Very interesting story great work Ronald
-----Original Message-----
From: NANOG <nanog-boun...@nanog.org> On Behalf Of Ronald F. Guilmette
Sent: Wednesday, August 28, 2019 2:27 AM
To: nanog@nanog.org
Subject: The Curious Case of 143.95.0.0/16
Fair Warning: Those of you not enamored of my long-winded exposés of various
remarkable oddities of the IPv4 address space may wish to click on the tiny
little wastebasket icons on your mail clients at this point. For the rest of
you, please read on. I think you may find the following story intriguing. It
contains at least a few surprising twists.
+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_
++_
Our story today consists of three acts.
Act 1 - It is Born
------------------
In mid-February of 1990 a new venture-capital backed company was formed in
Sunnyvale, California. In some ways it was no different than the hundreds or
thousands of hopeful high-tech startups that had been formed in Silicon Valley,
both before and since. It started with a hopeful dream that, in the end, just
didn't work out.
The founders of this company settled initially on a temporary placeholder
company name, XYZ Corporation:
https://drive.google.com/file/d/1CkDNKq4M1DQKuTxBBhlYxUNAjU2cvDnY/view
The mission of the company was to design and manufacture so-called X-Windows
terminals. These would be diskless workstations, complete with CPUs, color
(CRT) displays, graphics, memory, and an ethernet interface. The basic idea
what that such a diskless workstation could run the free X-Windows client
software, and that the system would be cheaper than ordinary PeeCees due to it
not having any hard drives or optical drives.
By some odd twist of fate, I myself was working in the same geographic area as
a software engineer at around the same time, but I worked for a different
Silicon Valley startup, just down the road from XYZ Corporation. And by a
rather remarkable coincidence, the company I worked for had exactly the same
goal and mission as the XYZ Corporation. The name of this other X-Windows
workstation startup was Network Computing Devices, or just "NCD"
for short.
Quite obviously, both companies were inherently "network-centric" and thus,
both requested and were granted blocks of IPv4 addresses. That wasn't at all
within my area of responsibility at NCD, so I don't know who actually issued
those blocks. My guess, based on published historical accounts, was that it
was most probably Dr. Jon Postel who assigned the blocks. I'm sure that
someone will correct me if I'm wrong.
Months passed, and eventually the founders of XYZ Corporation settled on
something they would use as a permanent replacement for their temporary
placeholder corporate name. They decided to call the thing Athenix, Inc.
Once they had settled on that name, they filed papers to update their records
with the California Secretary of State's office:
https://drive.google.com/file/d/1dUjsvSkzzdzUsIbIZCS7RF0afsI3uU0l/view
At some point, they also and likewise updated the ARIN WHOIS record for the
/16 block which had been assigned to them, on or about 1990-09-06, as was
appropriate to reflect their new permanent corporate identity:
https://pastebin.com/raw/YbH6zYrR
More time passed and eventually it became clear that the entire world was not
in fact breathlessly waiting for -two- companies to bring to market diskless
X-Windows workstations. In fact, as history now shows, market demand would not
support even one such company over the long term.
Thus it came to pass in the year 1993 that an all-too-familiar end-of-life
ritual played out once again in Silicon Valley. At Athenix, Inc. HQ in
Sunnyvale, the people were all let go, including the founders. The desks, the
chairs, the phones, the computers, and the tools were all sold at auction, with
the proceeds going to the preferred shareholders, i.e. the poor fools who had
put up all of the money for this now-failed venture in the first place, the
venture capitalists. Foremost among those in this instance, was the venerable
Menlo Park venture capital firm Kleiner Perkins.
I've confirmed this historical account of the rise and fall of the original
1990-vintage Athenix, Inc. in multiple phone and email exchanges with both the
original CEO of the original Athenix, Mr. Robert ("Bob") Garrow. lately of Los
Altos, California, and also the original CTO of the company, Mr. John Garman,
lately of Reno, Nevada.
Act 2 - Rebirth - The Athenix Phoenix
-------------------------------------
Fast forward fifteen years. On April 22, 2008 a pair of gentlemen in the
Commonwealth of Massachusetts elected to establish a new corporate entity
within the commonwealth. It's name would be Athenic, Inc.[1]
https://drive.google.com/file/d/1jYUqtgYprI4iyJkTT91-yRBYJt0c2ufF/view
https://drive.google.com/file/d/1mlVML8z7vzp7aeGmOK-3cWBBJeNBuThn/view
As you can see in the documents above, a certain Mr. Ofer Inbar and a certain
Mr. Robert Anita, both of the greater Boston area, formed this new corporate
entity in Massachusetts. At its formation, the younger Mr. Inbar was the
President, while the more senior Mr. Antia served as the corporate secretary
and treasurer.
