[anti-abuse-wg] WHOIS (AS204224)

In message <31D31283-06BF-40D7-AFDF-6BED4B11961F at steffann.nl>, 
Sander Steffann <sander at steffann.nl> wrote:

>> Someone needs to CALL the phone number listed there and simply ask if
>> Mr. Soloviev is available.  Once he is on the line, someone needs to ask
>> if he even works for Mashzavod Marketing Services, and if so, whether or
>> not he or his company requested an AS from RIPE NCC in early July.
>
>The spammer putting in a fake/temporary/etc mobile of VoIP number there
>is easy, and the person answering the phone would just confirm
>everything.

As a *general* matter, yes.  A bad actor could IN GENERAL put his own
cell number into the WHOIS record, and by so doing, could, in theory
at least, utterly foil _simple_ attempts to learn his true identity...
at least if he used a so-called "unlisted" telephone number that could
not be looked up in a public data base.  (Do you folks in Europe even
still have such things as both "listed" and "unlisted" phone numbers
anymore?)

But we weren't discussing the problem IN GENERAL.  Rather, we were
discussing the specific case of AS204224 and the specific contact
phone number that appears in its RIPE WHOIS record, i.e. +7-812-3630014.

In this specific case, all one has to do is to google that phone
number.  When you do, you'll see that this number isn't by any means
just some miscreant's anonymous cell number that was only issued this
past July, when the fradulent records for AS204224 were created.  If
it were, then there would be few if any google search results.  But
that's not what we see.

Rather, in this specific case you get around 255 different google
search results for that number, many of them dating back years, and
all of them from web pages that make specific reference to Mashzavod
Marketing Service.  In short, +7-812-3630014 *is* the actual phone
number of the *actual* Mashzavod Marketing Service company.  Nothing
could be more clear.

Furthermore, one of the hits you get from a google search on that
phone number even gives the domain name of the actual company's web
site, i.e. www.zaomms.ru.  Looking at that web site (in Google Translate)
and simply going to the "Contacts" page, we find not only a perfect
match for the phone number (+7-812-3630014) but also (translated) the
name of the head of the company, Boris A. Solovyov, which also happens
to be a perfect match for what is in the WHOIS record for AS204224.

This is a lot like checking that forward and reverse DNS for a given
IP address match.  It is easy to do, and in this case, everything
checks out completely.  Everything is a perfect match.

That leaves us with only a few possibilities:

1)  The actual 16-year-old oil & gas equipment company Mashzavod Marketing
Service itself actually _did_ obtain a new AS number from RIPE NCC this
past July, and the company itself, whether by mistake/accident or due to
actual malevolent intent, _did_ itself actually start announcing routes
to several /19 bogons. (The bogons in question just happen to be in APNIC
space, but that fact is not at all important.)

2)  The actual 16-year-old oil & gas equipment company Mashzavod Marketing
Service itself actually _did_ obtain a new AS number from RIPE NCC this 
past July, but then VERY SHORTLY thereafter, SOMEONE ELSE started using
that AS number to announce a bunch of bogon routes, for reason or reasons
unknown (but most probably for spamming, or something else even more evil).

3)  The actual 16-year-old oil & gas equipment company Mashzavod Marketing
Service is a victim of identity theft.  Either someone outside who is not
now and who never has been associated with the company, or else someone
on the inside, who does not and did not have any permission to do so,
asked RIPE NCC for a new AS number in July, and then programmed some
router somewhere to start announcing various /19 bogon routes, using
that new AS number, very shortly thereafter.  (If this is what in fact
happened, then it is almost certainly malevolent and intentional, *not*
merely a "fat finger" accident.)

Possibility #2, is absurd on the face of it.  We can dismiss that one
out of hand.  That leaves only #1 and #3.

We can easily distinguish between #1 and #3 by calling the company,
asking to speak to the person who is, after all, *THE* listed and
official contact for the company's RIPE-registered AS number, i.e.
Mr. Boris A. Solovyov, who is Director of the company, as confirmed
by the company's own current corporate web site.

If Mr. Solovyov is unavailable and elects to never retun phone
messages left for him at the company after a reasonable time, say,
one week, then I would pose the question:  What is the bloody point
of insisting on having phone numbers into the RIPE WHOIS records anyway?

