[ppml] /29 limit for ARIN SWIP whois

[Ted Mittelstaedt]

>-----Original Message-----
>From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On Behalf Of
>Leo Bicknell
>Sent: Wednesday, January 09, 2008 11:17 AM
>To: Public Policy Mailing List
>Subject: Re: [ppml] /29 limit for ARIN SWIP whois
>
>
>In a message written on Wed, Jan 09, 2008 at 02:01:19PM -0500, 
>Paul G. Timmins wrote:
>> I'm not sure what their upstream's abuse POC would have done in the
>> above circumstances, but I'm glad they populated whois.
>
>Note, I know of at least two ISP's that switched from rwhois to
>SWIP solely so their customers information would be visible to the
>general public.  They preferred to have the customer contacted
>directly first, rather than have their abuse desk deal with all
>complaints.  That's a business model choice.
>

You can publish this in an rwhois org object that is trivial to
lookup.  You can in fact publish both SWIPs and run an rwhois
server.

>I don't advocate removing that choice.  If an ISP wants to publish
>down to the /32 level, more power to them.  Indeed, if you look at
>RIPE's whois server, not only can you publish that level of detail,
>but the end ISP is given "remarks" fields where they can populate
>information like how to contact them, what their BGP communities
>mean and all sorts of other information.  It would be valuable if
>ARIN had that sort of facility.  RIPE proves that such optional
>fields would be used by many ISP's.
>

We have that with rwhois now.

>However, while I think ISP's should have the option of putting more
>data in whois, via more interfaces (web, api, e-mail templates) I
>am strongly opposed to requireing any data beyond who arin made an
>assignment or allocation to public.  We should not have to "out"
>grandma because she bought a DSL line.

Then propose a "residential" exception similar to what was done
with domain names.  I won't support it, but if you really were
concerned about Grandma this would work for it.

>There should not be a privacy
>divide between static and DHCP addresses.  Saying you can't have a
>"unlisted" IP address without having an unlisted phone number is
>silly.
>

Why is it silly?  I think your only calling it silly because you
cannot think of a reasonable and logical argument against it.

>Moreover, if Grandma's computer is taken over by a bot is it better
>to have random people on the internet e-mailing her, calling her,
>showing up at her door with pitchforks in hand yelling "stop scum!"
>or is it better for her ISP to be notified; someone she is paying
>for support and has technicians who can walk her through installing
>AV software (that many ISP's provide for free)?
>

If Grandma owns a car and gets into her car and drives it, and
runs over a pedestrian, should we not publish the accident in
the newspaper over privacy concerns?

Your advocating Internet usage without identification, which is
the root problem that is what has led to spam and identity theft.

If Grandma cannot deal with the possibility that someone might
show up with a pitchfork, she should not be on the Internet.

In any case, your showing your bigotry.  Given a choice between
being at your house when the angry mob comes, and being at 
Grandma's house, I'd choose Grandma over you any day.  I'll
bet money that most Grandmas out there could handle an angry
mob better than you could.

>If a computer is run by a real bad actor, a criminal enterprise
>making millions of dollars off of spam would you rather have them
>simply kicked off a provider only to reappear on another, or would
>you rather have them put in prision?  Mob justice only accomplishes
>the former, and makes it harder for law enforcement to do the latter
>as peole are not working with them to get them the information they
>need, and the result of sending them underground is the information
>is harder to collect.
>

I'm sure the law enforcement in my country really gives a rat's
ass about a spammer in the PRC.

>It may be satisifing to e-mail some bozo who sent you spam and say
>"you're an idiot".  It may seem useful to put them on some black
>list somewhere and match them up.  However, all you're doing is
>training a better spammer.  We've had 10 years of people taking
>these sorts of actions and spam has grown year over year.  Vigilante
>justice doesn't work in the real world or the cyber world, no matter
>how good it makes people feel.

This depends on your definition of "works"

I think that clearly, spam control HAS worked, it's worked very well
in fact.

I do not see legitimate companies these days supporting spammers,
or arguing (as the direct mail association used to do a few years
ago in the US) that we shouldn't pass laws against spammers because
it might affect a legitimate businesses ability to use direct mail.

Instead, what the vigilanties have done is turned spam into a very
black and white issue.  They have made the entire issue of bulk mail
so politically touchy that legitimate businesses stay away from it,
unless it's an opt-in address, and in fact, interest in those is
also declining.  The legitimate businesses now are looking more
into blogs and such for information dissemination.

The reason that there's lots more spam today is because since every
spammer is now automatically considered by everyone to be a criminal,
very few people are now actually buying the weight-loss pills,
penis enlargers, baldness cures and such that used to be hawked by
spammers.  Spam has become less and less effective at getting money
in the door so the criminals have to send more and more of it.  This
is the law of diminishing returns in action.

Eventually, spam will be so useless as a means of getting money in
the door that the spammers will give it up.  This would never be
possible if legitimate businesses had embraced spamming as a viable
business model.

Ted