[arin-ppml] Of interest?

[John Curran]

On 17 May 2019, at 2:57 PM, Ronald F. Guilmette <rfg at tristatelogic.com> wrote:
> ...This whole epic $10 million dollar Micfo goof up could
> have been stopped in its tracks, at the outset, 4+ years ago, when it
> was just getting off the ground, if ARIN has just done these ridiculously
> simple and cost-free online 30 second checks on each of the bogus shell
> companies involved.

The above assertion is likely false, since we know that perpetrators of false requests are proven adaptable, and can reasonably expect that any party willing to engage in false notarizations would promptly conduct the necessary registrations; i.e. while such a check would have slowed down the first request which did not comply, the formality would inevitably been addressed in subsequent requests. 

> But you're obviously reluctant to have your "investigators" do this one
> trivially easy thing.

Actually, there is no resistance on ARIN’s part in conducting such a check, but such an operational change deserves notice to the community and ability for the community to comment on value and related issues. 

For example, we already know that several of the cases of MICFO requests, the organization business address was in the originally in same state as the corporate registration, and it was only subsequently that it was changed to another state (i.e. your proposed check would not have mattered in the least, and that subset of fraudulent requests would have still been approved.)   Note that also ARIN does not constrain or require our approval of address changes, and thus for your new control to have meaning it would appear that ARIN would also have to review and approve any/all address changes for organizational records.  

>  So I guess that I have no choice but to try to
> draft a formal proposal on the matter and formally submit it.  That's
> a pity.  I hoped that it wouldn't need to come to that, and that the
> obvious reasonableness and desirability of doing these simple checks 
> would be enough to cause you and your staff to make it happen.  But
> apparently not.  So I'll go the formal mandate route.  I shouldn't have
> to, but I will.

Ronald, you suggest that you shouldn’t have to, but that neglects the fact that others might want to comment before ARIN changes operational practices, and there is a process for such.  For example, you’d probably like to know if ARIN were going to reverse its position on reviewing organizational incorporation papers rather than having me simply make that change without warning, the same goes for others who might want to comment on your suggestion.   

>> much as we've seen with the requiring of notarized documents and
>> government issued identification, a determined perpetrator can still
>> readily adapt to such a requirement if there is sufficient financial
>> incentive involved.
> 
> Forgive me John, but that could be read as a lame excuse for doing
> absolutely nothing at all in the way of proper vetting of new applicants.

No, the statement simply reflects the fact that the perpetrators do evolve their techniques, and while ARIN has already done much to improve its vetting process, it is inherently a dynamic situation. 

> For all of these Micfo sock puppet companies, ARIN quite evidently failed
> to do even minimal due diligence, e.g. checking state level registrations,
> before awarding these crooks millions of dollars worth of IPv4 space.
> This isn't abmiguous, and it isn't even debatable.  I have posted the
> evidence here.

ARIN followed a process which involves confirming valid organizational registrations and notarized attentions of requests made.  These are examples of controls that have been added over time by ARIN to deter fraud, and we will add more if necessary.   I would also note that verification of incorporation and reliance upon notarized documents are considered the reference standards in deterring fraud and far greater than undertaken by the vast majority businesses, and measures completely absent for the majority of IP address assignments made over the years. 

> It is thus now abundantly clear that whatever the bleep ARIN actually has
> been doing, in the way of vetting new applicants, it all amounts to just
> "security theater" when the rubber actually meets the road.  Yes, ARIN now
> has in its possession several bogus/fradulent "notarized" documents, and
> those will quite certainly help to put this particular perp in the pokey
> for a long while (we hope) but that is cold comfort in the face of the
> fact that ARIN could have actually -prevented- this whole disaster, and
> this whole fraud, just by doing some simple and cost-free online checks
> on these bogus companies, up front, before they were allowed into the club.

It’s evident you have a gift for hyperbole, and your mischaracterization of ARIN’s vetting as "security theatre” is a fine example, as we know that several of the requests would have been approved given the alignment with state of incorporation at the time of the requests.  Furthermore, just as government ID requests and notarized statements have been overcome in conducting this fraud, the trivial acts of registering as a out-of-state corporation would very likely have been quickly addressed by the perpetrators upon discovery of such a requirement.   

If you’d like to add constructive input regarding our organizational vetting process, I do suggest you submit a suggestion which reflects your proposed solution, as that will allow consideration and discussion by others of its implications.   If instead you simply wish to express angst that ARIN is operated differently than you like, then I would ask that you please send the diatribe directly to me, thus sparing the our public policy mailing list recipients of your missives. 

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers