In message <20200127055550.GK36653@vurt.meerval.net>, Job Snijders <job@ntt.net> wrote:
> I think it is very counter-productive to frame things as 'incompetence @ ARIN', we rather should assume positive intent. If this indeed is a case of theft, the attacker was sophisticated enough to understand the rules of the game and how to cheat them.
>
> The various registries may be tricked at times, that's part of life, the real failure would be if they don't act after the registration problem is reported to them. I have no reason to believe this will be the case.
>
> Please be nice ronald! :-)

Ok, just a couple of points:

#1) I *was* being nice! I *am* being nice. I am taking it as an a priori given that this is NOT another AFRINIC situation. That is only sheer generosity and kindness and deep regard on my part. I am applying Hanlon's razor.

#2) No, this is *not* just "part of life". The people at the RIRs are being paid to do a job. The job is to make allocations and keep track of who has them. Everything else they do, including all of the time and effort they all spend, e.g. arranging lavish conferences and explaining to everyone why they are not the routing police... all that stuff is secondary.

Maybe this simple graphic will underscore my point:

https://i.kym-cdn.com/entries/icons/original/000/012/300/you-had-one-job34-5...

I'll tell you what Job, I'll make you a deal. You tell me what ARIN did to properly review and vet this request (i.e. for a change to who controls this legacy block) and then, if I am persuaded that they did that *and* that what they did was both reasonable and sufficient, then I'll grovel and beg forgiveness from all, including ARIN.

But from where I am sitting it does appear that there was exactly and only -zero- review of this take-over request. I mean that it appears that absolutely *nothing* was done in the way of vetting in this case. The age of the new contact domain... which would have been a BIG red flag... quite apparently wasn't checked. The web site associated with that domain name wasn't checked. And clearly nobody ever even tried dialing the new contact phone number, as I did, which took me all of ten seconds.

So what did the vetting consist of in this case, exactly? Whatever it was, please persuade me that I could not have hired a well-educated and well-qualified chimpanzee with a top-notch resume and paid him less money to perform the same job, thereby saving the ARIN membership thousands or tens of thousands per year.

Given that ARIN walks around, all day every day, with a huge "Kick me! I won't sue you if you do!" sign on its back, I think they need to take this vetting stuff a wee bit more seriously.

It would be a different story if they had a reputation for coming down hard, in a legal sense, on anybody who tries to screw with them by pulling these kinds of fraud games on them. But in point of fact, and in the dark Internet underground where all of us decent people never go, they, ARIN, and indeed all of the RIRs have the exact opposite reputation, i.e. a reputation for their standing policy of always wanting to "catch and release" when it comes to fraudsters.

And what is the predictable outcome of this longstanding policy, when combined with inadequate due diligence in the vetting process? I'll tell you what it is. Right now, as we speak, the U.S. Department of Justice is spending my tax dollars to prosecute not one but -two- active criminal fraud prosecutions against two separate groups of fraudsters who ARIN allowed to snooker it.

Is shifting this burden onto the taxpayers fair? Is it made fair just because the respective memberships of each of the five RIRs do not wish to get their hands dirty by legally going after the fraudsters who mess with the RIRs, and because they do not wish to absorb the time, expense, and risk of handling these kinds of problems themselves, like most other businesses have to do?

Sorry, Job, but you hit a raw nerve as you can see. As far as I am concerned, the RIRs, and their ultimate parent, ICANN, seem to want to have their cake and eat it too. They don't want to spend the time or effort to do proper vetting, and yet when things like this happen, and when they are then, predictably, defrauded, they want someone else to fight their legal battles for them... using taxpayer money instead of member money. This creates a situation that is often referred to as "moral hazard", i.e. where one party doesn't have to absorb the actual costs if they recklessly gamble and then lose.

Thanks to the late great Jack Valenti, the MPAA and the RIAA already managed to successfully lobby to get the government to treat content piracy as a criminal offense, thus allowing the FBI to become the unpaid police force of the content producers while relieving said content producers of any obligation to solve their own damn problems. So now, I ask you, how is the situation with the five RIRs any different?

Nobody wants the RIRs to be the routing police. OK. Fine. But could they at least maybe take care of their own **** when it comes to their own data bases and the integrity thereof? Is that really too much to ask?

Regards,
rfg