[At-Large] Impressions from the Whois-Review

Lutz Donnerhacke lutz at iks-jena.de
Mon Jan 31 12:19:26 UTC 2011

* Neil Schwartzman wrote:
> 1. "Coming from AtLarge I do not have to follow economic interests or
> law enforcement needs, I could even ignore the laws themselves by
> expressing end user concerns. I'll not deal with the discussions here
> or tell stories from the desk, that would only cause trouble."

And full stop here.

All following text could be written before any meeting. It's my personal
view on whois. (Please do not remove the "troublemaker", it's the context of
the sentences you quoted.)

> "Whois information is rubbishy for law enforcement. Serious crime
> will not give their real name to start their activities, they use
> stolen credit cards and forged identities. All those internet service
> providers and resellers out there can easily be fooled by serious
> criminals. And real criminals do run their own provider services
> themselves. Nobody would even consider such a worldwide identification
> scheme for normal internet access today."
> "Whois information is unusable for law enforcement. Current Whois
> services are often used to solve low level internet crime."
> Every time we have heard from law enforcement, there is ongoing and
> legitimate use of WHOIS, and it does manage to be very useful.

Every time I ask the law enforcement people, they tell me the above. You
might have an ear on the recording (day 2) to find out what they said. Or
wait for the transcript.

> At present time, I am involved with two cases, one a spamming case,
> and the other a phishing incident. In both instances, WHOIS has proven
> to be very helpful. Despite your dismissing WHOIS as not being useful,
> I can state unequivocally that this is incorrect. The spammer has left
> dozens of clues that have allowed us to identify the individual behind
> the incident, and with the phishers, WHOIS allowed us to protectively
> block tens of millions of very malicious (malware payload) phishing
> emails from hitting their intended targets.

You seem to refer to IP addresses. Normally you have a look into the route
registry (or better the live BGP4 data) to find the injecting autonomous
system and ask there. Whois will point you to the same provider, if it
contains correct data. There is no time difference between both methods:
  1) router> show bgp ipvX unicast XXXXXX  --  Obtain injecting AS
  2) Query the AS contact details from the regional internet registry
  3) Query the end user data from the ISP.

> WHOIS is also used by researchers who assist law enforcement in their
> preparation of cases. This happens daily, constantly.

Of course, because it's there. My first point on my list is to check the
changes in the general framework since 1978. I fear that Whois is illegal.

> Obviously, I am unable to speak with specifics in either case at
> present time, but it is with 100% assuredness that I can say that
> without WHOIS, we would find it impossible to file charges. As it is,
> we are much further along in that regard.

That's bullshit. Whois makes it easy. But it's not necessary.
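The three-step attribution path described in the message (origin AS from live BGP data, AS contact from the regional internet registry, end-user record from the ISP), as an added Python example that is not part of Lutz's post or of any tool he names. The `show bgp` output, the RIR whois answer, the ASNs, the addresses and every function name below are constructed for illustration; they use documentation ranges and reserved names only.

```python
"""Added example (not part of the mailing-list post): the three-step
attribution path, origin AS from live BGP data, then the AS contact from
the RIR whois, then the hand-off to the ISP for the end-user record.
All sample text below is constructed; 203.0.113.0/24 and 192.0.2.0/24 are
RFC 5737 documentation prefixes, 64496-64511 are RFC 5398 documentation
ASNs and .example is an RFC 2606 reserved name."""
import re
import socket
from typing import List, Optional, Tuple

# Constructed sample of IOS-style "show bgp ipv4 unicast 203.0.113.10" output.
SAMPLE_SHOW_BGP = """\
BGP routing table entry for 203.0.113.0/24, version 123456
Paths: (2 available, best #1, table default)
  64500 64497 64496
    192.0.2.1 from 192.0.2.1 (192.0.2.1)
      Origin IGP, localpref 100, valid, external, best
  64501 64496
    192.0.2.2 from 192.0.2.2 (192.0.2.2)
      Origin IGP, localpref 100, valid, external
"""

# Constructed sample of an RPSL-style RIR whois answer for the origin AS.
SAMPLE_RIR_RESPONSE = """\
% This is a constructed sample, not real registry data.
aut-num:        AS64496
as-name:        EXAMPLE-AS
org:            ORG-EX1-TEST
abuse-mailbox:  abuse@as64496.example
source:         TEST
"""

PREFIX_RE = re.compile(r"BGP routing table entry for (\S+),")
AS_PATH_LINE = re.compile(r"^\s+(\d+(?:\s+\d+)*)\s*$")


def best_path_origin(show_bgp_output: str) -> Tuple[Optional[str], Optional[List[int]], Optional[int]]:
    """Step 1: (prefix, as_path, origin_as) for the path the router marks
    'best'.  The injecting AS is the last ASN on that path.  This is observed
    routing state, unlike whois, which is self-declared registry data."""
    m = PREFIX_RE.search(show_bgp_output)
    prefix = m.group(1) if m else None
    current: Optional[List[int]] = None
    for line in show_bgp_output.splitlines():
        m = AS_PATH_LINE.match(line)
        if m:  # an AS-path line; the attribute lines for it follow
            current = [int(a) for a in m.group(1).split()]
            continue
        if current is not None and re.search(r"\bbest\b", line):
            return prefix, current, current[-1]
    return prefix, None, None


def rir_whois_query(asn: int) -> bytes:
    """Step 2: wire form of an RFC 3912 whois query for the AS object
    (query text terminated by CRLF)."""
    return f"AS{asn}\r\n".encode("ascii")


def whois_lookup(server: str, query: bytes, timeout: float = 10.0) -> str:
    """Send `query` to a whois server on TCP/43 and return its reply.
    Not exercised offline.  RFC 3912 is plaintext and unauthenticated, so
    the answer is a pointer to whom to ask next, not evidence in itself."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(query)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def abuse_contacts(whois_text: str) -> List[str]:
    """Step 3 hand-off: the contact the AS publishes for abuse reports.
    RPSL registries use 'abuse-mailbox:', ARIN's format 'OrgAbuseEmail:'."""
    found = []
    for line in whois_text.splitlines():
        if line.startswith("%") or line.startswith("#"):
            continue  # registry comment lines
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() in ("abuse-mailbox", "orgabuseemail"):
            found.append(value.strip())
    return found


def attribute(show_bgp_output: str, rir_response: str) -> dict:
    """Run the three steps over captured text: steps 1 and 3 are parsed
    offline, the step-2 query is framed but not sent."""
    prefix, path, origin = best_path_origin(show_bgp_output)
    return {
        "prefix": prefix,
        "as_path": path,
        "origin_as": origin,
        "rir_query": rir_whois_query(origin) if origin else None,
        "abuse_contacts": abuse_contacts(rir_response),
    }


if __name__ == "__main__":
    print(attribute(SAMPLE_SHOW_BGP, SAMPLE_RIR_RESPONSE))
```

The point of splitting it this way is the one the message makes: the origin AS comes from routing state the operator can observe directly, and the whois step only adds a contact address for that AS, which is useful exactly as far as the registry record is correct.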
