atom feed46 messages in edu.merit.nanogRe: US DOJ victim letter
FromSent OnAttachments
Jay HenniganJan 19, 2012 12:59 pm 
Michael HareJan 19, 2012 1:01 pm 
Tim JacksonJan 19, 2012 1:02 pm 
Dave EllisJan 19, 2012 1:03 pm 
Jay HenniganJan 19, 2012 1:04 pm 
Michael J McCaffertyJan 19, 2012 1:04 pm 
MLJan 19, 2012 1:05 pm 
Randy CarpenterJan 19, 2012 1:05 pm 
Alan CleggJan 19, 2012 1:08 pm 
Andrew D. DibbleJan 19, 2012 1:15 pm 
Chris AdamsJan 19, 2012 1:16 pm 
Chris AdamsJan 19, 2012 1:18 pm 
Lane PowersJan 19, 2012 1:27 pm 
PCJan 19, 2012 1:33 pm 
Carlos AlcantarJan 19, 2012 1:34 pm 
Simon LockhartJan 19, 2012 1:35 pm 
Todd LyonsJan 19, 2012 1:37 pm 
Ryan GelobterJan 19, 2012 2:36 pm 
-Hammer-Jan 20, 2012 6:06 am 
Mike AndrewsJan 20, 2012 6:55 am 
Robert BonomiJan 20, 2012 11:05 am 
Carlos AlcantarJan 27, 2012 10:11 am 
Bryan Horstmann-AllenJan 27, 2012 10:16 am 
Randy EpsteinJan 27, 2012 10:20 am 
MikeJan 27, 2012 10:21 am 
Vald...@vt.eduJan 27, 2012 10:22 am 
Randy EpsteinJan 27, 2012 10:31 am 
Carlos AlcantarJan 27, 2012 10:45 am 
Sean DonelanJan 27, 2012 10:52 am 
Jon LewisJan 27, 2012 12:22 pm 
Harry HoffmanJan 27, 2012 12:29 pm 
Martin HanniganJan 27, 2012 7:19 pm 
bman...@vacation.karoshi.comJan 28, 2012 8:30 am 
John PeachJan 28, 2012 8:39 am 
Ryan GelobterJan 28, 2012 7:11 pm 
Jack BatesJan 30, 2012 7:53 am 
Matthew S. CrockerJan 30, 2012 7:55 am 
Carlos AlcantarJan 31, 2012 2:30 pm 
Phil DyerJan 31, 2012 4:38 pm 
Ryan PavelyJan 31, 2012 4:43 pm 
Ronald BonicaJan 31, 2012 5:29 pm 
Carlos AlcantarJan 31, 2012 6:52 pm 
TFMLFeb 1, 2012 7:32 am 
PCFeb 1, 2012 11:53 am 
Robert E. SeastromFeb 2, 2012 2:57 am 
bman...@vacation.karoshi.comFeb 2, 2012 3:22 am 
Subject:Re: US DOJ victim letter
From:bman...@vacation.karoshi.com (bman@vacation.karoshi.com)
Date:Feb 2, 2012 3:22:56 am
List:edu.merit.nanog

On Thu, Feb 02, 2012 at 05:57:23AM -0500, Robert E. Seastrom wrote:

bman@vacation.karoshi.com writes:

I missed the part where ARIN turned over its address database w/ associatedd registration information to the Fed ... I mean I've always advocated for LEO access, but ther has been significant pushback fromm the community on unfettered access to that data. As I recall, there are even policies and processes to limit/restrict external queries to prevent a DDos of the whois servers. And some fairly strict policies on who gets dumps of the address space. As far as I know (not very far) bundling the address database -and- the registration data are not available to mere mortals.

So - just how DID the Fed get the data w/o violating ARIN policy?

Hi Bill,

In case you're not trolling here (occam's razor says I'm giving you too much credit), a few points:

1) There has been substantial involvement by Federal LE at ARIN PPMs in terms of pushing for policy that makes WHOIS data more accurate... including one person who served on the ARIN AC after he went to work in the private sector.

2) LE can type "show ip bgp" too and only needs to hit a whois server once per ASN.

3) There is a bulk whois policy. Whether "hi, we now have the reins of a compromised botnet or whatever and want to reach out to let people know that they're pwn3d" falls under the rubric of "Internet operational or technical research purposes pertaining to Internet operations" is left as an exercise to the reader.

Section 3.1 of the NRPM says that Bulk Whois "... point of contact information will not include data marked as private."

As I outlined in #2 above, a full or partial dump is not really something that's necessary.

https://www.arin.net/resources/agreements/bulkwhois.pdf

I'm pretty confident there were no policy violations here.

sigh... will have to look elsewhere for the tri-lateral commission.

/bill