On Sun, Jan 26, 2020 at 10:59:00PM -0800, Ronald F. Guilmette wrote:
In message <20200127055550.GK36653@vurt.meerval.net>, Job Snijders <job@ntt.net> wrote:
I'll tell you what Job, I'll make you a deal. You tell me what ARIN did to properly review and vet this request (i.e. for a change to who controls this legacy block) and then, if I am persuaded that they did that *and* that what they did was both reasonable and sufficient, then I'll grovel and beg forgiveness from all, including ARIN.
Hold on a second, are you sure there ever *was* a request to change who controls this legacy block? I am not so sure.

I suspect what happened is that the 'thriftdrug.org' domain name registration expired, and the alleged thief registered thriftdrug.org, created a *@thriftdrug.org mailbox. Then proceeded to recover the username [1], then performed a password reset [2], logged into the portal, and *only* changed the OriginAS attribute.

The above procedure doesn't constitute a 'change of who controls it', but may be enough for AS12679 to get past some LOA/IRR barriers.

[1]: https://account.arin.net/public/recoverusername
[2]: https://account.arin.net/public/resetpassword
But from where I am sitting it does appear that there was exactly and only -zero- review of this take-over request.
There was no take-over request, I'd call this impersonation or a compromised account.
I mean that it appears that absolutely *nothing* was done in the way of vetting in this case. The age of the new contact domain... which would have been a BIG red flag... quite apparently wasn't checked.
Have you considered asking ARIN to take the 'domain name creation' date into consideration when usernames are retrieved or passwords are reset? Perhaps there are some simple heuristics that can be applied to improve the password reset process.

ARIN has a fine working process to publicly log enhancement requests called the 'ACSP'
https://www.arin.net/participate/community/acsp/

ARIN would not be unique in having trouble preventing account compromises when the control over the domain name falls in the wrong hands.

Kind regards,

Job
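
The domain-creation-date heuristic suggested in the message above, as an added example that is not part of the original thread and not ARIN's code. It assumes the registry can fetch an RDAP record for the contact's mail domain and knows when the contact was created; the sample record, the function names and the one-year threshold are constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed RDAP-style domain record (RFC 9083 "events" layout); not real data.
SAMPLE_RDAP = json.loads("""
{"ldhName": "example-legacy.org",
 "events": [
   {"eventAction": "registration", "eventDate": "2019-09-01T12:00:00Z"},
   {"eventAction": "expiration", "eventDate": "2020-09-01T12:00:00Z"}
 ]}
""")

MIN_DOMAIN_AGE = timedelta(days=365)  # assumed policy threshold


def parse_ts(value):
    """Parse an RFC 3339 timestamp into a timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def domain_created(rdap):
    """Return the current registration date from an RDAP record, or None."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "registration":
            return parse_ts(event["eventDate"])
    return None


def review_reset(contact_email, contact_since, rdap, now):
    """Return reasons a username recovery or password reset needs manual review."""
    domain = contact_email.rsplit("@", 1)[-1].lower()
    if domain != rdap.get("ldhName", "").lower():
        return ["RDAP record does not match contact domain"]
    created = domain_created(rdap)
    if created is None:
        return ["domain creation date unavailable"]
    reasons = []
    if created > contact_since:
        # The contact predates the current registration, so the domain
        # lapsed and was registered again, possibly by a different party.
        reasons.append("domain re-registered after contact was created")
    if now - created < MIN_DOMAIN_AGE:
        reasons.append("domain registered less than a year ago")
    return reasons
```

An empty list means the reset can proceed through the normal e-mail flow; any reason returned would route the request to manual vetting instead.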