If on the other hand, Mr. Solovyov _can_ be reached, and if he _can_
be communicated with (in some mutually understood language), then he
can simply be asked if he requested a new RIPE AS number in July.  If
he denies having done so, then that will effectively confirm what I,
for one, already believe to be either obvious or, at the very least,
far more likely than not, i.e. that Mr. Solovyov's company has been
the victim of identity theft, perhaps even by a company insider.

Of course, on the other hand, in the unlikely event that Mr. Solovyov
asserts that yes, indeed, his company *did* request a new AS number
from RIPE in July, then the person speaking to him, although by no means
having any obligation to do so, could, in the public interest, ask
Mr. Solovyov an entirely reasonable follow-up question, i.e. "Well,
if that _is_ your AS, were you aware of the fact that it is announcing
a bunch of bogons?"  (Of course, that question should most definitely
*not* be asked with an accusatory tone, but rather with a helpful one.
Perhaps these bogon announcements are in fact the result of a simple
fat-finger mistake, or perhaps even a small misunderstanding about the
normative rules of behavior and etiquette for RIPE members.  In such
cases, whoever makes the phone call could perhaps asist Mr. Solovyov's
network engineer to sort out the problem.)

>If you want to do real verification then you'd have to start
>from an independent source and work your way down to the person in the
>RIPE DB. And even then you would have only verified that this person
>works at that company, not that the person is actually authorised to
>make decisions on requesting ASNs for the company. So it could still be
>a fake registration. It would make it harder though to fake stuff.

I agree with all these points.

The old saying is "The best is the enemy of the good".  Validation and/or
verification of RIPE WHOIS data can be improved, even though any system
which attempts to do so most probably cannot be made foolproof.

And I emphasize again that I *do not* propose for daily or routine use
anything even remotely like the manual, labor-intensive googling process
I have described above for the day-to-day validation of RIPE WHOIS data.
That would be absurd.  In this day and age, nobody in their right mind
would seriously propose *any* process involving *any* manual steps for
the routine processing of large amounts of data.  This is what we have
computers for!  But fully automated phone verification systems exist
and have been in practical day-to-day use by a number of companies for
many years already.  Likeiwse, the APIs made available from various
service bureau type companies that assist the mailing industry can be
used in a totally automated fasion to validate at least the form and
content of mailing address records, if not actually their semantic
validity for the context in which they are used.

>The ASNs were requested through a sponsoring LIR. They are the one that
>should do the verification bit.

OK.

It seems less efficient, and also less pragmatically possible to delegate
out the responsibility for address & phone validation to all of the various
individual LIRs than it would be to centralize this function at RIPE NCC,
but if that's the only way it could get done, then that's the way it should
get done.

I'm a pragmatist and I'd be happy to see _anyone_ performing proper
validation on _all_ RIPE WHOIS records.  I doubt that all LIRs are
technically competent enough to perform this function reliably, and
if responsibility for getting it done were ever formally assigned
to them, I suspect that many LIRs wuld be more than happy to delegate
this responsibility back to RIPE NCC, which has much better technical
capabilities, but perhaps I'm wrong about that.  As I say, I don't
care who does it as long as it gets done.  Right now that doesn't
seem to be happening, at least not with any consistancy.

>The contractual link is RIPE NCC to LIR,
>and LIR to end-user. It might be that the LIR is a victim as well or it
>may be that the LIR is an accomplice. Difficult to tell.

Yet another reason to assign the responsibility to RIPE NCC, which can
do the job in a consistant, even-handed, and across-the-board manner,
rather than foisting the responsibility down onto the LIRs.

>For your phone verification system to work the RIPE NCC would have to
>ignore the LIR and the data provided by the LIR and trace down the
>contacts starting at an independent source that can not be faked by the
>LIR or its customer.

No.  You're still thinking in terms of constructing an iron-clad and
absolutely foolproof system that utterly prevents all fraud.  I'm
suggesting a system with vastly less ambitious goals, one which would
simply check that the voice phone number for a given person or entity
listed in the RIPE WHOIS db *isn't* simply disconnected, out-of-service,
the number of a FAX machine, the number of a company or individual whose
identity has been stolen, or the number of an unrelated brothel in
Amsterdam.   That alone would be a vast improvement over the current
status quo, I think.

Similarly, in the case of mailing addresses, either RIPE NCC or the LIRs
could check the data base of one of the aforementioned service bureaus
that serve that mailing industry, to see if the addresses in RIPE WHOIS
records even exist.  A clever crook will still put in the address of
some vacant lot somewhere, or maybe his local meat market or police
station, but at least we wouldn't be looking at "123 Galaxy St., Mars,
The Universe" and such utter nonsense as that.

