Re: Whois vs GDPR, latest news

2018-05-23 Thread bzs

In a nutshell this is a tariff war.

They should have pursued their ideas about data privacy etc in
international, multilateral venues.

The EU is only about 10% of the world's population and perhaps 20% of
the world's GDP.

What does, for example, China or India think about all this? Is the EU
going to seek enforcement against Alibaba or Baidu or FlipKart (ok
Walmart owns most of FlipKart now but you get my point I hope)? Latin
America? Africa? Brooklyn?!

Are APEC, ASEAN, CIS, GCC, DJT, etc (regional trade organizations)
each going to launch their own "GDPR"?

My guess:

Some noise, some lawyers make a buttload* of money, other countries
and multinational trade orgs begin resisting which attracts attention
from their non-EU nation members, and then it's modified into
oblivion.

* Note: a "butt" is a standard English barrel measure, a large barrel,
108 imperial gallons.

  https://en.wikipedia.org/wiki/English_brewery_cask_units#Butt

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: Whois vs GDPR, latest news

2018-05-23 Thread bzs

On May 23, 2018 at 07:45 h...@efes.iucc.ac.il (Hank Nussbacher) wrote:
 > ...Now there is GDPR vs Theworld.

Or vice-versa.

Sincerely, TheWorld.com.

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: Juniper BGP Convergence Time

2018-05-23 Thread Adam Kajtar
Hello again:

I've tried using the default route, adjusting bgp timers, and multipath.
Unfortunately, these changes haven't helped much. Juniper support hasn't
been very helpful also. Although, I think I might have found the solution.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/forwarding-indirect-next-hop.html

Let me know what you think.

On Tue, May 22, 2018, 4:03 AM Mark Tinka  wrote:

>
>
> On 16/May/18 18:59, Phil Lavin wrote:
>
> Ask if they will configure BFD for you. I’ve not found many transit providers 
> that will, but it’s worth a shot and it will lower failure detection to circa 
> 1 second.
>
> We've tended to shy away from it, but we have 2 customers we've done it
> for.
>
> Mark.
>


VPN Filter: botnet of routers

2018-05-23 Thread Scott Weeks


Kaboom!

https://www.thedailybeast.com/exclusive-fbi-seizes-control-of-russian-botnet

"FBI agents armed with a court order have seized control of a 
key server in the Kremlin’s global botnet of 500,000 hacked 
routers..."

"The FBI counter-operation goes after  “VPN Filter,” a piece of 
sophisticated malware linked to the same Russian hacking group, 
known as Fancy Bear, that breached the Democratic National 
Committee and the Hillary Clinton campaign during the 2016 
election."


https://blog.talosintelligence.com/2018/05/VPNFilter.html

"The known devices affected by VPNFilter are Linksys, MikroTik, 
NETGEAR and TP-Link networking equipment in the small and home 
office (SOHO) space, as well as QNAP network-attached storage 
(NAS) devices. No other vendors, including Cisco, have been 
observed as infected by VPNFilter, but our research continues. 
The behavior of this malware on networking equipment is 
particularly concerning, as components of the VPNFilter malware 
allows for theft of website credentials and monitoring of Modbus 
SCADA protocols."


scott




Re: Whois vs GDPR, latest news

2018-05-23 Thread Owen DeLong
How is it false?

If you don’t do business in the EU or with EU persons, then you are not 
included in the class of organizations which GDPR says are subject to GDPR.

Owen


> On May 23, 2018, at 4:36 PM, K. Scott Helms  wrote:
> 
> Owen,
> 
> That's false, please don't spread misinformation.  
> 
> Scott Helms
> 
> On Wed, May 23, 2018, 7:34 PM Owen DeLong  > wrote:
> 
> 
> > On May 23, 2018, at 9:29 AM, Anne P. Mitchell Esq.  > > wrote:
> > 
> > 
> > 
> >> On May 23, 2018, at 10:21 AM, Daniel Brisson  >> > wrote:
> >> 
> >>> Also, don't forget the private right of action.  Anyone can file anything 
> >>> in the U.S. courts... you  may get it dismissed (although then again you 
> >>> may not) but either way, it's going to be time and money out of your 
> >>> pocket fighting it.  MUCH better to just get compliant than to end up a 
> >>> test case.
> >> 
> >> Isn't "better" a factor of how much it costs to become compliant with 
> >> GDPR?  I'm no expert, but some of the things I've heard sounded not 
> >> trivial to implement (read potentially BIG investment).
> >> 
> >> -dan
> > 
> > In our experience, orgs that are already following all industry best 
> > practices are, generally, at least 70% of the way to becoming compliant 
> > already.   Where it can get expensive for the ones who aren't is in 
> > hardening their systems to provide for better security/privacy.  U.S. 
> > companies are used to being able to drink at the firehose of data that is 
> > collected here in the U.S., and use it however they want.. this is the real 
> > major change.  I suppose you could say it's expensive in that it is 
> > reducing the ways they can monetize that data. 
> 
> Of course a perfectly valid alternative is to refuse to do business with EU 
> persons. Then GDPR compliance becomes entirely unnecessary.
> 
> Owen
> 
> > 
> > Anne
> > 
> > Anne P. Mitchell, 
> > Attorney at Law
> > CEO/President, 
> > SuretyMail Email Reputation Certification and Inbox Delivery Assistance
> > GDPR Compliance Consultant
> > GDPR Compliance Certification
> > http://www.SuretyMail.com/ 
> > http://www.SuretyMail.eu/ 
> > 
> > Attorney at Law / Legislative Consultant
> > Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
> > Author: The Email Deliverability Handbook
> > Legal Counsel: The CyberGreen Institute
> > Legal Counsel: The Earth Law Center
> > Member, California Bar Cyberspace Law Committee
> > Member, Colorado Cybersecurity Consortium
> > Member, Board of Directors, Asilomar Microcomputer Workshop
> > Member, Advisory Board, Cause for Awareness
> > Member, Elevations Credit Union Member Council
> > Former Chair, Asilomar Microcomputer Workshop
> > Ret. Professor of Law, Lincoln Law School of San Jose
> > 
> > Available for consultations by special arrangement.
> > amitch...@isipp.com  | @AnnePMitchell
> > Facebook/AnnePMitchell  | LinkedIn/in/annemitchell
> > 
> 



Re: Whois vs GDPR, latest news

2018-05-23 Thread John Levine

No, but in the absence of a law that specifically bars the courts from
doing so they will under current reciprocal treaty arrangements.


No, really, what treaties?  I understand treaties about domesticating a 
tort judgement but this isn't a tort, this is a regulation.


R's,
John

PS:


can treaties supersede US law?


That question has a very complicated answer.  tl;dr: sometimes


Re: Whois vs GDPR, latest news

2018-05-23 Thread Owen DeLong


> On May 23, 2018, at 9:29 AM, Anne P. Mitchell Esq.  
> wrote:
> 
> 
> 
>> On May 23, 2018, at 10:21 AM, Daniel Brisson  wrote:
>> 
>>> Also, don't forget the private right of action.  Anyone can file anything 
>>> in the U.S. courts... you  may get it dismissed (although then again you 
>>> may not) but either way, it's going to be time and money out of your pocket 
>>> fighting it.  MUCH better to just get compliant than to end up a test case.
>> 
>> Isn't "better" a factor of how much it costs to become compliant with GDPR?  
>> I'm no expert, but some of the things I've heard sounded not trivial to 
>> implement (read potentially BIG investment).
>> 
>> -dan
> 
> In our experience, orgs that are already following all industry best 
> practices are, generally, at least 70% of the way to becoming compliant 
> already.   Where it can get expensive for the ones who aren't is in hardening 
> their systems to provide for better security/privacy.  U.S. companies are 
> used to being able to drink at the firehose of data that is collected here in 
> the U.S., and use it however they want.. this is the real major change.  I 
> suppose you could say it's expensive in that it is reducing the ways they can 
> monetize that data. 

Of course a perfectly valid alternative is to refuse to do business with EU 
persons. Then GDPR compliance becomes entirely unnecessary.

Owen

> 
> Anne
> 
> Anne P. Mitchell, 
> Attorney at Law
> CEO/President, 
> SuretyMail Email Reputation Certification and Inbox Delivery Assistance
> GDPR Compliance Consultant
> GDPR Compliance Certification
> http://www.SuretyMail.com/
> http://www.SuretyMail.eu/
> 
> Attorney at Law / Legislative Consultant
> Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
> Author: The Email Deliverability Handbook
> Legal Counsel: The CyberGreen Institute
> Legal Counsel: The Earth Law Center
> Member, California Bar Cyberspace Law Committee
> Member, Colorado Cybersecurity Consortium
> Member, Board of Directors, Asilomar Microcomputer Workshop
> Member, Advisory Board, Cause for Awareness
> Member, Elevations Credit Union Member Council
> Former Chair, Asilomar Microcomputer Workshop
> Ret. Professor of Law, Lincoln Law School of San Jose
> 
> Available for consultations by special arrangement.
> amitch...@isipp.com | @AnnePMitchell
> Facebook/AnnePMitchell  | LinkedIn/in/annemitchell
> 



Re: Whois vs GDPR, latest news

2018-05-23 Thread Dan Hollis

On Wed, 23 May 2018, Owen DeLong wrote:

On May 23, 2018, at 08:53, John Levine  wrote:
If they try to sue in, say, US courts, the US court will ask them to
explain why a US court should try a suit under foreign law.  There is
a very short list of reasons to do that, and this isn't on it.

Actually, due to treaty, it is. At least according to some lawyers that have 
been advising ICANN stakeholder group(s).


can treaties supersede US law?

-Dan


Re: Curiosity about AS3356 L3/CenturyLink network resiliency (in general)

2018-05-23 Thread Tom Hill
On 21/05/18 17:10, Large Hadron Collider wrote:
> I would go as far as to say that Tier 1 is a derogatory designation, but
> I have a beef with Cogent because they're expecting otherwise Tier 1
> IPv6 ISP Hurricane Electric to bow to the altar of Cogent.

Owen, is dat yew?!

-- 
Tom


Re: Curiosity about AS3356 L3/CenturyLink network resiliency (in general)

2018-05-23 Thread Tom Hill
On 18/05/18 14:55, Stephen Satchell wrote:
> What happened when you sent out your last RPQ to the vendors with these
> requirements?

Why bother? There are so few products, with so few vendors, and their
list prices & discount levels are easily researchable in less than a
day. If you thought someone was going to build you a tailored device of
that ilk then you're surely going to need to commit to buying a lot more
than you actually need...

Whilst small-to-medium providers still need to play in the DFZ, they
don't often buy hundreds (let alone thousands) of small edge routers.


-- 
Tom


Re: Curiosity about AS3356 L3/CenturyLink network resiliency (in general)

2018-05-23 Thread Tom Hill
On 19/05/18 21:51, Ben Cannon wrote:
> Isn’t that the ASR9010?  (And before that 7609?)

I can't tell if you're taking the piss or not.

-- 
Tom


BGP Battleships

2018-05-23 Thread Scott Weeks


I saw the below on SWINOG and thought it might add 
some fun in the middle of all this General Data 
Protection Regulation conversation. :)

scott


--- Begin forwarded message:

From: Gregor Riepl 
To: swi...@lists.swinog.ch
Subject: [swinog] BGP Battleships
Date: Tue, 22 May 2018 23:18:51 +0200

Some good ol' fun with BGP:

https://blog.benjojo.co.uk/post/bgp-battleships

Please (don't?) try this at home!






Re: Whois vs GDPR, latest news

2018-05-23 Thread Anne P. Mitchell Esq.


> On May 23, 2018, at 11:05 AM, K. Scott Helms  wrote:
> 
> Yep, if you're doing a decent job around securing data then you don't have 
> much to be worried about on that side of things.  The problem for most 
> companies is that GDPR isn't really a security law, it's a privacy law (and 
> set of regulations).  That's where it's hard because there are a limited 
> number of ways you can, from the EU's standpoint, lawfully process someone's 
> PII.  Things like opting out and blanket agreements to use all of someone's 
> data for any reason a company may want are specifically prohibited.  Even 
> companies that don't intentionally sell into the EU (or the UK) can find 
> themselves dealing with this if they have customers with employees in the EU. 

Or if someone who is a U.S. citizen and resident goes to the org's U.S.-based 
website and orders something (or even just provides their PII)... but happens 
to be in a plane flying over an EU country at the time.  Because GDPR doesn't 
talk about residence or citizenship, it talks only about a vague and ambiguous 
"in the Union", and I can certainly envision an argument in which the person in 
the plane claims that they were, technically, "in the Union" at the time. 

Anne

Anne P. Mitchell, 
Attorney at Law
GDPR Compliance Consultant
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Legislative Consultant
CEO/President, Institute for Social Internet Public Policy
Legal Counsel: The CyberGreen Institute
Legal Counsel: The Earth Law Center
Member, California Bar Association
Member, Cal. Bar Cyberspace Law Committee
Member, Colorado Cyber Committee
Member, Board of Directors, Asilomar Microcomputer Workshop
Ret. Professor of Law, Lincoln Law School of San Jose
Ret. Chair, Asilomar Microcomputer Workshop




Re: Whois vs GDPR, latest news

2018-05-23 Thread K. Scott Helms
Anne,

Yep, if you're doing a decent job around securing data then you don't have
much to be worried about on that side of things.  The problem for most
companies is that GDPR isn't really a security law, it's a privacy law (and
set of regulations).  That's where it's hard because there are a limited
number of ways you can, from the EU's standpoint, lawfully process
someone's PII.  Things like opting out and blanket agreements to use all of
someone's data for any reason a company may want are specifically
prohibited.  Even companies that don't intentionally sell into the EU (or
the UK) can find themselves dealing with this if they have customers with
employees in the EU.

On Wed, May 23, 2018 at 12:29 PM, Anne P. Mitchell Esq.  wrote:

>
>
> > On May 23, 2018, at 10:21 AM, Daniel Brisson  wrote:
> >
> >> Also, don't forget the private right of action.  Anyone can file
> anything in the U.S. courts... you  may get it dismissed (although then
> again you may not) but either way, it's going to be time and money out of
> your pocket fighting it.  MUCH better to just get compliant than to end up
> a test case.
> >
> > Isn't "better" a factor of how much it costs to become compliant with
> GDPR?  I'm no expert, but some of the things I've heard sounded not trivial
> to implement (read potentially BIG investment).
> >
> > -dan
>
> In our experience, orgs that are already following all industry best
> practices are, generally, at least 70% of the way to becoming compliant
> already.   Where it can get expensive for the ones who aren't is in
> hardening their systems to provide for better security/privacy.  U.S.
> companies are used to being able to drink at the firehose of data that is
> collected here in the U.S., and use it however they want.. this is the real
> major change.  I suppose you could say it's expensive in that it is
> reducing the ways they can monetize that data.
>
> Anne
>
> Anne P. Mitchell,
> Attorney at Law
> CEO/President,
> SuretyMail Email Reputation Certification and Inbox Delivery Assistance
> GDPR Compliance Consultant
> GDPR Compliance Certification
> http://www.SuretyMail.com/
> http://www.SuretyMail.eu/
>
> Attorney at Law / Legislative Consultant
> Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
> Author: The Email Deliverability Handbook
> Legal Counsel: The CyberGreen Institute
> Legal Counsel: The Earth Law Center
> Member, California Bar Cyberspace Law Committee
> Member, Colorado Cybersecurity Consortium
> Member, Board of Directors, Asilomar Microcomputer Workshop
> Member, Advisory Board, Cause for Awareness
> Member, Elevations Credit Union Member Council
> Former Chair, Asilomar Microcomputer Workshop
> Ret. Professor of Law, Lincoln Law School of San Jose
>
> Available for consultations by special arrangement.
> amitch...@isipp.com | @AnnePMitchell
> Facebook/AnnePMitchell  | LinkedIn/in/annemitchell
>
>


Re: Whois vs GDPR, latest news

2018-05-23 Thread K. Scott Helms
Yeah, that's not accurate.  US organizations sue EU organizations in US
courts (and vice versa) on a regular basis but have EU courts collect the
damages.  Congress can carve out an exemption, but I haven't heard of an
effort in that direction getting started yet.  In the absence of a
legislative exemption the EU regulators can absolutely sue a US entity in
US civil courts and get a ruling based on EU laws and regulations.

Here's a completely unrelated civil case, on libel, that references the
bilateral enforcement and how NY state carved out an exemption.

https://www.npr.org/sections/parallels/2015/03/21/394273902/on-libel-and-the-law-u-s-and-u-k-go-separate-ways

Scott Helms

http://twitter.com/kscotthelms


On Wed, May 23, 2018 at 11:56 AM, Owen DeLong  wrote:

> Not really. If you don’t offer services to EU persons, then you are right.
> However, due to treaties signed by the US and other countries, many places
> outside the EU are subject to GDPR overreach.
>
> Owen
>
>
> > On May 23, 2018, at 05:36, Mike Hammett  wrote:
> >
> > If you don't have operations in the EU, you can not so politely tell the
> EU to piss off.
> >
> >
> >
> >
> > -
> > Mike Hammett
> > Intelligent Computing Solutions
> > http://www.ics-il.com
> >
> > Midwest-IX
> > http://www.midwest-ix.com
> >
> > - Original Message -
> >
> > From: "Matthew Kaufman" 
> > To: "Fletcher Kittredge" 
> > Cc: "NANOG list" 
> > Sent: Monday, May 21, 2018 8:07:15 PM
> > Subject: Re: Whois vs GDPR, latest news
> >
> >> On Mon, May 21, 2018 at 1:56 PM Fletcher Kittredge 
> wrote:
> >>
> >> What about my right to not have this crap on NANOG?
> >>
> >
> >
> > What about the likely truth that if anyone from Europe mails the list,
> then
> > every mail server operator with subscribers to the list must follow the
> > GDPR Article 14 notification requirements, as the few exceptions appear
> to
> > not apply (unless you’re just running an archive).
> >
> > Matthew
> >
>
>


Re: Whois vs GDPR, latest news

2018-05-23 Thread Anne P. Mitchell Esq.


> On May 23, 2018, at 10:21 AM, Daniel Brisson  wrote:
> 
>> Also, don't forget the private right of action.  Anyone can file anything in 
>> the U.S. courts... you  may get it dismissed (although then again you may 
>> not) but either way, it's going to be time and money out of your pocket 
>> fighting it.  MUCH better to just get compliant than to end up a test case.
> 
> Isn't "better" a factor of how much it costs to become compliant with GDPR?  
> I'm no expert, but some of the things I've heard sounded not trivial to 
> implement (read potentially BIG investment).
> 
> -dan

In our experience, orgs that are already following all industry best practices 
are, generally, at least 70% of the way to becoming compliant already.   Where 
it can get expensive for the ones who aren't is in hardening their systems to 
provide for better security/privacy.  U.S. companies are used to being able to 
drink at the firehose of data that is collected here in the U.S., and use it 
however they want.. this is the real major change.  I suppose you could say 
it's expensive in that it is reducing the ways they can monetize that data. 

Anne

Anne P. Mitchell, 
Attorney at Law
CEO/President, 
SuretyMail Email Reputation Certification and Inbox Delivery Assistance
GDPR Compliance Consultant
GDPR Compliance Certification
http://www.SuretyMail.com/
http://www.SuretyMail.eu/

Attorney at Law / Legislative Consultant
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Author: The Email Deliverability Handbook
Legal Counsel: The CyberGreen Institute
Legal Counsel: The Earth Law Center
Member, California Bar Cyberspace Law Committee
Member, Colorado Cybersecurity Consortium
Member, Board of Directors, Asilomar Microcomputer Workshop
Member, Advisory Board, Cause for Awareness
Member, Elevations Credit Union Member Council
Former Chair, Asilomar Microcomputer Workshop
Ret. Professor of Law, Lincoln Law School of San Jose

Available for consultations by special arrangement.
amitch...@isipp.com | @AnnePMitchell
Facebook/AnnePMitchell  | LinkedIn/in/annemitchell



Re: Whois vs GDPR, latest news

2018-05-23 Thread Daniel Brisson


On 5/23/18, 12:10 PM, "NANOG on behalf of Anne P. Mitchell Esq." 
 wrote:



> On May 23, 2018, at 9:59 AM, Owen DeLong  wrote:
> 
> 
> 
>> On May 23, 2018, at 08:53, John Levine  wrote:
>> 
>> In article 
 you write:
>>> I asked one of the EU regulators at RSA how they intended to enforce 
GDPR
>>> violations on businesses that don't operate in their jurisdiction and
>>> without hesitation he told me they'd use civil courts to sue the 
offending
>>> companies.
>> 
>> He probably thought you meant if he's in France and the business is in
>> Ireland, since they're both in the EU.  Outside the EU, on the other
>> hand, ...
>> 
>> If they try to sue in, say, US courts, the US court will ask them to
>> explain why a US court should try a suit under foreign law.  There is
>> a very short list of reasons to do that, and this isn't on it.
> 
> Actually, due to treaty, it is. At least according to some lawyers that 
have been advising ICANN stakeholder group(s). 
> 

>Also, don't forget the private right of action.  Anyone can file anything 
> in the U.S. courts... you  may get it dismissed (although then again you may 
> not) but either way, it's going to be time and money out of your pocket 
> fighting it.  MUCH better to just get compliant than to end up a test case.

Isn't "better" a factor of how much it costs to become compliant with GDPR?  
I'm no expert, but some of the things I've heard sounded not trivial to 
implement (read potentially BIG investment).

-dan







Re: Whois vs GDPR, latest news

2018-05-23 Thread Stephen Satchell

On 05/23/2018 09:09 AM, Anne P. Mitchell Esq. wrote:

Also, don't forget the private right of action.  Anyone can file
anything in the U.S. courts... you  may get it dismissed (although
then again you may not) but either way, it's going to be time and
money out of your pocket fighting it.  MUCH better to just get
compliant than to end up a test case.


And that's why my domains use Register.com's proxy service.  I'm 
risk-averse, especially with the revenue (pennies) my domains earn. 
Better to just bite the bullet.


That said, I have abuse contacts listed for my domains.  You just have 
to ask the proxy for them.


(In 15 years, the only abuse mail I've received is mail from people who 
HATED what I said on NANAE newsgroup...and I've not used USENET for 10 
of those years.)


Re: Whois vs GDPR, latest news

2018-05-23 Thread Anne P. Mitchell Esq.


> On May 23, 2018, at 9:59 AM, Owen DeLong  wrote:
> 
> 
> 
>> On May 23, 2018, at 08:53, John Levine  wrote:
>> 
>> In article 
>>  you 
>> write:
>>> I asked one of the EU regulators at RSA how they intended to enforce GDPR
>>> violations on businesses that don't operate in their jurisdiction and
>>> without hesitation he told me they'd use civil courts to sue the offending
>>> companies.
>> 
>> He probably thought you meant if he's in France and the business is in
>> Ireland, since they're both in the EU.  Outside the EU, on the other
>> hand, ...
>> 
>> If they try to sue in, say, US courts, the US court will ask them to
>> explain why a US court should try a suit under foreign law.  There is
>> a very short list of reasons to do that, and this isn't on it.
> 
> Actually, due to treaty, it is. At least according to some lawyers that have 
> been advising ICANN stakeholder group(s). 
> 

Also, don't forget the private right of action.  Anyone can file anything in 
the U.S. courts... you  may get it dismissed (although then again you may not) 
but either way, it's going to be time and money out of your pocket fighting it. 
 MUCH better to just get compliant than to end up a test case.

Anne

Anne P. Mitchell, 
Attorney at Law
GDPR Compliance Consultant
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Legislative Consultant
CEO/President, Institute for Social Internet Public Policy
Legal Counsel: The CyberGreen Institute
Legal Counsel: The Earth Law Center
Member, California Bar Association
Member, Cal. Bar Cyberspace Law Committee
Member, Colorado Cyber Committee
Member, Board of Directors, Asilomar Microcomputer Workshop
Ret. Professor of Law, Lincoln Law School of San Jose
Ret. Chair, Asilomar Microcomputer Workshop



Re: Whois vs GDPR, latest news

2018-05-23 Thread Owen DeLong


> On May 23, 2018, at 08:53, John Levine  wrote:
> 
> In article 
>  you 
> write:
>> I asked one of the EU regulators at RSA how they intended to enforce GDPR
>> violations on businesses that don't operate in their jurisdiction and
>> without hesitation he told me they'd use civil courts to sue the offending
>> companies.
> 
> He probably thought you meant if he's in France and the business is in
> Ireland, since they're both in the EU.  Outside the EU, on the other
> hand, ...
> 
> If they try to sue in, say, US courts, the US court will ask them to
> explain why a US court should try a suit under foreign law.  There is
> a very short list of reasons to do that, and this isn't on it.

Actually, due to treaty, it is. At least according to some lawyers that have 
been advising ICANN stakeholder group(s). 


> 
> I'm not saying that one should gratuitously poke EU regulators in the
> eye but it's pretty silly to imagine that they will waste time
> harassing people over whom they have no jurisdiction and against whom
> they have no recourse.

True. But unfortunately, companies in the US (and many other places with 
treaties with the EU, including Mauritius, for example) don’t fit that 
description. 

Owen




Re: Whois vs GDPR, latest news

2018-05-23 Thread Owen DeLong
Not really. If you don’t offer services to EU persons, then you are right. 
However, due to treaties signed by the US and other countries, many places 
outside the EU are subject to GDPR overreach. 

Owen


> On May 23, 2018, at 05:36, Mike Hammett  wrote:
> 
> If you don't have operations in the EU, you can not so politely tell the EU 
> to piss off. 
> 
> 
> 
> 
> - 
> Mike Hammett 
> Intelligent Computing Solutions 
> http://www.ics-il.com 
> 
> Midwest-IX 
> http://www.midwest-ix.com 
> 
> - Original Message -
> 
> From: "Matthew Kaufman"  
> To: "Fletcher Kittredge"  
> Cc: "NANOG list"  
> Sent: Monday, May 21, 2018 8:07:15 PM 
> Subject: Re: Whois vs GDPR, latest news 
> 
>> On Mon, May 21, 2018 at 1:56 PM Fletcher Kittredge  wrote: 
>> 
>> What about my right to not have this crap on NANOG? 
>> 
> 
> 
> What about the likely truth that if anyone from Europe mails the list, then 
> every mail server operator with subscribers to the list must follow the 
> GDPR Article 14 notification requirements, as the few exceptions appear to 
> not apply (unless you’re just running an archive). 
> 
> Matthew 
> 



Re: Whois vs GDPR, latest news

2018-05-23 Thread John Levine
In article  
you write:
>I asked one of the EU regulators at RSA how they intended to enforce GDPR
>violations on businesses that don't operate in their jurisdiction and
>without hesitation he told me they'd use civil courts to sue the offending
>companies.

He probably thought you meant if he's in France and the business is in
Ireland, since they're both in the EU.  Outside the EU, on the other
hand, ...

If they try to sue in, say, US courts, the US court will ask them to
explain why a US court should try a suit under foreign law.  There is
a very short list of reasons to do that, and this isn't on it.

I'm not saying that one should gratuitously poke EU regulators in the
eye but it's pretty silly to imagine that they will waste time
harassing people over whom they have no jurisdiction and against whom
they have no recourse.

R's,
John


Re: Whois vs GDPR, latest news

2018-05-23 Thread Roger Marquis

Dan Hollis wrote:

How about the ones with broken contact data - deliberately or not?
A whois blacklist sounds good to me. DNS WBL?


Many sites are already doing this locally.  It's just a matter of time
before Spamhaus or an up-and-coming entity has an RBL for it.  The data
is perhaps not precise enough for a blacklist but obfuscated whois
records are certainly useful in calculating the reputation of
ingress/egress SMTP, HTTP and other services.  This is not a new idea
and similar to the (unmaintained?) whois.abuse.net contact lookup
service, razor/pyzor, and other useful SIEM and Spamassassin inputs.

Roger Marquis


Re: Geolocation issue with a twist

2018-05-23 Thread Clay Stewart
Yes, I can't find a way to contact the Geolocation eurekapi to get this
removed, and I have to move two multi-million dollar businesses to this
subnet like last month but afraid of impacts on their operations from
email servers, web servers, and VOIP.  And of course, Pandora for music
to their employees, which we know fails to work due to this issue.


On Wed, May 23, 2018 at 8:33 AM, Mike Hammett  wrote:

> Well that's lovely..,
>
> Our site is temporarily unavailable
> Please contact us at  contact...@eurekapi.com
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> --
> *From: *"Clay Stewart" 
> *To: *nanog@nanog.org
> *Sent: *Tuesday, May 22, 2018 10:39:38 PM
> *Subject: *Re: Geolocation issue with a twist
>
>
> https://scsbroadband.com/geolocation/
>
> Here is snapshot of Geolocation issue showing a Spanish ISP registered with
> a GeoLocation database our IP block, pointed to the correct location. But
> customers are getting railroaded with spam and failing apps (due to Spain).
>
> On Tue, May 22, 2018 at 4:50 PM, Clay Stewart 
> wrote:
>
> > Can someone point me for help with the following issue?
> >
> > I purchased a /24 late last year on auction which was originally owned by
> > Cox communications in Europe. It had Geolocation in a lot of bad places,
> > and Cox got it 'cleared' up for me.
> >
> > But there is still one issue, an ISP in Spain has it in a Geo database
> > which is pointed to my correct location, but because it is a Spain ISP,
> the
> > block has lots of issues in block apps and redirects to spam sites.
> >
> > Attached is a snapshot with the incorrect ISP highlight and Geo database. I
> > cannot get any info from the Geo database.
> >
> > I am new to this list, so I hope this is an appropriate question.
> >
>
>


Re: Geolocation issue with a twist

2018-05-23 Thread Mike Hammett

Often people have issues with their IP blocks being geolocated incorrectly. 
Sometimes it's an error on the database or website's behalf, while other times 
it's due to a transfer. There used to be a wiki that had a few websites to go 
to solve these issues, but that site has been gone for years 
(https://web.archive.org/web/20130122055317/http://nanog.cluepon.net/index.php/GeoIP).
 We've made a site to hopefully collect this information. 


Please fill out this form if you have information to contribute. 
https://goo.gl/forms/jWsaJL1Vgi3yIxFp2 


View responses here: 


https://docs.google.com/spreadsheets/d/1-p7PenqfxnQB1cvq7m3lkmFzLMdxqlgBzaVtsvJ4qZM/edit?usp=sharing
 



- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "Mike Hammett"  
To: "Clay Stewart"  
Cc: nanog@nanog.org 
Sent: Wednesday, May 23, 2018 7:33:06 AM 
Subject: Re: Geolocation issue with a twist 

Well that's lovely...

Our site is temporarily unavailable 

Please contact us at contact...@eurekapi.com 





- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message - 

From: "Clay Stewart"  
To: nanog@nanog.org 
Sent: Tuesday, May 22, 2018 10:39:38 PM 
Subject: Re: Geolocation issue with a twist 

https://scsbroadband.com/geolocation/ 

Here is a snapshot of Geolocation issue showing a Spanish ISP registered with
a GeoLocation database our IP block, pointed to the correct location. But 
customers are getting railroaded with spam and failing apps (due to Spain). 

On Tue, May 22, 2018 at 4:50 PM, Clay Stewart  
wrote: 

> Can someone point me for help with the following issue? 
> 
> I purchased a /24 late last year on auction which was originally owned by 
> Cox communications in Europe. It had Geolocation in a lot of bad places, 
> and Cox got it 'cleared' up for me. 
> 
> But there is still one issue, an ISP in Spain has it in a Geo database 
> which is pointed to my correct location, but because it is a Spain ISP, the 
> block has lots of issues in block apps and redirects to spam sites. 
> 
> Attached is a snapshot with the incorrect ISP highlighted and Geo database. I
> cannot get any info from the Geo database. 
> 
> I am new to this list, so I hope this is an appropriate question. 
> 




Re: IX's and DC's in Denver

2018-05-23 Thread Mike Hammett
https://ix-denver.org/ 
https://peeringdb.com/advanced_search?city=Denver=ix 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Emily Scarlett"  
To: nanog@nanog.org 
Sent: Wednesday, May 23, 2018 9:08:19 AM 
Subject: IX's and DC's in Denver 

Hey all, 

We're currently looking at expanding our presence in H5 in Denver, one 
question on our mind is what our options are for IX connectivity around 
the area, and if anyone has any experience dealing with them. 

Any info is useful, thanks! 

-- 
~ Em 



IX's and DC's in Denver

2018-05-23 Thread Emily Scarlett
Hey all,

We're currently looking at expanding our presence in H5 in Denver, one
question on our mind is what our options are for IX connectivity around
the area, and if anyone has any experience dealing with them.

Any info is useful, thanks!

-- 
~ Em


Re: How to leak aggregate/generated routes into another VRF

2018-05-23 Thread lobna gouda
Juniper allows you to use next-hop table. Yet this next-hop has to be statically
added in the Forwarding table first



Brgds,


LG



From: NANOG  on behalf of Joe Yabuki 

Sent: Wednesday, May 23, 2018 8:01 AM
To: nanog@nanog.org
Subject: How to leak aggregate/generated routes into another VRF

Hey all,

Is there a method of leaking aggregate/generated routes to other VRFs so
that the next-hop is modified to actually point to table where the agg/gen
routes were created ?

One way to do this, is to create a Null0 route and redistribute it into the
BGP VRF process, but I would like to know if there is another way to do
this ?

Many thanks,
Joe


How to leak aggregate/generated routes into another VRF

2018-05-23 Thread Joe Yabuki
Hey all,

Is there a method of leaking aggregate/generated routes to other VRFs so
that the next-hop is modified to actually point to table where the agg/gen
routes were created ?

One way to do this, is to create a Null0 route and redistribute it into the
BGP VRF process, but I would like to know if there is another way to do
this ?

Many thanks,
Joe


Re: Whois vs GDPR, latest news

2018-05-23 Thread K. Scott Helms
Of course not, but do you really want to be sued?  Even if the US courts
decline to accept GDPR cases, which is not at all a given since we have a
long history of bilateral enforcement, it costs money to deal with and I
don't want to worry that I'm going to fly one day to a country that will
enforce civil penalties.

While I don't tell most people or companies to worry if they only do
business in the US I also don't think it's a good idea to simply thumb your
nose at the EU regulators.  Some North American direct marketing and data
collection firms are definitely going to get a rude, and expensive,
awakening despite not having any EU operations.

On Wed, May 23, 2018 at 8:49 AM, Mike Hammett  wrote:

> *shrugs* Me hurting the EU's feelings is rather low on the list of things
> I care about.
>
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> - Original Message -
>
> From: "K. Scott Helms" 
> To: "Mike Hammett" 
> Cc: "NANOG list" 
> Sent: Wednesday, May 23, 2018 7:46:19 AM
> Subject: Re: Whois vs GDPR, latest news
>
>
> Sadly this isn't true. While I doubt the EU regulators are going to come
> head hunting for companies any time soon they do have mechanisms in place
> to sanction companies who don't do business in the EU and the scope is
> clearly intended to reach where ever the data of EU natural persons is
> being held.
>
>
> https://gdpr-info.eu/art-3-gdpr/
>
>
>
> I asked one of the EU regulators at RSA how they intended to enforce GDPR
> violations on businesses that don't operate in their jurisdiction and
> without hesitation he told me they'd use civil courts to sue the offending
> companies.
>
>
> On Wed, May 23, 2018 at 8:36 AM, Mike Hammett < na...@ics-il.net > wrote:
>
>
> If you don't have operations in the EU, you can not so politely tell the
> EU to piss off.
>
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> - Original Message -
>
> From: "Matthew Kaufman" < matt...@matthew.at >
> To: "Fletcher Kittredge" < fkitt...@gwi.net >
> Cc: "NANOG list" < nanog@nanog.org >
> Sent: Monday, May 21, 2018 8:07:15 PM
> Subject: Re: Whois vs GDPR, latest news
>
>
>
> On Mon, May 21, 2018 at 1:56 PM Fletcher Kittredge < fkitt...@gwi.net >
> wrote:
>
> > What about my right to not have this crap on NANOG?
> >
>
>
> What about the likely truth that if anyone from Europe mails the list, then
> every mail server operator with subscribers to the list must follow the
> GDPR Article 14 notification requirements, as the few exceptions appear to
> not apply (unless you’re just running an archive).
>
> Matthew
>
>
>
>
>
>


Re: Whois vs GDPR, latest news

2018-05-23 Thread Mike Hammett
*shrugs* Me hurting the EU's feelings is rather low on the list of things I 
care about. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "K. Scott Helms"  
To: "Mike Hammett"  
Cc: "NANOG list"  
Sent: Wednesday, May 23, 2018 7:46:19 AM 
Subject: Re: Whois vs GDPR, latest news 


Sadly this isn't true. While I doubt the EU regulators are going to come head 
hunting for companies any time soon they do have mechanisms in place to 
sanction companies who don't do business in the EU and the scope is clearly 
intended to reach where ever the data of EU natural persons is being held. 


https://gdpr-info.eu/art-3-gdpr/ 



I asked one of the EU regulators at RSA how they intended to enforce GDPR 
violations on businesses that don't operate in their jurisdiction and without 
hesitation he told me they'd use civil courts to sue the offending companies. 


On Wed, May 23, 2018 at 8:36 AM, Mike Hammett < na...@ics-il.net > wrote: 


If you don't have operations in the EU, you can not so politely tell the EU to 
piss off. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message - 

From: "Matthew Kaufman" < matt...@matthew.at > 
To: "Fletcher Kittredge" < fkitt...@gwi.net > 
Cc: "NANOG list" < nanog@nanog.org > 
Sent: Monday, May 21, 2018 8:07:15 PM 
Subject: Re: Whois vs GDPR, latest news 



On Mon, May 21, 2018 at 1:56 PM Fletcher Kittredge < fkitt...@gwi.net > wrote: 

> What about my right to not have this crap on NANOG? 
> 


What about the likely truth that if anyone from Europe mails the list, then 
every mail server operator with subscribers to the list must follow the 
GDPR Article 14 notification requirements, as the few exceptions appear to 
not apply (unless you’re just running an archive). 

Matthew 







Re: Whois vs GDPR, latest news

2018-05-23 Thread K. Scott Helms
Sadly this isn't true.  While I doubt the EU regulators are going to come
head hunting for companies any time soon they do have mechanisms in place
to sanction companies who don't do business in the EU and the scope is
clearly intended to reach where ever the data of EU natural persons is
being held.

https://gdpr-info.eu/art-3-gdpr/

I asked one of the EU regulators at RSA how they intended to enforce GDPR
violations on businesses that don't operate in their jurisdiction and
without hesitation he told me they'd use civil courts to sue the offending
companies.

On Wed, May 23, 2018 at 8:36 AM, Mike Hammett  wrote:

> If you don't have operations in the EU, you can not so politely tell the
> EU to piss off.
>
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> - Original Message -
>
> From: "Matthew Kaufman" 
> To: "Fletcher Kittredge" 
> Cc: "NANOG list" 
> Sent: Monday, May 21, 2018 8:07:15 PM
> Subject: Re: Whois vs GDPR, latest news
>
> On Mon, May 21, 2018 at 1:56 PM Fletcher Kittredge 
> wrote:
>
> > What about my right to not have this crap on NANOG?
> >
>
>
> What about the likely truth that if anyone from Europe mails the list, then
> every mail server operator with subscribers to the list must follow the
> GDPR Article 14 notification requirements, as the few exceptions appear to
> not apply (unless you’re just running an archive).
>
> Matthew
>
>


Re: Whois vs GDPR, latest news

2018-05-23 Thread Mike Hammett
If you don't have operations in the EU, you can not so politely tell the EU to 
piss off. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Matthew Kaufman"  
To: "Fletcher Kittredge"  
Cc: "NANOG list"  
Sent: Monday, May 21, 2018 8:07:15 PM 
Subject: Re: Whois vs GDPR, latest news 

On Mon, May 21, 2018 at 1:56 PM Fletcher Kittredge  wrote: 

> What about my right to not have this crap on NANOG? 
> 


What about the likely truth that if anyone from Europe mails the list, then 
every mail server operator with subscribers to the list must follow the 
GDPR Article 14 notification requirements, as the few exceptions appear to 
not apply (unless you’re just running an archive). 

Matthew 



Re: Geolocation issue with a twist

2018-05-23 Thread Mike Hammett
Well that's lovely...

Our site is temporarily unavailable 

Please contact us at contact...@eurekapi.com 





- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Clay Stewart"  
To: nanog@nanog.org 
Sent: Tuesday, May 22, 2018 10:39:38 PM 
Subject: Re: Geolocation issue with a twist 

https://scsbroadband.com/geolocation/ 

Here is a snapshot of Geolocation issue showing a Spanish ISP registered with
a GeoLocation database our IP block, pointed to the correct location. But 
customers are getting railroaded with spam and failing apps (due to Spain). 

On Tue, May 22, 2018 at 4:50 PM, Clay Stewart  
wrote: 

> Can someone point me for help with the following issue? 
> 
> I purchased a /24 late last year on auction which was originally owned by 
> Cox communications in Europe. It had Geolocation in a lot of bad places, 
> and Cox got it 'cleared' up for me. 
> 
> But there is still one issue, an ISP in Spain has it in a Geo database 
> which is pointed to my correct location, but because it is a Spain ISP, the 
> block has lots of issues in block apps and redirects to spam sites. 
> 
> Attached is a snapshot with the incorrect ISP highlighted and Geo database. I
> cannot get any info from the Geo database. 
> 
> I am new to this list, so I hope this is an appropriate question. 
> 



Re: Geolocation issue with a twist

2018-05-23 Thread Clay Stewart
https://scsbroadband.com/geolocation/

Here is a snapshot of Geolocation issue showing a Spanish ISP registered with
a GeoLocation database our IP block, pointed to the correct location. But
customers are getting railroaded with spam and failing apps (due to Spain).

On Tue, May 22, 2018 at 4:50 PM, Clay Stewart 
wrote:

> Can someone point me for help with the following issue?
>
> I purchased a /24 late last year on auction which was originally owned by
> Cox communications in Europe. It had Geolocation in a lot of bad places,
> and Cox got it 'cleared' up for me.
>
> But there is still one issue, an ISP in Spain has it in a Geo database
> which is pointed to my correct location, but because it is a Spain ISP, the
> block has lots of issues in block apps and redirects to spam sites.
>
> Attached is a snapshot with the incorrect ISP highlighted and Geo database. I
> cannot get any info from the Geo database.
>
> I am new to this list, so I hope this is an appropriate question.
>


Re: Whois vs GDPR, latest news

2018-05-23 Thread Dan Hollis

On Tue, 22 May 2018, Jimmy Hess wrote:

> Perhaps it's time that some would consider new RBLs and Blackhole
> feeds based on:
> Domains with deliberately unavailable WHOIS data.


How about the ones with broken contact data - deliberately or not?

A whois blacklist sounds good to me. DNS WBL?


exhibit A:
==
https://whois.arin.net/rest/net/NET-66-111-32-0-1/pft?s=66.111.56.98

   - Transcript of session follows -
... while talking to aspmx.l.google.com.:

DATA

<<< 550-5.1.1 The email account that you tried to reach does not exist. Please try
<<< 550-5.1.1 double-checking the recipient's email address for typos or
<<< 550-5.1.1 unnecessary spaces. Learn more at
<<< 550 5.1.1  https://support.google.com/mail/?p=NoSuchUser d26-v6si14042755pge.500 - gsmtp
550 5.1.1 ... User unknown
<<< 503 5.5.1 RCPT first. d26-v6si14042755pge.500 - gsmtp


exhibit B:
=
https://apps.db.ripe.net/db-web-ui/#/query?searchtext=79.121.0.5#resultsSection

   - Transcript of session follows -
... while talking to mail.kabelnet.hu.:

DATA

<<< 451 Could not complete sender verify callout ... 
Deferred: 451 Could not complete sender verify callout
<<< 503-All RCPT commands were rejected with this error:
<<< 503-Could not complete sender verify callout
<<< 503 Valid RCPT command must precede DATA
Warning: message still undelivered after 4 hours
Will keep trying until message is 5 days old



-Dan
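
Added example, not part of the original post: one way the two bounce transcripts above could be scored automatically when testing whois contact addresses. The function names and the labels "dead", "retry" and "unknown" are assumptions made for this sketch; the transcripts are copied from the exhibits with wrapped lines rejoined.

```python
import re

# Server replies as shown in exhibit A and exhibit B above.
EXHIBIT_A = """\
<<< 550-5.1.1 The email account that you tried to reach does not exist. Please try
<<< 550-5.1.1 double-checking the recipient's email address for typos or
<<< 550-5.1.1 unnecessary spaces. Learn more at
<<< 550 5.1.1  https://support.google.com/mail/?p=NoSuchUser d26-v6si14042755pge.500 - gsmtp
550 5.1.1 ... User unknown
<<< 503 5.5.1 RCPT first. d26-v6si14042755pge.500 - gsmtp
"""
EXHIBIT_B = """\
<<< 451 Could not complete sender verify callout ...
Deferred: 451 Could not complete sender verify callout
<<< 503-All RCPT commands were rejected with this error:
<<< 503-Could not complete sender verify callout
<<< 503 Valid RCPT command must precede DATA
"""

# "<<< NNN-text" continues a multi-line reply, "<<< NNN text" ends it.
REPLY = re.compile(r"^<<< (\d{3})([- ])(.*)$")

def server_replies(transcript):
    """Group the '<<< ' lines into complete SMTP replies as (code, text)."""
    replies, pending = [], []
    for line in transcript.splitlines():
        m = REPLY.match(line)
        if not m:
            continue  # commentary from the local MTA, not a server reply
        code, sep, text = m.groups()
        pending.append(text.strip())
        if sep == " ":
            replies.append((int(code), " ".join(pending)))
            pending = []
    return replies

def classify(transcript):
    """Label a contact address 'dead' (5xx), 'retry' (4xx) or 'unknown'."""
    for code, _ in server_replies(transcript):
        if code == 503:
            continue  # bad-sequence answer to DATA: a consequence, not the cause
        if 500 <= code < 600:
            return "dead"
        if 400 <= code < 500:
            return "retry"
    return "unknown"
```

Both transcripts end in a 503 because DATA was sent after every RCPT had been refused, so the last reply is never the one to score; the first refusal is.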