Home page logo
/

nanog logo nanog mailing list archives

Re: US DOJ victim letter
From: bmanning () vacation karoshi com
Date: Thu, 2 Feb 2012 11:23:19 +0000

On Thu, Feb 02, 2012 at 05:57:23AM -0500, Robert E. Seastrom wrote:

bmanning () vacation karoshi com writes:

I missed the part where ARIN turned over its address database
w/ associatedd registration information to the Fed ... I mean
I've always advocated for LEO access, but ther has been
significant pushback fromm the community on unfettered access
to that data.  As I recall, there are even policies and
processes to limit/restrict external queries to prevent a DDos
of the whois servers.  And some fairly strict policies on who
gets dumps of the address space.  As far as I know (not very
far) bundling the address database -and- the registration data
are not available to mere mortals.

So - just how DID the Fed get the data w/o violating ARIN policy?

Hi Bill,

In case you're not trolling here (occam's razor says I'm giving you
too much credit), a few points:

   1) There has been substantial involvement by Federal LE at ARIN PPMs
   in terms of pushing for policy that makes WHOIS data more accurate...
   including one person who served on the ARIN AC after he went to work
   in the private sector.

   2) LE can type "show ip bgp" too and only needs to hit a whois server
   once per ASN.

   3) There is a bulk whois policy.  Whether "hi, we now have the
   reins of a compromised botnet or whatever and want to reach out to
   let people know that they're pwn3d" falls under the rubric of
   "Internet operational or technical research purposes pertaining to
   Internet operations" is left as an exercise to the reader.

   Section 3.1 of the NRPM says that Bulk Whois "... point of contact
   information will not include data marked as private."

   As I outlined in #2 above, a full or partial dump is not really
   something that's necessary.

   https://www.arin.net/resources/agreements/bulkwhois.pdf

I'm pretty confident there were no policy violations here.

-r

        sigh... will have to look elsewhere for the tri-lateral commission.

/bill


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]