US DOJ victim letter

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Thu Feb 2 05:23:19 CST 2012


On Thu, Feb 02, 2012 at 05:57:23AM -0500, Robert E. Seastrom wrote:
> 
> bmanning at vacation.karoshi.com writes:
> 
> > I missed the part where ARIN turned over its address database
> > w/ associatedd registration information to the Fed ... I mean
> > I've always advocated for LEO access, but ther has been
> > significant pushback fromm the community on unfettered access
> > to that data.  As I recall, there are even policies and
> > processes to limit/restrict external queries to prevent a DDos
> > of the whois servers.  And some fairly strict policies on who
> > gets dumps of the address space.  As far as I know (not very
> > far) bundling the address database -and- the registration data
> > are not available to mere mortals.
> >
> > So - just how DID the Fed get the data w/o violating ARIN policy?
> 
> Hi Bill,
> 
> In case you're not trolling here (occam's razor says I'm giving you
> too much credit), a few points:
> 
>    1) There has been substantial involvement by Federal LE at ARIN PPMs
>    in terms of pushing for policy that makes WHOIS data more accurate...
>    including one person who served on the ARIN AC after he went to work
>    in the private sector.
> 
>    2) LE can type "show ip bgp" too and only needs to hit a whois server
>    once per ASN.
> 
>    3) There is a bulk whois policy.  Whether "hi, we now have the
>    reins of a compromised botnet or whatever and want to reach out to
>    let people know that they're pwn3d" falls under the rubric of
>    "Internet operational or technical research purposes pertaining to
>    Internet operations" is left as an exercise to the reader.
> 
>    Section 3.1 of the NRPM says that Bulk Whois "... point of contact
>    information will not include data marked as private."
> 
>    As I outlined in #2 above, a full or partial dump is not really
>    something that's necessary.
> 
>    https://www.arin.net/resources/agreements/bulkwhois.pdf
> 
> I'm pretty confident there were no policy violations here.
> 
> -r

	sigh... will have to look elsewhere for the tri-lateral commission.

/bill



More information about the NANOG mailing list