ARIN-PPML Message

[arin-ppml] SWIPs & IPv6

Chris Engel wrote:
> I'm probably going to get blasted for this, but speaking on the
> Enterprise side of things there are fairly understandable reasons why
> Enterprise Admins might want to avoid public disclosure of their
> contact information and why they sometimes put in contact information
> that isn't well monitored..... 

That is why ARIN allows Role accounts.

hostmaster at wonkulatinggronkulators.com  reveals nothing to the public
about the personal data of the admin.

There is such a thing as a public and a private persona.  That is why
many (if not most) actors have stage names.  Many authors also use
pen names.  There's plenty of legal precedent for doing this and there
is no legal or contractural requirement in the RSA to NOT use a
public persona in your POC data.

The only requirement is that it is accurate.  Meaning that if I send
an e-mail to hostmaster at wonkulatinggronkulators.com that it gets
to the actual person - maybe Sally Sue - who is responsible.  Nothing
compels Sally Sue in her response to me to identify herself as anything
other than an androgynous hostmaster at wonkulatinggronkulators.com,
or publish her personal phone number, etc.

Enterprise admins that simply use stale or non-monitored contact info
are just lazy asses, IMHO, and their orgs should be sued in civil court
for violation of the RSA if they don't clean up their act after being
prompted to do so.

> and why they might choose to utilize
> services like the privacy listings Domain Registrars provide.
> 

There is no difference between an org running a Role account that does
not identify any specific person in the org (or the actual org itself)
and paying some 3rd party company to do it for them.  That is not
what is at issue here.  As long as the 3rd party that is acting as
the org's agent is responsive, there isn't a problem IMHO.

> Just like any other information it can be used for both legitimate
> and illegitimate purposes. That sort of information can be used to
> facilitate social engineering attacks, to SPAM the contacts
> themselves or mined to create targeted sales lists for telemarketing
> services that cater to Tech related industries. Frankly, it's been my
> experience that the volume and frequency of illegitimate use of this
> information far outweighs the legitimate use of it.

Each to his own, that's not been my experience.  My personal domain 
names have my real address on them.  My public website has my Resume 
with real address and phone number and picture.   Google my name
and you come up with 65K hits, and there's not a lot of people
out there with the same name as me.  And, I'm no stranger to honking 
people off.

Yet, nobody has shown up at my door with the proverbial axe to murder
me yet, so I have to say that based on my OWN experience, these
"fairly understandable reasons" and similar phrases like that which
people use to self-justify making themselves hard to reach don't hold water.

It was also well known (at least in the SF world) that the famous
author Issac Asimov maintained his real telephone number in the NY
telephone directory, his real NY address, and so on, and HE never got
bothered EITHER.  (he did get some interesting phone calls from
time to time, though)  If it was good enough for him, it's good enough
for me.

> I'll grant though
> that when it IS legitimately needed the importance of it being
> available (IMO) far outweighs the negatives of it being out
> there..... and frankly there are other avenues to obtain that sort of
> data. We keep our contact info public, but I can understand why many
> others don't want to .... and not because they are criminals or
> spammers....making THEIR data public they get to experience the
> downsides of that, but rarely the upsides... it's when they need the
> OTHER guys data that they see the importance.
> 
> Frankly, I'm not convinced of the utility of WHOIS information in
> catching criminals/spammers. Being who they are, those people almost
> never use their own systems to do their dirty work and they don't
> generally give out legitimate contact information that can be easily
> traced to them.... and in cases where they do it's usually because
> they are operating out of jurisdictions where it doesn't matter
> because the local authorities won't do anything about it (heck
> sometimes the guys doing it ARE the local authorities). The dynamic
> is pretty much the same as it is outside of cyberspace where you
> almost never see criminals (at least the less stupid ones)  use cars
> or guns that are actually registered to them in the commission of
> their crimes.
> 

It's not in CATCHING them that this data is valuable, it's in MITIGATING
the damage they are doing.

If your goal in life is to make things difficult for shoplifters, when
you see a shoplifter in a store are you going to mention it to the owner 
of the store or confront the shoplifter directly?  Who has more 
motivation here to shut down the shoplifter?

> The real utility of accurate contact information, I think comes not
> in dealing with people who are actually committing malicious acts but
> rather those who may have innocently misconfigured their systems or
> may have been compromised by hackers and who's resources are being
> used without their knowledge.
> 

That is important, too.

> So while maintaining accurate contact info is important, I can see
> why their is a legitimate desire (by people who aren't doing anything
> wrong) to have their info shielded as well. Gatekeeping services to
> such information are not inherently bad... as long as the gatekeepers
> themselves are responsive to legitimate requests for such info in a
> timely fashion.
> 

I'll say it again, there is no difference between an org running a Role 
account that does not identify any specific person in the org (or the 
actual org itself) and paying some 3rd party company to do it for them. 
  That is not what is at issue here, and never HAS been the issue.

The issue is orgs that deliberately put in bogus info in the Whois
database, or orgs that have stale info in there that they don't update,
specifically because they think this enhances their "privacy"

Ted

> 
> 
> 
> Christopher Engel _______________________________________________ 
> PPML You are receiving this message because you are subscribed to the
> ARIN Public Policy Mailing List (ARIN-PPML at arin.net). Unsubscribe or
> manage your mailing list subscription at: 
> http://lists.arin.net/mailman/listinfo/arin-ppml Please contact
> info at arin.net if you experience any issues.