternoon and look forward to seeing everybody as soon as I can. So let me share my screen. And nope, that's been disabled. Maybe we can enable that, and I'll just keep talking.
Yeah. So let's start, and I'll catch up on my slides when we get there. Jonathan started us off with a little bit of discussion of some of the definitional issues around DNS abuse. I am co-hosting. That sounds like a good thing. Let me try and share my screen again. There it is. Great. Okay. So, a brief overview of what I'm going to do. I'm going to try and do it quickly. We started a little late, and I want to make sure we have time for discussion. So apologies if I'm running a bit zippy, especially in a context where everybody's first language might not be English. So I'm gonna go through what DNS abuse is. I'm going to talk a bit about the scale of harm. I want to talk about what we mean by trust. I want to talk about what kind of impact DNS abuse has on that in terms of the Internet, and then talk a little bit about what we can do. So Jonathan started us off with a little bit of discussion about DNS abuse and its definition. This has been a long-running debate within ICANN. It is, in practical terms, I think, quite settled at the moment. ICANN has a definition, the contracted parties have an additional definition, and those definitions align: that is malware, botnets, pharming, phishing and spam, where spam is a vehicle for those preceding four harms. I think just about everybody's agreed that that is the minimum set of harms that we would consider DNS abuse. I think there's room to argue about what else might be in that definition. But I don't think we need to do that right away, because I think there's lots of room to do lots of good work on those four identified harms; we can make real progress on those things without having to argue about the edges. And so I try and push away a bunch of those definitional debates, because they can slow us down from doing good work.
But a key piece that I think is also really important in some of these discussions, and that is often missed, is that abusive domain names come in sort of two flavors. They can be maliciously registered, very much like the example that Lucien just showed us, where evri-uk.vip was clearly registered with an intent to deceive. That would be a malicious registration. On the other side, we have compromised websites that are also used for these types of harm. So it's a benign website, it's a barbershop, their WordPress got hacked, someone installed a phishing campaign or a malware campaign on it, and it's being used for online harm. That is, in a way, DNS abuse. But the resolution is very different for a compromised versus a malicious domain. For malicious, there's virtually no risk to turning off the domain name at the registrar. If there's an existing website there, you very much want the host to help them clean it up, or the registrar or the website owner to clean it up, rather than acting at the DNS. You have to do a very careful balance of harms before you act at the DNS layer for a compromised website. It's a good chunk, you know, 25 to 45%, give or take, of malware and phishing websites that are a compromised website rather than a malicious domain name. But boy, if you're thinking about what the general public can do about DNS abuse, keeping your WordPress up to date and being careful about where you get your plugins is a very easy, concrete thing to do. Make sure your passwords are secure, keep your stuff up to date, and you'll reduce DNS abuse. Okay, so how do we understand the scale of this problem if we're going to talk about how it impacts our trust in the Internet? So there is basically the same mechanism to measure DNS abuse that's used across the board. It's very similar to what Lucien is doing at the DNSRF,
what ICANN is doing with their Domain Abuse Activity Reporting (DAAR) project, and we have our own project called Compass that we use to measure abuse as well. They all follow a very similar path, which is: you get a bunch of lists of bad domain names, also called block lists, you deduplicate them, you add them up, and then you compare them against the domains in the zone, or you add up the number of abusive domain names. There are some issues with this. Lists aren't made for mitigating abuse. They're really not made for measuring abuse; they're made for network blocking, primarily. And so they tend to have a very different tolerance for false positives. They don't remove compromised domains that have been cleaned up very reliably. And so they're not often fit for purpose, but they are the best source and opportunity we've got right now. The other bit about this, especially as it relates to trust in the Internet, is that counting domain names is a very poor substitute for measuring harm. You know, any one individual phishing website can really impact a lot of people, and that isn't captured in counting a single domain name. It doesn't measure the financial impact, the emotional impacts, things like that. I have never seen a good mechanism of doing that, of linking abuse as we can measure it to the harm it causes to people. If anybody has good ideas on how to do that, I would love to hear it. But it's just an inherent weakness in this sort of project. So let's go to some ballpark figures. I'm actually going to use not our own from our Compass project here. Our Compass project to measure abuse, which, I'll post the link in the chat when I'm done talking, we really optimized for accuracy in that project. We wanted to make sure that the abuse we're measuring was verifiable, and so we use a generally smaller data set.
But what I wanted to do here with this sort of ballpark figure was really see if we can put our arms around this problem as a whole. And ICANN does a pretty good job of that, I think. They collect data from a whole bunch of sources and give us some pretty high-level stats. So DAAR counts, for their most recent report from December, about 527,000 or 528,000 abusive domain names out of 219.2 million that they looked at, which is about 0.24%. So not 4%, or 2.4%: 0.24%. If you look at their data, they include spam in their reporting, and so 80% of that abuse is spam. And it's pretty hard to distinguish between generic spam and spam as a vehicle for phishing. So if we pull spam out from the DAAR numbers, that's gonna leave us with about 106,000 domains used for malware, phishing, and botnets that were discovered in December, or at least were in the December report (that might be for a previous month, doesn't matter). That's about 0.05% of the domains that DAAR's got. If we take these figures and apply them as ratios to all the domains that exist (there are about 360 million total domains registered; they're not all in DAAR, because most of the remaining ones are country-code ccTLDs), that would give us about 180,000 domains used for malware, phishing, and botnets out of 360 million. A couple of things to think about when we see that number: it's a lot of domains. It's a lot of new domains every month. It is a minuscule fraction of the total domains that exist. That's good news. The other good news is it's not such a crazy big number, I think. That number is a problem that I think we can make a real impact on, and we'll talk a little bit more later on how we're going to do that. And even, you know, a failure of all of this is that this is only domains that are discovered and reported. There's going to be more out there.
But I think even if this is wrong, by, you know, it's half of the total, it's a quarter of the total, I still don't think that changes the fundamental message that there's a lot of abuse out there, and it's not a good measure of harm, but this is a problem that I think we can make a difference on. Okay, now the second piece of this: what do we mean when we're talking about a trusted Internet? And who is doing that trusting? Because I think that makes a difference in what we're talking about. Are we talking about, like, people's trust in the infrastructure of the Internet? When they see DNS abuse, do they think all domain names are bad? Are they thinking about the protocols of DNS, you know, how data is transferred, you know, TCP/IP, or access to the Internet? Do you lose trust in it when your local ISP goes out?
I imagine I spelled identity correctly. I should review my slides more carefully. You know, the identity of the website we're dealing with, of the person on the other side of social media that we're dealing with, you know, is it the veracity of the content that we're engaging with? You know, do we lose trust when we feel deceived? Then how do we put DNS abuse in particular in the context of all these different sorts of types of trust in the Internet as a thing? And so, boy, I don't think this slide is right, and I'm gonna say right off the top, I think it's probably wrong. But this is just me mucking around, and I put this out there really to spur conversation about how we think about where the types of online harms that DNS abuse comprises exist within online harms and their impacts, and what that does to our trust in the Internet. So, boy, don't be outraged if you think something is in the wrong place. I think it's a valuable discussion to begin putting stuff in the right place. But what this slide is trying to do is measure the impact on society, and the financial impact, of these different types of harm. So in the bottom left, I have sort of generic spam, not spam as a vehicle for phishing. You know, generic spam, I think, generally has a pretty low financial and societal impact. I think most of us don't see too much of it in our inboxes every day; it's probably consuming resources at our mail service providers, but for most of us, it really isn't a material problem. You know, up at the very top of societal impact, we have child sexual abuse materials. They're devastating, they're terrible, you know, a clear problem that everybody recognizes. On the sort of really high end of the financial impact and societal impact, we've got things like ransomware, which are devastating. They're taking hospitals offline, you know, critical infrastructure offline, it's generating billions of dollars for cybercrime. It's clearly a real problem.