Various other records, which I shall not include here, suggest that both Mr.
Inbar and Mr. Anita were at some point in the distant past affiliated, in at
least some tangential way, with the well-regarded white-hat Boston area hacking
collective known as L0pht, aka L0pht Heavy Industries. I cannot say much about
this apparent connection, other than to say that the details I have ferreted
out about this connection are sketchy at best.
I do however have it on reasonably good authority that Mr. Inbar has of late
relocated to the greater Seattle metropolitan area, and that he is or was
working as a network administrator for Google, Inc. in that area. Mr. Antia,
in contrast, is still, when I last checked, a resident of the greater Boston
area, and is a well regarded "graybeard" in the computing community in and
around Boston, having been in the business, one way or another, for decades.
Mr. Anita currently serves as President of the Boston area chapter of the
public/private critical infrastructure cybersecurity defense partnership known
as InfraGuard.
https://infragard-boston.org/
The evidence currently available to me suggests that not long after the
creation of Mr. Inbar's and Mr. Antia's Massachusetts Athenix, Inc., ARIN
elected to delegate responsibility for the reverse DNS for the 143.95.0.0/16
IPv4 block to a pair of name servers called dns1.athenixinc.com and
dns2.athenixinc.com. That delegation was already in place by 2010-06-24, which
is about the time that Farsight Security Inc., my data source, first began
passively collecting its historical archives of DNS response records.
Historical records made available to me by Domaintools, LLC indicate that the
athenixinc.com domain name was, at least initially, registered to Mr.
Anita in Lincoln, Massachusetts.
https://pastebin.com/raw/GNhbFDFz
Subsequent historical WHOIS data collected by Domaintools in relation to the
athenixinc.com domain name shows that after Mr. Anita, the domain name
registration passed into the hands of at least one other individual, and
eventually, to an entirely different corporate entity. We will come to that
shortly.
Almost a year ago now, when I was first investigating the 143.95.0.0/16 block,
I attempted to interview Mr. Inbar by phone regarding his and Mr.
Anita's Athenix, Inc. and the unusual history of the 143.95.0.0/16 block.
It did not go well. Mr. Inbar was apparently reluctant to engage with me by
phone on these or any other topics. He and I did have a few brief and
truncated email exchanges after that however, but apparently my questions
regarding how Mr. Inbar and Mr. Anita came to exercise effective day-to-day
control over the 143.95.0.0/16 ARIN legacy block were not ones that Mr. Inbar
felt in any way obliged to answer, and at some point he simply ceased answering
my emails.
In contrast, Mr. Antia was a veritable fount of information and he and I had
multiple phone conversations as well as multiple email exchanges. From these
exchanges I quickly deduced that Mr. Antia saw absolutely nothing wrong with,
much less anything at all to be shy about with respect to the history of the
143.95.0.0/16 block -or- his formation, along with Mr. Inbar, of a new Athenix,
Inc. in Massachusetts back in in 2008. Quite the contrary!
Mr. Anita was kind enough for forward me a copy of the following really rather
remarkable lease agreement, in which Mr. Inbar and Mr. Anita together
undertook to lease the 143.95.0.0/16 IPv4 block to a certain Nevada-
incorporated and Colorado-resident limited liability company known as Media
Breakaway, LLC:
https://drive.google.com/file/d/1ASXrUsiNAIq1IIZO5Lw1BqjD1qucqFmI/view
As you can see, the term of the lease is 20 years, beginning from the 28th day
of May, 2008. The compensation to be paid to Mr. Inbar's and Mr. Anita's
Massachusetts Athenic, Inc. in return for this 20 year leasehold was to be
$100,000 USD As Mr. Anita related to me, this sum was in fact paid, and Mr.
Inbar and Mr. Anita split it evenly. (But of course, I have no way to
independently verify that.)
For those unaware, I pause here just long enough to note that the CEO of Media
Breakaway, LLC is none other than Mr. Scott Richter, one-time "Spam King" and a
man who both Wikipedia and the KrebsOnSecurity blog have asserted is a
convicted felon. And of couurse, this is the very same Scott Richter who
figured so prominently in Brian Krebs' report about pilfered legacy ARIN /16
blocks, published on the Washington Post, way back in April, 2008.
Of course, in my phone conversations with Mr. Anita, I acquainted him with
these relevant historical allegations. He confessed at the time that he had
not personally done much at all in the way of due diligence with respect to
either Mr. Richter or his company -- a lapse which I personally found (and
find) quite unfortunate, to say the least, and not least because of Mr.
