Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-15 Thread Christopher Morrow
(I hate to step into the pond, but...)

On Thu, Aug 15, 2019 at 8:02 AM John Curran  wrote:
>
> On 14 Aug 2019, at 11:16 PM, Ronald F. Guilmette  
> wrote:
>
>
>
> Report it on some webpage and call it "Internet
> Resources stolen", document every incident as you do via email, send a
> copy to the appropriate RIR and upstream ISP allowing the hijack in
> question to show that you did the appropriate effort and we can then
> move on.
>
>
> I can and will stop posting here, and go off and blog about this stuff
> instead, if the consensus is that I'm utterly off-topic or utterly
> uninteresting and useless.  But a few folks have told me they find
> this stuff interesting, and it has operational significance, I think.
> So for now, at least, I'd like to continue to share here.
>
> As regards to reporting to RIRs or upstreams, what makes you think that
> either of those would care one whit?  The RIRs are not the Internet
> Police, or so I am told.
>
>
> Good morning Ron –
>
> The RIRs are not the Internet Police, but we do care very much about the 
> integrity of the Internet number registry system.
>
> Please report to ARIN any instances of number resource records in the ARIN 
> registry whose organization you believe to be incorrect – while such records 
> are updated only based on appropriate documentation, that doesn’t preclude 
> the use of fraudulent documentation that goes undetected.

There seem to be 2 different (at least) classes of thing Ron's noting here:
  1) an aggregate (an ALLOCATION in RIR resource divvying-up parlance)
with (perhaps) bad data showing in WHOIS:
   216.179.128.0/17

  2) a subnet (an ASSIGNMENT in IR resource divvying-up parlance) with
bad data showing in WHOIS:
   216.179.183.0/24

How data gets into the WHOIS system here is mechanically the same, but
the control ARIN (or any RIR) can exert is drastically different.
During the process of ALLOCATION from the RIR to an LIR (or end-site)
there is some process which includes validating "who" and "where" and
such, which John (and a few others) have outlined.
During the ASSIGNMENT from LIR -> customer / end-site the LIR is
solely (well.. mostly, yes the LIR can create an ORG and permit the
Customer the ability to send SWIP updates)  in control of what
data ends up in the WHOIS. ARIN (for example) has no real say in the
records for ASSIGNMENTS. They could, I suppose, do something ... but
that seems a lot like drinking from a firehose without any real
ability on the part of ARIN (for instance) to validate anything in the
inbound data :(

-chris


RE: RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

2019-08-15 Thread Michel Py
Hi John,

> John Curran wrote :
> Even so, we at ARIN are in the midst of a Board-directed review of the RPKI 
> legal framework to see if any improvements can be made
> 
>   – I will provide further updates once it is completed.

Thanks, we appreciate the effort.

That being said, something has to be done. I feel that the RPKI validation by 
ARIN is somehow useless. Why: because few download the TAL (at least in part 
because of the indemnisation clause).
Therefore, many networks that do RPKI validation do validate prefixes from the 
other 4 RIRs but not mine.
In simple words: why bother validating, if all or most of the networks that 
could block invalid prefixes don't, because the TAL agreement is not palatable?

I understand that ARIN has to deal with a legal system that makes things 
difficult, but OTOH I would like ARIN's RPKI validation to provide the same 
protection as the other RIRs, which it currently does not.

I created my ROAs, but I am not protected as well as an Org belonging to 
another RIR.

Michel
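
Added example (not part of the message above and not code from any poster or RIR): RFC 6811 route origin validation run over the same announcements twice, once with validated ROA payloads from every configured trust anchor and once with one trust anchor missing. The prefixes and ASNs are documentation values, and the TAL labels and sample ROAs are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# A Validated ROA Payload (VRP): what a relying party holds after it has
# validated a ROA up to a trust anchor (TAL) that it has configured.
VRP = namedtuple("VRP", "prefix max_length asn tal")

# Constructed sample data: RFC 5737 documentation prefixes and RFC 5398
# documentation ASNs. The "tal" label only records which trust anchor the
# ROA chains to; it does not reflect real registry contents.
ALL_VRPS = [
    VRP(ipaddress.ip_network("192.0.2.0/24"), 24, 64496, "arin"),
    VRP(ipaddress.ip_network("198.51.100.0/24"), 24, 64497, "ripe"),
    VRP(ipaddress.ip_network("203.0.113.0/24"), 24, 64498, "apnic"),
]

# Constructed BGP announcements as (prefix, origin ASN).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),     # correct origin, ROA under "arin"
    ("192.0.2.0/24", 64511),     # wrong origin for the same prefix
    ("198.51.100.0/25", 64497),  # correct origin, longer than maxLength
    ("203.0.113.0/24", 64498),   # correct origin, ROA under "apnic"
]


def load_vrps(configured_tals):
    """Return only the VRPs whose trust anchor the validator has installed."""
    return [v for v in ALL_VRPS if v.tal in configured_tals]


def validate_origin(prefix, origin_asn, vrps):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for v in vrps:
        if v.prefix.version != route.version:
            continue
        if route.subnet_of(v.prefix):
            covered = True  # at least one VRP covers this route
            if (v.asn == origin_asn and v.asn != 0
                    and route.prefixlen <= v.max_length):
                return "valid"
    # Covered but never matched is invalid; no covering VRP is not-found.
    return "invalid" if covered else "not-found"


def compare(full_tals, partial_tals):
    """Validation state of each announcement under two TAL configurations."""
    full, partial = load_vrps(full_tals), load_vrps(partial_tals)
    return [
        (prefix, asn,
         validate_origin(prefix, asn, full),
         validate_origin(prefix, asn, partial))
        for prefix, asn in ANNOUNCEMENTS
    ]


def coverage_gaps(rows):
    """Announcements a drop-invalids policy rejects with the full TAL set
    but lets through with the partial set (state is no longer 'invalid')."""
    return [(p, a) for p, a, s_full, s_part in rows
            if s_full == "invalid" and s_part != "invalid"]


if __name__ == "__main__":
    rows = compare({"arin", "ripe", "apnic"}, {"ripe", "apnic"})
    for prefix, asn, s_full, s_part in rows:
        print(f"{prefix:18} AS{asn}  all TALs: {s_full:9}  one missing: {s_part}")
    print("no longer rejected:", coverage_gaps(rows))
```
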




Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-15 Thread John Curran
On 14 Aug 2019, at 11:16 PM, Ronald F. Guilmette <r...@tristatelogic.com> wrote:

>> Report it on some webpage and call it "Internet
>> Resources stolen", document every incident as you do via email, send a
>> copy to the appropriate RIR and upstream ISP allowing the hijack in
>> question to show that you did the appropriate effort and we can then
>> move on.
>
> I can and will stop posting here, and go off and blog about this stuff
> instead, if the consensus is that I'm utterly off-topic or utterly
> uninteresting and useless.  But a few folks have told me they find
> this stuff interesting, and it has operational significance, I think.
> So for now, at least, I'd like to continue to share here.
>
> As regards to reporting to RIRs or upstreams, what makes you think that
> either of those would care one whit?  The RIRs are not the Internet
> Police, or so I am told.

Good morning Ron –

The RIRs are not the Internet Police, but we do care very much about the 
integrity of the Internet number registry system.

Please report to ARIN any instances of number resource records in the ARIN 
registry whose organization you believe to be incorrect – while such records 
are updated only based on appropriate documentation, that doesn’t preclude the 
use of fraudulent documentation that goes undetected.

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers



Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-14 Thread Hank Nussbacher

On 15/08/2019 06:16, Ronald F. Guilmette wrote:

>> - If the resource owner is nowhere to be found, why should we as a
>> community care?
>
> I'm so glad you asked.
>
> Regardless, in -either- the case where no heir can be found -or- in the
> case where the rightful heir is either just too dumb or just too lazy
> to take the minimal steps necessary to reclaim the property (and/or before
> this has occurred) the community should care because the kind of people who
> either steal or squat on IPv4 blocks are, almost without exception, not the
> kind of people who anybody sane wants to be accepting packets from, let
> alone peering with.  There is, in my opinion and experience, a high
> degree of correlation between skulduggery with respect to -obtaining-
> (illicitly) IPv4 address blocks and using those addresses in a manner
> which is not at all conducive to the general welfare of the Internet or
> its users.

So if the rightful is apathetic, then won't these new "malicious blocks" 
just end up in numerous blacklists and all the illegal activity being 
performed from those usurped blocks will just be blocked in the end?  
Since the RIRs won't do much (as much as we have tried) why not just 
leave it be (as much as it may hurt to do that) and let the bad blocks 
just become part of the blacklist sludgepool?

>> Report it on some webpage and call it "Internet
>> Resources stolen", document every incident as you do via email, send a
>> copy to the appropriate RIR and upstream ISP allowing the hijack in
>> question to show that you did the appropriate effort and we can then
>> move on.
>
> I can and will stop posting here, and go off and blog about this stuff
> instead, if the consensus is that I'm utterly off-topic or utterly
> uninteresting and useless.  But a few folks have told me they find
> this stuff interesting, and it has operational significance, I think.
> So for now, at least, I'd like to continue to share here.


Suggestion: post here a link to your new blog for every incident you 
find.  State here something like "/22 stolen from  registered in 
country aaa by yyy located in country bbb".  Those that are interested 
will click on the link and I suggest you allow comments on every blog 
post so that people can respond and comment.


Regards,

Hank



Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-14 Thread Ronald F. Guilmette
In message <20190810003820.gd2...@jima.tpb.net>, 
Niels Bakker  wrote:

>* r...@tristatelogic.com (Ronald F. Guilmette) [Sat 10 Aug 2019, 02:26 CEST]:
>>As far as I am aware, no RIR makes any effort whatsoever to vet 
>>changes to WHOIS records, either for IP blocks or ASNs or ORG 
>>records.
>
>This is hilarious.  You should hear the whining from any EU-based 
>operator who has to implement the transfer of RIPE NCC resources in 
>a corporate acquisition.
>
>I recently was involved with one of those and the amount of due 
>diligence required by the RIPE NCC was pretty intense.  If I were at 
>an RIR I'd be insulted by your claim of "no... effort whatsoever".

I do not and would not dispute that at least a few RIRs... in particular
ARIN and RIPE... are -very- good and -very- diligent these days in their
vetting of the legitimacy of what the RIRs themselves, and on their
(secret) -internal- books list as "registrants" of number resources.

But what is listed on the internal books of any given RIR is -not- what
appears in the WHOIS records.  It's just that simple.  Your RIR may
have given you a full rectal exam prior to giving you your IP addresses.
But how does that help -me- if you're sending me bad packets and your
WHOIS record says the following?

Registrant:Salvador Dali
Address:   12345 Moon St., The Universe, 9
Phone: <>

Regards,
rfg


Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-14 Thread Ronald F. Guilmette
In message <4fcb73bf-224f-e011-f310-522193c86...@efes.iucc.ac.il>, 
Hank Nussbacher  wrote:

>Just as an observer to your long resource theft postings:
>- Do you attempt to contact directly the organization or person who have 
>had their resource taken over?

To the extent that I can spare the time, and to the extent that I am able
to do so, (which is often limited by time zone differences) yes, I do.

>- Do they care or are they apathetic?

Before answering let me clarify first the two different classes of problems
that I've most often been looking at.

Everybody including myself has in the past used the term "hijack" but
I'm going to try to stop doing that, in future, and instead use the more
precise terms "squatting" and "theft", where "theft" involves a case
where the relevant WHOIS records have been materially "fiddled" by the
usurper.

In both cases, the usurpers generally aim, first and foremost, for the
low hanging fruit, which is to say legacy blocks that were abandoned
years and years ago, sometimes even decades ago, back when IP addresses
had zero monetizable value.

When contacted, victims in these cases are typically at first utterly
perplexed, and when I explain to them that I am trying to give them
back stuff that they already own, and which in some cases is worth
considerable money on the open market, they *do* look a gift horse
in the mouth, and they assume, quite reasonably I think, given the
current way of the world, that *I* am trying to run some kind of
elaborate scam on them.  It takes a lot of talking on my part to
convince them that no. I'm actually just a good samaritan, and that no,
I am -not- going to be asking them to first send any sort of "release
fee" via Western Union or Bitcoin or WebMoney before they can have their
own blocks back.

Even after they have been convinced that this ain't a scam and that they
do own the stuff I say they own, most are often entirely lackadaisical
about getting off their butts and then working with the relevant RIRs
to get their own stuff back.  Even when I try to get them fired up
by telling them that "cybercriminals" have stolen their blocks, and
the fact that evil that is being done under their names may negatively
affect THEIR public reputations, it's still like watching paint dry,
for me anyway.  Clearly, nobody but me has any sense of urgency about
these things at all.

>- If the resource owner is nowhere to be found, why should we as a 
>community care?

I'm so glad you asked.

Before answering I should first note that it is actually quite rare when
a sufficient amount of research on my part fails to turn up a relevant
"successor or assign" which would, by rights, be the modern day entity
with a legitimate claim on the asset.  So the "nowhere to be found" case
is by far the exception, rather than the rule.

Regardless, in -either- the case where no heir can be found -or- in the
case where the rightful heir is either just too dumb or just too lazy
to take the minimal steps necessary to reclaim the property (and/or before
this has occurred) the community should care because the kind of people who
either steal or squat on IPv4 blocks are, almost without exception, not the
kind of people who anybody sane wants to be accepting packets from, let
alone peering with.  There is, in my opinion and experience, a high
degree of correlation between skulduggery with respect to -obtaining-
(illicitly) IPv4 address blocks and using those addresses in a manner
which is not at all conducive to the general welfare of the Internet or
its users.

>Report it on some webpage and call it "Internet 
>Resources stolen", document every incident as you do via email, send a 
>copy to the appropriate RIR and upstream ISP allowing the hijack in 
>question to show that you did the appropriate effort and we can then 
>move on.

I can and will stop posting here, and go off and blog about this stuff
instead, if the consensus is that I'm utterly off-topic or utterly
uninteresting and useless.  But a few folks have told me they find
this stuff interesting, and it has operational significance, I think.
So for now, at least, I'd like to continue to share here.

As regards to reporting to RIRs or upstreams, what makes you think that
either of those would care one whit?  The RIRs are not the Internet
Police, or so I am told.  They don't configure routers.  Upstreams are,
in my experience utterly intransigent and unresponsive, especially in
the absence of public exposure of the self-evident problem(s) like
the time I tried to get Telecom Italia to get off their asses and do
something... anything... about their criminal mass squatting customer.
It wasn't until much later on, after WhiteOps and Google had exposed
the massive click fraud operation that was behind all that that Telecom
Italia saw fit to lift even a single finger to actually DO anything at
all.  And the last time I looked, Telecom Italia was *still* peering
with the exact same crooked ASN, even though most or all of 

Re: RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

2019-08-14 Thread Ronald F. Guilmette
In message , 
John Curran  wrote:

>Alas, it’s not those who fail to properly configure RPKI that are likely to be
>litigating, but rather their impacted customers and those customers' business
>partners who all were unable to communicate due to no fault of their own. 
>
>Such a matter will not be thrown out of court, but will be the start of a long
>and very expensive process involving claims, discovery, experts, etc...

Perhaps.  There are certainly some big players (AWS) that if routing were
interrupted for even, say, 12 hours, a lot of folks would get really mad
about.

Correct me if I'm wrong, but one of your presentation slides seemed to
suggest that a separate arms-length legal entity could be established
to do the RPKI stuff, thus offloading most or all of the potential
liability onto and into this separate entity, which could conveniently
have minimal assets of the kind that might inspire members of the
plaintiff's bar who are looking for deep pockets.

Is that an actual possibility, or did you just throw that in there for the
sake of completeness?

Personally, I don't much care how the problem gets solved, as long as it
gets solved.  The fundamental BGP problem has been known and discussed
now for 20+ years and it is only getting more dire and ominous, day by day.


Regards,
rfg


Re: RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

2019-08-14 Thread Anne P. Mitchell, Esq.


> There's obviously a disconnect where people aren't worried about indemnifying
> Spamhaus for using their block list, but are worried about indemnifying ARIN
> for using the TAL.

That would be because there is a rather substantial difference between 
publishing an IP address for which you have spam in hand, and are saying (and 
only saying) "I received spam from this IP address" (not to mention something 
which people use to only affect inbound email), and hosting something on which 
others rely for making their acceptance decision of all legitimate Internet 
traffic, as well as for the ability to not move malicious (or even accidentally 
misconfigured) Internet traffic.

Anne

Anne P. Mitchell, Attorney at Law
Dean of Cybersecurity & Cyberlaw, Lincoln Law School of San Jose
CEO/President, Institute for Social Internet Public Policy
SuretyMail Email Reputation Certification
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Legislative Consultant
GDPR, CCPA (CA) & CCDPA (CO) Compliance Consultant
Board of Directors, Denver Internet Exchange
Board of Directors, Asilomar Microcomputer Workshop
Legal Counsel: The CyberGreen Institute
Former Counsel: Mail Abuse Prevention System (MAPS)
Member: California Bar Association



Re: RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

2019-08-14 Thread Valdis Klētnieks
On Wed, 14 Aug 2019 16:07:49 -, John Curran said:

> > But I suspect a lot of companies are reading it as: "If a spammer sues you
> > for using a block list that prevents them from spamming your customers, you
> > can't end up owing money to the block list maintainers.  But if you rely on
> > the ARIN TAL, and get sued by an address hijacker, you could end up owing
> > money to ARIN".

> It's not "you owe money to ARIN", but it could be "you need to defend both
> yourself and ARIN from your customers litigation should you get it wrong."

Is there any workable way to remove or diminish the perception of liability in
the case of using it *correctly*?   I admit that (a) I'm not a lawyer and (b)
when I actually tried to read it I couldn't actually tell if it was "you
promise to defend us if you screw it up and customer traffic gets accidentally
dropped on the floor" or "you promise to defend us if you use it correctly and
miscreant traffic is intentionally dropped on the floor"...

There's obviously a disconnect where people aren't worried about indemnifying
Spamhaus for using their block list, but are worried about indemnifying ARIN for
using the TAL.





Re: RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

2019-08-14 Thread Rubens Kuhl
On Wed, Aug 14, 2019 at 1:09 PM John Curran  wrote:

> On 14 Aug 2019, at 11:15 AM, Valdis Klētnieks 
> wrote:
> >
> > On Wed, 14 Aug 2019 02:42:09 -, John Curran said:
> >
> >> You might want to ask them why they are now a problem when they weren’t
> >> before (Also worth noting that many of these ISP's own contracts with their
> >> customers have rather similar indemnification clauses.)
> >
> > Actually, it's probably ARIN that should be doing the asking, and seeing if
> > they can change the wording and/or rephrase the issue to allay concerns.
> >
> > It sounds to me like ARIN's *intent* was "if you get sued by your customers
> > because you screw the pooch on deployment, it's your screw-up to clean up
> > and not our problem". Or at least I *hope* that was the intent (see next
> > paragraph)
>
> That is indeed the intent - please deploy routing validation using best
> practices, so that you & your customers don’t suffer any adverse impact
> when ARIN's repository is not available.
>
>
Or, move all your number resources to a subsidiary in the AP region, pay
membership fees to APNIC instead of ARIN, and use their trust anchor
instead of ARIN's.
BTW, since all 5 RIRs have certificates signing the whole IP address space,
it really makes no difference.


Rubens


Re: RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

2019-08-14 Thread John Curran
On 14 Aug 2019, at 11:15 AM, Valdis Klētnieks  wrote:
> 
> On Wed, 14 Aug 2019 02:42:09 -, John Curran said:
> 
>> You might want to ask them why they are now a problem when they weren’t
>> before (Also worth noting that many of these ISP's own contracts with their
>> customers have rather similar indemnification clauses.)
> 
> Actually, it's probably ARIN that should be doing the asking, and seeing if
> they can change the wording and/or rephrase the issue to allay concerns.
> 
> It sounds to me like ARIN's *intent* was "if you get sued by your customers
> because you screw the pooch on deployment, it's your screw-up to clean up
> and not our problem". Or at least I *hope* that was the intent (see next
> paragraph)

That is indeed the intent - please deploy routing validation using best 
practices, so that you & your customers don’t suffer any adverse impact when 
ARIN's repository is not available.

> But I suspect a lot of companies are reading it as: "If a spammer sues you
> for using a block list that prevents them from spamming your customers, you
> can't end up owing money to the block list maintainers.  But if you rely on
> the ARIN TAL, and get sued by an address hijacker, you could end up owing
> money to ARIN”.

It’s not “you owe money to ARIN”, but it could be “you need to defend both 
yourself and ARIN from your customers’ litigation should you get it wrong."

> (Having said that, John, it takes a special sort of CEO to stand out and be
> seen in situations like this, and the world could probably use more CEO's
> like that…)

 fairly easy to do if one has a thick skin… ;-)

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers






Re: RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

2019-08-14 Thread Valdis Klētnieks
On Wed, 14 Aug 2019 02:42:09 -, John Curran said:

> You might want to ask them why they are now a problem when they weren’t
> before (Also worth noting that many of these ISP's own contracts with their
> customers have rather similar indemnification clauses.)

Actually, it's probably ARIN that should be doing the asking, and seeing if
they can change the wording and/or rephrase the issue to allay concerns.

It sounds to me like ARIN's *intent* was "if you get sued by your customers
because you screw the pooch on deployment, it's your screw-up to clean up and
not our problem". Or at least I *hope* that was the intent (see next paragraph)

But I suspect a lot of companies are reading it as: "If a spammer sues you for
using a block list that prevents them from spamming your customers, you can't
end up owing money to the block list maintainers.  But if you rely on the ARIN
TAL, and get sued by an address hijacker, you could end up owing money to ARIN".

(Having said that, John, it takes a special sort of CEO to stand out and be seen
in situations like this, and the world could probably use more CEO's like
that...)







Re: RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

2019-08-14 Thread John Curran
On 14 Aug 2019, at 1:21 AM, Ronald F. Guilmette <r...@tristatelogic.com> wrote:

> In message <06570278-e1ad-4bb0-a9fc-11a77bed7...@arin.net>,
> John Curran <jcur...@arin.net> wrote:
>
>> Even so, we at ARIN are in the midst of a Board-directed review of the RPKI
>> legal framework to see if any improvements can be made   – I will
>> provide further updates once it is completed.
>
> This is an excellent presentation John, and I'm real glad to see that you
> have done such a nice job on it and touched on all of the important points.
>
> In particular, I'm glad that you clarified that if everyone is just doing
> what they ought to be doing, i.e. following best practices, then even if
> RPKI central and all of its sister satellites should all be simultaneously
> hit by meteorites, then in theory at least, nobody should be any worse off
> than they already are today.
>
> And yes, I can't argue and won't argue that some folks aren't going to be
> bozos and screw up their RPKI deployment, and then some of them -may-
> possibly want to blame ARIN for -their- screw ups, but I continue to have
> trouble envisioning how this would ever translate into a lawsuit that
> wouldn't simply be laughed out of court in about five seconds if handled
> properly.

Alas, it’s not those who fail to properly configure RPKI that are likely to be 
litigating, but rather their impacted customers and those customers' business 
partners who all were unable to communicate due to no fault of their own.

Such a matter will not be thrown out of court, but will be the start of a long 
and very expensive process involving claims, discovery, experts, etc.  (a 
recent legal matter that was promptly resolved in ARIN’s favor pre-litigation 
still resulted in more than 1/3 million USD in costs...)   Absent a specific 
reason for dismissal, it is only in actual trial that the preponderance of 
evidence gets considered – and note that in such a dispute, we’d end up with a 
jury of regular folks hearing fairly technical arguments about certificate 
validation, covering ROA’s, caching, etc.  In other words, even if handled 
perfectly, your five second estimate is likely off by a year or more (and hence 
the reason for indemnification - it provides a clear basis for ARIN’s exit from 
the matter, as it makes plain that the liability resulting from use of the RPKI 
repository lies with the ISP.)

Thanks,
/John

John Curran
President and CEO
American Registry for Internet Numbers





Re: RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

2019-08-14 Thread John Curran
On 14 Aug 2019, at 2:26 AM, Matthew Petach  wrote:
> ...
> Now, at the risk of bringing down the ire 
> of the community on my head...ARIN could
> consider tying the elements together, at 
> least for ARIN members.  Add the RPKI terms 
> into the RSA document.  You need IP number
> resources, congratulations, once you sign the
> RSA, you're covered for RPKI purposes as well.

Matthew - 

Yes indeed - this is one of several potential improvements that we’re 
also investigating. 

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers



Re: RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

2019-08-14 Thread John Curran
On 14 Aug 2019, at 1:01 AM, William Herrin  wrote: 
> ...
> >  I would observe that continued use at that point has been held
> > to indicate agreement on your part [ref: Register.com, Inc. v. Verio, Inc., 
> > 356 F.3d 393 (2d Cir. 2004)]
> 
> In which Verio admitted to the court that they knew they were abusing 
> Register's computers but figured Register's contract with ICANN gave them the 
> right. The court would have reached the same decision regardless of 
> Register's notice: You're abusing computers that aren't yours. Stop it.

Bill - 

The particular finding from Register v. Verio that is relevant was that a user 
made aware of applicable terms with each query (even at the end) is sufficient 
for contractual binding after continued use.  

> Specht v. Netscape Communications Corp, on the other hand, found that, 
> "plaintiffs neither received reasonable notice of the existence of the 
> license terms nor manifested unambiguous assent" to the contract Netscape 
> offered for the use of their software at download-time, including assent to 
> settle disputes through arbitration.

Register v. Verio was after Specht v Netscape, and distinguished the situation 
where the user received terms at the end of each response from those cases 
where a user couldn’t reasonably determine that there were any applicable terms 
and conditions. 

> I'll take any bet you care to offer that the latter precedent applies to 
> casual consumer use of ARIN's whois.

That bet is available to you at any time by violating the terms of ARIN’s 
Whois service, so the question to ask yourself is: "do you feel lucky?”

Thanks,
/John

John Curran
President and CEO
American Registry for Internet Numbers




Re: RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

2019-08-14 Thread Matthew Petach
On Tue, Aug 13, 2019 at 5:44 PM John Curran  wrote:

> On 13 Aug 2019, at 9:28 PM, Ronald F. Guilmette 
> wrote:
>
> ...
> The last time I looked, RPKI adoption was sitting at around a grand total
> of 15% worldwide.  Ah yes, here it is...
>
>   https://rpki-monitor.antd.nist.gov/
>
> I've asked many people and many companies why adoption remains so low, and
> why their own companies aren't doing RPKI.  I've gotten the usual assortment
> of utterly lame excuses, but the one that I have had the hardest time
> trying to counter is the one where a network engineer says to me "Well,
> ya know, we were GOING to do that, but then ARIN... unlike the other four
> regional authorities... demanded that we sign some silly thing indemnifying
> them in case of something.
>
>
> Interestingly enough, those same indemnification clauses are in the
> registration services agreement that they already signed but apparently
> they were not an issue at all when requesting IP address space or receiving
> a transfer.
> You might want to ask them why they are now a problem when they
> weren’t before (Also worth noting that many of these ISP's own contracts
> with their customers have rather similar indemnification clauses.)
>

Hi John,

There are things companies will sign
when their backs are up against the wall
that they will balk at signing when it is
for an optional geek-ish extra.

IP addresses are the lifeblood of the
tech industry.  If you don't have an
IP address, you don't exist on the
Internet.  (Apologies to those of us
who still have modems configured
to call and retrieve mail addressed
with UUCP bang paths).

So, companies will grudgingly and with
much hand-wringing sign the RSA
necessary to get IP space.  Without,
they die.  Rather like oxygen; if we
had to sign a license agreement in
order to receive air to breathe, you'd
find most people would sign pretty
horrific terms of service agreements.

Slip those same terms in front of someone
as a requirement for them to buy beer,
and you'll likely discover a whole lot of
people are just fine drinking something
else instead.

So too with the RSA terms versus the
RPKI terms.

As companies, we can't survive without
IP addresses.  We'll sign just about anything
to stay alive.

RPKI is a geek toy.  It's not at all required
for a business to stay alive on the Internet,
so companies feel much safer in saying
"no way will we sign that!".

Now, at the risk of bringing down the ire
of the community on my head...ARIN could
consider tying the elements together, at
least for ARIN members.  Add the RPKI terms
into the RSA document.  You need IP number
resources, congratulations, once you sign the
RSA, you're covered for RPKI purposes as well.

That doesn't solve the issue for out-of-region
folks who don't have an RSA with ARIN; but
that's no worse than you are today; and by
bundling the RPKI terms in with the rest of the
RSA, you at least get everyone in the ARIN
region that wants^Wneeds to maintain their
IP number resources in order to stay in business
on the Internet covered in terms of being able to
use the RPKI data.

If you've got them by the short and curlies
already, might as well bundle everything in
while they've got the pen in their hand.  ^_^;

> Even so, we at ARIN are in the midst of a Board-directed review of the RPKI
> legal framework to see if any improvements can be made
> <https://www.arin.net/vault/participate/meetings/reports/ARIN_43/PDF/PPM/curran_rpki.pdf>
> – I will provide further updates once it is completed.
>

Best of luck!  I know we'll all be watching carefully to
see how it goes.:)

Matt


> Thanks!
> /John
>
> John Curran
> President and CEO
> American Registry for Internet Numbers
>
>


Re: RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

2019-08-13 Thread Ronald F. Guilmette
In message <06570278-e1ad-4bb0-a9fc-11a77bed7...@arin.net>, 
John Curran  wrote:

>Even so, we at ARIN are in the midst of a Board-directed review of the RPKI
>legal framework to see if any improvements can be made <https://www.arin.net/vault/participate/meetings/reports/ARIN_43/PDF/PPM/curran_rpki.pdf>  – I will
>provide further updates once it is completed. 

This is an excellent presentation John, and I'm real glad to see that you
have done such a nice job on it and touched on all of the important points.

In particular, I'm glad that you clarified that if everyone is just doing
what they ought to be doing, i.e. following best practices, then even if
RPKI central and all of its sister satellites should all be simultaneously
hit by meteorites, then in theory at least, nobody should be any worse off
than they already are today.

And yes, I can't argue and won't argue that some folks aren't going to be
bozos and screw up their RPKI deployment, and then some of them -may-
possibly want to blame ARIN for -their- screw ups, but I continue to have
trouble envisioning how this would ever translate into a lawsuit that
wouldn't simply be laughed out of court in about five seconds if handled
properly.

Some arguably proximate historical analogs might be relevant here.

In the past, there have occasionally been problems when one or more of
the root name servers have been DDoSd or have otherwise had issues.
I don't recall anybody lining up to sue ICANN in those instances.

Spamhaus and other public anti-spam services publish their stuff to all
comers, without demanding indemnification.  Yes, they have been sued
from time to time, but none of that has ever resulted in any meaningful
damages, and if the company itself had just been more consistent in
obtaining sound legal advice, none of those events would even have been
all that bothersome.

So, what makes ARIN so special that it can't do what these others are doing
and just simply publish some information?  ARIN is in the State of Virginia
the last time I checked, and I do believe that the First Amendment still
applies in the State of Virginia, and indeed in all 50 states.  I mean it
isn't as if ARIN is going to go around yelling "Fire!" in a crowded theater
for God's sake!

So, you just slap a label on the whole bloody RPKI thing that says "Use at
your own risk" and that ought to do it, I think.  I understand that Steve
Ryan may not see it that way, but it's his job not to see it that way.
In practice, there is no need for -both- belt -and- suspenders.


Regards,
rfg


P.S.  Proactive failure testing (slide #15) is an excellent idea.  You could
and probably should fail the whole thing deliberately for 24 hours once a
year, just as a way of shaking the trees to see what idiots fall out.  It
would be like DNS Flag Day, on steroids.



Re: RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

2019-08-13 Thread William Herrin
On Tue, Aug 13, 2019 at 8:25 PM John Curran  wrote:
> On 13 Aug 2019, at 11:03 PM, William Herrin  wrote:
> I signed no legal agreement either to register my legacy addresses or to
> do a whois lookup to check someone else's addresses. Just sayin’.
>
> If you instead used a command line interface (e.g. "whois -h
> whois.arin.net …”),
> then you received output from ARIN’s Whois server along with notice of
> the applicable terms of service…

Hi John,

As I no longer live within or act from within one of the 2 states to have
passed UCITA, you'll find that notice difficult to enforce.


>  I would observe that continued use at that point has been held
> to indicate agreement on your part [ref: Register.com, Inc. v. Verio,
> Inc., 356 F.3d 393 (2d Cir. 2004)]

In which Verio admitted to the court that they knew they were abusing
Register's computers but figured Register's contract with ICANN gave them
the right. The court would have reached the same decision regardless of
Register's notice: You're abusing computers that aren't yours. Stop it.

Specht v. Netscape Communications Corp, on the other hand, found that,
"plaintiffs neither received reasonable notice of the existence of the
license terms nor manifested unambiguous assent" to the contract Netscape
offered for the use of their software at download-time, including assent to
settle disputes through arbitration.

I'll take any bet you care to offer that the latter precedent applies to
casual consumer use of ARIN's whois. I won't take any such bet when it
comes to the legal safety of redistributing ARIN's RPKI Trust Anchor
Locator in my software. And neither, apparently, do many of the folks who
would have to redistribute that TAL for ARIN's RPKI to be useful, as was
discussed here last September:
https://mailman.nanog.org/pipermail/nanog/2018-September/097161.html

Regards,
Bill Herrin


--
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-13 Thread Hank Nussbacher

On 13/08/2019 22:17, Ronald F. Guilmette wrote:

Just as an observer to your long resource theft postings:
- Do you attempt to contact directly the organization or person who have 
had their resource taken over?

- Do they care or are they apathetic?
- If the resource owner is nowhere to be found, why should we as a 
community care?  Report it on some webpage and call it "Internet 
Resources stolen", document every incident as you do via email, send a 
copy to the appropriate RIR and upstream ISP allowing the hijack in 
question to show that you did the appropriate effort and we can then 
move on.


Regards,
Hank


Re: RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

2019-08-13 Thread John Curran
On 13 Aug 2019, at 11:03 PM, William Herrin <b...@herrin.us> wrote:

On Tue, Aug 13, 2019 at 7:42 PM John Curran <jcur...@arin.net> wrote:
On 13 Aug 2019, at 9:28 PM, Ronald F. Guilmette <r...@tristatelogic.com> wrote:
The last time I looked, RPKI adoption was sitting at around a grand total
of 15% worldwide.  Ah yes, here it is...

  https://rpki-monitor.antd.nist.gov/

I've asked many people and many companies why adoption remains so low, and
why their own companies aren't doing RPKI.  I've gotten the usual assortment
of utterly lame excuses, but the one that I have had the hardest time
trying to counter is the one where a network engineer says to me "Well,
ya know, we were GOING to do that, but then ARIN... unlike the other four
regional authorities... demanded that we sign some silly thing indemnifying
them in case of something.

Interestingly enough, those same indemnification clauses are in the 
registration services agreement that they already signed but apparently they 
were not an issue at all when requesting IP address space or receiving a 
transfer.

I signed no legal agreement either to register my legacy addresses or to do a 
whois lookup to check someone else's addresses. Just sayin’.

Bill -

When you did that Whois look up at the ARIN website, you did agree to terms of 
use for the Whois service which contains indemnification provisions and are 
legally enforceable. 

If you instead used a command line interface (e.g. "whois -h 
whois.arin.net …”), then you received output from ARIN’s 
Whois server along with notice of the applicable terms of service…  I would 
observe that continued use at that point has been held to indicate agreement on 
your part [ref: Register.com, Inc. v. Verio, Inc., 356 
F.3d 393 (2d Cir. 2004)]

Thanks,
/John

John Curran
President and CEO
American Registry for Internet Numbers





Re: RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

2019-08-13 Thread William Herrin
On Tue, Aug 13, 2019 at 7:42 PM John Curran  wrote:

> On 13 Aug 2019, at 9:28 PM, Ronald F. Guilmette 
> wrote:
>
> The last time I looked, RPKI adoption was sitting at around a grand total
> of 15% worldwide.  Ah yes, here it is...
>
>   https://rpki-monitor.antd.nist.gov/
>
> I've asked many people and many companies why adoption remains so low, and
> why their own companies aren't doing RPKI.  I've gotten the usual
> assortment
> of utterly lame excuses, but the one that I have had the hardest time
> trying to counter is the one where a network engineer says to me "Well,
> ya know, we were GOING to do that, but then ARIN... unlike the other four
> regional authorities... demanded that we sign some silly thing indemnifying
> them in case of something.
>
>
> Interestingly enough, those same indemnification clauses are in the
> registration services agreement that they already signed but apparently
> they were not an issue at all when requesting IP address space or receiving
> a transfer.
>

I signed no legal agreement either to register my legacy addresses or to do
a whois lookup to check someone else's addresses. Just sayin'.

-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

2019-08-13 Thread John Curran
On 13 Aug 2019, at 9:28 PM, Ronald F. Guilmette <r...@tristatelogic.com> wrote:
...
The last time I looked, RPKI adoption was sitting at around a grand total
of 15% worldwide.  Ah yes, here it is...

  https://rpki-monitor.antd.nist.gov/

I've asked many people and many companies why adoption remains so low, and
why their own companies aren't doing RPKI.  I've gotten the usual assortment
of utterly lame excuses, but the one that I have had the hardest time
trying to counter is the one where a network engineer says to me "Well,
ya know, we were GOING to do that, but then ARIN... unlike the other four
regional authorities... demanded that we sign some silly thing indemnifying
them in case of something.

Interestingly enough, those same indemnification clauses are in the 
registration services agreement that they already signed but apparently they 
were not an issue at all when requesting IP address space or receiving a 
transfer.
You might want to ask them why they are now a problem when they weren’t 
before (Also worth noting that many of these ISP's own contracts with their 
customers have rather similar indemnification clauses.)

Even so, we at ARIN are in the midst of a Board-directed review of the RPKI 
legal framework to see if any improvements can be made 

  – I will provide further updates once it is completed.

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers



Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-13 Thread Ronald F. Guilmette
In message ,
Eric Kuhnke  wrote:

rfg>>   4)  Filing a "fraud request" with ARIN is a serious step and one that
rfg>could quite conceivably end up with the party filing such a formal
rfg>report being on the business end of lawsuit, just for having filed
rfg>such a report.
rfg>
>What makes you think that the sort of persons who would hijack a /17 sized
>piece of space, for spam generation purposes, would sue you over some
>formal submission you might make to ARIN, but would not already have sued
>you over your already exhaustively detailed posts to the public NANOG list?

Let me see if I understand this.  You don't have any argument with the
other three reasons I gave for sending my alert to the NANOG list, but you
-would- like to quibble with reason #4.  Have I understood you clearly?

Assuming so, let me answer your question with a question (or two).

Is my fear of the potential for lawsuits actually LESS reasonable than
ARIN's use of the same vague and non-specific bogeyman to thwart and
impede, on a global scale, the more widespread adoption of RPKI...
adoption which would, if it ever became universal, put an end to most
or all of these nefarious and malevolent IP block hanky panky games?

The last time I looked, RPKI adoption was sitting at around a grand total
of 15% worldwide.  Ah yes, here it is...

   https://rpki-monitor.antd.nist.gov/

I've asked many people and many companies why adoption remains so low, and
why their own companies aren't doing RPKI.  I've gotten the usual assortment
of utterly lame excuses, but the one that I have had the hardest time
trying to counter is the one where a network engineer says to me "Well,
ya know, we were GOING to do that, but then ARIN... unlike the other four
regional authorities... demanded that we sign some silly thing indemnifying
them in case of something.  We're not even sure what ``something''
actually is in this case, other than some demented lawsuit from some
deranged ``lone wolf'' individual, but since ARIN demanded that we sign
it, the thing had to go to -our- lawyers, and they took one look at it and
said, in effect, ``F that!  We are NOT going to accept any new potential
liability if we don't have to'', so that was the end of that."

As I have often said, if we all only did things that had been pre-cleared
as being ``utterly safe'' by our respective lawyers, then none of us would
ever even get out of bed in the morning.

Regardless of whether ARIN was in any way indemnified against such an event,
the Micfo guy elected to name ARIN in a lawsuit.  This is a matter of
public record.  It's ludicrous and laughable, obviously, but he apparently
sued ARIN when they wouldn't just roll over and allow him to continue to
play his ridiculous little fraud games.  Like I say, in this country, at
least (USA), you run the risk of getting sued if you even so much as get
out of bed in the morning.  BUT SO BLOODY WHAT?  Neither we as individuals
nor ARIN as an organization should cower in fear in our caves because of a
bogeyman that may never come to pass, or that may be totally inconsequential 
even if it does, as in the case of Mr. Micfo's joke of a lawsuit. 

So I put it to everyone here... Are ARIN policies and its over-hyped fear
of the vague bogeyman of lawsuits materially impeding the adoption of
RPKI, and if so, what should be done about this?

In the meantime, I decline to accept criticism of -my- perhaps misplaced
fears of lawsuits.  Mine have essentially no real world consequences.
ARIN's, on the other hand, appear to be keeping some finite non-zero
fraction of 85% of the world's route announcements unchecked, at least
for any meaningful sense of the word "checked".


Regards,
rfg


Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-13 Thread Eric Kuhnke
>   4)  Filing a "fraud request" with ARIN is a serious step and one that
>       could quite conceivably end up with the party filing such a formal
>       report being on the business end of lawsuit, just for having filed
>       such a report.

What makes you think that the sort of persons who would hijack a /17 sized
piece of space, for spam generation purposes, would sue you over some
formal submission you might make to ARIN, but would not already have sued
you over your already exhaustively detailed posts to the public NANOG list?



On Tue, Aug 13, 2019 at 12:18 PM Ronald F. Guilmette 
wrote:

> In message ,
> John Curran  wrote:
>
> >On 9 Aug 2019, at 4:09 PM, Ronald F. Guilmette 
> wrote:
> >> ...
> >> Unfortunately, we cannot read too much into this change that was made
> >> to the block's public-facing WHOIS record.  Neither the new WHOIS info
> >> nor even the old WHOIS info can be used to reliably infer who or what
> >> is the legitimate registrant of the block at any point in time.  This
> >> is because ARIN, like all of the other Regional Internet Registries,
> >> allows registrants to put essentially any bovine excrement they desire
> >> into their public-facing WHOIS records.
> >
> >That is not the case – ARIN confirms the legal status of organizations
> >receiving number resources.
>
> This is NOT the message that I got from our recent discussion of the giant
> Micfo fraud on the ARIN Public Policy Mailing List.  When I raised
> questions about why various of the Micfo phoney baloney shell companies
> has block with WHOIS records saying they were located in states that
> they were obviously not located in, I believe that you said that once
> a block has been allocated, by ARIN, to some (properly vetted) entity,
> that after that point in time, the entity could -change- the relevant
> WHOIS record to say any bloody thing it wanted, and that such -changes-
> to ARIN WHOIS records are not vetted in any way.
>
> If I got the Wrong Impression from your prior statements, then by all
> means, please do correct me.  And then please do explain why several of
> the Micfo phony shell companies did in fact have WHOIS records for ARIN-
> issued IPv4 space that gave street addresses in states where none of these
> phony shell companies were actually registered to do business.
>
> >> (And, it should be noted, the
> >> man behind the recent large scale "Micfo" fraud apparently availed
> >> himself of this exact opportunity for subterfuge, in spades.)
> >
> >As previously noted on this list, such was only possible because of the
> >use of falsely notarized documents.
>
> I -do- understand that the fraudulent documents that were originally
> presented to you/ARIN provided information indicating that the phoney
> Micfo shell companies -did- actually exist in -some- state (Delaware?),
> and that ARIN -did- verify, to the best of its ability, that those
> companies -did- exist, legally speaking, in their originally declared
> home state(s).  But that fact is just skirting the real issue here,
> which is the question of whether or not ARIN even looks at -changes-
> that a registrant may make to the WHOIS records (e.g. for IPv4 blocks)
> -after- those blocks have been assigned.
>
> It appears from where I am sitting that ARIN does not do so.  And thus,
> I stand by my comment that a registrant -can- in fact put any bloody
> nonsense they want into their WHOIS records, at least as long as they
> do it via -changes- and not in the original/initial WHOIS records.
>
> >> Regardless, the available records suggest that there are only two likely
> >> possibilities in this case:
> >>
> >> {trimmed}
> >> 1) 216.179.128.0/17 was transferred in violation of ARIN policy.
> >>
> >> 2) The current WHOIS for 216.179.128.0/17 is simply fraudulent.
>
> >That is easy to address:  submit a fraud request, and it will be reviewed
> >and corrected if it was done fraudulently.
>
> I would do that, but for the following four things:
>
> 1)  ARIN is not the Internet Police and has no power to affect routing
> decisions of anybody.
>
> 2)  Getting the info out here, on the NANOG list, allows people to make
> up their own minds and to ignore the relevant route announcements
> and/or cease peering if they are persuaded that 216.179.128.0/17
> is likely a source of "undesirable" packets.
>
> 3)  An investigation by ARIN of 216.179.128.0/17 could take weeks or
> perhaps even months.  In contrast, packets, including bad ones,
> travel from one end of the planet to another in milliseconds.
> ARIN and its careful review processes are a sure and steady and
> reliable check on fraudulent behavior over the longer term.  But
> they will not do much to address the bad packets that may be
> flowing out of 216.179.128.0/17 this week, or even next.
>
> 4)  Filing a "fraud request" with ARIN is a serious step and one that
> could quite conceivably 

Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-13 Thread Marco Belmonte

  
  
For the record, there are just as many of us that appreciate your
verbosity.

On 8/13/2019 12:35 PM, Ronald F. Guilmette wrote:

> In message
> Ross Tajvar  wrote:
>
> > Seems like submitting a fraud request to ARIN is more effective than
> > writing a novel and sending it to NANOG, and doesn't require the latter...
>
> As noted in my immediately prior posting, ARIN's careful adjudication of
> this or any other possible case of fraud could take weeks or even months.
> And even if, after careful and thoughtful deliberation, ARIN concludes
> that there is indeed something wrong here, ARIN has neither the power nor
> the authority to tell anyone how to configure their routers, and thus,
> any decision or conclusion made by ARIN, regarding this or any other case
> of possible fraud, will have no immediate effect on the flow of bad packets.
>
>
> Regards,
> rfg
>
>
> P.S.  I do apologize for my verbosity.  As the late Carl Sagan often said,
> extraordinary claims require extraordinary evidence.  I made the extraordinary
> claim, on this public mailing list, that -something- fraudulent had gone on
> with respect to the 216.179.128.0/17 block which has resulted in the WHOIS
> record for that bearing little or no relationship to actual reality.
> Having made the claim, I felt a duty to explain and to provide the evidence,
> not in 140 characters, but in detail.


  



Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-13 Thread Rich Kulawiec
On Mon, Aug 12, 2019 at 04:11:00PM -0400, Ross Tajvar wrote:
> Seems like submitting a fraud request to ARIN is more effective than
> writing a novel and sending it to NANOG, and doesn't require the latter...

But if he didn't fully document his assertion(s), then he would be faced
with a plethora of replies decrying the lack of substantiating evidence.
Better to lay the case out in detail so that everyone can see the work
and so that anyone who cares to can check it for themselves.

And -- given Ron's long history of thorough documentation -- there are
some of us who are willing to take his word for it and make operational
decisions based on what he reports, independent of what ARIN decides to
do or not do, or when it decides to do it.

---rsk


Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-13 Thread Ronald F. Guilmette
In message 

Ross Tajvar  wrote:

>Seems like submitting a fraud request to ARIN is more effective than
>writing a novel and sending it to NANOG, and doesn't require the latter...

As noted in my immediately prior posting, ARIN's careful adjudication of
this or any other possible case of fraud could take weeks or even months.
And even if, after careful and thoughtful deliberation, ARIN concludes
that there is indeed something wrong here, ARIN has neither the power nor
the authority to tell anyone how to configure their routers, and thus,
any decision or conclusion made by ARIN, regarding this or any other case
of possible fraud, will have no immediate effect on the flow of bad packets.


Regards,
rfg


P.S.  I do apologize for my verbosity.  As the late Carl Sagan often said,
extraordinary claims require extraordinary evidence.  I made the extraordinary
claim, on this public mailing list, that -something- fraudulent had gone on
with respect to the 216.179.128.0/17 block which has resulted in the WHOIS
record for that bearing little or no relationship to actual reality.
Having made the claim, I felt a duty to explain and to provide the evidence,
not in 140 characters, but in detail.


Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-13 Thread Ronald F. Guilmette
In message , 
John Curran  wrote:

>On 9 Aug 2019, at 4:09 PM, Ronald F. Guilmette  wrote:
>> ...
>> Unfortunately, we cannot read too much into this change that was made
>> to the block's public-facing WHOIS record.  Neither the new WHOIS info
>> nor even the old WHOIS info can be used to reliably infer who or what
>> is the legitimate registrant of the block at any point in time.  This
>> is because ARIN, like all of the other Regional Internet Registries,
>> allows registrants to put essentially any bovine excrement they desire
>> into their public-facing WHOIS records.
>
>That is not the case – ARIN confirms the legal status of organizations
>receiving number resources. 

This is NOT the message that I got from our recent discussion of the giant
Micfo fraud on the ARIN Public Policy Mailing List.  When I raised
questions about why various of the Micfo phoney baloney shell companies
has block with WHOIS records saying they were located in states that
they were obviously not located in, I believe that you said that once
a block has been allocated, by ARIN, to some (properly vetted) entity,
that after that point in time, the entity could -change- the relevant
WHOIS record to say any bloody thing it wanted, and that such -changes-
to ARIN WHOIS records are not vetted in any way.

If I got the Wrong Impression from your prior statements, then by all
means, please do correct me.  And then please do explain why several of
the Micfo phony shell companies did in fact have WHOIS records for ARIN-
issued IPv4 space that gave street addresses in states where none of these
phony shell companies were actually registered to do business.

>> (And, it should be noted, the
>> man behind the recent large scale "Micfo" fraud apparently availed
>> himself of this exact opportunity for subterfuge, in spades.)
>
>As previously noted on this list, such was only possible because of the
>use of falsely notarized documents. 

I -do- understand that the fraudulent documents that were originally
presented to you/ARIN provided information indicating that the phoney
Micfo shell companies -did- actually exist in -some- state (Delaware?),
and that ARIN -did- verify, to the best of its ability, that those
companies -did- exist, legally speaking, in their originally declared
home state(s).  But that fact is just skirting the real issue here,
which is the question of whether or not ARIN even looks at -changes-
that a registrant may make to the WHOIS records (e.g. for IPv4 blocks)
-after- those blocks have been assigned.

It appears from where I am sitting that ARIN does not do so.  And thus,
I stand by my comment that a registrant -can- in fact put any bloody
nonsense they want into their WHOIS records, at least as long as they
do it via -changes- and not in the original/initial WHOIS records.

>> Regardless, the available records suggest that there are only two likely
>> possibilities in this case:
>>
>> {trimmed}
>> 1) 216.179.128.0/17 was transferred in violation of ARIN policy.
>>
>> 2) The current WHOIS for 216.179.128.0/17 is simply fraudulent.
 
>That is easy to address:  submit a fraud request, and it will be reviewed
>and corrected if it was done fraudulently.

I would do that, but for the following four things:

1)  ARIN is not the Internet Police and has no power to affect routing
decisions of anybody.

2)  Getting the info out here, on the NANOG list, allows people to make
up their own minds and to ignore the relevant route announcements
and/or cease peering if they are persuaded that 216.179.128.0/17
is likely a source of "undesirable" packets.

3)  An investigation by ARIN of 216.179.128.0/17 could take weeks or
perhaps even months.  In contrast, packets, including bad ones,
travel from one end of the planet to another in milliseconds.
ARIN and its careful review processes are a sure and steady and
reliable check on fraudulent behavior over the longer term.  But
they will not do much to address the bad packets that may be
flowing out of 216.179.128.0/17 this week, or even next.

4)  Filing a "fraud request" with ARIN is a serious step and one that
could quite conceivably end up with the party filing such a formal
report being on the business end of lawsuit, just for having filed
such a report.

Does ARIN indemnify the parties who file such reports against such
claims, as ARIN is currently asking ARIN-region networks to do for
ARIN if they want to avail themselves of the added security of RPKI?


Regards,
rfg


Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-12 Thread Ross Tajvar
Seems like submitting a fraud request to ARIN is more effective than
writing a novel and sending it to NANOG, and doesn't require the latter...

On Mon, Aug 12, 2019, 3:16 PM John Curran  wrote:

> On 9 Aug 2019, at 4:09 PM, Ronald F. Guilmette 
> wrote:
> > ...
> > Unfortunately, we cannot read too much into this change that was made
> > to the block's public-facing WHOIS record.  Neither the new WHOIS info
> > nor even the old WHOIS info can be used to reliably infer who or what
> > is the legitimate registrant of the block at any point in time.  This
> > is because ARIN, like all of the other Regional Internet Registries,
> > allows registrants to put essentially any bovine excrement they desire
> > into their public-facing WHOIS records.
>
> Ronald -
>
> That is not the case – ARIN confirms the legal status of organizations
> receiving number resources.
>
> >  (And, it should be noted, the
> > man behind the recent large scale "Micfo" fraud apparently availed
> > himself of this exact opportunity for subterfuge, in spades.)
>
> As previously noted on this list, such was only possible because of the
> use of falsely notarized documents.
>
> > Regardless, the available records suggest that there are only two likely
> > possibilities in this case:
> >
> > 1) On or about 02-17-2010 HHSI, Inc. (California) transferred the
> >    registration of the 216.179.128.0/17 block from itself to the
> >    2009 vintage Delaware entity Azuki, LLC.  If this is what happened,
> >    then it is likely that the transfer was performed in violation
> >    of the applicable ARIN transfer policy that was in force at the time.
> >    (Azuki, LLC did not simply buy-out HHSI, Inc., lock, stock, and
> >    barrel in 2010.  California records show that HHSI, Inc. continued
> >    to be an active California corporation until at least 02/12/2014,
> >    and probably well beyond that date.)
> >
> > 2) Alternatively, on or about 02-17-2010 HHSI, Inc. (California) simply
> >    altered what would henceforth appear in the public-facing WHOIS
> >    record for the 216.179.128.0/17 block to make it appear... to
> >    everyone except ARIN staff, who knew better... that the block was
> >    now registered to Azuki, LLC in Delaware.
> >
> > Only ARIN staff can tell us which of these possibilities actually applies.
> > But due to ARIN's strict adherence to contractual confidentiality with
> > respect to all of their resource holders, I do not anticipate that ARIN
> > will actually provide any clarity on this case anytime soon.
>
> That is easy to address:  submit a fraud request, and it will be reviewed
> and corrected if it was done fraudulently.
>
> Thanks!
> /John
>
> John Curran
> President and CEO
> American Registry for Internet Numbers
>
>
>


Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-12 Thread John Curran
On 9 Aug 2019, at 4:09 PM, Ronald F. Guilmette  wrote:
> ...
> Unfortunately, we cannot read too much into this change that was made
> to the block's public-facing WHOIS record.  Neither the new WHOIS info
> nor even the old WHOIS info can be used to reliably infer who or what
> is the legitimate registrant of the block at any point in time.  This
> is because ARIN, like all of the other Regional Internet Registries,
> allows registrants to put essentially any bovine excrement they desire
> into their public-facing WHOIS records.

Ronald - 

That is not the case – ARIN confirms the legal status of organizations 
receiving number resources. 

>  (And, it should be noted, the
> man behind the recent large scale "Micfo" fraud apparently availed
> himself of this exact opportunity for subterfuge, in spades.)

As previously noted on this list, such was only possible because of the use of 
falsely notarized documents. 

> Regardless, the available records suggest that there are only two likely
> possibilities in this case:
> 
> 1) On or about 02-17-2010 HHSI, Inc. (California) transferred the
>registration of the 216.179.128.0/17 block from itself to the
>2009 vintage Delaware entity Azuki, LLC.  If this is what happened,
>then it is likely that the transfer was performed in violation
>of the applicable ARIN transfer policy that was in force at the time.
>(Azuki, LLC did not simply buy-out HHSI, Inc., lock, stock, and
>barrel in 2010.  California records show that HHSI, Inc. continued
>to be an active California corporation until at least 02/12/2014,
>and probably well beyond that date.)
> 
> 2) Alternatively, on or about 02-17-2010 HHSI, Inc. (California) simply
>altered what would henceforth appear in the public-facing WHOIS
>record for the 216.179.128.0/17 block to make it appear... to
>everyone except ARIN staff, who knew better... that the block was
>now registered to Azuki, LLC in Delaware.
> 
> Only ARIN staff can tell us which of these possibilities actually applies.
> But due to ARIN's strict adherence to contractual confidentiality with
> respect to all of their resource holders, I do not anticipate that ARIN
> will actually provide any clarity on this case anytime soon.

That is easy to address:  submit a fraud request, and it will be reviewed and 
corrected if it was done fraudulently.

Thanks!
/John 

John Curran
President and CEO
American Registry for Internet Numbers




Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-09 Thread Ronald F. Guilmette
In message 
Ross Tajvar  wrote:

>First he thought that a /17 got stolen (by creating a company with the same
>name as the original, now-defunct owner), but he then said he was wrong and
>actually it either 1) got transferred against ARIN policy or 2) was made to
>look like it was transferred by altering the whois data.

Yes.  What he said.

Although he left out the important detail that the whole thing appears to
be just a smokescreen cover for a large spamming operation, which apparently
targets primarily the Japanese market and which appears to have been ongoing
since at least 2004:

https://yomi.tokyo/agate/toki/bouhan/1103682730/1-/a

Regards,
rfg


Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-09 Thread Niels Bakker

* r...@tristatelogic.com (Ronald F. Guilmette) [Sat 10 Aug 2019, 02:26 CEST]:
> As far as I am aware, no RIR makes any effort whatsoever to vet
> changes to WHOIS records, either for IP blocks or ASNs or ORG
> records.


This is hilarious.  You should hear the whining from any EU-based 
operator who has to implement the transfer of RIPE NCC resources in 
a corporate acquisition.


I recently was involved with one of those and the amount of due 
diligence required by the RIPE NCC was pretty intense.  If I were at 
an RIR I'd be insulted by your claim of "no... effort whatsoever".



-- Niels.


Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-09 Thread Ross Tajvar
First he thought that a /17 got stolen (by creating a company with the same
name as the original, now-defunct owner), but he then said he was wrong and
actually it either 1) got transferred against ARIN policy or 2) was made to
look like it was transferred by altering the whois data.

On Fri, Aug 9, 2019, 4:47 PM Töma Gavrichenkov  wrote:

> Peace,
>
> On Thu, Aug 8, 2019 at 10:54 PM Ronald F. Guilmette
>  wrote:
> > Corporate identity theft is a simple ploy which may be used to illicitly
> > obtain valuable IPv4 address space.  Actual use of this fraudulent ploy
> > was first described publicly in April, 2008 (https://wapo.st/2YLEhlZ).
>
> nostromo:tmp ximaera$ wc guilmette_combined.mbox
>  2492122   13695 guilmette_combined.mbox
> nostromo:tmp ximaera$
>
> I wish I had enough spare time to read this.
>
> May we have a tl;dr version of this?
>
> --
> Töma
>


Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-09 Thread Ronald F. Guilmette
In message , Brandon Price  wrote:

>
>
> 1) On or about 02-17-2010 HHSI, Inc. (California) transferred the
>registration of the 216.179.128.0/17 block from itself to the
>2009 vintage Delaware entity Azuki, LLC.  If this is what happened,
>then it is likely that the transfer was performed in violation
>of the applicable ARIN transfer policy that was in force at the time.
>(Azuki, LLC did not simply buy-out HHSI, Inc., lock, stock, and
>barrel in 2010.  California records show that HHSI, Inc. continued
>to be an active California corporation until at least 02/12/2014,
>and probably well beyond that date.)
>
>
>The ARIN policy in effect at the time of the transfer would absolutely allow
>this as an 8.2 mergers and acquisitions sale. There is no policy requirement
>for a "lock, stock, and barrel" buy-out as you say.
>
>From the 2010.1 version published 13 JAN 2010, ref:
>https://www.arin.net/vault/policy/archive/nrpm_20100113.pdf
>
>
>"ARIN will consider requests for the transfer of number resources
>in the case of mergers and acquisitions upon receipt of
>evidence that the new entity has acquired the assets which
>had, as of the date of the acquisition or proposed
>reorganization, justified the current entity's use of the number
>resource. Examples of assets that justify use of the number
>resource include, but are not limited to:
>* Existing customer base
>* Qualified hardware inventory"
>
>So they bought the customers and routers that were using that /17. What's
>the big deal?

Firstly, there is no clear evidence that I am aware of that there are any
"customers" per se in this case.  Spamhaus has, in effect, judged the
entire 216.179.128.0/17 block as being just one big spamming operation,
and I personally have no reason at this instant to take issue with that
judgement.  (Please note also that a generally reliable source informs
me that Spamhaus has had this SBL listing for the entire 216.179.128.0/17
block active and in place since circa 2010-03-02, i.e. a full 9 years now.)

So anyway, in this case we are really only talking about equipment and not
"customers" per se.  If I am wrong about that, please post the evidence.

Second and more to the point, I think that you and I have dramatically
different understandings of the plain meanings of the terms "merger" and
"acquisition".

The evidence indicates that HHSI, Inc. neither merged with nor was acquired
by Azuki, LLC.  Rather, HHSI continued to have, and to actively maintain
its own separate legal existence through at least 2014... several years
*after* the moment in time, on or about 02-17-2010, when the -apparent-
ownership of the 216.179.128.0/17 block (going by the WHOIS records)
somehow magically passed from HHSI, Inc. to Azuki, LLC.

It is not my understanding of mergers and/or acquisitions that the merged
(or acquired) entity continues to have and maintain a separate legal
existence from the other merged (or acquiring) entity following the
merger or acquisition.  You, it seems, may have a different conception.

Theoretically, HHSI, Inc may have been acquired by Azuki, LLC and may have
then become a wholly owned subsidiary of Azuki, LLC.  This would explain
its continued, simultaneous, and parallel legal existence in the years
2010 through 2014, along with Azuki, LLC.  But even if this rather remote
possibility applied, it would still not serve to explain the apparent
2010 transfer of the 216.179.128.0/17 block from the wholly owned subsidiary
to the parent entity.  Why would such a transfer be either necessary or
even desirable?  And how would such a transfer comport with the ARIN
transfer regulations in place at the time?  Those regulations, as you
have quoted them, DO NOT obviously sanction transfers from subsidiaries
to parent entities in cases where both survive as separate legal entities.
And it is not even in the least bit clear that there even was any such
parent/subsidiary relationship between these two corporate entities at
the time of the transfer.

But in answer to your larger question, "What's the big deal?", the answer
is that -all- WHOIS records for -all- IP address blocks administered by
-all- RIRs are fundamentally unvetted and thus untrustworthy.  This one
case is a clear and blatant example of that fundamental problem with the
way all RIRs are behaving.

As far as I am aware, no RIR makes any effort whatsoever to vet changes
to WHOIS records, either for IP blocks or ASNs or ORG records.  (And this
fact was abundantly evident in the Micfo fraud case, where the man behind
that fiddled the majority of the street address and other contact information
appearing in the public-facing WHOIS records for the blocks assigned to his
various phony baloney shell companies in a now-obvious attempt to mislead
both the public and also anti-abuse investigators.)

Someday soon, because of policies in place at all of the RIRs, you're
going to get some spam, or a hack attempt from a 

Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-09 Thread Töma Gavrichenkov
Peace,

On Thu, Aug 8, 2019 at 10:54 PM Ronald F. Guilmette
 wrote:
> Corporate identity theft is a simple ploy which may be used to illicitly
> obtain valuable IPv4 address space.  Actual use of this fraudulent ploy
> was first described publicly in April, 2008 (https://wapo.st/2YLEhlZ).

nostromo:tmp ximaera$ wc guilmette_combined.mbox
 2492122   13695 guilmette_combined.mbox
nostromo:tmp ximaera$

I wish I had enough spare time to read this.

May we have a tl;dr version of this?

--
Töma


Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-09 Thread Ronald F. Guilmette
Further investigation of this case obliges me to post the following
correction and retraction.

Additional evidence now strongly suggests that the 216.179.128.0/17
IP address block has NOT been "stolen" as I had suggested yesterday.
I simply mis-read the ARIN historical registration ("WhoWas") data
with respect to this block.

In fact, the ARIN historical "WhoWas" registration data for this
block indicates that when the block was first assigned, by ARIN...
which the historical WhoWas records show as occurring on 06-24-2002...
the block was assigned to a Southern California company named HHSI, Inc.

Records available on the California Secretary of State's web site
indicate that this company was first registered with the State of
California 02/11/2002.  Oddly, some seven years would pass after the
registration of this California corporation before any documents
were filed with California which would designate any officers of
the company.  On 03/02/2009 however a filing was made indicating
the President of the company was a gentleman named Koji Ban.
Additional corporate filings in subsequent years indicate that
both Mr. Ban and the company, HHSI, Inc. were located at 20 Arches,
Irvine, CA 92603.

On or about 02-17-2010 the public WHOIS record for the 216.179.128.0/17
block was changed so that instead of designating HHSI, Inc. (California)
as the block's registrant, the WHOIS record for the block would henceforth
say instead that the registrant of the block was the 2009 vintage
Delaware LLC called Azuki, LLC.

Unfortunately, we cannot read too much into this change that was made
to the block's public-facing WHOIS record.  Neither the new WHOIS info
nor even the old WHOIS info can be used to reliably infer who or what
is the legitimate registrant of the block at any point in time.  This
is because ARIN, like all of the other Regional Internet Registries,
allows registrants to put essentially any bovine excrement they desire
into their public-facing WHOIS records.  (And, it should be noted, the
man behind the recent large scale "Micfo" fraud apparently availed
himself of this exact opportunity for subterfuge, in spades.)

Regardless, the available records suggest that there are only two likely
possibilities in this case:

 1) On or about 02-17-2010 HHSI, Inc. (California) transferred the
registration of the 216.179.128.0/17 block from itself to the
2009 vintage Delaware entity Azuki, LLC.  If this is what happened,
then it is likely that the transfer was performed in violation
of the applicable ARIN transfer policy that was in force at the time.
(Azuki, LLC did not simply buy-out HHSI, Inc., lock, stock, and
barrel in 2010.  California records show that HHSI, Inc. continued
to be an active California corporation until at least 02/12/2014,
and probably well beyond that date.)

 2) Alternatively, on or about 02-17-2010 HHSI, Inc. (California) simply
altered what would henceforth appear in the public-facing WHOIS
record for the 216.179.128.0/17 block to make it appear... to
everyone except ARIN staff, who knew better... that the block was
now registered to Azuki, LLC in Delaware.

Only ARIN staff can tell us which of these possibilities actually applies.
But due to ARIN's strict adherence to contractual confidentiality with
respect to all of their resource holders, I do not anticipate that ARIN
will actually provide any clarity on this case anytime soon.

To summarize, either the block was transferred in 2010 in violation of
ARIN's own transfer policy or else the information that we have all been
looking at in this block's WHOIS record since 02-17-2010 is and has been
nothing other than a very deliberate and bald-faced lie.  There is no
third option.

Regardless of which of the two possible scenarios applies, it is a dead
certainty that the registration of the 216.179.128.0/17 block was indeed
transferred away from HHSI, Inc. at some point in time, and in a manner that
most probably did not comport with applicable ARIN transfer restrictions
in place at the time.  I say this without fear of contradiction because
the State of California currently lists HHSI, Inc. as "suspended".  Legally
speaking, it no longer exists.  It cannot therefore still be a valid
contractual counterparty, with ARIN, or with respect to the registration
of *any* ARIN-administered resources.

All of this ambiguity, and all of these crooked deception games are enabled
and materially aided and abetted by the disastrous interplay of two
longstanding policies that are and have been in force, for many many years,
both at ARIN and also at all of the other RIRs, namely:

   *)  Excessive anal retentiveness with respect to corporate confidentiality
   which deprives the public at large from even knowing even so much as
   the accurate and correct legal names of resource holders.

   *)  Policies which permit resource holders to place any 

RE: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-09 Thread Kevin McCormick
Thought you may find these connections with the 3500 South DuPont Hwy, Dover, 
DE, 19901 address interesting.

https://offshoreleaks.icij.org/nodes/14014038

Thank you,

Kevin McCormick

-Original Message-
From: NANOG  On Behalf Of Ronald F. Guilmette
Sent: Thursday, August 8, 2019 2:54 PM
To: nanog@nanog.org
Subject: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

Corporate identity theft is a simple ploy which may be used to illicitly obtain 
valuable IPv4 address space.  Actual use of this fraudulent ploy was first 
described publicly in April, 2008 (https://wapo.st/2YLEhlZ).

Quite simply, a party bent on undertaking this ploy may just search the 
publicly available IP block WHOIS records, looking for abandoned and unrouted 
IPv4 address blocks belonging to companies or organizations which no longer 
exist.  Upon finding any such, the thief may simply undertake to formally 
register, with relevant government authorities, a new corporate entity with the 
same or a very similar name as the now defunct entity that is still listed in 
the WHOIS records as the registrant of the coveted IPv4 address block(s).

Note that so-called "legacy" address blocks, i.e. those which were assigned 
prior to the formation of ARIN in early 1997, are especially prized by IPv4 
address thieves because such blocks may be less subject to effective control or 
regulation by Regional Internet Registries.

Publicly available evidence strongly suggests that a corporate identity theft 
has occurred with respect to a former Delaware corporate entity known as Azuki, 
LLC and also with respect to its valuable legacy IPv4 address block, 
216.179.128.0/17.

The corporate search function of the Delaware Secretary of State's web site may 
be used to obtain records relevant to corporate entities registered in Delaware:

https://icis.corp.delaware.gov/Ecorp/EntitySearch/NameSearch.aspx

At present, the Delaware SoS's web site indicates that there are or have been 
two different corporate entities, both named Azuki, LLC, that have been 
registered in the State of Delaware.  The file numbers for these entities are 
2810116 and 4751384.

The former entity was first registered in Delaware on or about 10/20/1997.
Its current operating status cannot be known without paying a fee.  My own 
personal speculation is that it most likely ceased operation well more than a 
decade ago.

The latter entity was registered in Delaware on or about 11/9/2009.

According to the current live ARIN WHOIS record for the 216.179.128.0/17 
address block (NET-216-179-128-0-1), this block was first allocated by ARIN to 
Azuki, LLC on or about 1999-01-07.  Quite obviously, this assignment must have 
been made by ARIN to the original 1997 Azuki, LLC because the one that was 
registered in Delaware in 2009 did not yet exist at that time.

Nonetheless the mailing address currently present in the ARIN WHOIS record for 
the 216.179.128.0/17 IPv4 address block, and the one which is also present in 
the ARIN WHOIS record for the 2009 vintage ASN,
AS13389 (Azuki, LLC), i.e. 3500 South DuPont Hwy, Dover, DE, 19901, matches 
exactly with the address given in Delaware corporate records for the particular 
Azuki, LLC that was registered in Delaware in 2009.
(The corporate address that is still on file in Delaware for the original
1997 Azuki, LLC is located in a different Delaware city altogether.)

These evident inconsistencies, by themselves, are strongly indicative of a 
probable case of corporate identity theft.  Additional indicators are however 
also present in this case.

In particular, the contact email address for both the Azuki, LLC ASN
(AS13389) and the Azuki, LLC IPv4 address block (216.179.128.0/17), i.e.
tech_dep (at) azukinet.com, makes reference to the azukinet.com domain which 
was, according to the relevant GoDaddy WHOIS record, registered anew on or 
about 2011-05-12, some twelve years -after- the original assignment, by ARIN, 
of the 216.179.128.0/17 block to Azuki, LLC.

The absence of evidence of the continuous registration of this one and only 
contact domain name since the original 1999 assignment, by ARIN, of the 
216.179.128.0/17 address block also tends to support the theory that this 
valuable address block has been illicitly and perhaps illegally appropriated by 
some party or parties unknown, and specifically via the fraudulent ruse of a 
corporate identity theft.  Quite simply, my theory is that following the demise 
of the original Azuki, LLC, sometime in the 2000s, some enterprising crook 
registered the domain name azukinet.com in order to successfully impersonate 
the actual and original Azuki, LLC, specifically when interacting with ARIN 
staff members.  This simple ruse appears to have worked successfully for its 
intended purpose.

Additionally, attempts to call the contact phone number for Azuki, LLC,
(+1-213-304-6809) as currently listed in both the relevant ASN and the relevant 
IP block WHOIS recor
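
The date and address cross-checks walked through in the message above, written out as an added example (not code from the thread or from ARIN). The `Entity` and `Block` types, the flag names and the one-year lag threshold are assumptions; the sample values are the ones stated in the original post, which its author corrected later in the thread, so each flag is a lead for manual review rather than a finding.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Entity:
    """One corporate filing found under the registrant's name (hypothetical type)."""
    file_number: str
    registered: date
    address_matches_whois: bool  # filing address equals the WHOIS mailing address


@dataclass(frozen=True)
class Block:
    """Fields read from the public WHOIS record of a block (hypothetical type)."""
    cidr: str
    registrant: str
    allocated: date
    contact_domain: str
    contact_domain_created: date


def review_flags(block, entities, max_domain_lag_years=1.0):
    """Return (code, detail) pairs; each is a lead for manual review, not proof."""
    flags = []
    if len(entities) > 1:
        nums = ", ".join(e.file_number for e in entities)
        flags.append(("MULTIPLE_SAME_NAME_ENTITIES",
                      f"filings {nums} all carry the name {block.registrant!r}"))
    # Only an entity that already existed on the allocation date can have received it.
    if not any(e.registered <= block.allocated for e in entities):
        flags.append(("NO_ENTITY_PREDATES_ALLOCATION",
                      f"no filing is dated on or before {block.allocated}"))
    # The WHOIS mailing address should not belong to a filing newer than the block.
    for e in entities:
        if e.address_matches_whois and e.registered > block.allocated:
            flags.append(("WHOIS_ADDRESS_IS_LATER_ENTITY",
                          f"filing {e.file_number} ({e.registered}) postdates "
                          f"allocation ({block.allocated})"))
    # A contact domain whose current registration is much newer than the
    # allocation has not been held continuously since the block was issued.
    lag_years = (block.contact_domain_created - block.allocated).days / 365.25
    if lag_years > max_domain_lag_years:
        flags.append(("CONTACT_DOMAIN_POSTDATES_ALLOCATION",
                      f"{block.contact_domain} created {lag_years:.1f} years "
                      f"after allocation"))
    return flags


# Values as stated in the original post of this thread.
AZUKI_BLOCK = Block("216.179.128.0/17", "Azuki, LLC", date(1999, 1, 7),
                    "azukinet.com", date(2011, 5, 12))
AZUKI_ENTITIES = [
    Entity("2810116", date(1997, 10, 20), address_matches_whois=False),
    Entity("4751384", date(2009, 11, 9), address_matches_whois=True),
]

# Constructed control case: one filing, older than the block, same address.
CONTROL_BLOCK = Block("192.0.2.0/24", "Example Co", date(2005, 3, 1),
                      "example.net", date(2004, 6, 1))
CONTROL_ENTITIES = [Entity("0000001", date(2003, 1, 15), address_matches_whois=True)]

if __name__ == "__main__":
    for code, detail in review_flags(AZUKI_BLOCK, AZUKI_ENTITIES):
        print(f"{code}: {detail}")
```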

Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-08 Thread Ronald F. Guilmette
Corporate identity theft is a simple ploy which may be used to illicitly
obtain valuable IPv4 address space.  Actual use of this fraudulent ploy
was first described publicly in April, 2008 (https://wapo.st/2YLEhlZ).

Quite simply, a party bent on undertaking this ploy may just search
the publicly available IP block WHOIS records, looking for abandoned and
unrouted IPv4 address blocks belonging to companies or organizations
which no longer exist.  Upon finding any such, the thief may simply
undertake to formally register, with relevant government authorities,
a new corporate entity with the same or a very similar name as the now
defunct entity that is still listed in the WHOIS records as the registrant
of the coveted IPv4 address block(s).

Note that so-called "legacy" address blocks, i.e. those which were
assigned prior to the formation of ARIN in early 1997, are especially
prized by IPv4 address thieves because such blocks may be less subject
to effective control or regulation by Regional Internet Registries.

Publicly available evidence strongly suggests that a corporate identity
theft has occurred with respect to a former Delaware corporate entity
known as Azuki, LLC and also with respect to its valuable legacy IPv4
address block, 216.179.128.0/17.

The corporate search function of the Delaware Secretary of State's web
site may be used to obtain records relevant to corporate entities
registered in Delaware:

https://icis.corp.delaware.gov/Ecorp/EntitySearch/NameSearch.aspx

At present, the Delaware SoS's web site indicates that there are or have
been two different corporate entities, both named Azuki, LLC, that have
been registered in the State of Delaware.  The file numbers for these
entities are 2810116 and 4751384.

The former entity was first registered in Delaware on or about 10/20/1997.
Its current operating status cannot be known without paying a fee.  My
own personal speculation is that it most likely ceased operation well
more than a decade ago.

The latter entity was registered in Delaware on or about 11/9/2009.

According to the current live ARIN WHOIS record for the 216.179.128.0/17
address block (NET-216-179-128-0-1), this block was first allocated by ARIN
to Azuki, LLC on or about 1999-01-07.  Quite obviously, this assignment
must have been made by ARIN to the original 1997 Azuki, LLC because the
one that was registered in Delaware in 2009 did not yet exist at that time.

Nonetheless the mailing address currently present in the ARIN WHOIS
record for the 216.179.128.0/17 IPv4 address block, and the one which
is also present in the ARIN WHOIS record for the 2009 vintage ASN,
AS13389 (Azuki, LLC), i.e. 3500 South DuPont Hwy, Dover, DE, 19901,
matches exactly with the address given in Delaware corporate records
for the particular Azuki, LLC that was registered in Delaware in 2009.
(The corporate address that is still on file in Delaware for the original
1997 Azuki, LLC is located in a different Delaware city altogether.)

These evident inconsistencies, by themselves, are strongly indicative 
of a probable case of corporate identity theft.  Additional indicators
are however also present in this case.

In particular, the contact email address for both the Azuki, LLC ASN
(AS13389) and the Azuki, LLC IPv4 address block (216.179.128.0/17), i.e.
tech_dep (at) azukinet.com, makes reference to the azukinet.com domain
which was, according to the relevant GoDaddy WHOIS record, registered
anew on or about 2011-05-12, some twelve years -after- the original
assignment, by ARIN, of the 216.179.128.0/17 block to Azuki, LLC.

The absence of evidence of the continuous registration of this one and
only contact domain name since the original 1999 assignment, by ARIN,
of the 216.179.128.0/17 address block also tends to support the theory
that this valuable address block has been illicitly and perhaps illegally
appropriated by some party or parties unknown, and specifically via the
fraudulent ruse of a corporate identity theft.  Quite simply, my theory
is that following the demise of the original Azuki, LLC, sometime in
the 2000s, some enterprising crook registered the domain name azukinet.com
in order to successfully impersonate the actual and original Azuki, LLC,
specifically when interacting with ARIN staff members.  This simple ruse
appears to have worked successfully for its intended purpose.

Additionally, attempts to call the contact phone number for Azuki, LLC,
(+1-213-304-6809) as currently listed in both the relevant ASN and the
relevant IP block WHOIS records, during normal business hours, Eastern
Daylight Time, yield only an anonymous answering machine recording.
(The recorded message does not even state the company name.)  This is
yet another indicator of possible deliberate deception.

Last but not least, the widely-respected Spamhaus anti-spam organization
has had the entirety of the 216.179.128.0/17 block listed on its anti-spam
SBL list since 2019-06-08, i.e. two full months, dating backwards