Hi Piotr On 13/04/2016 22:18, Piotr Strzyzewski wrote:
On Tue, Apr 12, 2016 at 12:52:30AM +0200, denis wrote:
Denis
So how do they claim to be the owner? They change the details in the PERSON object, including the PERSON name, and maybe add their own MNTNER to it. But the key element here is the name. In the past you could not change the PERSON object name. This is a change that was implemented a couple of years ago and has led to this current issue. ONLY by changing the name of the PERSON object can you claim to be the 'owner' of this address space. If you can't change the name and you can't produce any ID to show you are the named person, then you have no claim over the address space. Hijacking in this way is not possible. So if you had rolled back that change to allow changes to the PERSON object name you would have fixed this problem.
Leaving aside rest of your email, this is plain wishful thinking.
It is not a problem to find and pay/bribe someone with the same name to be a mere front man. Or change a name at some jurisdictions. Or marry someone and then change the name. This has been "invented" years ago.
Maybe I am missing something here. But considering what you have just said....what have you fixed by locking almost a million objects? Consider 3 address blocks: 1/ admin-c and tech-c are properly maintained 2/ admin-c and tech-c were unmaintained 3/ admin-c and tech-c are now locked If you consider that a hijacker can 'get' id to show they are the referenced person, what difference does it make which of these three cases the address space is? The locked is now the same as properly maintained to a hijacker. So instead of simply changing the name they have to 'get' id. So you have solved nothing, but created a massive, long term problem. In fact you have created a new data protection problem. Almost a million personal data sets cannot be changed by the data subject. The RIPE NCC will not recognise anyone as the 'person' referenced in one of these objects. If they are not in a position to remove the reference what will you do? More generally you have a million personal data sets that you cannot claim to be accurate personal data. But as long as they remain referenced there is nothing the RIPE NCC can do about it. So I will say again, the action you have taken is not the answer to this problem. cheers denis
For those who understand a bit of polish, a cut from the well known polish commedy from 1980 with the same idea: https://youtu.be/ApLfbr89ssk?t=1m18s
Piotr