You know, some of the stuff we haven't talked about, you know, it's not DNS abuse, but I have in here blog spam. The rise of large language models and generative content is happening at such a pace that I don't think we've really appreciated what that's going to do to the Internet as a whole yet. You know, for example, I was speaking with someone this week whose company is trying to generate landing pages for basically every single industry in the world, and so used a large language model to produce content. They apparently have put more than a billion words online in the past two weeks. That's a quarter of all of Wikipedia, you know, in a week. And so what does it mean for us when the content on the Internet, you know, the majority of it, is just, you know, generated, and maybe not relevant, maybe not true? And so we're just in this thicket of content that doesn't answer our questions, doesn't generate anything for society. And then we have sort of the rest of the DNS abuse in here, which I think generally has a pretty high financial impact. You know, phishing can be really devastating. Botnets can bring businesses offline or distribute malware, but tend to have that sort of low impact on society that things like expression harms do, like terrorism content, things like that. And so how do those sorts of technical and financial things impact our trust in the Internet? You know, all online harms, I think, erode our trust. They make us skeptical as we're engaging in the Internet. Do these sort of technical harms do that in a different way? Do they erode our trust in the sort of infrastructure of the Internet, or the Internet itself, rather than the content on it? And then do regular people, users of the Internet, probably people outside this room (the room you're all in, not the one I'm in, it's just me here), think about those things in different ways? And I would argue, probably not.
I think probably most users of the Internet have no ability to distinguish between sort of content harm, what they're seeing, and, you know, the technical harms that they're seeing, the financial harms that they're seeing. To them, it's sort of cumulatively the Internet. So what can we do? And I apologize for taking quite too much time; I'll try and wrap this up pretty quickly. We need to understand the problem better. You know, take a look at our Compass project, take a look at ICANN's DAAR, take a look at the work of the DNSRF. All of these are insightful pictures into the scope of abuse. We can do things like new contractual obligations, which ICANN has just put in there. Here's something from you, Jonathan. Okay, I'll be quick. We can work on education, we can work on standards, we can work on improving our reactive processes for dealing with DNS abuse, projects like NetBeacon from the Institute. We can create proactive processes for identifying abuse before it's happening, and that's a really interesting space. And TL;DR, if I'm gonna wrap all of this up: you know, of course DNS abuse impacts our understanding of a trustworthy Internet. But I think, as a problem in context, it's not necessarily the biggest piece of the puzzle. But I do think we have in front of us a well-defined piece of the puzzle of trust on the Internet that we have the capability of making a difference on, and that to me is very heartening. And so I'll skip some of this. We're doing some stuff that is great work. Maybe I'll talk about it in a bit, because I've gone a bit long. I will stop sharing my screen and pass it back over to you, Jonathan.
Thanks, Graeme. I don't know if you heard me; your audio was starting to drop in and out a little bit, so hopefully your connection remains stable for the conversation. One of the things that you mentioned was you haven't seen any mechanism for measuring harm. Are there efforts that you're aware of to attempt to do that? The one thing that I have a vague memory of was coming out of the FTC, which was reports in, plus some kind of a multiplier based on what they thought, you know, the underreporting was. But I don't know where that number came from, and I don't know how reliable that was. Have you seen other efforts at looking at sort of the measure-of-harm component of this?
So I've seen, and I don't have any good examples in front of me, but it typically comes from law enforcement who say, you know, we've seen this number of issues, you know, crimes, we think the impact of those was this, and we're going to extrapolate from there to the size of the problem. I think those methods are probably dubious and just require a bit more work. No offense to any law enforcement in the room who thinks that their work on that is amazing.
I don't see anyone taking offense. So far, so good. So I guess my first question to both of you is that we see that there's a harm there, and Graeme very helpfully said that he thinks it's something that we can address, that it's an approachable harm. What is it you think we ought to be doing that we aren't today to improve the situation surrounding, I guess in particular, malicious registrations? Right. I mean, that's really the core of the conversation, because the compromised domains is a separate one that I will ask you about next. But what should we be doing to improve the situation around malicious registrations today?
I'll take that first. Yeah. Well, the reason we exist is that we're not just focusing on DNS abuse; we're looking at anything that can impact on the DNS. So content and other things, just whatever, really. We're looking at the data and letting the data talk to us. There's a problem with data. We have 86 fields that we're bringing in; we're combining them, we're normalizing them, but they're still not telling us the full picture. We're developing new ways of getting data, particularly around passive DNS. I don't want to get too technical here, but it's a way of looking at domain names in the traffic. And new suppliers of data are coming to us, because they're seeing this as a winning project. So there is a problem with the data, because the data providers, the detectors, the people who are sending data, the people who monetize data, are pushing the data out there, but nobody's evaluating those lists. So there's no feedback loop about that. So we're trying to introduce a feedback system to measure the fidelity of those feeds. There's word on the street that some of the feed providers are just making money out of the numbers of domains on their lists; domains that have been deregistered are still on some of the lists. So basically, some of the lists are good, and some of the lists are bad. So we've got to start measuring the lists, and we need more and more lists to look at. So.