Anita's position as the President of the Boston Chapter of Infraguard, the
public/private partnership whose mission is the protection of the nation's
critical infrastructure assets from cyber-threats. I would have hoped that a
person in such a position would have been in the general habit of exercising at
least some due diligence with respect to the people he does business with and,
in this specific instance, preferably at some moment *before* Mr. Anita cashed
his $50,000 check.
Act 3 - Final Dispensation
--------------------------
Now we come to the final remarkable chapter in the already remarkable history
of the 143.95.0.0/16 legacy IPv4 ARIN address block.
Some months after the formation of the Massachusetts "Athenix, Inc.", on
Sepetember 2nd, 2008 a new corporate entity calling itself "Athenix
Corporation" was incorporated in the State of California. Curiously, this
third Athenix gave both its actual address and its mailing address as 10
Corporate Drive, Burlington, MA 01813.
https://drive.google.com/file/d/1GHhwuPGPKdx5n46cYQ2UhTGiMSdxonFu/view
https://drive.google.com/file/d/1ZLtcY2HWoi5vmNFAJleHep8DxIS3igVR/view
As it happens, that street address is also the headquarters address of the
publicly-traded Endurance International Group, Inc. (EIGI).
There is substantial evidence indicating that EIGI is effectively in complete
functional control of the 143.95.0.0/16 address block at the present moment.
The company's primary ASN, AS29873 and also, an AS number belonging to one of
the company's many acquired subsidiaries, A Small Orange LLC, AS62729 are each
routing significant portions of the 143.95.0.0/16 block at the present time.
https://bgp.he.net/AS29873#_prefixes
https://bgp.he.net/AS62729#_prefixes
Additionally, on or about 2017-05-22, EIGI became the registrant of the
athenixinc.com domain, whose associated name servers (dns1 dns2) had provided
revserse DNS service for the entire 143.95.0.0/16 block during
2011 and 2012. Delegation of the reverse DNS responsibility for the entire
143.95.0.0/16 block changed on or about 2013-11-28 so that the new name servers
were ones associated with the domain name asonoc.com, at least according to the
relevant historical data provided to me by Farsight Security, Inc.
https://pastebin.com/raw/MVmzhirc
Historically, and as recently as 2018-04-20, the domain name asonoc.com was and
has been registered to the EIGI subsidiary A Small Orange LLC.
https://pastebin.com/raw/Xy8UHZNw
Responsibility for the reverse DNS for the entire 143.95.0.0/16 block remains
delegated to the rdns1.asonoc.com and rdns2.asonoc.com name servers at the
present moment.
EIGI is primarily a web hosting company. It has, over time. exhibited a
tendency to acquire other and smaller web hosting companies which it has then
absorbed into and under its corporate unbrella. Unlike most other corporate
acquirers however, EIGI is somewhat unique in its notable tendency to not
rebrand its acqusitions so that they would be additive to its main corporate
brand, generally electing instead to maintain the pre-acqusition brand names
for its newly acquired web hosting businesses. One such EIGI- acquired propery
that has retained its pre-acqusition brand name is the aforementioned
Texas-based web hosting company called A Small Orange LLC, aka AS62729.
(Those who may be interested in more backgound regarding EIGI and past
controversies, specifically with relating to the company's accounting practices
as well as the online activities of its clientele, are encouraged to consult
the footnotes below.[2])
The available evidence suggests the clear possibility that EIGI and its
subsidiary, A Small Orange LLC. may be controling and using the 143.95.0.0/16
block in a manner inconsistant with ordinary business rules of fair dealing
and/or in a manner inconsistant with current ARIN policy, and further, that the
company and/or its various C-suite officers may have arrived at this current
situation not by happentance but rather by some very carefully considered
premeditation.
I mention specifically EIGI's C-suite officers, because the available evidence
suggests that EIGI's apparent takeover of the 143.95.0.0/16 block was not
purely or only the product of some unsanctioned rogue activity on the part of
lower-level company functionaries. Multiple publicly available records
obtained from the web site of the California Secretary of State implicate
multiple current and former EIGI C-suite officers as having been, at the very
least, directly aware of the formation of the third "Athenix", even if perhaps
not directly or personally responsible for that rather suspicious company
formation.
https://drive.google.com/file/d/12gm41jG9iFIC9KvIJmfWNjUqCmRtTfxN/view
https://drive.google.com/file/d/1zdhru_hpYVIJfVKi-s5X1MW0znrErJzQ/view
https://drive.google.com/file/d/1dVHDSPKD4Qvur9rzCK9YZDEtOkFA2raS/view
Plese note that Mr. Hari Ravichandran is the now-former CEO of EIGI. Mr.
