[anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

In message <alpine.LRH.2.21.1903312003441.29965 at gauntlet.corp.fccn.pt>, 
=?ISO-8859-15?Q?Carlos_Fria=E7as?= <cfriacas at fccn.pt> wrote:

>2019-03 aims to create an inexistent rule, that could lead to 
>consequences...

Speaking of which, I wonder if anyone here might happen to know the
penality, under Dutch law, for knowingly receiving stolen property,
or cash?

I only ask because I did notice, just yesterday, the fact that AS205869,
aka Universal IP Solution Corp. is apparently still, to this day, a
member in good standing (and dues-paying member) of RIPE.  And this is
true even MONTHS after the company was publicly identified as having
been one of two entities behind a large scale "ad fraud" scheme, publicly
documented by Google and their partners, WhiteOps, and which netted the
criminals behind it an alleged $29 million of ill-gotten gains:

https://arstechnica.com/information-technology/2018/12/how-3ves-bgp-hijackers-eluded-the-internet-and-made-29m/

This entire sophisticated ad fraud scheme resulted in multiple U.S. federal
grand jury indictments:

https://www.justice.gov/usao-edny/press-release/file/1114576/download

Unfortunately, many of those criminally charged are still at large, and
thus, they are able to continue doing business with, and paying dues to RIPE.

To say that any such funds now being paid to RIPE are "tainted" would be a
rather gross understatement.

This is the elephant in the room that none of the opponents of 2019-03
wants to talk about, i.e. the rather inconvenient fact that RIPE, due
to its intransigent lethargy, is quite apparently doing business, even
as we speak, with known and well-identified cyber-criminals.

So, when it comes time for RIPE to answer, in a Dutch court, for this
continued and ongoing support of known criminals, what will be RIPE's
response?  I can see it all now...

"Oh!  Gee!  Sorry your honor!  We are an association, under Dutch law, and
our by-laws require us not to adopt any policies that do not obtain 100%
consensus of ALL of our members, and thus, because our members are a
rambunctious lot, and because at least some of them don't really mind
that much being associated with criminals, we have been unable to adopt
any new governing rules for our association that would actually prohibit
us from receiving stolen money.  Can we go now?"

Yea.  *That* defense is sure to work... NOT!

Perhaps some of the people here who have speculated aloud about the (dim)
possibility that RIPE might someday accrue some civil liability for having
kicked out members who are hijackers could perhaps spare a moment or two
in their busy schedules to give at least some thought to the vastly greater
potential liability, both civil and criminal, that might accrue to RIPE if
it continues, as it is now doing, to support and sell services to known
cyber-criminals.

Note that when and if a day of legal judgement finally arrives for *these*
failures, RIPE will also not be able to avail itself of either of the two
other traditional defenses that have been trotted out, in the past, to try
to excuse the inexcusable.  I am speaking of course of the "we didn't know"
defense and the "we were just following orders" defense.  RIPE clearly
*does* know about the nature and purpose of Universal IP Solution Corp.,
and if it doesn't know, then it can only be because RIPE is -willfully-
electing to remain ignorant.  Separately, RIPE can certainly attempt to
claim that it was "just following the orders" of its membership, but that
defense is likely to fall on deaf ears also... as it has in the past.

So where are all of the members who earlier, and right here on this mailing
list, worried aloud about legal liability?  Why are they apparently NOT
worrrying about the legal liability that may arise from seeing evil and
doing nothing whatsoever to impede it, or to even stop doing business with
it?

Apparently, the potential for legal liability is only an issue when concern
abou the potential for that is used as an argument to support those
conservatives who wish to do nothing at all.  When viewed objectively and
even-handedly however, arguments in favor of doing nothing which are based
on the "legal liability" bogeyman can be easily seen to be rather entirely
disingenuous, because it is self-evident that the *real* and far more serious
potential for legal liability lies with continuing to have RIPE support and
sell services to cyber-criminals, as it is now, quite apparently, doing.


Regards,
rfg