Re: US DOJ victim letter

["Robert E. Seastrom" <rs () seastrom com>]

bmanning () vacation karoshi com writes:

> I missed the part where ARIN turned over its address database
> w/ associatedd registration information to the Fed ... I mean
> I've always advocated for LEO access, but ther has been
> significant pushback fromm the community on unfettered access
> to that data.  As I recall, there are even policies and
> processes to limit/restrict external queries to prevent a DDos
> of the whois servers.  And some fairly strict policies on who
> gets dumps of the address space.  As far as I know (not very
> far) bundling the address database -and- the registration data
> are not available to mere mortals.
>
> So - just how DID the Fed get the data w/o violating ARIN policy?

Hi Bill,

In case you're not trolling here (occam's razor says I'm giving you
too much credit), a few points:

   1) There has been substantial involvement by Federal LE at ARIN PPMs
   in terms of pushing for policy that makes WHOIS data more accurate...
   including one person who served on the ARIN AC after he went to work
   in the private sector.

   2) LE can type "show ip bgp" too and only needs to hit a whois server
   once per ASN.

   3) There is a bulk whois policy.  Whether "hi, we now have the
   reins of a compromised botnet or whatever and want to reach out to
   let people know that they're pwn3d" falls under the rubric of
   "Internet operational or technical research purposes pertaining to
   Internet operations" is left as an exercise to the reader.

   Section 3.1 of the NRPM says that Bulk Whois "... point of contact
   information will not include data marked as private."

   As I outlined in #2 above, a full or partial dump is not really
   something that's necessary.

   https://www.arin.net/resources/agreements/bulkwhois.pdf

I'm pretty confident there were no policy violations here.

-r