US DOJ victim letter
Robert E. Seastrom
rs at seastrom.com
Thu Feb 2 10:57:23 UTC 2012
bmanning at vacation.karoshi.com writes:
> I missed the part where ARIN turned over its address database
> w/ associatedd registration information to the Fed ... I mean
> I've always advocated for LEO access, but ther has been
> significant pushback fromm the community on unfettered access
> to that data. As I recall, there are even policies and
> processes to limit/restrict external queries to prevent a DDos
> of the whois servers. And some fairly strict policies on who
> gets dumps of the address space. As far as I know (not very
> far) bundling the address database -and- the registration data
> are not available to mere mortals.
>
> So - just how DID the Fed get the data w/o violating ARIN policy?
Hi Bill,
In case you're not trolling here (occam's razor says I'm giving you
too much credit), a few points:
1) There has been substantial involvement by Federal LE at ARIN PPMs
in terms of pushing for policy that makes WHOIS data more accurate...
including one person who served on the ARIN AC after he went to work
in the private sector.
2) LE can type "show ip bgp" too and only needs to hit a whois server
once per ASN.
3) There is a bulk whois policy. Whether "hi, we now have the
reins of a compromised botnet or whatever and want to reach out to
let people know that they're pwn3d" falls under the rubric of
"Internet operational or technical research purposes pertaining to
Internet operations" is left as an exercise to the reader.
Section 3.1 of the NRPM says that Bulk Whois "... point of contact
information will not include data marked as private."
As I outlined in #2 above, a full or partial dump is not really
something that's necessary.
https://www.arin.net/resources/agreements/bulkwhois.pdf
I'm pretty confident there were no policy violations here.
-r
More information about the NANOG
mailing list