[anti-abuse-wg] [routing-wg] AS12679 -- 206.195.224.0/19

In message <20200127071712.GN36653 at vurt.meerval.net>, 
Job Snijders <job at ntt.net> wrote:

>Hold on a second, are you sure there ever *was* a request to change who
>controls this legacy block? I am not so sure.
>
>I suspect what happened is that the 'thriftdrug.org' domain name
>registration expired, and the alleged thief registered thriftdrug.org...

Nope.  I have already looked at the ARIN WhoWas report.  Here are the
relevant records, with date stamps:

https://pastebin.com/raw/M3fDR7nh

>> But from where I am sitting it does appear that there was exactly and
>> only -zero- review of this take-over request.
>
>There was no take-over request, I'd call this impersonation or a
>compromised account.

I agree that "impersonation" occurred.  I *do not* agree that this
was enabled by any kind of account compromise.

Furthermore, I have no reason to believe that suddenly, after a couple
of decades of utter dormancy, someone just guessed the acocunt password
needed to take control over this ARIN WHOIS record.  (And in this instance
I apply Occam's razor.)

>> I mean that it appears that absolutely *nothing* was done in the way
>> of vetting in this case.  The age of the new contact domain... which
>> would have been a BIG red flag...  quite apparentkly wasn't checked.  
>
>Have you considered asking ARIN to take the 'domain name creation' date
>into consideration when usernames are retrieved or passwords are reset?
>Perhaps there are some simple heuristics that can be applied to improve
>the password reset process.

Thank you for a nice laugh Job!

No, I have not suggested to ARIN how to do their jobs in this kind
of a context.  And no, I *do not* think that I should even have to
suggest that such factors should be considered when giving someone control
over a nice juicy legacy block that has sat dormant for a couple of
decades.  Nor do I think that -I- should have to suggest such a step to
the ARIN folks for the simple reason that it is JUST TOO EFFING OBVIOUS...
a fact which this present case renderes even more bloody obvious than
it already was.

>ARIN has a fine working process to publicly log enhancement requests
>called the 'ACSP' https://www.arin.net/participate/community/acsp/

Gee.  Thanks Job.  I just love to spend time jumping through mindless
bureaucratic hoops, just so that I can claim the privilege of
informing some folks of what should have been bloody obvious to those
same folks from the get-go anyway.

>ARIN would not be unique in having trouble preventing account
>compromises when the control over the domain name falls in the wrong
>hands.

See above.  That's not what happened in this case.


Regards,
rfg