This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] Verifiability (was: WHOIS (AS204224))
Jeffrey Race
jrace at attglobal.net
Tue Nov 3 03:15:36 CET 2015
This is trivially and virtually costlessly done in an automated way, taking about a day of a good programmer's time. Thereafter zero/minimal maintenance except for 'exception' followups.

One informs registrants that CONTINUOUSLY working contact modes (e-mail, fax, phone, postal, say at least three of four) are mandatory to avoid suspension/rescission.

Then one automates a routine to transmit tokenized letters/faxes/calls/e-mails on a periodic but random basis, with the covering message stating that the token must be returned on a website within x days according to the terms of registration.

If sufficient tokens do not appear, suspension occurs automatically, just as if you don't pay your credit card bill or pay your phone bill.

This is easy stuff.

Jeffrey Race

On Mon, 2 Nov 2015 23:50:25 +0100, Sander Steffann wrote:

>Hi Roland,
>
>>>> The issue isn't the announcement of out-of-region IP space. The issue is the self-evidently fraudulent nature of the registration of, and the WHOIS record for, AS204224.
>>>
>>> Again that lousy "self-evidently" argument. Please don't use that, it is often used by people who don't have any better arguments and want to fool the casual reader into agreeing with them without thinking. Real data please.
>>
>> Here is the contact data for AS204224:
>>
>> person: Boris Soloviev
>> address: 192284, city Sankt-Peterburg, av.Kosmonavtov 47, k.2B
>> phone: +7-812-3630014
>> nic-hdl: BS8826-RIPE
>> mnt-by: CJSCMMS-MNT
>> created: 2015-07-21T17:43:59Z
>> last-modified: 2015-07-21T17:43:59Z
>> source: RIPE
>>
>> Someone needs to CALL the phone number listed there and simply ask if Mr. Soloviev is available. Once he is on the line, someone needs to ask if he even works for Mashzavod Marketing Services, and if so, whether or not he or his company requested an AS from RIPE NCC in early July.
>
>The spammer putting in a fake/temporary/etc mobile or VoIP number there is easy, and the person answering the phone would just confirm everything. If you want to do real verification then you'd have to start from an independent source and work your way down to the person in the RIPE DB. And even then you would have only verified that this person works at that company, not that the person is actually authorised to make decisions on requesting ASNs for the company. So it could still be a fake registration. It would make it harder though to fake stuff.
>
>> I would do it myself, but I don't speak Russian. (And I suspect that there is no firm requirement that contact persons listed in RIPE WHOIS records be even minimally proficient in English.)
>
>The ASNs were requested through a sponsoring LIR. They are the one that should do the verification bit. The contractual link is RIPE NCC to LIR, and LIR to end-user. It might be that the LIR is a victim as well or it may be that the LIR is an accomplice. Difficult to tell.
>
>For your phone verification system to work the RIPE NCC would have to ignore the LIR and the data provided by the LIR and trace down the contacts starting at an independent source that can not be faked by the LIR or its customer.
>
>>> How do you know that they don't have the right to announce those addresses? Is it unallocated space? In that case it's easy.
>>
>> It _is_ unallocated (bogon) space in this case, so yes, it is easy.
>
>Network operators should be filtering better on announced prefixes anyway. It's always frustrating to see so many are still letting bad routes through (plug: https://www.routingmanifesto.org/manrs/)
>
>>> Maybe suspicious with hindsight. Nothing that RIPE NCC could/should have acted on when the request was made.
>>
>> I disagree.
>>
>> As noted above, I believe that a simple phone verification system, much like the one already used by Google Voice, by CraigsList, by credit card companies, and by countless other businesses would have prevented what appears to be a clear-cut case of identity fraud.
>
>It's certainly something we should think about. I'm just thinking that using the phone number from the RIPE DB doesn't prove anything as the spammer will provide that data for themselves. Any ideas on how to make sure we get a valid phone number that belongs to the company/organisation/etc that the resources are being assigned to?
>
>> (In this country, everyone is told from an early age that they ought to be honest. But people still do lock up their bicycles anyway.)
>
>You don't have to tell a Dutchman that ;)
>
>>> The RIPE Address Policy Working groups are where THE DECISIONS are made. It uses the Policy Development Process to reach those DECISIONS in an open and transparent way. If you don't care about the process: fine. But if you want to change policies then that's how you do it.
>>
>> I have only learned/realized, during the course of this discussion, that what I was suggesting (phone verification of the validity of new WHOIS records) might represent a new policy. And quite frankly, I am stunned, amazed, and appalled to learn that existing RIPE policy does not, apparently, already mandate that RIPE NCC should do at least _something_ to verify the accuracy of WHOIS records.
>
>We have already improved quite a lot. Until https://www.ripe.net/participate/policies/proposals/2007-01 there was no link between the end user and the RIPE NCC at all for independent resources (ASN, PI).
>
>>>> Or were you trying, in a back-handed sort of way, to tell me that the verification of phone and address parts of RIPE WHOIS records isn't being done because it wasn't even ever considered as being either necessary or useful enough to even insert the idea into the front end of the meat grinder known as "The Policy Development Process" ?
>>>
>>> Policy usually doesn't contain details like that explicitly. It defines that registration data has to be up-to-date, and the implementation is done by RIPE NCC.
>>
>> I take the strongest possible exception to your characterization of WHOIS data accuracy as a mere "detail".
>
>My apologies. I didn't mean to imply that accuracy of the RIPE DB is a mere detail. That accuracy has been the reason behind quite a few policies! I meant to say that policy doesn't contain implementation details. The way a policy is implemented is left to the RIPE NCC. The policy just says that contact information has to be up to date.
>
>> In the case of street addresses, it is also simple. RIPE NCC could ask either UPS, or any one of the myriad companies that are in business exactly and only to supply other parties with software and/or services to check the legitimacy and accuracy of postal addresses.
>
>I'm just wondering what the existence of a postal address (or a phone number) actually proves. I could provide some random address in Amsterdam and a disposable VoIP phone number. They would be real, but they wouldn't actually prove anything about who is requesting resources.
>
>But you are right: we shouldn't tolerate completely bogus information.
>
>> And you'll have to excuse me for saying so, but this nonsense you raise about "political instability" is just that, nonsense.
>
>I am more thinking about e.g. business records. I have been told that in regions of Ukraine both the Ukraine government and the Russian government are claiming authority on chamber of commerce stuff. And I have no idea who is authoritative on business registration in different regions in Syria.
>
>> Are people and entities to whom RIPE resources have been given required to have a working phone number or not? Are all of the phone lines down in either Ukraine or Syria? And if they are, if these people don't even have working telephones, then what the hell do they need the Internet for?? It would seem that they have bigger problems to worry about. Should we worry also that the penguins in Antarctica won't be able to obtain RIPE number resources because they also don't have working phones?
>
>Don't make this into a ridiculous argument please. I am very serious. Having a working phone number for a short period of time doesn't really prove anything. Accepting bogus phone numbers is not good, but we also shouldn't attach too much value to having a valid phone number.
>
>What needs to be verified is the entity requesting resources, and to determine if a company or person exists and who is authorised to request resources for that entity are the difficult bits.
>
>> You have thoughtfully replied, for which I thank you. I believe that I have done likewise.
>
>You have! Thank you for that. I am glad we can have a serious discussion about this. I still see many more problems than you see, but let's see how we can resolve those.
>
>> But at the very last minute you have elected to throw the ultimate spanner (or as we here say, monkey wrench) into the works, i.e. "privacy". (And you'll have to excuse me, but I cannot help but think that you did so in order to derail any progress on WHOIS accuracy.)
>
>Wow. Stop it right there! I was enjoying having a good discussion with you. Now don't start ruining it by making wild accusations.
>
>> Is "privacy" actually a consideration when discussing the accuracy (or lack thereof) of RIPE WHOIS records? If so, when exactly did THAT happen?
>
>RIPE NCC has to comply with data protection laws.
>
>> Are we going to wake up one morning in the very near future and find that the RIPE WHOIS data base, like the domain name WHOIS data base before it, has fallen victim to the religious fervor and zealotry of the "privacy" lobby, and that most RIPE WHOIS records, particularly ones behind which lurk criminal activities, are masked and concealed behind dubious "services" which cloak the true identity of the true registrant?
>
>I personally think that someone holding resources should at least be identifiable in the DB, and as far as I know that is still the case for the RIPE DB. If you look up my data (SJMS1-RIPE) you'll have my home address, home and mobile phone numbers, private email address etc. I look at this from a network operator's point of view, and I want people to be able to reach me in case something goes wrong. I don't have a problem with that but I am not sure how much of that we are legally allowed to require from people requesting resources.
>
>> Is this kind of ludicrous and counter-productive "privacy" already a stated RIPE policy goal?
>
>Nope, just the law protecting information about individuals. I'll leave the details to the RIPE NCC lawyers because IANAL etc.
>
>Cheers,
>Sander
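
The tokenized contact check described at the top of this message, sketched as an added example (not code from the thread or from the RIPE NCC). The 14-day window, the 60 to 120 day re-check interval and all class and function names are assumptions; a returned token shows only that a contact mode is reachable, not who is behind it.

```python
import hashlib
import hmac
import secrets
from datetime import timedelta

CHANNELS = ("email", "fax", "phone", "postal")  # the four contact modes named in the post
REQUIRED = 3        # "at least three of four"
RESPONSE_DAYS = 14  # the post's "x days"; 14 is an assumed value


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


class VerificationRound:
    """One round of token challenges for one registrant (hypothetical model)."""

    def __init__(self, registrant, now):
        self.registrant = registrant
        self.deadline = now + timedelta(days=RESPONSE_DAYS)
        self.pending = {}      # channel -> SHA-256 of the token sent over it
        self.confirmed = set()

    def issue(self):
        """Create one random token per channel; keep only hashes server-side."""
        tokens = {ch: secrets.token_urlsafe(16) for ch in CHANNELS}
        self.pending = {ch: _digest(t) for ch, t in tokens.items()}
        return tokens          # handed to the mail/fax/call/letter senders

    def redeem(self, token, now):
        """Website handler: accept a token once, and only before the deadline."""
        if now > self.deadline:
            return False
        d = _digest(token)
        for ch, stored in list(self.pending.items()):
            if hmac.compare_digest(d, stored):
                del self.pending[ch]   # single use
                self.confirmed.add(ch)
                return True
        return False

    def status(self, now):
        if len(self.confirmed) >= REQUIRED:
            return "verified"
        return "suspend" if now > self.deadline else "waiting"


def next_round(now, rng=secrets.SystemRandom()):
    """'Periodic but random': schedule the next round 60 to 120 days out (assumed)."""
    return now + timedelta(days=rng.randint(60, 120))
```
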