Thrift Drug, Inc. of Pennsylvania was bought out in October, 1996 by the Rite Aid pharmacy chain (US):

https://www.riteaid.com/corporate/news/-/pressreleases/news-room/1996/rite-a...
https://en.wikipedia.org/wiki/Thrift_Drug
https://opencorporates.com/companies/us_pa/2002644

Unfortunately, the parent company, Rite Aid, never got the memo telling it that Thrift Drug, Inc. owned the legacy IPv4 block 206.195.224.0/19.

The results were predictable. This /19 has been repeatedly squatted on in recent years, as shown by RIPEstat:

https://stat.ripe.net/widget/routing-history#w.resource=206.195.224.1

2016-08-15 AS42861 RU Foton Telecom, CJSC Network Operation Centre
2017-12-08 AS65075 -- {{reserved ASN}}
2018-03-26 AS28191 BR Jupiter Telecomunicacoes e Informatica Ltda
2019-08-24 AS20473 US Choopa, LLC
2019-10-11 AS12679 RU Iceberg Telecom Ltd.

The 206.195.224.0/19 block is currently being squatted on by AS12679, Iceberg Telecom (Moscow). It appears that this ASN is likewise squatting on a great number of other blocks as well:

https://bgp.he.net/AS12679#_prefixes

AS12679 (Iceberg) appears to be a "leaf" ASN, connected to the public Internet only via AS25227 (Avantel, Close Joint Stock Company, Moscow), which in turn appears to be getting more than 3/4ths of its own IPv4 connectivity from AS9002 (RETN):

https://bgp.he.net/AS25227

Suggest filtering all route announcements from both AS12679 -and- also AS25227 until they each decide if they would like to be part of the civilized internet.

======================================================================
[Source: whois://whois.arin.net 2020-01-27 04:18:39 UTC]

NetRange:       206.195.224.0 - 206.195.255.255
CIDR:           206.195.224.0/19
NetName:        THRIFT-NET-1
NetHandle:      NET-206-195-224-0-1
Parent:         NET206 (NET-206-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS12679
Organization:   Thrift Drug, Inc. (THRIFT)
RegDate:        1995-08-03
Updated:        2019-09-24
Ref:            https://rdap.arin.net/registry/ip/206.195.224.0

OrgName:        Thrift Drug, Inc.
OrgId:          THRIFT
Address:        100 Delta Drive
City:           Pittsburgh
StateProv:      PA
PostalCode:     15238
Country:        US
RegDate:        1994-03-15
Updated:        2019-08-14
Ref:            https://rdap.arin.net/registry/entity/THRIFT

OrgAbuseHandle: WEBBK16-ARIN
OrgAbuseName:   Webb, Kristi
OrgAbusePhone:  +1-885-923-1290
OrgAbuseEmail:  kwebb@thriftdrug.org
OrgAbuseRef:    https://rdap.arin.net/registry/entity/WEBBK16-ARIN

OrgTechHandle:  WEBBK16-ARIN
OrgTechName:    Webb, Kristi
OrgTechPhone:   +1-885-923-1290
OrgTechEmail:   kwebb@thriftdrug.org
OrgTechRef:     https://rdap.arin.net/registry/entity/WEBBK16-ARIN
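A defender-side check over the two data sources quoted in the message above (the RIPEstat origin history and the ARIN record), added here as an example that is not part of the original thread. The sample text is a constructed copy of what the message quotes, and the thresholds (more than two distinct origins, a 60-day edit-to-announcement window) are assumptions.

```python
"""Flag serial squatting on a legacy prefix from its BGP origin history and
cross-check the registry's OriginAS against it.  Added example, not from the
thread; the sample text is constructed to mirror the RIPEstat and ARIN output
quoted above, and the thresholds are assumptions."""
import re
from datetime import date

ROUTING_HISTORY = """\
2016-08-15 AS42861 RU Foton Telecom, CJSC Network Operation Centre
2017-12-08 AS65075 -- {{reserved ASN}}
2018-03-26 AS28191 BR Jupiter Telecomunicacoes e Informatica Ltda
2019-08-24 AS20473 US Choopa, LLC
2019-10-11 AS12679 RU Iceberg Telecom Ltd.
"""
ARIN_WHOIS = """\
CIDR:           206.195.224.0/19
NetType:        Direct Assignment
OriginAS:       AS12679
RegDate:        1995-08-03
Updated:        2019-09-24
Country:        US
"""
HISTORY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+AS(\d+)\s+(\S+)\s*(.*)$")

def parse_history(text):
    """Return (date, asn, country, holder) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = HISTORY_RE.match(line.strip())
        if m:
            d, asn, cc, holder = m.groups()
            events.append((date.fromisoformat(d), int(asn), cc, holder))
    return sorted(events)

def parse_whois(text):
    """Flatten 'Key: value' lines of an ARIN whois reply into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    return fields

def is_private_asn(asn):
    """RFC 6996 private ranges plus the RFC 7300 last-ASN values."""
    return 64512 <= asn <= 65535 or 4200000000 <= asn <= 4294967295

def assess(history_text, whois_text, max_origins=2, window_days=60):
    """Return a list of findings; an empty list means nothing looked odd."""
    events, whois, findings = parse_history(history_text), parse_whois(whois_text), []
    origins = {asn for _, asn, _, _ in events}
    if len(origins) > max_origins:
        findings.append(f"{len(origins)} different origin ASNs since {events[0][0]}")
    for d, asn, _, _ in events:
        if is_private_asn(asn):
            findings.append(f"private/reserved AS{asn} originated the prefix on {d}")
    last_date, last_asn, last_cc, _ = events[-1]
    reg_asn = whois.get("OriginAS", "")
    if reg_asn == f"AS{last_asn}":   # registry now agrees with the current announcer
        if last_cc not in ("--", whois.get("Country")):
            findings.append(f"registry OriginAS {reg_asn} is a {last_cc} network but the "
                            f"registrant's country is {whois.get('Country')}")
        gap = (last_date - date.fromisoformat(whois["Updated"])).days
        if 0 <= gap <= window_days:   # record edited shortly before the new origin appeared
            findings.append(f"record updated {gap} days before {reg_asn} began announcing it")
    return findings

if __name__ == "__main__":
    for finding in assess(ROUTING_HISTORY, ARIN_WHOIS):
        print("-", finding)
```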
Hi Ronald,

On Sun, Jan 26, 2020 at 09:00:33PM -0800, Ronald F. Guilmette wrote:
> legacy IPv4 block 206.195.224.0/19.
>
> The results were predictable. This /19 has been repeatedly squatted on in recent years, as shown by RIPEstat:
>
> https://stat.ripe.net/widget/routing-history#w.resource=206.195.224.1
>
> The 206.195.224.0/19 block is currently being squatted on by AS12679, Iceberg Telecom (Moscow).

This is somewhat curious:

job@vurt ~$ whois -hwhois.arin.net 206.195.224.0 | grep OriginAS
OriginAS:       AS12679

Usually, the "OriginAS" attribute can only be modified by whoever has access to the ARIN Online portal for this resource. Despite some technical challenges with the semantic meaning of the "OriginAS:" attribute, one thing should be clear: from an authorization perspective the OriginAS attribute should be viewed as equivalent to "route:" objects in the RIPE (not RIPE-NONAUTH) and APNIC databases. In other words, only the owner can set it - or an account was compromised.

You may want to report the following to ARIN:

job@vurt ~$ whois -hwhois.arin.net 206.195.224.0 | grep @thriftdrug.org
OrgAbuseEmail:  kwebb@thriftdrug.org
OrgTechEmail:   kwebb@thriftdrug.org

job@vurt ~$ whois thriftdrug.org | grep 'Creation Date'
Creation Date: 2019-08-15T23:00:51Z
Creation Date: 2019-08-15T23:00:51.00Z

The dates, the website at https://www.thriftdrug.org/, the non-US origin of the announcement all seem to suggest that someone discovered the block was dangling, the domain unregistered, and some quick registration & forgery could lead to treasure.

Kind regards,

Job
In message <20200127052621.GJ36653@vurt.meerval.net>, Job Snijders <job@ntt.net> wrote:
> The dates, the website at https://www.thriftdrug.org/, the non-US origin of the announcement all seem to suggest that someone discovered the block was dangling, the domain unregistered, and some quick registration & forgery could lead to treasure.

Yes. My apologies to all. I made a bit of a mistake here.

Note that I no longer use the term "hijacked" because it is too imprecise. These days I only use the terms "squatted" or "stolen", where the latter is a term that I reserve for cases where the relevant WHOIS record has actually been fiddled.

Upon further review, this block (206.195.224.0/19) now appears to have been stolen, i.e. with the (assumed unwitting) participation of ARIN.

As Job has noted, multiple aspects of the WHOIS record are most certainly non-conformant with common sense. I highlight these below. (I have attempted to call the new contact phone number and it is dead/disconnected.)

It is my hope, of course, that the apparent illicit take-over of this block was a product of garden variety incompetence @ ARIN, rather than, you know, the alternative.

It appears from ARIN WhoWas data that this takeover began on 2019-08-12 with additional fraudulent changes to the WHOIS also on 2019-08-14, 2019-08-15, and lastly 2019-09-24, when the OriginAS was fiddled to its present state.

==================================================================
[Source: whois://whois.arin.net 2020-01-27 04:18:39 UTC]

NetRange:       206.195.224.0 - 206.195.255.255
CIDR:           206.195.224.0/19
NetName:        THRIFT-NET-1
NetHandle:      NET-206-195-224-0-1
Parent:         NET206 (NET-206-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS12679                <========================= Russia ????
Organization:   Thrift Drug, Inc. (THRIFT)
RegDate:        1995-08-03
Updated:        2019-09-24
Ref:            https://rdap.arin.net/registry/ip/206.195.224.0

OrgName:        Thrift Drug, Inc.
OrgId:          THRIFT
Address:        100 Delta Drive
City:           Pittsburgh
StateProv:      PA
PostalCode:     15238
Country:        US
RegDate:        1994-03-15
Updated:        2019-08-14
Ref:            https://rdap.arin.net/registry/entity/THRIFT

OrgAbuseHandle: WEBBK16-ARIN
OrgAbuseName:   Webb, Kristi
OrgAbusePhone:  +1-885-923-1290        <================ dead/bogus
OrgAbuseEmail:  kwebb@thriftdrug.org   <=============== bogus/parked
OrgAbuseRef:    https://rdap.arin.net/registry/entity/WEBBK16-ARIN

OrgTechHandle:  WEBBK16-ARIN
OrgTechName:    Webb, Kristi
OrgTechPhone:   +1-885-923-1290        <================ dead/bogus
OrgTechEmail:   kwebb@thriftdrug.org   <=============== bogus/parked
OrgTechRef:     https://rdap.arin.net/registry/entity/WEBBK16-ARIN
Hi Ronald,

On Sun, Jan 26, 2020 at 09:40:13PM -0800, Ronald F. Guilmette wrote:
> In message <20200127052621.GJ36653@vurt.meerval.net>, Job Snijders <job@ntt.net> wrote:
> > The dates, the website at https://www.thriftdrug.org/, the non-US origin of the announcement all seem to suggest that someone discovered the block was dangling, the domain unregistered, and some quick registration & forgery could lead to treasure.
>
> Yes. My apologies to all. I made a bit of a mistake here.
>
> Upon further review, this block (206.195.224.0/19) now appears to have been stolen, i.e. with the (assumed unwitting) participation of ARIN.
>
> As Job has noted, multiple aspects of the WHOIS record are most certainly non-conformant with common sense. I highlight these below. (I have attempted to call the new contact phone number and it is dead/disconnected.)

Good call to try to phone them.

> It is my hope, of course, that the apparent illicit take-over of this block was a product of garden variety incompetence @ ARIN, rather than, you know, the alternative.

I think it is very counter-productive to frame things as 'incompetence @ ARIN'; we rather should assume positive intent. If this indeed is a case of theft, the attacker was sophisticated enough to understand the rules of the game and how to cheat them. The various registries may be tricked at times, that's part of life; the real failure would be if they don't act after the registration problem is reported to them. I have no reason to believe this will be the case. Please be nice Ronald! :-)

> It appears from ARIN WhoWas data that this takeover began on 2019-08-12 with additional fraudulent changes to the WHOIS also on 2019-08-14, 2019-08-15, and lastly 2019-09-24, when the OriginAS was fiddled to its present state.

This probably makes for a clear case of misuse of ARIN's services, and simply should be submitted to ARIN's Fraud Reporting process at https://www.arin.net/reference/tools/fraud_report/

If this is a case of theft, ARIN will revert the OriginAS change, which will impact NTT's "OriginAS to IRR" bridge, which in turn will result in the "route:" object disappearing from the IRR eco-system. This in turn will result in the automatic removal from various EBGP allowlists in places that generate their filters using IRR data, further hampering propagation of the BGP route.

Kind regards,

Job
In message <20200127055550.GK36653@vurt.meerval.net>, Job Snijders <job@ntt.net> wrote:
> I think it is very counter-productive to frame things as 'incompetence @ ARIN'; we rather should assume positive intent. If this indeed is a case of theft, the attacker was sophisticated enough to understand the rules of the game and how to cheat them. The various registries may be tricked at times, that's part of life; the real failure would be if they don't act after the registration problem is reported to them. I have no reason to believe this will be the case. Please be nice Ronald! :-)

Ok, just a couple of points:

#1) I *was* being nice! I *am* being nice. I am taking it as an a priori given that this is NOT another AFRINIC situation. That is only sheer generosity and kindness and deep regard on my part. I am applying Hanlon's razor.

#2) No, this is *not* just "part of life". The people at the RIRs are being paid to do a job. The job is to make allocations and keep track of who has them. Everything else they do, including all of the time and effort they all spend, e.g. arranging lavish conferences and explaining to everyone why they are not the routing police... all that stuff is secondary. Maybe this simple graphic will underscore my point:

https://i.kym-cdn.com/entries/icons/original/000/012/300/you-had-one-job34-5...

I'll tell you what Job, I'll make you a deal. You tell me what ARIN did to properly review and vet this request (i.e. for a change to who controls this legacy block) and then, if I am persuaded that they did that *and* that what they did was both reasonable and sufficient, then I'll grovel and beg forgiveness from all, including ARIN.

But from where I am sitting it does appear that there was exactly and only -zero- review of this take-over request. I mean that it appears that absolutely *nothing* was done in the way of vetting in this case. The age of the new contact domain... which would have been a BIG red flag... quite apparently wasn't checked. The web site associated with that domain name wasn't checked. And clearly nobody ever even tried dialing the new contact phone number, as I did, which took me all of ten seconds.

So what did the vetting consist of in this case, exactly? Whatever it was, please persuade me that I could not have hired a well-educated and well-qualified chimpanzee with a top-notch resume and paid him less money to perform the same job, thereby saving the ARIN membership thousands or tens of thousands per year.

Given that ARIN walks around, all day every day, with a huge "Kick me! I won't sue you if you do!" sign on its back, I think they need to take this vetting stuff a wee bit more seriously. It would be a different story if they had a reputation for coming down hard, in a legal sense, on anybody who tries to screw with them by pulling these kinds of fraud games on them. But in point of fact, and in the dark Internet underground where all of us decent people never go, they, ARIN, and indeed all of the RIRs have the exact opposite reputation, i.e. a reputation for their standing policy of always wanting to "catch and release" when it comes to fraudsters.

And what is the predictable outcome of this longstanding policy, when combined with inadequate due diligence in the vetting process? I'll tell you what it is. Right now, as we speak, the U.S. Department of Justice is spending my tax dollars to prosecute not one but -two- active criminal fraud prosecutions against two separate groups of fraudsters who ARIN allowed to snooker it.

Is shifting this burden onto the taxpayers fair? Is it made fair just because the respective memberships of each of the five RIRs do not wish to get their hands dirty by legally going after the fraudsters who mess with the RIRs, and because they do not wish to absorb the time, expense, and risk of handling these kinds of problems themselves, like most other businesses have to do?

Sorry, Job, but you hit a raw nerve as you can see. As far as I am concerned, the RIRs, and their ultimate parent, ICANN, seem to want to have their cake and eat it too. They don't want to spend the time or effort to do proper vetting, and yet when things like this happen, and when they are then, predictably, defrauded, they want someone else to fight their legal battles for them... using taxpayer money instead of member money. This creates a situation that is often referred to as "moral hazard", i.e. where one party doesn't have to absorb the actual costs if they recklessly gamble and then lose.

Thanks to the late great Jack Valenti, the MPAA and the RIAA already managed to successfully lobby to get the government to treat content piracy as a criminal offense, thus allowing the FBI to become the unpaid police force of the content producers while relieving said content producers of any obligation to solve their own damn problems.

So now, I ask you, how is the situation with the five RIRs any different? Nobody wants the RIRs to be the routing police. OK. Fine. But could they at least maybe take care of their own **** when it comes to their own data bases and the integrity thereof? Is that really too much to ask?

Regards,
rfg
On Sun, Jan 26, 2020 at 10:59:00PM -0800, Ronald F. Guilmette wrote:
> In message <20200127055550.GK36653@vurt.meerval.net>, Job Snijders <job@ntt.net> wrote:
>
> I'll tell you what Job, I'll make you a deal. You tell me what ARIN did to properly review and vet this request (i.e. for a change to who controls this legacy block) and then, if I am persuaded that they did that *and* that what they did was both reasonable and sufficient, then I'll grovel and beg forgiveness from all, including ARIN.

Hold on a second, are you sure there ever *was* a request to change who controls this legacy block? I am not so sure.

I suspect what happened is that the 'thriftdrug.org' domain name registration expired, and the alleged thief registered thriftdrug.org and created a *@thriftdrug.org mailbox, then proceeded to recover the username [1], then performed a password reset [2], logged into the portal, and *only* changed the OriginAS attribute.

The above procedure doesn't constitute a 'change of who controls it', but may be enough for AS12679 to get past some LOA/IRR barriers.

[1]: https://account.arin.net/public/recoverusername
[2]: https://account.arin.net/public/resetpassword

> But from where I am sitting it does appear that there was exactly and only -zero- review of this take-over request.

There was no take-over request, I'd call this impersonation or a compromised account.

> I mean that it appears that absolutely *nothing* was done in the way of vetting in this case. The age of the new contact domain... which would have been a BIG red flag... quite apparently wasn't checked.

Have you considered asking ARIN to take the 'domain name creation' date into consideration when usernames are retrieved or passwords are reset? Perhaps there are some simple heuristics that can be applied to improve the password reset process.

ARIN has a fine working process to publicly log enhancement requests called the 'ACSP': https://www.arin.net/participate/community/acsp/

ARIN would not be unique in having trouble preventing account compromises when the control over the domain name falls in the wrong hands.

Kind regards,

Job
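One way a registry could implement the "simple heuristics" Job proposes above, added here as an example that is neither ARIN's code nor part of the thread: it parses the registrar's 'Creation Date' line (in both forms Job's whois output shows) and refers a username recovery or password reset to manual review when the contact domain is brand new, is younger than the record it claims to control, or the record has been dormant for years. The two scenarios, the thresholds and the record's last-update dates are constructed assumptions.

```python
"""Domain-age gate for a registry's self-service username recovery or password
reset, along the lines Job suggests above.  Added example, not ARIN's code;
the request, the resource record and the domain whois text are constructed
(the dates echo the thread's thriftdrug.org timeline)."""
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Registrars print the creation stamp with or without fractional seconds.
CREATION_RE = re.compile(
    r"Creation Date:\s*(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z")

def parse_domain_creation(whois_text):
    """Earliest 'Creation Date:' in a domain whois reply, or None if absent."""
    stamps = [datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=UTC)
              for m in CREATION_RE.finditer(whois_text)]
    return min(stamps) if stamps else None

def reset_risk(request_time, contact_email, record, domain_whois,
               min_domain_age_days=90, dormant_years=5):
    """Return ('allow' | 'manual_review', reasons) for one reset request.
    record['Updated'] is the resource's last legitimate modification time."""
    reasons = []
    domain = contact_email.rpartition("@")[2].lower()
    created = parse_domain_creation(domain_whois)
    if created is None:
        reasons.append(f"no creation date found for {domain}")
    else:
        age = request_time - created
        if age < timedelta(days=min_domain_age_days):
            reasons.append(f"contact domain {domain} is only {age.days} day(s) old")
        if created > record["Updated"]:   # domain younger than the record it claims to own
            reasons.append(f"{domain} was registered after the record's last "
                           f"update on {record['Updated'].date()}")
    dormant = request_time - record["Updated"]
    if dormant > timedelta(days=365 * dormant_years):
        reasons.append(f"record untouched for {dormant.days // 365} years before this request")
    return ("manual_review" if reasons else "allow"), reasons

# Constructed scenario 1: lapsed contact domain re-registered yesterday, dormant legacy record.
SUSPECT_WHOIS = """\
Domain Name: THRIFTDRUG.ORG
Creation Date: 2019-08-15T23:00:51Z
Creation Date: 2019-08-15T23:00:51.00Z
"""
SUSPECT_RECORD = {"NetName": "THRIFT-NET-1", "Updated": datetime(1995, 8, 3, tzinfo=UTC)}
REQUEST_AT = datetime(2019, 8, 16, 12, 0, tzinfo=UTC)
# Constructed scenario 2: long-held contact domain, recently maintained record.
BENIGN_WHOIS = "Creation Date: 2010-01-02T00:00:00Z\n"
BENIGN_RECORD = {"NetName": "EXAMPLE-NET", "Updated": datetime(2018, 6, 1, tzinfo=UTC)}

def demo_suspect():
    return reset_risk(REQUEST_AT, "kwebb@thriftdrug.org", SUSPECT_RECORD, SUSPECT_WHOIS)

def demo_benign():
    return reset_risk(REQUEST_AT, "noc@example.net", BENIGN_RECORD, BENIGN_WHOIS)

if __name__ == "__main__":
    for name, fn in (("suspect", demo_suspect), ("benign", demo_benign)):
        decision, why = fn()
        print(name, decision, *why, sep="\n  ")
```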
In message <20200127071712.GN36653@vurt.meerval.net>, Job Snijders <job@ntt.net> wrote:
> Hold on a second, are you sure there ever *was* a request to change who controls this legacy block? I am not so sure.
>
> I suspect what happened is that the 'thriftdrug.org' domain name registration expired, and the alleged thief registered thriftdrug.org...

Nope. I have already looked at the ARIN WhoWas report. Here are the relevant records, with date stamps:

https://pastebin.com/raw/M3fDR7nh

> > But from where I am sitting it does appear that there was exactly and only -zero- review of this take-over request.
>
> There was no take-over request, I'd call this impersonation or a compromised account.

I agree that "impersonation" occurred. I *do not* agree that this was enabled by any kind of account compromise. Furthermore, I have no reason to believe that suddenly, after a couple of decades of utter dormancy, someone just guessed the account password needed to take control over this ARIN WHOIS record. (And in this instance I apply Occam's razor.)

> > I mean that it appears that absolutely *nothing* was done in the way of vetting in this case. The age of the new contact domain... which would have been a BIG red flag... quite apparently wasn't checked.
>
> Have you considered asking ARIN to take the 'domain name creation' date into consideration when usernames are retrieved or passwords are reset? Perhaps there are some simple heuristics that can be applied to improve the password reset process.

Thank you for a nice laugh Job! No, I have not suggested to ARIN how to do their jobs in this kind of a context. And no, I *do not* think that I should even have to suggest that such factors should be considered when giving someone control over a nice juicy legacy block that has sat dormant for a couple of decades. Nor do I think that -I- should have to suggest such a step to the ARIN folks for the simple reason that it is JUST TOO EFFING OBVIOUS... a fact which this present case renders even more bloody obvious than it already was.

> ARIN has a fine working process to publicly log enhancement requests called the 'ACSP': https://www.arin.net/participate/community/acsp/

Gee. Thanks Job. I just love to spend time jumping through mindless bureaucratic hoops, just so that I can claim the privilege of informing some folks of what should have been bloody obvious to those same folks from the get-go anyway.

> ARIN would not be unique in having trouble preventing account compromises when the control over the domain name falls in the wrong hands.

See above. That's not what happened in this case.

Regards,
rfg
All snide aside, did you report this prefix’s current state to ARIN through their fraud form? If not, I’m happy to do so.
In message <CACWOCC-=kRCxGMO7sodDBWXM9o9kFbdeKW+RK9B1Tihf7cWDOA@mail.gmail.com>, Job Snijders <job@instituut.net> wrote:
> All snide aside, did you report this prefix's current state to ARIN through their fraud form? If not, I'm happy to do so.

Negative. I did not do so and I shall not do so.

Like all of the RIRs, ARIN's forms and their procedures for dealing with these kinds of issues are, by intent, black holes. I give them the product of my hard work and my diligent effort and research and what do I get back? Do I get a bug bounty? No. Do I get a 10% finders fee for finding the facts that allow some block to be returned to its rightful (legacy) owner or to the RIR free pool? No. Do I get any kind of reward whatsoever? No. Do I at least get a courtesy follow-up after a certain period of time has elapsed, telling me whether they think I am right or wrong? NO! I don't get squat! I don't get either a confirmation, or a rebuttal. In fact I don't get anything at all. I don't even get a polite thank you.

But let's just forget about that. Do you really think that me filling out some bloody stupid form is really going to change the process -or- the outcomes? Do you seriously think that YOU filling out the form will have any better effect? If so, I'm going to have to ask you to defend that belief in light of the known facts. Do you really think that ARIN is utterly ignorant about this, even though I got an on-the-record ``no comment'' comment directly from John Curran about it before I even posted it?

https://mailman.nanog.org/pipermail/nanog/2019-August/102791.html

If not, then how do you explain the fact that after 5 months ARIN hasn't lifted a finger to do a damn thing about it?

Looking forward to you explaining this to me Job. I'm all ears.

Regards,
rfg

P.S. I don't need to seek out any web forms or any RIR if I want to experience first-hand this level of lethargic and studied inaction. As I like to tell people, if I ever want to experience this kind of utter lack of productive activity... well... I have relatives for that!
From: American Registry for Internet Numbers <do-not-reply@arin.net>
To: Job Snijders <job@ntt.net>
Message-ID: <1348607530.6148.1580136947348.JavaMail.wildfly@aosigner1.core.ash.arin.net>
Subject: Fraud Report Confirmed
Thank you for submitting this information.
Now that you have confirmed your report, ARIN staff will begin its research and analysis. All information collected by ARIN will be treated as confidential. However, please be aware that ARIN may be required to disclose this information if subpoenaed by a court of law.
Reports regarding Internet number resources managed and administered outside of the ARIN region will be referred to the appropriate Regional Internet Registry (RIR).
Should you have any questions or additional information to provide, please contact ARIN's Registration Services Department by phone at +1.703.227.0660 between 7am and 7pm ET or by email to ARIN Hostmaster <hostmaster@arin.net>.
This report has been assigned reference number:
[ARIN-20200127-F3061]
Please include this reference number in any future correspondence with ARIN regarding this report.
Regards,
Registration Services Department
American Registry for Internet Numbers
It appears changes have been made to the record, perhaps by ARIN staff.

$ whois -h whois.arin.net 206.195.224.0

NetRange:       206.195.224.0 - 206.195.255.255
CIDR:           206.195.224.0/19
NetName:        THRIFTD
NetHandle:      NET-206-195-224-0-1
Parent:         NET206 (NET-206-0-0-0-0)
NetType:        Direct Assignment
OriginAS:
Organization:   Thrift Drug, Inc. (THRIFT)
RegDate:        1995-08-03
Updated:        2020-01-28
Ref:            https://rdap.arin.net/registry/ip/206.195.224.0

The 'OriginAS:' attribute is now empty, also the 'Updated:' date changed.

Kind regards,

Job
In message <20200129091215.GK3622@vurt.meerval.net>, Job Snijders <job@ntt.net> wrote:
> It appears changes have been made to the record, perhaps by ARIN staff.
>
> $ whois -h whois.arin.net 206.195.224.0
>
> NetRange:       206.195.224.0 - 206.195.255.255
> CIDR:           206.195.224.0/19
> NetName:        THRIFTD
> NetHandle:      NET-206-195-224-0-1
> Parent:         NET206 (NET-206-0-0-0-0)
> NetType:        Direct Assignment
> OriginAS:
> Organization:   Thrift Drug, Inc. (THRIFT)
> RegDate:        1995-08-03
> Updated:        2020-01-28
> Ref:            https://rdap.arin.net/registry/ip/206.195.224.0
>
> The 'OriginAS:' attribute is now empty, also the 'Updated:' date changed.

Great! One down. Many more to go.

Regards,
rfg
On Mon, Jan 27, 2020 at 07:17:12AM +0000, Job Snijders <job@ntt.net> wrote a message of 50 lines which said:
> Perhaps there are some simple heuristics that can be applied to improve the password reset process.
"Simple heuristics"? That's not marketing enough. We want machine deep learning and Artificial Intelligence!