[anti-abuse-wg] Notice: Fradulent RIPE ASNs

In message <20130121105243.04109468 at shane-desktop>, 
Shane Kerr <shane at time-travellers.org> wrote:

>It does not seem to me that merely recording reclaimed resources is
>really going to get to the heart of the transparency problem.

Well, it would be a good start.  Better than nothing.

As should be apparent, now, to anyone who seriously investigates the
report I made here recently, there are fraudsters on the Internet.
(DUH!)  And some of them have found, and clearly do find (present
tense) that RiRs are enormously easy marks.

Some might be inclined to rage against the various RiR staffs for this,
but not me.  I understand why hyper-vigilance against this sort of thing
is probably not the best way for RiRs to spend their limited resources.
(Nor is it particularly likely that they will.)

Still, there ought to be some way to making this particular sort of
crime ether less easy or else less attaractive.  Assuming that the
former is not really in the cards, I would suggest that more thought
be put into the latter.

I can't remember where anymore, but somewhere, a long time ago, I
read something about crime & punishment that basically said that
for crimes that are particularly easy to pull off, it can be easily
seen that those specific types of crimes will run rampant _unless_
the punishment for those few who get caught is made extremely harsh...
you know, so that anyone in their right mind would really have to
think twice before trying it, even in the odds are only one in a
hundred of ever actually getting caught.

Based on various situations, past and present, that I have brought
to light, in the ARIN region, and now in the RIPE region, although
I mean no offense to any RiR staff member(s), I have to say that from
where I am sitting it appears to me that defrauding an RiR sure looks
like it is as easy as pie, _and_ that the probability of ever even
getting caught is extremely small.  The implications of those facts
for any policy that seeks to deter such abuses is, in my mind at
least, self evident.  The punishment for this sort of hanky panky
should be severe, and a head or two on pikes would go a long way
towards reducing the likelihood of these events in the future.

Public naming and shaming of any and all parties involved should be
a part of that, in my opinion, and furthermore I think that a pro-
vision which explicitly allows this should be written into all RIPE
contracts from now on.... as in "If we catch you doing this, then
no, you DON'T get to hide behind any confidentiality provisions
within this contract that might otherwise apply."  (This would be
a good thing to add, going forward, but actually, depending on the
wording of existing contracts, that might not even be necessary,
i.e. in order for RIPE to be able to name and shame anybody who
has an existing contract with RIPR NCC _today_, because any fraud
on their part, or any failure... e.g. on the part of an LIR, to
properly vet the lower level entities they dole out resources to...
is, I would guess, a material breach of contract.  And a breach of
contract by the other party means, I think, that RIPE NCC is no
longer legally obliged to hold up its end of the contract...
specifically with respect to confidentiality of the other party.)

With respect to this fraudulent scheme I outted the other day, it
is possible that one or more LIRs were either behind it or at the
very least were happy to collude with the real perps in order to
make it possible... as long as they also go a cut of the profits
to be made out of this scheme.  (And make no mistake about it...
spamming is _highly_ profitable.)  Me personally?  I would like to
see the perps named and shamed, _and_ I'd also like to see any LIR
that didn't do its job... to properly vet applications for reasources 
according to established guidelines... or that actively colluded with
the real perps... named and shamed, publically, also.

To me, this is the absolute least that both prudence and an ordinary
sense of justice and fair play would demand.  But if it were up to me,
I would certainly go further... making criminal referrals, wherever
possible and filing civil suits for breach of contract (and the con-
cominant damage to RIPE NCC's reputation).

Of course, in my ideal universe, one could achieve much the same ends,
but much more efficiently, economically, and expediently simply by
revoking a up-front performance bond that all parties contracting
with RIPE NCC would be required to post before being allocated
resources.  (Having said that however, let me assure all that I _do_
understand that most probably a majority of all current RIPE members
would howl at even the suggestion of what I just said, and that thus,
it would never fly, politically, in practice.  Nontheless, that doesn't
mean it is a bad idea.  RIPE has resources which it loans out to other
parties to use for a time, and those resources can be damaged, or can
be made off with fradulently.  Don't they demand a credit card number
from you before you drive off in a rental car?)

>Perhaps something more like a couple of checkboxes on the complaint form
>which say:
>
>[ ] I wish this complaint to be public.
>  [ ] I wish my name to be included in the public report.

Color me flumoxed.

I _thought_ that we were talking about the (unfortunate) confidentiality
now being routinely and contractually provided to RIPE members... even,
apparently, utterly fictitious and fradulent ones... who make off with
resources, counter to current allocation policies, via fraud, deceit,
or artifice.  All of a sudden you seem to be worried about _my_ confi-
dentiality, or lack thereof, or forfiture thereof.

Allow me to be clear.  I never asked for, nor ever expected that anything
about my report... including but not limited to my name... would be held
in any sort of confidence.  Indeed quite the opposite.  Ever since I
found that big fat Romanian spam empire/cesspit I have been staying
awake at nights, trying to figure out how to get news of it publicised
and circulated even more widely than what I have so far been able to
accomplish on my own.  (And I _do_ hope that any reporting on this will
mention my name somewhere, in a favorable light, as the guy who discovered
this mess.)

I suspect that most folks making reports to RIPE about abusive/deceptive
violations of RIPE allocation policies, like me, will be only too happy
to have the information they report... and their names... trumpted on
every streetcorner.  In short, your suggested checkboxes are, I think,
utterly superfluous and unnecessary.

>This way we could have an opt-in public archive of all abuse reports
>that the RIPE NCC has received.

See above.

You have a solution in search of a problem.

Has _any_ person who has _ever_ reported any kind of fraud or "abuse"
to RIPE NCC _ever_ seriously desired _any_ anonymity and/or confidentialty
in connection with any such report?

I rather doubt it.

The people who need to hide in the shadows are the abusers... not the
public spirited samaritans who merely report their skulduggery.  Speaking
for myself, I can assure you that _I_ don't feel any need to hide.


Regards,
rfg