Prosecutors allege Micfo obtained 800k IPv4 addresses illegally

wsj.com

77 points by ammaristotle 6 years ago · 81 comments

masayoshis_son 6 years ago

The writing is quite confusing in trying to explain things but the gist of it appears to be that the person in question (1) applied for IP addresses through numerous companies created just for this purpose in order to bypass ARIN's restriction on the number of addresses it was willing to allocate to a single entity, and (2) made the obtained IP address ranges available to serve as VPN endpoints, so that "huge amount of traffic—some of it illicit or criminal—passed through its computer servers but wasn't traceable to the true originators."

He did keep track though of which VPN operator used which range at any given time, so perhaps the "true originators" could be traceable after all, assuming the VPN owners were willing to co-operate. In any case, he is only being prosecuted for (1), and the immediate reason for this is that a couple of US politicians were hacked with attacks originating from these addresses.

  • londons_explore 6 years ago

    A prosecution seems a bit over the top for this... Setting up multiple companies to meet some rule isn't against said rule. And anyway, it's a company policy not the law.

    • commandersaki 6 years ago

      It was done to deceive ARIN which is why it is being considered wire fraud.

      • smnrchrds 6 years ago

        So if I sign up for a service with different email addresses to use the 2-week free trial over and over, I will be guilty of wire fraud?

        • jfim 6 years ago

          Yes. For example, someone signed up for 58,000 accounts and used them to receive micro deposits (those small sums that are deposited into an account to validate that two accounts are linked correctly). They had their time in court: https://www.wired.com/2008/05/man-allegedly-b/

        • zbentley 6 years ago

          Intent matters. Scale of abuse matters qualitatively.

          The legal system does not operate like a computer program.

        • dlgeek 6 years ago

          Yes, and they'd probably throw a CFAA violation in there too.

          • smnrchrds 6 years ago

            Wow! I shouldn't be surprised, yet I am, that three felonies a day was right.

        • 3xblah 6 years ago

          s/will be guilty of/could be charged with/

      • cat199 6 years ago

        if shell companies are fraud, much of the economy is in trouble

        • jacquesm 6 years ago

          Shell companies are not normally used for structuring. That's a different matter entirely. A shell company is usually a holding company, not a company created in order to deceive or to bypass a hard cap on some scarce resource.

          • Animats 6 years ago

            Well, there are the fake registrars, such as DropCatch 345, DropCatch 346, DropCatch 347, ... DropCatch 1545. Those are all ICANN-accredited registrars.[1] ICANN parcels out dropped domains among all the registrars who want them at random. Having a thousand dummy registrars improves the odds. That's definitely "structuring" to hog Internet assets.

            This is possible only because, while ICANN charges each registry when they acquire a domain, ICANN refunds that if they give the domain back within some time period.

            [1] https://www.icann.org/registrar-reports/accreditation-qualif...

            • jacquesm 6 years ago

              ICANN is utterly dysfunctional, see .org debacle.

              • Wowfunhappy 6 years ago

                The .org debacle is evidence that ICANN is corrupt, not dysfunctional. That's an important distinction.

                • naniwaduni 6 years ago

                  It's both. You could say that the .org debacle more strongly indicates corruption than dysfunction, but it's definitely both with strong ties between them.

                  • Wowfunhappy 6 years ago

                    How is it both?

                    They knew exactly what they were doing.

                    • naniwaduni 6 years ago

                      The fact that they knew exactly what they were doing does not contradict that what they were doing is dysfunctional. If anything, it is the dysfunction.

            • comex 6 years ago

              As strange and dysfunctional as that is, DropCatch isn't trying to deceive ICANN into thinking those registrars are unrelated companies, so it's not fraud.

          • blitmap 6 years ago

            Just FYI for others: https://en.wikipedia.org/wiki/Structuring

            I didn't know there was a formal term for this. Splitting up money transfers to avoid detection of large sums moving around.

      • swarnie_ 6 years ago

        This seems like a bit of an overreach, no?

