In message <20200127071712.GN36653@vurt.meerval.net>, Job Snijders <job@ntt.net> wrote:

> Hold on a second, are you sure there ever *was* a request to change who controls this legacy block? I am not so sure.
>
> I suspect what happened is that the 'thriftdrug.org' domain name registration expired, and the alleged thief registered thriftdrug.org...

Nope. I have already looked at the ARIN WhoWas report. Here are the relevant records, with date stamps: https://pastebin.com/raw/M3fDR7nh

>> But from where I am sitting it does appear that there was exactly and only -zero- review of this take-over request.
>
> There was no take-over request, I'd call this impersonation or a compromised account.

I agree that "impersonation" occurred. I *do not* agree that this was enabled by any kind of account compromise. Furthermore, I have no reason to believe that suddenly, after a couple of decades of utter dormancy, someone just guessed the account password needed to take control over this ARIN WHOIS record. (And in this instance I apply Occam's razor.)

I mean that it appears that absolutely *nothing* was done in the way of vetting in this case. The age of the new contact domain... which would have been a BIG red flag... quite apparently wasn't checked.

> Have you considered asking ARIN to take the 'domain name creation' date into consideration when usernames are retrieved or passwords are reset? Perhaps there are some simple heuristics that can be applied to improve the password reset process.

Thank you for a nice laugh Job! No, I have not suggested to ARIN how to do their jobs in this kind of a context. And no, I *do not* think that I should even have to suggest that such factors should be considered when giving someone control over a nice juicy legacy block that has sat dormant for a couple of decades. Nor do I think that -I- should have to suggest such a step to the ARIN folks for the simple reason that it is JUST TOO EFFING OBVIOUS... a fact which this present case renders even more bloody obvious than it already was.

> ARIN has a fine working process to publicly log enhancement requests called the 'ACSP' https://www.arin.net/participate/community/acsp/

Gee. Thanks Job. I just love to spend time jumping through mindless bureaucratic hoops, just so that I can claim the privilege of informing some folks of what should have been bloody obvious to those same folks from the get-go anyway.

> ARIN would not be unique in having trouble preventing account compromises when the control over the domain name falls in the wrong hands.

See above. That's not what happened in this case.

Regards,
rfg