David Bryson was and remains EIGI's Chief Legal Officer. Mr. Marc Montagner
was and remains EIGI's Chief Financial Officer. Mr. Jeffrey Fox is EIGI's
current CEO, having succeded Mr. Ravichandran in that post.
https://www.endurance.com/our-company/our-team
https://exechange.com/7850/endurance-ceo-hari-ravichandran-leaves-2/7850
https://www.linkedin.com/in/hari-ravichandran-9b949b8
https://jumpv.com/meet-the-team/
https://www.linkedin.com/in/davidbryson
https://www1.salary.com/David-C-Bryson-Salary-Bonus-Stock-Options-for-ENDURANCE-INTL-GRP-HLDGS-INC.html
https://www.linkedin.com/in/marc-montagner-b112a1b1
https://wallmine.com/people/6106/marc-montagner
https://www.linkedin.com/in/jeff-fox-820a0413
https://wallmine.com/people/2962/jeffrey-h-fox
Given that EIGI's rights in and/or legal title to the 143.95.0.0/16 block
appear to be, at best, on somewhat shaky ground, and given that the new
2008-vintage Athenix Corporation does not obviously possess any other obvious
or apparent assets to speak of, it appears, to this writer at least, more than
a little incongruous to see that EIGI apparently listed Athenix Corporation as
a collateral asset on what, to a layman such as myself, appears to be a bank
collateral statement which was filed, apparently in 2013, with the United
States Securities and Exchange Comission.
https://www.sec.gov/Archives/edgar/data/1237746/000119312514077774/d635170dex1025.htm
All I can say about that is that I personally was turned down for a bank loan,
some years ago, when I attempted to use the monthly -liability- of my recurring
water bills as collateral for the loan. But then I have never been anywhere
near as accomplished at high finance as any of the gentlemen mentioned above
surely are.
Responses
---------
More than 24 hours prior to posting this message, I reached out to the press
contact email address listed on EIGI's web site, press (at) endurance.com, for
comment about the facts elaborated above. No response was received from the
company by press time.
Prior to posting, I also reached out to John Curran @ ARIN for his response to
the facts set forth above. John was kind enough to provide the following
official on-the-record ARIN response:
ARIN does not comment on specific registry changes (as number resource
change requests are made in confidence), but we do take matters of
potential number resource fraud quite seriously. I would recommend that
you report potential incidents of registry fraud (if you have not done
so already) via our Internet Number Resource Fraud Reporting process at
https://www.arin.net/resources/fraud/, and we will promptly investigate.
– John Curran, CEO, ARIN
+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_
++_
FULL DISCLOSURE: I hold no postions, either short or long in EIGI or in any
related company.
+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_
++_
Acknowledgements
----------------
My thanks to Farsight Security, Inc. and to Domaintools, LLC for their kind
support of this research.
Footnotes:
=======================================================================
[1] Rather remarkably, the Massachusetts Athenix, Inc. was incorporated a mere
six days before my friend, journalist Brian Krebs, put up a story on the
Washington Post web site, detailing how a pair of legacy ARIN IPv4
/16 blocks had somewhat inexplicably ended up in the hands of one of the
world's most notorious spammers, Scott Richter. That story, as some of you
will already know, alleged that a rather simple and yet elaborate fraud had
been perpetrated against ARIN, a fraud which amounted to nothing less than
corporate identity theft, with the one and only apparent goal being the
effective take-over of two quite valuable legacy ARIN IPv4 /16 blocks, a goal
which was, it appeared, successfully achieved with only a relatively minor
investment of effort and expense.
[2] In recent years, all has not gone well for EIGI. In the year 2015, a
somewhat mysterious New York City short seller using the pen name Gotham City
Research published a sequence of four reports detailing his beliefs that all
was not as it should be at EIGI, both with respect to the company's financial
statements and with respect to its clientele and their (allegedly) questionable
online activities.
2015-04-28 - Endurance International Group - A Web of Deceit
https://bit.ly/2KZXPLA
2015-04-29 - Initial Follow-up To: A Web of Deceit
https://bit.ly/2L5Vv4o
2015-05-05 - EIGI’s Adjusted EBITDA is a Meaningless Metric
https://bit.ly/342x4xE
2015-08-03 - Endurance International Group: Malicious Activities
https://bit.ly/30Gk4vr
The value of EIGI stock dropped rather precepitously following the publication
of the Gotham City Research reports and has yet to recover to its earlier highs.
https://drive.google.com/file/d/1BaGzFglnrbAca9DsRIqt2eD0m_jnrCMw/view
The SEC's investigation of EIGI, and the SEC's subsequent enforcement actions
against the company and its officers in 2018 also didn't help matters much with
respect to EIGI and its stock price:
https://www.sec.gov/enforce/33-10504-s
https://www.bizjournals.com/boston/news/2018/08/22/former-endurance-group-execs-pay-1-4m-to-settle.html