Graeme, with no hats on. So how do we deal with malicious registrations? This is fun. I think the community has taken a really big step in recent history with the adoption of the new contractual obligations on malicious registrations. They come into effect, I think, in early April, and it'll be really interesting to see what impacts those have. We'll be measuring them and sharing that data with the community. But that's a great step. So prior to those amendments, there were no real enforceable obligations in registrar contracts to deal with these sorts of domain names, and now there will be, and so that I think is going to set a new floor. But the sort of fundamental problem to me is that the economics of the domain registration industry don't lend themselves well to strong proactive anti-abuse measures. And that's because domains are globally competitive and very thin margin, and the money you're spending on anti-abuse is money a competitor anywhere in the world isn't. And that's sort of the collective action problem that the industry has. And so how do we go about it? And this is the crux of the work that the Institute does, the DNS Abuse Institute (I'm not trying to introduce myself super properly): finding the places of friction and complexity in the ecosystem in dealing with abuse, and registrar self-interest, and things that we can go into. And so to me, if I'm thinking about malicious registrations, I think the lowest hanging fruit right now is going to be at the intersection of anti-fraud and abuse. I think a lot of malicious registrations, probably the vast majority, are registered with stolen credit cards, and registrars are gonna have a natural self-interest in reducing their fraud and their credit card chargebacks.
And being able to really understand the overlap between that fraud and that abuse, and encourage registrar's to look at it from that perspective, I think is going to have real good bang for our buck and reducing malicious registrations.
Thanks, Graham. And as you mentioned, the collective action problem has many layers to it, right? There's people that are more likely to participate than others. But there's also, I guess, the problem of real size differential between many of these parties, and their ability to participate varies as well. So I wonder if there's a role for the anti-abuse Institute, or ICANN itself, to play in providing tools that are usable by everyone somehow. So just because you're small, but well intentioned, you can become part of that collective action, whether it has to do with doing the kind of analysis you're describing, or the other thing that gets talked about quite a bit is a little bit of predictive analysis around domains. Based on trademark lists, there's lots of kinds of predictive analysis. So I'm curious whether you think there's room for tools there that help normalize the collective action.
I think there's a lot of room for tools in this space. If I'm going to toot our own horn very briefly, we run a service called NetBeacon, at netbeacon.org. It allows anybody to report abuse and DNS abuse, and it enriches that abuse report with useful information, standardizes it and sends it to the registrar. And so what that does, especially for the long tail of smaller registrars, is they get an abuse report that has just about all of the information they need to make a decision on that domain name, hopefully reducing their investigatory burden, which for a lot of the smaller ones, you know, would normally be high, and they may not have those tools or capabilities or experience. I think there's a lot of room for ICANN to work on education. It's something that we work on. I know others in the space are working on that. I think Theo Geurts from Realtime Register has done some really interesting presentations on the sort of open source tools that he's using to understand abuse on his own platform. And how do we begin to sort of democratize that or share that with the rest of the industry, especially when they may not have, you know, probably most registrars don't have a dedicated abuse team or, you know, abuse person. And so how do we begin to give them, you know, expertise, appropriate tools? Lots of room for work and discussion there.
One of the questions I had was about the blocklists. It seems like there's general agreement that they're not exactly fit for purpose, but there isn't an alternative. Is there an evolution to them being a better alternative? And I guess a subsidiary question to that is that I often hear from the contracted parties how they're overestimating abuse, but given the short duration of most sort of phishing attacks, it seems like most of these malicious domains are turned off, or parked, most of the time, and only turned on for very brief instances, you know, for a particular attack, specifically to stay off of these lists. And so, I mean, it seems there's ways that they could be under-reporting as well.
I feel like Lucien should come in first on lists.
