NNSquad - Network Neutrality Squad
[ NNSquad ] Re: Comcast files "recommended practices" draft RFC with IETF for DNS Redirection
I view these queries by David as entirely legitimate, not a troll, and I encourage continued discussion of related issues.

--Lauren--
NNSquad Moderator

- - -

On 07/10 13:22, David P. Reed wrote:
> Thank you for answering my questions in some detail. Your answers don't alleviate my concerns, but my investigation of OpenDNS's web site did not provide answers to some of the more troubling concerns about aspects of your business.
>
> I will share some of my remaining concerns, which surround some of the more clever and non-standard aspects of your service.
>
> 1. Since you apparently have significant investors and also have a business model based on "free" service and the implication of high reliability and a fair number of employees to be paid, one wonders where the ROI comes from. Your site doesn't explain this, and several of the features pose significant concerns. In your mail below, you suggest that you do not record or use any of the data that you capture about customers' DNS usage, and you never will. How, then, do your investors intend to make money? I am skeptical of implications of eleemosynary purity. And the following from your Privacy Policy would seem to contradict this:
>
>> Affiliated Businesses
>> We are affiliated with a variety of businesses and work closely with them in order to provide our services to users. We will only share personal information with affiliates to the extent that is necessary for such affiliates to provide the services. For example, when a website visitor searches on OpenDNS, the IP address and query are shared with OpenDNS's advertising partners. We require our affiliates to provide the same level of privacy protection that we do and they do not have the right to share or use personal information for any purpose other than for an authorized transaction. Some of our affiliates may be located outside of your home country; by using OpenDNS's websites, you consent to the transfer of such information to them.
>
> 2. Your claim is that you provide protection against content types and so forth. Yet you do this at the DNS level, not at the content-addressing and naming layer. What this means is that "adult" content on a website can cause failures to reach, for example, a non-HTTP service that is intended ONLY to accept data that happens to be hosted in the same DNS domain as some adult content. How do you explain to your customers this "overbroad" protection associated with "host names" rather than websites? All of your documentation focuses on "websites", which is fundamentally confusing your customers as to the actual technical impact. Regarding this "overbroadness" there is a less intrusive solution: You could have offered a web-proxy service, rather than a DNS service, which targets only web site lookups rather than all DNS lookups. Such a solution would have perhaps been slightly more complex to implement, but would have had a variety of benefits and far fewer downsides. I would recommend it.
>
> 3. There are deep questions about how your policies of what sites are blocked are determined. Controversial political issues such as "gay marriage" and the Armenian mass killings or discussions that target certain religious believers are not easily decided, yet your company puts itself in the position of making decisions based on these matters. This puts your company in a legal position where it must take on liability. Does it take this liability seriously? When do you disclose your decisions to customers? How?
>
> - David
>
> On 07/10/2009 11:49 AM, David Ulevitch wrote:
>> Despite what appears to be a troll, I'll reply:
>>
>> 1. We're the safest DNS option around. We're the only DNS service in existence blocking the 0-day MS vulnerability ( http://voices.washingtonpost.com/securityfix/2009/07/microsoft_internet_explorer_ex.html?wprss=securityfix ) and we were the only DNS service that protected users with the Conficker A/B worms from having their infected computers phone home the botnet C&C. This is in addition to all the other security measures we've placed in the DNS. It's also worth noting that outside of DJBDNS (DNS software for workstations) and PowerDNS (a niche DNS software) we were the only major DNS provider on the entire Internet, including ALL major ISPs, that was never vulnerable to the Kaminsky attack of last year. Unlike any other DNS service or provider in the world, we let our users twiddle the knobs and buttons to get the DNS experience they want. We don't log and sell their data, or anything like that.
>>
>> 2. Of course people Opt-In to use OpenDNS. We deliberately don't work with ISPs. I suggest you try us out for yourself and see. Or if you're too lazy, just use google to see what folks say about us. The benefit of having so many users is that a large percentage of them blog and tweet about us. You'll see the positive reviews dramatically outweigh the negative reviews.
>>
>> As an aside, some of our users do turn off the nxdomain redirection service, and still use us; and that's completely fine. It's my goal to give users the ability to control their DNS experience as they see fit. I'm not sure how you missed that as you seem like a fairly smart dude.
>>
>> But like I said at the top, I think this was a troll, so this is my one and only "bite." :-)
>>
>> HAND,
>> David
>>
>> On Jul 9, 2009, at 6:05 PM, David P. Reed wrote:
>>
>>> Mr. Ulevitch - I suspect "spin":
>>>
>>> 1. Please explain the odd meaning of the word "safer" implied by your statement. If the FTC were to explore whether there is a true "safety" benefit for people, please explain the risk implied by getting an error message from a browser that the site named does not exist?
>>>
>>> 2. And for that matter, I am not aware of 12 million people opting "in" to OpenDNS via a legally meaningful customer choice selection where the "benefit" of having names resolved to non-existent sites is explained. It would be misleading to make the statement you make below if they were "slammed" by ISPs or other companies without their explicit consent beforehand. Your case would be reasonable if indeed you have records of 12 million individual names who will indeed agree that they chose to use OpenDNS as a matter of free positive action. I doubt you can produce an auditable list of such names that one can contact to verify your claim, but feel free to produce one.
>>>
>>> On 07/09/2009 07:12 PM, David Ulevitch wrote:
>>>> I can't speak for the ISPs' motivations, but you're right that they are probably driven by profits (though I'd argue they are going to be getting short-term profits at the expense of long-term unhappy customers) but I will point out that there are lots of legitimate reasons people want to do DNS error redirection. 12 million + people have opted to use the services of my company, OpenDNS, to make their internet safer and more reliable. That's why I was willing to lend a few thoughts to the IETF document.
>>>>
>>>> -David
>>>>
>>>> On Jul 9, 2009, at 2:06 PM, David P. Reed wrote:
>>>>
>>>>> http://tools.ietf.org/html/draft-livingood-dns-redirect-00
>>>>>
>>>>> I note that this draft RFC proposes practices that routinely return *valid* responses to erroneous DNS lookups, and encourage an opt-out policy rather than an opt-in policy.
>>>>>
>>>>> The sole justification is that the default way that a browser such as Firefox or IE would present an error message is inadequate for users, thus an ISP should take matters into its own hands to fix that cosmetic problem, rather than asking the browser vendors to do a better job!
>>>>>
>>>>> And the side effects identified do not include the impact on http requests not generated by typing into web browsers, but instead used as part of "web 2.0" service apis and other uses of port 80 that do not arise from end users typing into the url bar of their browser.
>>>>>
>>>>> One might ask why the sole justification given for this misuse of DNS to patch an application weakness is the only one?
>>>>>
>>>>> And even more so, why this is such an urgent problem that ISPs must fix it via a flawed and risky solution, rather than the makers of browsers fixing it in the most logical place?
>>>>>
>>>>> The potential to disrupt non web-browser features is noted in the "draft RFC", but instead of a balanced analysis of benefits and costs to other uses, the draft is silent. In fact, the draft refers to this as "enhanced" functionality.
>>>>>
>>>>> I expect the wiser heads at the IETF to prevail.... This is a solution to a non-existent "problem", with bad side effects.
>>>>>
>>>>> While this is not exactly the same as directing a misdialed phone call to call a Caribbean phone company number with the consequent and unavoidable billing charge to the user, it seems very close to that sort of thing - a surprise to all application developers, and a modification to the expected semantics of directory lookup.
>>>>>
>>>>> [ I agree with David. If IETF goes along with this proposal, there is something very rotten in Denmark. What's really amusing about the referenced document though is that for all its verbiage in which it tries to establish a "need" for such DNS redirect services -- mostly focused on highly questionable assumptions about malware protection and legal mandates -- it fails to mention the primary reason that ISPs implement DNS redirects.
>>>>>
>>>>> This is of course use of such DNS diversion services to create profit centers, by shunting users to ISP-affiliated search engines and affiliated ad delivery services, attempting to monetize users' interactions with the broader Internet by capturing low-level transactional communications to which the ISP has privileged access.
>>>>>
>>>>> -- Lauren Weinstein
>>>>> NNSquad Moderator ]
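The thread turns on resolvers that answer a lookup for a nonexistent name with a valid A record instead of NXDOMAIN. The script below is an added example, not code from the list or from any of the parties: it asks the resolver you name for a random label under the reserved .example TLD (assumed never to exist) and classifies the reply as a standard NXDOMAIN or as a synthesized "redirected" answer, which is what an application developer would check before trusting a resolver's error semantics. The resolver address is whatever you pass to `probe()`; the wire-format builder and parser are minimal and handle only A records and name compression.

```python
import random
import socket
import struct
def build_query(name, txid=0x1234):
    # Standard recursive A/IN query in wire format: header, QNAME labels, QTYPE, QCLASS.
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def skip_name(msg, off):
    # Return the offset just past a (possibly compressed) name starting at `off`.
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies two bytes and ends the name
            return off + 2
        off += 1 + length

def parse_response(msg):
    # Return (rcode, list of A-record addresses) from a DNS response message.
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE/QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x0F, addrs

def classify(rcode, addrs):
    # RFC 1035: a nonexistent name yields RCODE 3 with no answers; RCODE 0 plus an A record is synthesized.
    if rcode == 3 and not addrs:
        return "nxdomain"
    if rcode == 0 and addrs:
        return "redirected"
    return "other"

def probe(resolver, timeout=3.0):
    # Query a random 16-letter label under the reserved .example TLD (assumed never to exist).
    name = "".join(random.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(16)) + ".example"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver, 53))
        data, _ = sock.recvfrom(512)
    return name, classify(*parse_response(data))
```

Running `probe("192.0.2.1")` against a resolver of your choice returns the probed name and one of `nxdomain`, `redirected` or `other`; a resolver that honours an opt-out should flip from `redirected` to `nxdomain` once the preference is set.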