[anti-abuse-wg] [routing-wg] AS12679 -- 206.195.224.0/19

In message <20200127055550.GK36653 at vurt.meerval.net>, 
Job Snijders <job at ntt.net> wrote:

>I think it is very counter-productive to frame things as 'incompetence @
>ARIN', we rather should assume positive intent. If this indeed is a case
>of theft, the attacker was sophisiticated enough to understand the rules
>of the game and how to cheat them. The various registries may be tricked
>at times, that's part of life, the real failure would be if they don't
>act after the registration problem is reported to them. I have no reason
>to believe this will be the case. Please be nice ronald! :-)

Ok, just a couple of points:

#1)  I *was* being nice!  I *am* being nice.  I am taking it as an apriori
given that this is NOT another AFRINIC situation.  That is only sheer
generosity and kindness and deep regard on my part.  I am applying Hanlon's
razor.

#2)  No, this is *not* just "part of life".  The people at the RIRs are
being paid to do a job.  The job is to make allocations and keep track
of who has them.  Everything else they do, including all of the time
and effort they all spend, e.g. arranging lavish conferences and explaining
to everyone why they are not the routing police... all that stuff is secondary.

Maybe this simple graphic will underscore my point:

https://i.kym-cdn.com/entries/icons/original/000/012/300/you-had-one-job34-580x425.jpg

I'll tell you what Job, I'll make you a deal.  You tell me what ARIN did
to properly review and vet this request (i.e. for a change to who controls
this legacy block) and then, if I am persuaded that they did that *and* that
what they did was both reasonable and sufficient, then I'll grovel and beg
forgivness from all, including ARIN.

But from where I am sitting it does appear that there was exactly and only
-zero- review of this take-over request.  I mean that it appears that
absolutely *nothing* was done in the way of vetting in this case.  The
age of the new contact domain... which would have been a BIG red flag...
quite apparentkly wasn't checked.  The web site associated with that
domain name wasn't checked.  And clearly nobody ever even tried dialing
the new contact phone number, as I did, which took me all of ten seconds.

So what did the vetting consist of in this case, exactly?  Whatever it
was, please persuade me that I could not have hired a well-educated and
well-qualified chimpanzee with a top-notch resume and paid him less
money to perform the same job, thereby saving the ARIN membership
thousands or tens of thousands per year.

Given that ARIN walks around, all day every day, with a huge "Kick me!
I won't sue you if you do!" sign on its back, I think they need to take
this vetting stuff a wee bit more seriously.  It would be a different
story if they had a reputation for coming down hard, in a legal sense,
on anybody who tries to screw with them by pulling these kinds of fraud
games on them.  But in point of fact, and in the dark Internet underground
where all of us decent people never go, they, ARIN, and indeed all of the
RIRs have the exact opposite reputation, i.e. a reputation for their
standing policy of always wanting to "catch and release" when
it comes to fraudsters.  And what is the predictable outcome of this
longstanding policy, when combined with inadequate due diligence in
the vetting process?  I'll tell you what it is.  Rught now, as we speak,
the U.S. Department of Justice is spending my tax dollars to prosecute
not one but -two- active criminal fraud prosecutions against two
separate groups of fraudsters who ARIN allowed to snooker it.

Is shifting this burden onto the taxpayers fair?  Is it made fair just
because the respective memberships of each of the five RIRs do not wish
to get their hands dirty by legally going after the fraudsters who mess
with the RIRs, and because they do not wish to absorb the time, expense,
and risk of handling these kinds of problems themselves, like most other
businesses have to do?

Sorry, Job, but you hit a raw nerve as you can see.  As far as I am
concerned, the RIRs, and their ultimate parent, ICANN, seem to want
to have their cake and eat it too. They don't want to spend the time
or effort to do proper vetting, and yet when things like this happen,
and when they are then, predictably, defrauded, they want someone else
to fight their legal battles for them... using taxpayer money instead of
member money.

This cereats a situation that is often referred to as "moral hazard",
i.e. where one party doesn't have to absorb the actual costs if they
recklessly gamble and then lose.

Thanks to the late great Jack Valenti, the MPAA and the RIAA already
managed to successfully lobby to get the government to treat content
piracy as a criminal offense, thus allowing the FBI to become the
unpaid police force of the content producers while relieving said
content producers of any obligation to solve their own damn problems.

So now, I ask you, how is the situation with the five RIRs any different?

Nobody wants the RIRs to be the routing police.  OK.  Fine.  But could
they at least maybe take care fo their own **** when it comes to their
own data bases and the integrity thereof?  Is that really too much to
ask?


Regards,
rfg