The safe, legal way to contact everyone is to publish in the commons. Establish prior art and do not claim intellectual property protections for the idea.
The most important thing is to raise this to the level of legislation and national policy, so courts are clear that uninvolved third parties, particularly non-profit operators of core Internet infrastructure, cannot be conscripted to the private benefit of companies like Sony.
In the short term, of course, donations to the legal defense fund always help:
Quad9 is a public-benefit not-for-profit. Our purpose is to improve privacy and security. What else did you have in mind?
Quad9 is special in that it's the only recursive resolver of any size that's not headquartered in the jurisdiction of the Northern District of California federal courts. All three others of the "big four" are, and Quad9 was until it moved to Switzerland so as to be bound by criminal privacy law, and to get out from under USG data-collection requirements.
But Quad9 is _not_ the only one being attacked by Sony. Sony has already won against Cloudflare in other venues, but that's a much easier target.
Quad9 doesn't sell hosting services to pirate sites, so has no connection with the alleged infringers. Which is the point of all this. Quad9 is being attacked _because_ it has no relationship with infringing parties. If Sony can establish a precedent that Quad9 can be forced to censor, then that precedent is, in principle, applicable to all parties. Firewall manufacturers. Operating system publishers. Wifi hotspot manufacturers. Open-source software authors. Etc.
If Quad9 were based in the US, it could just ignore the whole thing. But then, if Quad9 were based in the US, it wouldn't have happened in the first place, because any US court, particularly the US District Court for Northern California, which is the jurisdiction Google and Cloudflare are in, would have thrown it right out.
But Quad9 moved from that same jurisdiction in Northern California to Switzerland, and three days later, Sony attacked. Because of something called the Lugano Convention.
The Lugano Convention is a spectacularly ill-conceived treaty that allows plaintiffs to go jurisdiction-shopping in _any_ signatory country, even though it has no connection to either plaintiff or defendant, and then have the judgment enforced in _all_ signatory countries, even if it contradicts the national laws of those countries.
Unfortunately, Switzerland is a Lugano Convention signatory, as it Germany. So although Swiss law is clear that Quad9 is in the right, and that was actually just tested and upheld by the Swiss supreme court a couple of years ago, that doesn't matter, because the Lugano Convention takes precedence over national law.
Which is why people tend to get pretty upset about these kinds of treaties. The Trans-Pacific Partnership (TPP) was a similar sort of deal, which the US did _not_ sign, since it was so widely protested.
But, to get back to your specific question, if Quad9 were to just ignore this, Sony would go back to the court in Germany, and get some sort of finding that Quad9 was maliciously failing to comply, it would get damages, and it would request Swiss law enforcement to extract those damages from Quad9. Swiss law would not be able to protect Quad9, and Swiss LE would be obligated to act on Sony's behalf. At that point, Quad9 could only continue to exist by relocating its headquarters to a non-Lugano-Convention signatory country. When we evaluated national legal regimes for privacy protection, Switzerland was best, the Netherlands second-best, and Iceland third-best... All three are Lugano signatories, unfortunately. I'm not sure where we'd wind up, but it would be a huge blow for privacy.
Nope, Quad9 was not started by IBM. It was an internal project of PCH, started in 2014 in response first to European privacy regulators who were being lobbied by Google for a one-off exemption for 8.8.8.8 in the run-up to GDPR implementation; then in 2015 a number of cybersecurity organizations were contacting us to do another (we'd built several global recursive resolvers before, while nobody else had done more than one, so it was reasonable for people to be coming to us for more) that did malware/phishing/tracking blocking. Since if we did two separate ones, people would have to choose between privacy and security, we decided to just roll the two projects into one. Because it was public-facing, in 2016 we spun it out into its own separate non-profit originally called "CleanerDNS." From past experience, we knew that a memorable IP address was crucial. We were working with APNIC, and they got us a good v6 address, but then, depending on your mood, we were either sincerely flattered, or tortious interference happened, and so we had to try for other of the other easy-to-remember ones. My friend Jeff Jonas was, at that time, an SVP at IBM, and stepped up and got us 9.9.9.0/24. That process started in July of 2017 and IBM's sponsorship wasn't publicly announced until November of 2017.
Hi. I'm on the board of the Quad9 Foundation, if anyone has any questions about all this. But, by and large, the folks commenting in this thread are saying about what I would: when Sony goes after the DNS, AND NOT the site hosting what they say is infringing, it gives you a pretty clear picture of their goals.
Hi. I'm with Packet Clearing House, which @elp mentioned. I would second all of their technical advice, but note that PCH is a public-benefit non-profit, so exists to provide service at no cost to governments (ccTLDs) and critical infrastructure operators (mostly IXPs and CERTs) but, as required by the IRS, charges market rate to for-profit private-benefit organizations.
A few additional notes:
- You should keep what's un-politically-correctly generally referred to as a "hidden master" for your zone data on a machine that's somewhere that won't be targeted by a DDoS that's aimed at you or your ISP, and have an ACL that only permits zone transfers to your authorized secondary authoritative servers.
- You should probably get a few other organizations to act as public-facing authoritative servers for you, so all your authoritatives don't share any avoidable common failure modes. Different people administering them, different technology stacks on different hardware in different places.
- For servers you run, consider running DNSdist in front of them. It's a DNS load balancer which has very efficient internal caching, and which will allow you to answer a lot more queries per core than a full-fledged nameserver would. Run it in front, even on the same machine, to get more bang for your buck.
- A high TTL will indeed help a lot with DDoS against your nameservers (since everyone will cache answers rather than being dependent on getting a live connection to your nameservers. But it will also make you less nimble in responding to a DDoS against your actual content servers, since you won't be able to move them quickly to a different provider. I tend to favor high TTLs, but reasonable people support both sides of that argument.
I'm on the board of directors. If we were going to start blocking anything, I'd know. There are two domain names blocked by legal order in Germany, neither of them actually hosting pirated content. A whole lot of Internet and free-speech non-profits are helping us fight that. We'll see what happens once the German courts have made up their minds and the dust has cleared. This doesn't affect anyone outside Germany, and it doesn't prevent anyone from getting to those two domains. So, probably not worth having a heart-attack over, unless you're concerned with the state of the German legal system, rather than access to pirated music.
They went after Quad9 (and not Google, Cisco, and Cloudflare) because Google, Cisco, and Cloudflare are all still hiding behind the Northern California District Court, where there are no consequences for privacy violations. And the US isn't a signatory to the Lugano Convention, whereas Switzerland is. Sony began this attack just a few days after Quad9 re-domiciled to Switzerland. An unexpected and unfortunate cost of having a binding privacy policy. I gave a talk about this at the last DEF CON:
Nothing has yet been proposed which is technically possible to comply with, to the best of our knowledge. There has been no mechanism proposed whereby we could be in compliance, nor has anyone proposed a way of meeting the very substantial cost of making it happen. Nor has anyone yet addressed issues of proportionality, which I gather are central to this part of German law. Nor, as a public-benefit foundation, is it even legal for us to convert resources from the public benefit to Sony's private benefit, and that hasn't yet been addressed. So it is, for many reasons, very premature to be talking about compliance with the injunction.
For now, there's the filing of objection in the Hamburg court, then the appeal to a superior court... There are many steps here, and the first have barely been taken.
https://i.pinimg.com/originals/c0/fd/c8/c0fdc8612e07d7562b25...