There are other and even better ways to validate the mailing addresses,
but we don't need to get into that now.

Of course, some will argue that any attempt to validate the WHOIS data
is a horrendous encroachment on liberty, and cannot be tolerated under
any circumstances by a freedom-loving people, and also that any attempts
to check the data will, in the end, prove imperfect, and thus, that it
isn't even worth doing.  These arguments identical in every important
respect to the arguments that are made continuously, in my own country,
against any regulation whatsoever of guns.  And so far, in my country,
these argument still hold sway, even though year after year we have the
highest per-capita rates of gun violence, by far, in the industrialized
world.  My impression however is that you Europeans are both civilized
enough and sohpisticated enough to reject such poor arguments, and to
choose instead a more enlightened path leading to greater civility.

>> It _is_ unallocated (bogon) space in this case, so yes, it is easy.
>
>network operators should be filtering better on announced prefixes

Yes, and people shouldn't be purchasing stolen bicycles.  It happens
anyway, and thus, we should still put locks on our bicycles.

>It's certainly something we should think about. I'm just thinking that
>using the phone number from the RIPE DB doesn't prove anything as the
>spammer will provide that data for themselves.

Validating the phone number _would_ prove something.  It would prove
that the phone numbers that appear in the RIPE WHOIS data base are,
at least at the time of the checking, *not* disconnected, *not* out
of service, *not* the numbers of FAX machines, or company switchboards
where nobody has any idea of who might know something about this Internet
thing,  and also *not* the numbers of unrelated brothels in Amsterdam.

I agree that validating the phone number would not prove _everything_
that we might want to verify, but it also does not prove nothing.

>Any ideas on how to make
>sure we get a valid phone number that belongs to the
>company/organisation/etc that the resources are being assigned to?

Yes, but I prefer to leave that discussion for another day.  There
seems no point in having it now, when at least some RIPE members
appear to feel that having to give their correct phone number to
RIPE NCC (who will then publish it) might represent an unforgivable
encrochment on their personal sovereignty, the UN's Universal
Declaration of Human Rights, or their reasonable commercial
interests in confidentiality.

If that is the majority view, then even the minimalist suggestions
I've made for validation of the data will not fly, and in that case
it is certain that any even more comprehensive approach wouldn't
either.

>We have already improved quite a lot.

Excellent.

I cannot help but be impatient for further improvements.  Unlike most
folks, I look in depth at the crooked and less savory parts of the
Internet virtually every day, and it is deeply disappointing for me,
as it must also be for law enforcement, to see how little proper
identification and attribution is helped by the (often inaccurate)
available resources.

>My apologies. I didn't mean to imply that accuracy of the RIPE DB is a
>mere detail. That accuracy has been the reason behind quite a few
>policies! I meant to say that policy doesn't contain implementation
>details. The way a policy is implemented is left to the RIPE NCC. The
>policy just says that contact information has to be up to date.

I want to understand.  Are you saying that RIPE NCC could unilaterally
just decide to start performing phone verification of contact points
listde in the WHOIS data base?

>I'm just wondering what the existence of a postal address (or a phone
>number) actually proves. I could provide some random address in
>Amsterdam and a disposable VoIP phone number. They would be real, but
>they wouldn't actually prove anything about who is requesting resources.

I've been to Europe only one time, in 2010.  I had to buy a cell phone
there to communicate, and when I did I was entirely surprised to learn
that one cannot do so without presenting some form of identification,
passport, driver's license, etc.  (We don't do that here.)  The inference
I draw is that in Europe, even more than other places, law enforcement
at least can trace a phone number to a particular person.  If true, that
represents both a deterrent to fraud, and a useful assist when and if
possible fraud in being investigated.

Even for amateur sleuths such as myself, every additional data point
helps during an investigation.  The example of AS204224 is illustrative.
If I knew for certain that someone had positively validated the phone
number when that AS has been assigned in July, then I would also know,
almost to a moral certainty, that the company itself, and not some
identity thief, was the party engaged in the recent routing hanky
panky.

Positive confirmation of phone and/or address data would eliminate a
lot of simple "fat finger" mistakes, a lot of casual (but not deternmined)
"drive by" fraud, and would help in after-the-fact investigations
which just simply try to determine who is misbehaving.