        I've looked up wire fraud in the US and it seems to come with some properly serious penalties:

        Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice, shall be fined under this title or imprisoned not more than 20 years, or both. If the violation affects a financial institution, such person shall be fined not more than $1,000,000 or imprisoned not more than 30 years, or both.[4]

        • tptacek 6 years ago

          No? The use of deception to obtain something of value that would not otherwise be given to you is the literal, legal definition of fraud?

          • Mirioron 6 years ago

            So, where does that leave advertising? The entire purpose of advertising is to get somebody to spend money on a product they otherwise wouldn't have.

            • Retric 6 years ago

              Advertising has specific legal limits on what is deceptive. You can say ‘world’s best’ because that’s considered a subjective and meaningless statement, but lying about objective facts gets you into hot water. For example, peanut butter is legally required to have been made from peanuts.

            • IAmEveryone 6 years ago

              You going to work also serves the purpose "to get somebody to [give you] money they otherwise wouldn't have". So that definition is obviously too broad, and different from the definition of fraud mentioned above.

              Advertisement tends to deal in opinions, not facts. And where specific factual claims are made against better knowledge it does constitute fraud, and is occasionally prosecuted. See Volkswagen's emissions claims, for example. Or, just this week, some hand sanitiser got hit by the FDA for claiming protection against Ebola and Coronavirus.

            • tptacek 6 years ago

              To be more precise, the elements of fraud include a false statement, made knowingly, upon which someone else reasonably relies, to their detriment. To prosecute, this pattern must not be merely plausibly true but persuasively true in the face of a motivated, skilled defense. That set of circumstances is only rarely true in advertising. It is clearly true here.

            • empath75 6 years ago

              People get sued for false advertising all the time. I feel like people on Hacker News are continuously surprised to discover that laws exist and are enforced.

              • paulie_a 6 years ago

                And when they are enforced they seem to think that laws can be hacked with cutesy little games to a judge.

            • skywhopper 6 years ago

              “The use of deception” is key, and it’s true that advertising often crosses the line, and should be prosecuted more often.

            • catalogia 6 years ago

              The advertising industry is hated by many people for exactly the parallels you've perceived.

        • skywhopper 6 years ago

          “Not more than”. For most crimes the sentencing guidelines are broad so the context of the case may be taken into account by the judge and/or jury.

        • pjc50 6 years ago

          Those are maximums.

          • swarnie_ 6 years ago

            I understand insane maximums, offence stacking and plea deals are part of your culture, maybe we should explore that further?

    • ganoushoreilly 6 years ago

      These companies oftentimes were bought shelf companies with history so as to have credibility. The goal was selling up blocks to prohibited locations and enabling spamming. This guy spent a lot of time in Tunisia with spam kings and accepted up front money to build infrastructure.

      The publicly discussed components here are but a small piece of a complex and sloppily run scam organization.

      Look up the judgements under these businesses over the years at various web hosts. These companies would enter long contracts and eventually stop paying.

nmc 6 years ago

https://archive.is/2f9pz

krebsonsecurity 6 years ago

This story looks familiar. Oh wait: https://krebsonsecurity.com/2019/05/a-tough-week-for-ip-addr...

bitxbitxbitcoin 6 years ago

Relevant post by a former Micfo employee: https://news.ycombinator.com/item?id=22360642

neonate 6 years ago

https://archive.md/2f9pz

checkyoursudo 6 years ago

I can come up with at least 3 distinct meanings for “amassed VPN clients” and I’m still not 100% sure which is correct in this context. I take it that clients here refers to “paying customers”?

  • nicolaslem 6 years ago

    > He said Micfo provides a legitimate service to VPNs, adding that whatever his customers or their users do through Micfo servers is none of his business.

    From what I understand he was attributed many IPs by creating shell companies and rented these IPs to VPN providers.

    • xfitm3 6 years ago

      A former employer used to rent IPs, the person renting ranges had different companies own each block to reduce abuse report blast radius. We also owned a ton of IPs and never really had to prove utilization when requesting new blocks from ARIN as of 2011.