Yeah. The lists have been, there's been data out there for a long time. Why some of the largest organizations in the world, like MIT and Microsoft, are not able to solve these problems is because the data needs to be shared. ICANN has had the data for a long time, and people have come to us because the DA has been seen to be serving the DNS industry. Meta itself has its own threat exchange, but it seems to be on-platform, and it seems to be about Meta. So there's a need to sort of bring the data outside into a mediated environment where competing and conflicting parties can come together. And rather than focusing on each other and attacking each other, because the problem is getting bigger, they can actually argue about the data, and the data is a safer thing to argue about. And then it becomes about the fidelity of those lists. And that still needs to be tested.
So, moving to Graham a little bit. You know, again, in the sort of, like, you know, areas of friction and complexity within this ecosystem, this is a key one. The people who generate lists are generally security companies; those lists are used for network blocking. Their economic incentives are to say they have the biggest list that blocks the most things, because that's what their primary customers want to hear. But for us to use them as an industry, what we want are accurate lists of domains that we can reliably take off the Internet, reducing our risk at the same time. And those list providers aren't really incented to remove, you know, false positives, clean domains, from those lists. And so I don't have a solution for this. I think Lucien is making some interesting suggestions, which is, let's get into a place of trust, talk about the data, and understand that more reliable data is better for everyone. But there's, like, market problems here that, to me, don't have an obvious solution.
Thanks, Graham. I want to open it up to the group as well. But the one other thing that I wanted to ask about, that you mentioned briefly, or at the top we mentioned, is this distinction between maliciously registered domains, in other words, where I go and register a domain for the purpose of doing harm, versus a compromised website, where there's just one deep link in it that's used as the place to be the farming site for your phishing attack, right? You know, where you're giving a deep link into somebody's, you know, home recipes website or something like that as the location for actually collecting the credit card information, etc. So that's an otherwise innocent site that's been compromised in a very specific way. And so the mitigation of that is generally going to be through hosting providers. And so I guess what I'm asking is, is there more we need to do to bring the hosting providers into this conversation, right? And one of the questions I have, and you may know the answer to, Graham, is what percentage of websites are hosted by the registrar with which the website is registered? As opposed to a completely separate one like Square or something like that? I mean, do we have enough of the hosting community already in the conversation because they're registrars who do both, or do we need to make another effort to make the hosters be a part of this conversation on mitigating the abuse?
I'll take that first. I think the hosting providers, this is it. I think Squarespace is now a registrar as well, but I think to start by having an audit of hosting providers, and Graham and I were talking about that at our last meeting, is a really challenging thing to do. There's no ICANN, there's no governance mechanism for hosting providers. And one of our missions is to try and audit the hosting providers and find out who's out there controlling the majority of the Internet. We know some of them. And some of them are appearing again and again, some of the bad ones, Duck DNS, I don't know if there are any people from there here, but you know, there are some that really need looking at. And we need to start by having a register of hosting providers; that's badly missing. And then who is actually managing or governing that, so that we can start to coordinate efforts with them.
There's a distinction to be drawn between a hosting provider and a reseller. And do resellers need to be brought into the conversation? I mean, I know you've got a lot of experience with that, coming from Tucows. Are they another level removed from the conversation that we're having, if they're in the reseller space? Graham?
So I'm a little bit less concerned about resellers. Mostly because a registrar can't push their contractual obligations onto their resellers and say, oh no, this is my reseller's; the contractual obligations they get from ICANN land on the registrar, regardless of their business model. And so they're still constrained within the ecosystem by the rules we already have in place. Which is not to say that having some of them as part of the conversation wouldn't be useful. But they're less urgent to me than what you were just saying, and Lucien was saying, about hosting companies. They're really not part of the discussion. I think there's maybe even, similar to the animosity around list providers, there is a bit of animosity, I think, between the domain registration industry and the hosting industry, and I don't have the stats on how much hosting registrars are doing themselves. It'd be very interesting to find out. I'm not sure how we go about solving that one and bringing them into the conversation; I think that's going to be quite an effort. We're going to have to work really hard to try and catch those flies with honey rather than vinegar. And what I mean by that is we're doing a lot of, like, this abuse is all your problem right now. And then they've been like, but you've been enabling all of this for, you know, 20 years, you can't all of a sudden, you know, turn around and be like this is on us. And so there's some messiness there. One of the things that we're working on for NetBeacon, in our abuse reporting service, that hopefully relatively shortly, we're working on it, is that anytime an abuse report comes in, regardless of whether it's malicious or compromised, we're going to send it to the owner of the IP address as well.