>> And you'll have to excuse me for saying so, but this nonsense you raise
>> about "political instability" is just that, nonsense.
>
>I am more thinking about e.g. business records. I have been told that in
>regions of Ukraine both the Ukraine government and the Russian
>government are claiming authority on chamber of commerce stuff. And I
>have no idea who is authoritative on business registration in different
>regions in Syria.

You are thinking about formal, government-held business records.  I myself
am not.  Official government business records, when available, are helpful
to investigations.  But if they aren't available, then they aren't, and
that's all there is to it.  You work with what you have.

>> Should we worry that
>> the penguins in Antartica won't be able to obtain RIPE number
>> resources because they also don't have working phones?
>
>Don't make this into a ridiculous argument please. I am very serious.

I'm sorry, but I have trouble taking seriously any argument that begins
with the false assumption that just because someone belongs to the
species homo sapiens, that RIPE then has some sort of a moral obligation
to give them number resources, regardless of whether or not they are
living in a war zone, and regardless of whether or not they are tribal
people in Papua New Guinea with nothing to their names except grass
skirts and mud huts.

There are certain minimal requriements for connecting to, and participating
in the modern Internet.  Among these is a supply of electricity.   Also
on the list is a working phone, usable for contact purposes.  Yes,
undoubtedly, on the eastern edges of Donetsk, and most neighborhoods
of Aleppo, phone coverage may range from spotty to non-existant.  But
as I've said, I think those people have bigger problems than worrying
about how to connect up to the Internet.  Finding enough to eat everyday
might be high on that list.

>Having a working phone number for a short period of time doesn't really
>prove anything. Accepting bogus phone numbers is not good, but we also
>shouldn't attach too much value to having a valid phone number.

OK.  I promise not to attach too much value to a validated phone
number.  Seriously, I agree with you that checking the phone number
isn't a panacea, but it's better than nothing.

>What needs to be verified is the entity requesting resources, and to
>determine if a company or person exists and who is authorised to request
>resources for that entity are the difficult bits.

As I said, this would be aiming for a much broader and higher goal than
what I personally am aiming at.  It's good, but you have to walk before
you can run.

>> But at the very last minute you have elected to throw the ultimate
>> spanner (or as we here say, monkey wrench) into the works, i.e.  "privacy".
>> (And you'll have to excuse me, but I cannot help but think that you did
>> so in order to derail any progress on WHOIS accuracy.)
>
>Wow. Stop it right there! I was enjoying having a good discussion with
>you. Now don't start ruining it by making wild accusations.

I apologize.  You are correct,   That comment on my part was utterly
uncalled for, and I would very much like to retract it.

But I hope that you understand my sensitivity.  "Privacy" is a double
edged sword.  There are many contexts where I personally demand it,
and others where it seems a reasonable bargain to give a little bit of
it up in exchange for certain privledges to which all homo sapiens are
_not_ automatically entitled, e.g. renting a car, getting on a commercial
airliner, or connecting my network to the Internet.  Neither any deity,
nor the United Nations, nor the United States, nor the State of California,
nor my local county or city have told me that I have an inalienable
right to do any of these things, in particular without giving up anything
at all in return, and I am neither silly enough nor arrogant enough to
insist that I do.

In contrast, I've seen signs, here and elswhere, of what could only
properly be called radical fundamentalist privacy advocates, zelots
who argue in favor of a ridiculous, impractical, and unworkable extreme
when trying to draw a reasonable balance between personal privacy and
personal privledges.  These extremists were apparently gleeful when
they succeded in preventing a multinational company from even giving
its own internal European employee phone directory to their other
employees in the U.S. who had perfectly legitimate business reasons
for needing to contact their European counterparts.

I agree with and applaud much of what Europe has done to advance the
cause of personal privacy.  But even the best ideas, taken to
ridiculous extremes, yield only lunacy.  Unfortunately, the hardest
of the hard-core privacy jihadists often seem to have grabbed the
reins in Europe, and I worry that in future, children born there
won't even be able to find out their own names without a court order.

>RIPE NCC has to comply with data protection laws.

But there _are_ ``outs'' and exemptions that allow certain information
to be published.  Elsewise port 43 @ whois.ripe.net wouldn't be answering,
right?

>I personally think that someone holding resources should at least be
>identifiable in the DB,

We agree, but apparently this sentiment is not universally shared.


Regards,
rfg