    • wut42 6 years ago

      Why pursue him? What he's done has been done by many others for years.

      • londons_explore 6 years ago

        I'd guess he pissed off some important people... If this prosecution doesn't succeed, you can bet every tax return of his for the last 20 years will suddenly be randomly checked, and he'll be prosecuted for claiming a Starbucks coffee as an expense during a business meeting when he actually took half the coffee away after the meeting making it not an allowable expense, and therefore technically fraud.

        • ganoushoreilly 6 years ago

          He picked the fight foolishly by being greedy. He lived well beyond his means too and owes a lot of money to people you don’t want to owe.

      • masayoshis_son 6 years ago

        That's what I've been thinking as well. Creating "shell companies" (aka "Special Purpose Entities/Vehicles") is not illegal per se.

        Perhaps he violated the terms and conditions of his contract with ARIN and should have had the assignments cancelled but where does the criminality come in?

        • qtplatypus 6 years ago

          If he misrepresented himself in order to gain a financial advantage then that is fraud.

          Creating shell companies is not illegal, using a name for yourself that isn’t your legal name is not illegal, doing either of those things in order to trick people into giving you money is.

          • tialaramex 6 years ago

            Not just financial advantage, all deceit where you intend to gain from it is fraud. Money just makes it more obvious what the gain was.

            Are there grey areas? Sure. In particular there's a passive sort of deceit in which you let people assume things that you know aren't true, to your benefit. Mostly the law holds that it's their mistake for not asking, and anyway they'd usually be far too embarrassed to make a fuss if they realise their error.

            I don't see that here, the plan was explicitly to trick the RIR into giving them resources they were otherwise not entitled to. Those resources were for everybody to share, they're stealing from you and it's appropriate to prosecute for fraud.

            • notyourday 6 years ago

              > I don't see that here, the plan was explicitly to trick the RIR into giving them resources they were otherwise not entitled to. Those resources were for everybody to share, they're stealing from you and it's appropriate to prosecute for fraud.

              The last time I looked which was a couple of years ago there was nothing in the ARIN TOS that said "you can only control one entity that applies for resources".

              Joe Schmoe Enterprises, Inc, Joe Schmoe, LLC, Joe Shmoe Fishing Services, Inc are different legal entities even if Joe Schmoe, Jr owns all of them.

              • tialaramex 6 years ago

                The TOS only entitles you to keep the service you already have, you need more paperwork to get more resources assigned.

                I presume the specific problem will have been when Joe Schmoe lied on the paperwork for IPv4 delegation to Joe Shmoe Fishing Services not mentioning that Joe Schmoe, LLC already has also applied, as has Joe Schmoe Enterprises, Inc. I'm not in ARIN's region, so I haven't seen their paperwork, but analogous paperwork in RIPE for example asks you about Related Entities because you're not entitled to duplicate resources just by asking more than once.

            • kaetemi 6 years ago

              > all deceit where you intend to gain from it is fraud

              Except if you're a magician, of course!

              • tialaramex 6 years ago

                One of the things Teller (the magician) talks about is that while obviously you do want the audience to be "fooled" in some sense - that's what they're paying you for - you don't want to do that by straight lying to them. Where's the fun in that?

                The goal is to create a scenario in which the audience knows they were tricked but can't figure out how. So you don't lie and say this is a random audience member when it's actually an employee "stooge". But when you're giving the genuinely random audience member a "free choice" of cards you don't need to explicitly tell the audience that, duh, as a magician you're not giving anybody a truly "free choice" of anything actually and you knew immediately which card they picked even without seeing it. That sort of thing.

          • notyourday 6 years ago

            > Creating shell companies is not illegal, using a name for yourself that isn’t your legal name is not illegal, doing either of those things in order to trick people into giving you money is.

            Have you seen a list of all telco companies that are together AT&T which exist solely to allow AT&T to limit liability, create a separation of entities to qualify under some rules for some other entities, etc?

