[anti-abuse-wg] [db-wg] RIPE Policy Proposal 2017-02 Validates Database Attributes

On Thu, 7 Sep 2017 17:54:04 +0100
"Sascha Luck [ml]" <dbwg at c4inet.net> wrote:
<snip>
> >The lack of reliable accurate and validated information in the
> >database negatively impacts legitimate uses of the RIPE Database,
> >including:  
> An *email adress* that doesn't reply once a year does NOT equate
> to a "lack of reliable accurate and validated information". I

too many of the privileged "owners" of public resources sends email sent
to abuse-c,  to dev/null

not only could that be seen as non ethical behavior, but it is a
form of abuse in itself.

there is also no point to have a phone number or an email address if the
phone is never answered or the email address is heavily filtered and
deleted.

> find this statement somewhat insulting to the NCC team who do
> make the effort to keep the ripedb data accurate and do audit
> resource holders.

no. the NCC team is not responsible for the abusive behavior of
resource holders.

they want to have resources but they do not want to be responsible.

it is my opinion that there has to be a balance found between rights
and responsibility.

and imnsho regular verification of responsive abuse-c is a step in the
correct direction.

> There is an issue with the reliability of out-of-region and
> legacy resource data but as the NCC has no "enforcement" powers
> over these resource holders, in these cases this proposal
> snatches at thin air. 
> 
sure, some legacy resources are not even in use and are "parked" so
what?

> >Assuring the security and reliability of the network by
> >identifying points of contact for IP addresses for network
> >operators, ISPs, and certified computer incident response teams;  
> 
> "org:", "admin-c:", "tech-c:", "mnt-by:" and, yes, "abuse-c:" exist.
> 
> >Ensuring that IP address holders are accountable, so individuals,
> >consumers and the public are empowered to resolve abusive
> >practices that impact safety and security;
> >Assisting businesses, consumer groups, healthcare organisations
> >and other organisations that are combating fraud (some of which
> >have mandates to electronically save records) to comply with
> >relevant legal and public safety safeguards;  
> 
> The contact object that does (or *should*) stand for the person(s) who
> can speak for a LIR, legally, is "admin-c:". "abuse-c:" is some role
> account in a NOC or even a ticket system unlikely to have any
> decision-making power. An attempt to make these roles (perhaps
> even personally) responsible for the behaviour of a LIR and its
> customers is counter-productive. I for one would flatly refuse to
> do any abuse report handling under these circumstances.
> 
> >Complying with national, civil and criminal due process laws in
> >support of investigations and providing justice for victims.  
> 
> Would the proposers please amplify exactly which law or due
> process is violated by the NCC not sending an email once a year
> to an abuse-c:? Myself, and I'm sure the NCC legal team, would be
> interested to know.
> 
fake abuse-c
non responsive or non functional abuse-c
automatic deletion of anything to abuse-c

what is the point of having an object at all if it is faux?

> On a technical note, email is neither a secure nor a reliable
> transport for such verification. In the day of blocklists and
> large email providers imposing arbitrary restrictions on email
> senders it is not guaranteed that a verification email reaches
> the intended address or that a reply reaches the sender. The NCC
> ARC procedure, however employs both email and personal contact
> via telephone to verify the accuracy of the ripedb information.
> 

technical note for whom? technical note for technical illiterates? 

phones also do not work reliably, there are sunspots, tower outages,
bad signal areas, signal blocks.

Re: email, you are trying to argue that email deliverability to and
from the NCC could be an issue? Do you have any proof of this? 

Example: If you are a spammer and you are blocked by the NCC email
server, surely you would correct your abusive behavior and contact the
NCC to lift your block? 

If the NCC refuses your communications you could always change your
abuse-c to low_life_scumbag at ethical-example.com


> In toto, this proposal would impose unneccessary work on LIRs and
> the NCC, using unsuitable means to rectify a non-existing issue, 
> and I therefore oppose it.
> 

It is work that should already be done and a 5 second confirm, is hardly "work"

Andre