mailing list archives
Re: US DOJ victim letter
From: bmanning () vacation karoshi com
Date: Thu, 2 Feb 2012 11:23:19 +0000
On Thu, Feb 02, 2012 at 05:57:23AM -0500, Robert E. Seastrom wrote:
bmanning () vacation karoshi com writes:
I missed the part where ARIN turned over its address database
w/ associatedd registration information to the Fed ... I mean
I've always advocated for LEO access, but ther has been
significant pushback fromm the community on unfettered access
to that data. As I recall, there are even policies and
processes to limit/restrict external queries to prevent a DDos
of the whois servers. And some fairly strict policies on who
gets dumps of the address space. As far as I know (not very
far) bundling the address database -and- the registration data
are not available to mere mortals.
So - just how DID the Fed get the data w/o violating ARIN policy?
In case you're not trolling here (occam's razor says I'm giving you
too much credit), a few points:
1) There has been substantial involvement by Federal LE at ARIN PPMs
in terms of pushing for policy that makes WHOIS data more accurate...
including one person who served on the ARIN AC after he went to work
in the private sector.
2) LE can type "show ip bgp" too and only needs to hit a whois server
once per ASN.
3) There is a bulk whois policy. Whether "hi, we now have the
reins of a compromised botnet or whatever and want to reach out to
let people know that they're pwn3d" falls under the rubric of
"Internet operational or technical research purposes pertaining to
Internet operations" is left as an exercise to the reader.
Section 3.1 of the NRPM says that Bulk Whois "... point of contact
information will not include data marked as private."
As I outlined in #2 above, a full or partial dump is not really
something that's necessary.
I'm pretty confident there were no policy violations here.
sigh... will have to look elsewhere for the tri-lateral commission.