            When MCI Worldcom filed for bankruptcy the list of the entities that it covered took a couple of pages in major newspapers.

            • qtplatypus 6 years ago

              I am not sure of the point. Limiting liability is one of the things an LLC exists for.

        • ganoushoreilly 6 years ago

          He flat out created new people and signed things via notary with fake names. He then tried to sell blocks to prohibited persons in prohibited regions.

          Pull down the whole court doc, it’s pretty clear his intentions.

dang 6 years ago

A related thread is https://news.ycombinator.com/item?id=22360642.

lmilcin 6 years ago

If anybody is interested I have a database of roughly 4B IPv4 addresses for sale:)

  • qz_ 6 years ago

    Would you mind sharing your email address?

  • esotericn 6 years ago

    Could you please remove mine under article 17 of the GDPR? :D

    • kaetemi 6 years ago

      Absence of information is information in itself.

    • big_chungus 6 years ago

      Hmm, GDPR thought experiment: I make a database of public IPv4s by running a couple for-loops and subtracting private spaces. Can an EU guy who owns an IPv4 request to have it removed?

      • rovr138 6 years ago

        Regarding GDPR, I think IPs are considered “personal data” if you can identify the user from it.

        Well, my understanding is any data is ‘personal data’ if you can use it to identify a user, can be combined to identify a user or can be aggregated to an identified user.

        • lmilcin 6 years ago

          That is mostly, but not exactly right.

          For example, list of addresses themselves are not personal data. Everybody has access to addresses, you can get them at the post office for example when you try to look up code for the address.

          But a list of addresses of creditors (ie. address + some non-identifying context information) is personal data.

          I do not know GDPR well but given just that example I would say there is some more nuance.

johnklos 6 years ago

I wish HN had a filter which would block all posts which link to sites which require subscriptions.

_-___________-_ 6 years ago

Hmm.

I "obtained" 2^32 IPv4 addresses pretty easily; not sure if it's legitimate or not:

  for addr in range(2**32):
    print('.'.join([str(addr >> (i << 3) & 0xFF) for i in range(4)[::-1]]))

Edit: Well, this was unpopular. In case it's too subtle, my point is that the title is terrible.

  • 0x0 6 years ago

    Your script doesn't seem to assign any of the printed IPs to ASNs registered to you, so your joke kind of misses the mark a bit.

    • _-___________-_ 6 years ago

      I added an edit to make it more clear, but I was talking about the title.

      • wut42 6 years ago

        There's nothing wrong with the title. Obtained means "To get hold of; to gain possession of, to procure; to acquire, in any way".

        • _-___________-_ 6 years ago

          Which is quite literally what my script does :)

          Think about if the title said "800K email addresses obtained illegitimately", and what you would interpret the meaning of that to be.

          • sbarre 6 years ago

            I know pedantry is a HN thing, but I suspect the majority of the audience here understood what "obtained" meant in this context.

            This seems like a particularly weird hill for you to repeatedly die on.

          • skywhopper 6 years ago

            I would expect a database of valid email addresses had been compromised. Context of what is being “obtained” matters, of course. But the sum total of valid IP addresses is a fixed, finite, and well-known value. Can you write a script to generate all valid email addresses?

          • NullPrefix 6 years ago

            A money printing machine

            >printf("$100");

          • wut42 6 years ago

            For emails, I would think they just got the address.

            For IP addresses, I would think they got an assignation as well, because IP numbers without assignations are worthless.

            It all depends on the context.

  • skywhopper 6 years ago

    The concept of ownership of an IP address, implied by “obtains”, is pretty clear and well-understood. The story was exactly what I imagined after reading the headline. Rather than making an obtuse joke, how would you suggest it be improved?

    • _-___________-_ 6 years ago

      "obtains control of" would be much better.

      Consider the headline "obtained 800k email addresses illegitimately". Would you really assume that this meant they were able to receive email at those addresses, or just that they'd obtained the addresses?
