IRT object postal address
Colleagues
During the conversation we had some time ago about contacts we concluded that no one is going to visit a contact or post them a letter. The IRT object also had a mandatory address attribute that is defined in the documentation as: "This is a full postal address for the business contact represented by this irt object."
Does anyone think we actually need a postal address for a contact for a CSIRT team?
Cheers denis
denis walker via db-wg wrote on 19/07/2022 17:16:
Does anyone think we actually need a postal address for a contact for a CSIRT team?
the irt object was requested by the CSIRT community. It would be good to get input from them about this. Nick
In message <CAKvLzuFZDSk11aW=j0ufpNs5i+-2bmDHFkJ7pQfaUu-nhhEiFQ@mail.gmail.com> denis walker <ripedenis@gmail.com> wrote:
During the conversation we had some time ago about contacts we concluded that no one is going to visit a contact or post them a letter.
No, "we" didn't. Unless you are using the term "we" here in the royal sense.
The IRT object also had a mandatory address attribute that is defined in the documentation as:
"This is a full postal address for the business contact represented by this irt object."
Does anyone think we actually need a postal address for a contact for a CSIRT team?
Yes. I do.
You haven't yet answered _any_ of the fundamental questions I've asked about your ongoing efforts to hide information, to wit:
*) Other than you and Cynthia, who is asking for and/or demanding these various deliberate obfuscation steps?
*) Why is the hiding of information even a priority?
*) What is the plan? Who is going to do the work, when, and what is the cost?
*) Are these deliberate obfuscation steps still being justified on the basis of GDPR, or do you now accept as fact that GDPR is irrelevant in the context of the RIPE data base, and that it does not currently compel RIPE to make any changes to the public WHOIS data base whatsoever?
*) If the goal is to hide information, then why not just take the entire RIPE WHOIS data base offline and hide the whole thing behind some sort of permission-wall that can only be pierced with a legal warrant?
(That last question is, of course, the essential point, since that endpoint seems rather clearly to be the direction in which this is all headed.)
Regards, rfg
P.S. I really don't care if I am the only one on this mailing list who is representing the interests of law enforcement and legitimate security researchers, or if I have to endure the slings and arrows that come with that. It's a tough job, but somebody has to push back against all of these subtle incremental efforts to hide the WHOIS by chipping away at it, little by little.
Hi Ronald, Please see replies below. On Wed, Jul 20, 2022 at 4:52 AM Ronald F. Guilmette via db-wg <db-wg@ripe.net> wrote:
In message <CAKvLzuFZDSk11aW=j0ufpNs5i+-2bmDHFkJ7pQfaUu-nhhEiFQ@mail.gmail.com> denis walker <ripedenis@gmail.com> wrote:
During the conversation we had some time ago about contacts we concluded that no one is going to visit a contact or post them a letter.
No, "we" didn't. Unless you are using the term "we" here in the royal sense.
The IRT object also had a mandatory address attribute that is defined in the documentation as:
"This is a full postal address for the business contact represented by this irt object."
Does anyone think we actually need a postal address for a contact for a CSIRT team?
Yes. I do.
You haven't yet answered _any_ of the fundamental questions I've asked about your ongoing efforts to hide information, to wit:
*) Other than you and Cynthia, who is asking for and/or demanding these various deliberate obfuscation steps?
It might mostly be me and Denis advocating for this policy change, however there haven't been a lot of people active on the db-wg lately in any discussions. Additionally I have only seen you and one other person primarily argue against this proposal. I seem to recall some people being supportive of this idea at RIPE84 but I do not remember the details so take that with a grain of salt.
*) Why is the hiding of information even a priority?
Hiding information is good from a privacy standpoint so you have to weigh the benefit of having the data public against the privacy implications of publishing it. (and consider any potential legal issues/requirements)
*) What is the plan? Who is going to do the work, when, and what is the cost?
The implementation details would be discussed later as Denis has said, however obviously it would be the RIPE NCC that would do the work of actually implementing it.
*) Are these deliberate obfuscation steps still being justified on the basis of GDPR, or do you now accept as fact that GDPR is irrelevant in the context of the RIPE data base, and that it does not currently compel RIPE to make any changes to the public WHOIS data base whatsoever?
Denis has already mentioned in an email regarding 2022-01 that he will not address any more GDPR issues until there has been a legal review as many of us are not lawyers. While I can't speak for Denis, you have not convinced me that GDPR is somehow irrelevant in the context of personal data but I also don't want to discuss it further until the NCC legal team has done their legal review.
*) If the goal is to hide information, then why not just take the entire RIPE WHOIS data base offline and hide the whole thing behind some sort of permission-wall that can only be pierced with a legal warrant?
(That last question is, of course, the essential point, since that endpoint seems rather clearly to be the direction in which this is all headed.)
This question is not really an "essential point" in my opinion as there is a big difference between hiding postal addresses and hiding abuse email addresses and route(6) objects. I would argue that a postal address is very rarely needed in the context of networks while abuse email addresses and route(6) objects are important to the operation of many networks.
Regards, rfg
P.S. I really don't care if I am the only one on this mailing list who is representing the interests of law enforcement and legitimate security researchers, or if I have to endure the slings and arrows that come with that. It's a tough job, but somebody has to push back against all of these subtle incremental efforts to hide the WHOIS by chipping away at it, little by little.
-Cynthia
In message <CAKw1M3MEHHC63+BfS7P365F0Cw6hcGuOKKq0ZaTS+evtdiZDoQ@mail.gmail.com> Cynthia Revström <me@cynthia.re> wrote:
*) Why is the hiding of information even a priority?
Hiding information is good from a privacy standpoint so you have to weigh the benefit of having the data public against the privacy implications of publishing it. (and consider any potential legal issues/requirements)
Transparency is good from an accountability standpoint. And in my opinion, we have far far too little accountability on the Internet. Practically every day now one can find stories about "hackers" and "cybercriminals" and everyone just shrugs and goes back to work as if this is the way that things have to be, or that they are supposed to be.
My position is simple: If you want to be anonymous, then get yourself a pseudonym account on Twitter, or Facebook, or YouTube, or whatever, and then blast away. Or alternatively, get yourself a domain name with all of the WHOIS data redacted and then arrange web site hosting for that, either on one IP of one hosting company, or several. But somewhere up the chain there needs to be accountability, always. It is *not* a God-given right to have an IP address block or an ASN. It is a privilege. And that special privilege should be reserved for those who are willing to be held accountable for what goes on upon their networks.
You and Denis are trying to _remove_ accountability from the equation, and I remain steadfast in asserting that this will only benefit criminals.
*) Are these deliberate obfuscation steps still being justified on the basis of GDPR, or do you now accept as fact that GDPR is irrelevant in the context of the RIPE data base, and that it does not currently compel RIPE to make any changes to the public WHOIS data base whatsoever?
Denis has already mentioned in an email regarding 2022-01 that he will not address any more GDPR issues until there has been a legal review as many of us are not lawyers.
I'm sure that I saw someone post here quite recently that he had checked with RIPE legal already, and had already been assured that RIPE is _not_ facing any current or imminent legal jeopardy with the status quo as it now exists, either in relation to GDPR or in relation to any other applicable law or regulation. If you need me to do so, I will find that posting in the archives and I'll copy it here.
While I can't speak for Denis, you have not convinced me that GDPR is somehow irrelevant
I don't see how or why it should be incumbent upon either me or anyone else to persuade either you or Denis that no change needs to be made. You and he are putting forward and supporting this proposal for a _change_ in the current status quo. It is thus necessary for you folks to make a persuasive case that a change _is_ needed, rather than for me or anyone else to make a case that it isn't.
*) If the goal is to hide information, then why not just take the entire RIPE WHOIS data base offline and hide the whole thing behind some sort of permission-wall that can only be pierced with a legal warrant?
(That last question is, of course, the essential point, since that endpoint seems rather clearly to be the direction in which this is all headed.)
This question is not really an "essential point" in my opinion as there is a big difference between hiding postal addresses and hiding abuse email addresses and route(6) objects.
You are doing just what Denis has done so far in relation to this whole thing... You are evading the question. If transparency is "bad" and secrecy is "good" then why not take that general principle to its final and logical conclusion? Why not just take the whole WHOIS data base offline entirely?
It's a simple question. I'd like to see either you or Denis answer it, rather than evade it.
Regards, rfg
Ronald
(For those who don't read long emails...) The bottom line is that this proposal recommends to remove postal addresses of contacts, not publish the 'full' postal address of natural persons holding resources, replace personal data with business data and generally bring the contents of the RIPE Database into line with the defined purposes.
---
Now to answer Ronald's points...
You have your own (hidden) agenda Ronald, which is fine. But don't expect everyone to fall into line behind you. Most people know your tactics. Repeat the same nonsense and conspiratorial theories over and over and over again until people believe they must be true. You lock onto a phrase or even a word and create an entire fear mongering story around it. Then keep asking the same irrelevant questions and demanding answers. This is not how to have a professional discussion, it is a Trump/Johnson style campaign.
Let's kill off some of your fear stories. I am NOT against accountability, NOT helping cybercriminals, NOT proposing anonymity, NOT obfuscating half the database, NOT proposing secrecy and NOT avoiding transparency.
As for GDPR, the only person obsessed with it is you Ronald. It is not even mentioned in the proposed policy text. You use it to confuse all discussions on the content of the database. GDPR is only one of the factors concerning the content of the RIPE Database. There are defined purposes for the database. As the RIPE Database Task Force pointed out, we should minimise the amount of data needed to fulfil those defined purposes. That is the overriding principle governing what should go into the database and what remains in the database. Most people did accept that in order to resolve internet operational issues (one of the main purposes of the database) no one is going to visit or post a letter to a contact in the RIPE Database. Therefore contacts don't need postal addresses.
Whilst you may feel there is a need for a postal address for a contact for an IRT object, as Nick said, the opinions of CSIRT teams are more relevant. You have said yourself many times that the database is full of garbage. When you demand irrelevant data and force people to enter information they prefer not to provide which is not even covered by the database purposes, you increase the chances of some people entering false or misleading information.
The only 'crusade' I am on is to bring the contents of the RIPE Database into line with the minimum information required to fulfil the defined purposes of the database and any legal requirements. We can have a healthy discussion on interpretations of that minimum information, but we should not be arguing over the principle. Forcing people (with mandatory attributes) to enter 'interesting' but not relevant information leads to a corrupt and diluted database that is less useful to anyone. Even optional attributes that are not relevant, dilute the important information.
You can wish for any information you like to be in the RIPE Database Ronald, but if it is not essential for the defined purposes, it is not going to be there. Feel free to propose your own policies to change the purposes of the database and store certified photos of all contacts and their families if you believe that is necessary for your use of the database...or set up your own database.
cheers denis proposal author
On Thu, 21 Jul 2022 at 06:01, Ronald F. Guilmette via db-wg <db-wg@ripe.net> wrote:
In message <CAKw1M3MEHHC63+BfS7P365F0Cw6hcGuOKKq0ZaTS+evtdiZDoQ@mail.gmail.com> Cynthia Revström <me@cynthia.re> wrote:
*) Why is the hiding of information even a priority?
Hiding information is good from a privacy standpoint so you have to weigh the benefit of having the data public against the privacy implications of publishing it. (and consider any potential legal issues/requirements)
Transparency is good from an accountability standpoint. And in my opinion, we have far far too little accountability on the Internet. Practically every day now one can find stories about "hackers" and "cybercriminals" and everyone just shrugs and goes back to work as if this is the way that things have to be, or that they are supposed to be.
My position is simple: If you want to be anonymous, then get yourself a pseudonym account on Twitter, or Facebook, or YouTube, or whatever, and then blast away. Or alternatively, get yourself a domain name with all of the WHOIS data redacted and then arrange web site hosting for that, either on one IP of one hosting company, or several. But somewhere up the chain there needs to be accountability, always. It is *not* a God-given right to have an IP address block or an ASN. It is a privilege. And that special privilege should be reserved for those who are willing to be held accountable for what goes on upon their networks.
You and Denis are trying to _remove_ accountability from the equation, and I remain steadfast in asserting that this will only benefit criminals.
*) Are these deliberate obfuscation steps still being justified on the basis of GDPR, or do you now accept as fact that GDPR is irrelevant in the context of the RIPE data base, and that it does not currently compel RIPE to make any changes to the public WHOIS data base whatsoever?
Denis has already mentioned in an email regarding 2022-01 that he will not address any more GDPR issues until there has been a legal review as many of us are not lawyers.
I'm sure that I saw someone post here quite recently that he had checked with RIPE legal already, and had already been assured that RIPE is _not_ facing any current or imminent legal jeopardy with the status quo as it now exists, either in relation to GDPR or in relation to any other applicable law or regulation. If you need me to do so, I will find that posting in the archives and I'll copy it here.
While I can't speak for Denis, you have not convinced me that GDPR is somehow irrelevant
I don't see how or why it should be incumbent upon either me or anyone else to persuade either you or Denis that no change needs to be made. You and he are putting forward and supporting this proposal for a _change_ in the current status quo. It is thus necessary for you folks to make a persuasive case that a change _is_ needed, rather than for me or anyone else to make a case that it isn't.
*) If the goal is to hide information, then why not just take the entire RIPE WHOIS data base offline and hide the whole thing behind some sort of permission-wall that can only be pierced with a legal warrant?
(That last question is, of course, the essential point, since that endpoint seems rather clearly to be the direction in which this is all headed.)
This question is not really an "essential point" in my opinion as there is a big difference between hiding postal addresses and hiding abuse email addresses and route(6) objects.
You are doing just what Denis has done so far in relation to this whole thing... You are evading the question. If transparency is "bad" and secrecy is "good" then why not take that general principle to its final and logical conclusion? Why not just take the whole WHOIS data base offline entirely?
It's a simple question. I'd like to see either you or Denis answer it, rather than evade it.
Regards, rfg
My apologies to all for this tardy reply. I am juggling too many alligators. In message <CAKvLzuE+RoNgGXL8TU3r4E5dOtOd3uweB9UzFJhgnOmpBruU+g@mail.gmail.com> denis walker <ripedenis@gmail.com> wrote:
{... snipped...}
There's a famous line from the classic Paul Newman movie "Cool Hand Luke" (1967) that I am often reminded of: "What we have here is a failure to communicate."
Although I place the odds of my being able to rectify this unfortunate state of affairs at no better than 50/50 I am obliged now to at least make the attempt, which I shall do by providing some brief context about myself and my background which may help to explain my outlook and viewpoint(s). I will then expend a few electrons also on explaining exactly why the data that is being proposed for redaction is of value to open source researchers, and thus, by implication, why none of it should actually be redacted.
Many people on this list, and elsewhere, don't know a thing about me and thus don't know why I tilt so strongly in the direction of transparency and accountability over personal privacy, at least in some contexts.
Briefly, I have been on the Internet since before it was the Internet. After graduating MS/CS, in the year 1984 I took a software development job with a small software company in Silicon Valley that was developing educational software for what was then the recently introduced IBM PC. (That company has long since gone bust.) I had several job offers to choose from at that time, but I specifically elected to join that company because they had a shiny new DEC VAX 11/750 _and_ a connection to what was then still called the Arpanet. I had a strong suspicion, even back then, that networking of computers would become an important thing to know about in the future.
Fast forward to around 1999/2000 and you'll find me at home in Sunnyvale, California doing contract software development work in the second bedroom of my apartment on my personal Sun workstation which had its own unique node name on what was called USENET, which was somewhat of a forerunner of the Internet, at least for a lot of us who could only afford dial-up connections at that time. At around this time, email spam became a thing.
I was horrified. In that era, back before the arrival of the many "instant messenger" apps that we know today, email _was_ our "instant messaging" and I usually responded to incoming emails within seconds. You may all thus understand my irritation at being frequently interrupted from what I was doing by the latest piece of incoming email spam... those frequent interruptions producing in me a state of mind that was arguably similar to a type of enraged psychosis.
I knew then as I know now that mass email spamming could be the death knell of email as a useful interpersonal communications medium if left unchecked. And indeed, in some of the years since, some estimates have put the percentage of total emails sent that are spam as high as 95%.
I resolved way back at the dawn of the new millennium to do all that I could to fight back against this scourge of spam. In the period 2005-2008 I was among the first people in the United States to actually sue spammers under the relatively new state and federal anti-spam laws. This effort was unfortunately hamstrung by my relatively ineffective legal representation at the time, but it did produce at least some deterrent effect, and also at least some positive results in the way of putting some spammers out of business.
One of the first lessons my attorney taught me during this time period was one that seems self-evident when you know anything about legal processes: Before you can sue someone you have to know both who they are and where they are... so that you can name them and serve them with papers. Because spammers, both then and now, go to extraordinary lengths to hide both who they are and where they are, it was.. and remains... far more of a challenge to find this information than most people would imagine.
And since my lawyer was a relative neophyte at doing what has since become known as "open source research" it fell to me to try to suss out the identities and locations of various spammers so that we could sue them, based mostly on whatever small scraps of information and inference could be had in relation to any given case/spammer. I dove into this task head first and over the years have become pretty good at teasing out the identities of these Internet miscreants to the point where nowadays, due to various data bases I have access to and various software tools I have written, I can positively identify upwards of 90% of all spammer operations, because even though they try their best to obfuscate both who they are and where they are, almost all of them make a number of small mistakes -- small slip-ups in their OPSEC that can be leveraged against them.
More recently, I have applied a lot of these same techniques and open source research approaches to finding and outing other types of Internet miscreants, and I have had much good success at this also.
But to return to the beginning, as noted above, I started down this path because _my_ privacy was being routinely violated... by email spammers. I am an ardent believer in personal privacy, but I also believe fervently in transparency and accountability, specifically for those Internet miscreants who abuse the privacy of others, as spammers routinely do, as well as any and all criminals on the Internet. They deserve no quarter and I give them none.
In the old days, if one was being spammed from some domain name `D', and if one wanted to find out who was doing this, then one could begin by simply looking at the WHOIS record for domain `D' to find out who registered that domain name. This was, of course, most helpful to any effort to hold the relevant spammer(s) accountable.
All that began to change when ICANN, in its infinite wisdom (and under pressure from greedy and unprincipled commercial interests) decided to approve a scheme under which people could use proxy agents to register domain names on their behalf, paying the proxy agent some small fee in return for the proxy agent putting _their_ contact information into the relevant WHOIS records instead of the {name,address,phone,email} info that belonged to the actual domain name registrant. Naturally, this new ICANN-approved "feature" quickly became a huge leap forward and a huge advantage to spammers and other Internet miscreants who wished to hide themselves from any and all public accountability. And vast numbers of them have since leveraged this ICANN-approved "feature" to the hilt.
More recently, an even more deleterious and damaging innovation has arisen, this time with only the tacit and implicit blessing of ICANN, which, we should remember, is funded 100% via domain registration fees. In a nutshell, the arrival of GDPR has allowed most domain name registrars, both large and small, to make two claims, only the first of which is even arguably true:
*) GDPR compels us to redact out of the domain name WHOIS records that we publish the normal contact information in cases where the domain name registrant is a natural person.
*) It is too hard for us to figure out which domain names are registered to entities other than natural persons, so we're just going to redact out ALL information from ALL of the WHOIS records that we publish (and if ICANN doesn't like the fact that this is a clear breach of our accreditation agreement then they can sue us).
The result of these two claims, and of ICANN's reluctance to actually hold any of the accredited registrar companies that send them fat checks every month accountable means that today, and for some several years now, many/most domain name registrars have redacted out all or nearly all useful information from all or essentially all domain name WHOIS records. This is true for GoDaddy, for Enom, and for many many others.
Quite obviously, this makes the task of holding domain name registrants publicly accountable essentially impossible, short of a full blown lawsuit, and expensive _preliminary_ discovery, just to find out who the hell the real domain name registrant even is. In effect, any small-time crime associated with a given domain name is not worth anyone going to court over unless the loss involved amounts to at least a five figure sum, in either dollars or euros. All of the small time crooks and all spammers thus get what amounts to a free pass, all courtesy of reg domain registrars and their lapdog/lobbyist, ICANN.
(Note that the one and only party that has legal "standing" to sue over these gross breaches of written and signed ICANN accreditation agreements is ICANN. None of us mere mortals can do a damn thing about any of this crap if ICANN itself doesn't feel like doing anything about it. And ICANN clearly doesn't. It quite sensibly has elected not to bite the hands that feed it, i.e. the domain name registrar companies.)
For years the domain name registrar companies have all wanted to make WHOIS records... which to them represent their customer lists... private. The reason is both simple and obvious. They don't want their competitors poaching their customers from them... something that might be possible if domain name WHOIS records were not redacted.
And indeed, domain name registrars became a LOT more interested in the idea of suppressing the traditional domain name WHOIS records after one company among them (Verio) was caught red handed, poaching customers from a competing domain name registrar (Register.com) back in 2000:
https://www.whoisfinder.com/news/200007/verio-poach-customers.html
The bottom line is that for anyone doing "open source" research, the greed of the for-profit domain name registration industry, coupled with the obvious connivance of ICANN has rendered the entire WHOIS system for domain names utterly useless. And it has been in that state for several years already. The whole damn thing is just one big joke now... a sad and moribund echo of a forgotten era when people of good will who believed in accountability made the rules on the Internet, rather than corporations, jealously guarding what they feel are their proprietary corporate secrets and interests.
This... the utter destruction of the entire global WHOIS system for domain names... was all done using GDPR as a convenient and readily available excuse, even though by its clear terms GDPR only applies to the personal information of natural persons and _not_ to the contact information for corporate entities, or academic or government institutions. The domain name registrar companies don't care. They happily threw out the baby with the bathwater and have redacted _all_ domain name WHOIS records, regardless of the type of legal entity (natural or non-natural) of the associated registrant. (Meanwhile, ICANN stands around with its thumb firmly up its backside, because it suits ICANN's obvious financial interests not to make any waves about any of this.)
The above is the backdrop against which everyone should consider these recent proposals to redact stuff out of the RIR WHOIS data bases. There is history and there is precedent to be mindful of, i.e. the global WHOIS system for domain names.
That has ended as badly as possible, as any fair-minded and neutral observer with open eyes can readily see. The entire system was whittled away, little by little, until it was rendered entirely useless by the purely commercial interests that had an agenda to kill it by any means necessary (and GDPR became their convenient excuse to do exactly that). This end result may serve those narrow commercial interests. I would argue however that by reducing public accountability, this final death of the domain name WHOIS system has _not_ served the interests of the broader worldwide community of Internet end users, and that quite the opposite, we all got screwed.
But let's get down to brass tacks and look at the specific claims that have been made in defense of these recent RIPE WHOIS redaction proposals.
The easiest claim to dispense with is denis' claim that I have some sort of secret unspoken agenda. I have none. My only agenda is the same one that I have been quite publicly pursuing for more than 20 years now, i.e. transparency and public accountability for public acts. (And I should clarify that as far as I am concerned, ownership of a domain name or a block of IP addresses on the global Internet is inherently a very public act. Anyone wishing anonymity can easily obtain that by availing themselves of the ample opportunities for anonymous speech provided by any number of existing services and/or web sites on the Internet that cater to exactly that, and anyone who claims that they can't speak or interact freely on the Internet without owning their own domain name or IP block is simply lying in defense of an inherently and provably indefensible position.)
Conversely, I believe that it is more than a little appropriate to raise the question of the unstated and private political agendas of the only two people who seem to be pushing these redaction proposals.
I believe that their views on these matters may be rightly considered to be out of the mainstream, and perhaps even motivated by personal rather than public interests.
Denis goes on to argue that because no one will ever physically visit any mailing address that is present in any RIPE WHOIS record, that these things are thus, and by definition, useless. He further argues that since any address or any other member-specific field in any RIPE WHOIS record may have been entered, by the member, with malice aforethought and to be intentionally and deliberately wrong and misleading, that this information cannot be either used or useful.
Speaking as one who has twenty+ years of open source research to his credit I assert most adamantly that both of these contentions on Denis' part are not only wrong, but provably so.
It is not necessary to physically visit a given mailing address in order for that address to be useful to a researcher. Through the wonders of modern technology, it is now possible, courtesy of Google Street Views to virtually stand outside of the (alleged) place of business of the vast majority of RIPE members no matter where on planet earth they claim to be. And I myself have done so innumerable times -- an exercise which can be quite enlightening in many cases. For example, if you find yourself virtually standing out in front of what should be a web hosting company, but are instead face to face with a plastics recycling plant, then that fact alone can and does speak volumes about the honesty, or lack thereof, of the web hosting company in question.
Separately and additionally, just by googling the alleged street address of a given member, or a given member's purported admin or tech contact, you can often learn things that can be of much interest to a legitimate open source researcher.
One such case arose recently in connection with an ARIN member, designated by the symbolic handle SL-206, whose purported mailing address in the Caribbean nation of Nevis & St. Kitts turns out to be one that is inhabited by a veritable plethora of corporate entities, all apparently doing business out of the same single tiny mailbox on the island of Nevis. (For more info on this case, see the recent large thread about this on the ARIN Public Policy mailing list -- arin-ppml.)

Finally, and perhaps somewhat counter-intuitively to those who are not in the habit of doing open source research, it is not necessary for the mailing address of any given person or entity to be _either_ correct / accurate _or_ even real in order for the address itself to be useful to researchers. As noted in the preceding paragraphs, one of the first things that any researcher worthy of the name will do when given an address, either real or fictitious, is simply to google it. I cannot count the number of times that this extremely simple-minded and obvious step has led to a wealth of other relevant and useful information, even if the address in question is totally fictitious. (A lot of spammers and cybercriminals are just lazy, and once they have selected and begun to use a given mailing address, even if it is totally fake, like "1 North Pole", they quite often will use it over and over again, in connection with other Internet resources they have registered and/or on various web sites, including but not limited to social media web sites.)

In addition to all the points above, I should also note, for completeness, that sometimes it isn't even the specific text of a mailing address that is of significance to the researcher. Sometimes it can even be just the form or format of the address that represents a telltale sine qua non of a particular Bad Actor.
I know of at least one case where I have already found this to be true, some time ago, in relation to one specific Bad Actor in the RIPE region, specifically. But I shall not discuss that case at all here or now.

For now, I will just mention a different case that I worked of a spamming enterprise that almost invariably registered its multitudes of domain names with Register.com and which invariably did use mailing addresses that all ended with some specific box number. I can't go into this case in too much depth either, but suffice it to say that although the number and street name and the box number were always different, the lexical syntax in which these three address elements appeared in all of the relevant domain name WHOIS records was both somewhat unique, and also always the same. Here again, even though I would indeed never physically visit any of these P.O. boxes, and even though none of them may have even really existed, the mere presence of the lexically/stylistically consistent mailing addresses was useful when it came to being able to associate multiple (domain name) assets with a single specific Bad Actor.

The bottom line is that assumptions about what may or what may not be useful, e.g. to open source researchers, should probably not be made by people who are not themselves actively engaged in doing this often difficult work. For us, *all* information is potentially useful, and this fact alone explains why I personally hold the opinion that I do with respect to current proposals to perform what would seem to be unnecessary data redactions... redactions that are being pushed by just two individuals, apparently based on (a) misunderstandings of applicable law and also (b) personal preferences and prejudices that value privacy above either transparency or accountability.

Regards, rfg
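The two address-based correlations described in the message above (the same address reused across registrations, and different addresses written in one consistent lexical format), sketched as an added example that is not part of the original thread. The resource names, the addresses other than "1 North Pole", and the `9`/`A` shape alphabet are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not real WHOIS data): (resource, postal address)
RECORDS = [
    ("example-a.test", "4120 Birch Road - Box #118, Springfield"),
    ("example-b.test", "77 Canal Street - Box #9031, Riverton"),
    ("example-c.test", "905 Old Mill Lane - Box #27, Lakeside"),
    ("example-d.test", "1 North Pole"),
    ("example-e.test", "1  north pole."),
    ("example-f.test", "12 High Street, Suite 4, Exampleton"),
]


def normalize(address):
    """Case-fold and drop punctuation and extra spaces, so that
    trivially varied copies of one address compare equal."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", address.lower()).split())


def shape(address):
    """Reduce an address to its lexical shape: digit runs become 9,
    words become A, runs of words collapse, punctuation is kept."""
    s = re.sub(r"\d+", "9", address)
    s = re.sub(r"[A-Za-z]+", "A", s)
    s = re.sub(r"\s+", " ", s).strip()
    return re.sub(r"A( A)+", "A", s)


def cluster(records, key):
    """Group resources by key(address); keep only keys shared by 2+ records."""
    groups = defaultdict(list)
    for resource, address in records:
        groups[key(address)].append(resource)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    print("same address reused:", cluster(RECORDS, normalize))
    print("same lexical format:", cluster(RECORDS, shape))
```

A shared shape is only a lead for further correlation, since common address layouts produce common shapes; the signal is strongest when the shape is unusual, as with the ` - Box #` form in the constructed data.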
Hi, (please see below) On Wed, 20 Jul 2022, Cynthia Revström via db-wg wrote: (...)
This question is not really an "essential point" in my opinion as there is a big difference between hiding postal addresses and hiding abuse email addresses and route(6) objects. I would argue that a postal address is very rarely needed in the context of networks while abuse email addresses and route(6) objects are important to the operation of many networks.
"very rarely" doesn't mean it is never needed. After phone calls don't work, e-mails which aren't answered, the last resort is to send a letter with delivery notification to a postal address. And yes, we already had to do that before "pulling a cable", just to be totally in line with our local/national laws. The postal address is the "last line". It can be argued if it could be optional or mandatory, but it should undoubtably be part of the database's structure. Best Regards, Carlos (Security Team/CSIRT hat=on)
participants (5)
- Carlos Friaças
- Cynthia Revström
- denis walker
- Nick Hilliard
- Ronald F. Guilmette