And that means that we can begin to try and disrupt abuse, especially malicious abuse, at the host and at the domain at the same time, and really disrupt it, because it's only moderately effective to do one or the other. I know that topDNS, which is an initiative from eco, is working on bringing the hosting industry in, as well as the i2Coalition out of the US; they're starting to engage in those conversations. So I see movement in this space, but I think there's a lot of work to do here.
Let me wander into the crowd here. I saw Jonathan had a hand up to ask a question. Let's get the audience engaged.
Thank you. And so I have a weird name. It's Jonathan, and Jonathan and I, every time we're on a call, I'll think that they're talking to me when they talk to him, or vice versa. So hi, my name is Jonathan Frakes. And I had the privilege of joining you today. I'm actually on the executive committee of the Registrar Stakeholder Group. I'm not talking in that capacity; we just really want to put a pin in the success in getting some DNS abuse amendments passed that are coming into effect, where we're going to see some really, hopefully, delightful changes happen. I want to commend the work of both the speakers and their organizations. Graham coming from the registrar space, and having people I know involved with the initiative that you're representing who have good backgrounds in the domain market industry, is very helpful. One of the things that we really struggle with commercially, I think this is one of the things that we struggle with commercially, is the consequence.
The consequences, I just lifted it up in anger. Other than that, there we go: the consequences of friendly fire when these lists are a little too liberal. I, right now, as I sit here today, am 30 days in on trying to get a name off of a list. That was a consequence of friendly fire. The domain name, da y.uk, it's a ccTLD. Nothing bad on it. But it got added to Sophos, and then it cascaded out into the rest of the pool. So all the ink is purple now. And the challenge is that there was nothing wrong with that domain, and there's nothing going on that's bad with it. I've attempted to get the name whitelisted with Sophos, and it's impossible; there is no way to correct that friendly fire. So what I have, I'm the customer in this case, it is my own personal domain, is just a terrible effect on me, and disruption to me as a domain owner. We as an industry have a lot of challenges when there's a domain compromise. We also have to deal with bad actors who are doing malicious work. But one thing that just doesn't come into the conversation at all is that we as registrars and an industry, and registrants, are affected by the consequences of friendly fire in these scenarios. And there must be, in that conversation, some form of appeal or remedy that can actually, you know, help make things correct for the actual registrant. I don't mind this problem, because I know that the work of all these people is really helping to take down bad guys and things. But I'm not a bad guy, and it wasn't doing anything bad. I just happen to have it forwarded by Cloudflare. They think, okay, that's a problem. They even, in their own material, say this is likely not a problematic domain, but we're going to flag it as phishing. And they have no consequence for that. Absolutely nothing. Just, you know, kill them all, let God sort them out. And I don't like that approach. Make sense? Thanks.
This is a passion project of mine, to actually create a feedback loop to start measuring that. And we're forming a guiding coalition of registrars, but also platforms and others, and also public safety and the likes of Cloudflare, to actually come together and talk about how to measure the fidelity of the lists, and some way for registrars, and we operate a small registrar ourselves in the UK, just because we eat our own dog food. We've written our own domain name registration platform; we have 50,000 domain names. I'm not sure, Graham, I'm quite with you on the complexity around the reseller. I think a lot of resellers own their registrars, practically; we've got a huge number of reseller stocking hours. And to involve those in the discussion is absolutely critical, because they're big hosters as well. But yes, we need to measure the feeds, we need to give some feedback about the feeds so that we can start that conversation and challenge those feeds. And obviously the next step then, when we're measuring it, is to develop systems of protest, and register objections, and to then validate those feed items. Thank you.
Any other questions from the audience? All right, I had dominated the Q&A portion. But we've run right up to the end of our time. So please join me in thanking Lucien and Graham for sharing their expertise with us on this very complicated problem.