[members-discuss] Registry Services Ticket Response Time

Hi Kurtis,

On 9/19/21 11:44 PM, Kurtis Lindqvist wrote:
> 
> 
> 	Elvis,
> 
> 
>> On 20 Sep 2021, at 06:00, Elvis Daniel Velea <elvis at v4escrow.net> wrote:
>>
>>>
>>> Wait times per member request are determined by a number of factors and
>>> where additional checks are required, the request will take longer. And
>>> while some requests take longer to process than others, our staff need
>>> to apply all necessary due diligence measures rather than rely on
>>> assertions from the member involved. This is how we maintain a robust
>>> registry of member resources.
>>
>> Again, this is in line with your strategy change from 'we trust our members fully with the data they provide' to 'we suspect all our members are now committing fraud and we must protect their resources'. This change has been gradual but the level of the mistrust I see now is alarming. Maybe you should focus on passing the responsibility of keeping an SSO account secure to the LIRs and stop questioning the validity/legality of the information provided by the LIRs to the RIPE NCC.
>>
>> If someone provides illegal/falsified documentation you always have the option to revert the change you've made once a court has decided against your initial decision. You should not waste so much time of the RS department on manually verifying whether an ID is valid or whether a signature is similar to one you have on record.
> 
> I just wanted to pick up on this as I don’t agree at all. For a number of resons such as RPKI and increased value of resources, the importance of ensuring correct ownership and identification of the ultimate holder has gone up over time. As we have seen in other regions using courts to settle disputes afterwards can come at high cost and risk and will simply shift the workload of the NCC staff but more importantly might well be pointless if for example criminal activity has been enabled under a validated prefix until rectified by the courts.
> 
> OF course the processes needs to be streamlined and automated as far as possible but let’s not pretend that loose or no validation of prefixes as in the old days is an option today. It isn’t. That will drive complexity and cost and we should discuss how to make that less impactful instead of how to abolish it.

Maybe I over-simplified what I said and it came out wrong. I am not pro 
abolishing the fraud investigations, all I am wondering is whether the 
NCC's approach to do all these checks was a good idea.

What I meant to say was that all members should understand that what 
they hold in their accounts are numbers that have a high value and 
therefore they should do everything they can to secure their accounts 
because there are fraudsters out there trying to hack into their 
accounts to steal their prized assets.

It should not be the RIPE NCC wasting time to make sure that they have 
received the information from the right contact, that the account holder 
(SSO) of the company X transferring IPv4 addresses has not been hacked 
or that the requester may be a fraudster.
It should not be the NCC's job to police, for example, a weak password 
of an SSO holder or to verify that the document they have received from 
a trusted contact is signed by the same person that has signed the SSO 
years ago. They can't as they do not have the skills to do that, all 
they can do is delay every request and waste time that should be more 
usefully used to process all the requests within the SLA.

How can someone be sure that an ink signature is not fake always amazes 
me, there are highly skilled individuals that authenticate autographs 
that have done this for a life and can still make mistakes.. Why has the 
NCC gone this route with 30+ people, none with the right skills or 
training to do this?

- I applaud the attempted changes in automation the NCC is trying to 
make by using iDenfy in the future.. I am not sure this was needed, 
though, but I am not there to see all the fraud attempts the NCC deals with.

The owners of the LIR accounts should be responsible for their own 
passwords/authentication methods and who they give access to the 
resources to. They should also be responsible for the documentation 
provided by their company to the RIPE NCC and acknowledge that the NCC 
may refer cases to LEAs/justice when they have reasons to believe this 
information/documentation is fake.


So, to summarize, I don't believe the NCC should have gone the route of 
doubting the documentation received every time a request is sent but 
should have instead trusted in the documentation provided by the LIRs.
In cases where LIRs or end-users provide fake documentation, it is not 
the NCC that can really judge that but a court. The NCC does not have 
the skills for this and should not continue to go this route.


Elvis

-- 
Kind regards,
Elvis Daniel Velea
Chief Executive Officer
V4Escrow LLC
www.v4escrow.com
elvis at v4escrow.net
+1-702-970-0921