The writing is quite confusing in trying to explain things but the gist of it appears to be that the person in question (1) applied for IP addresses through numerous companies created just for this purpose in order to bypass ARIN's restriction on the number of addresses it was willing to allocate to a single entity, and (2) made the obtained IP address ranges available to serve as VPN endpoints, so that "huge amount of traffic—some of it illicit or criminal—passed through its computer servers but wasn't traceable to the true originators."
He did keep track though of which VPN operator used which range at any given time, so perhaps the "true originators" could be traceable after all, assuming the VPN owners were willing to co-operate. In any case, he is only being prosecuted for (1), and the immediate reason for this is that a couple of US politicians were hacked with attacks originating from these addresses.
A prosecution seems a bit over the top for this... Setting up multiple companies to meet some rule isnt against said rule. And anyway, it's a company policy not the law.
Yes. For example, someone signed up for 58,000 accounts and used them to receive micro deposits (those small sums that are deposited into an account to validate that two accounts are linked correctly). They had their time in court: https://www.wired.com/2008/05/man-allegedly-b/
Shell companies are not normally used for structuring. That's a different matter entirely. A shell company is usually a holding company, not a company created in order to deceive or to bypass a hard cap on some scarce resource.
Well, there are the fake registrars, such as DropCatch 345, DropCatch 346, DropCatch 347, ... DropCatch 1545. Those are all ICANN-accredited registrars.[1] ICANN parcels out dropped domains among all the registrars who want them at random. Having a thousand dummy registrars improves the odds. That's definitely "structuring" to hog Internet assets.
This is possible only because, while ICANN charges each registry when they acquire a domain, ICANN refunds that if they give the domain back within some time period.
It's both. You could say that the .org debacle more strongly indicates corruption than dysfunction, but it's definitely both with strong ties between them.
The fact that they knew exactly what they were doing does not contradict that what they were doing is dysfunctional. If anything, it is the dysfunction.
As strange and dysfunctional as that is, DropCatch isn't trying to deceive ICANN into thinking those registrars are unrelated companies, so it's not fraud.
I've looked up wire fraud in the US and it seems to come with some properly serious penalties:
Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice, shall be fined under this title or imprisoned not more than 20 years, or both. If the violation affects a financial institution, such person shall be fined not more than $1,000,000 or imprisoned not more than 30 years, or both.[4]
Advertising has specific legal limits on what is deceptive. You can say ‘worlds best’ because that’s considered a subjective and meaningless statement, but lying about objective facts gets you into hot water. For example, peanut butter is legally required to have been made from peanuts.
You going to work also serves the purpose "to get somebody to [give you] money they otherwise wouldn't have". So that definition is obviously too broad, and different from the definition of fraud mentioned above.
Advertisement tends to deal in opinions, not facts. And where specific factual claims are made against better knowledge it does constitute fraud, and is occasionally prosecuted. See Volkswagen's emissions claims, for example. Or, just this week, some hand sanitiser got hit by the FDA for claiming protection against Ebola and Coronavirus.
To be more precise, the elements of fraud include a false statement, made knowingly, upon which someone else reasonably relies, to their detriment. To prosecute, this pattern must not be merely plausibly true but persuasively true in the face of a motivated, skilled defense. That set of circumstances is only rarely true in advertising. It is clearly true here.
People get sued for false advertising al the time. I feel like people on hacker news are continuously surprised to discover that laws exist and are enforced.
These companies often times were bought shelf companies with history so as to have credibility. The goal was selling up blocks to prohibited locations and enabling spamming. This guy spent a lot of time in Tunisia with spam Kong’s and accepted up front money to build infrastructure.
The publicly discussed components here are but a small piece of a complex and sloppily run scam organization.
Look up the judgements under these businesses over the years at various web hosts. These companies would enter long contracts and eventually stop paying.
I can come up with at least 3 distinct meanings for “amassed VPN clients” and I’m still not 100% sure which is correct in this context. I take it that clients here refers to “paying customers”?
> He said Micfo provides a legitimate service to VPNs, adding that whatever his customers or their users do through Micfo servers is none of his business.
From what I understand he was attributed many IPs by creating shell companies and rented these IPs to VPN providers.
A former employer used to rent IPs, the person renting ranges had different companies own each block to reduce abuse report blast radius. We also owned a ton of IPs and never really had to prove utilization when requesting new blocks from ARIN as of 2011.
I'd guess he pissed off some important people... If this prosecution doesn't succeed, you can bet every tax return of his for the last 20 years will suddenly be randomly checked, and he'll be prosecuted for claiming a Starbucks coffee as an expense during a business meeting when he actually took half the coffee away after the meeting making it not an allowable expense, and therefore technically fraud.
That's what I've been thinking as well. Creating "shell companies" (aka "Special Purpose Entities/Vehicles") is not illegal per se.
Perhaps he violated the terms and conditions of his contract with ARIN and should have had the assignments cancelled but where does the criminality come in?
If he misrepresented himself in order to gain a financial advantage then that is fraud.
Creating shell companies is not illegal, using a name fir yourself that isn’t your legal name is not illegal, doing either of those things in order to trick people into giving you money is.
Not just financial advantage, all deceit where you intend to gain from it is fraud. Money just makes it more obvious what the gain was.
Are there grey areas? Sure. In particular there's a passive sort of deceit in which you let people assume things that you know aren't true, to your benefit. Mostly the law holds that it's their mistake for not asking, and anyway they'd usually be far too embarrassed to make a fuss if they realise their error.
I don't see that here, the plan was explicitly to trick the RIR into giving them resources they were otherwise not entitled to. Those resources were for everybody to share, they're stealing from you and it's appropriate to prosecute for fraud.
> I don't see that here, the plan was explicitly to trick the RIR into giving them resources they were otherwise not entitled to. Those resources were for everybody to share, they're stealing from you and it's appropriate to prosecute for fraud.
The last time I looked which was a couple of years ago there was nothing in the ARIN TOS that said "you can only control one entity that applies for resources".
Joe Schmoe Enterprises, Inc, Joe Schmoe, LLC, Joe Shmoe Fishing Services, Inc are different legal entities even if Joe Schmoe, Jr owns all of them.
The TOS only entitles you to keep the service you already have, you need more paperwork to get more resources assigned.
I presume the specific problem will have been when Joe Schmoe lied on the paperwork for IPv4 delegation to Joe Shmoe Fishing Services not mentioning that Joe Schmoe, LLC already has also applied, as has Joe Schmoe Enterprises, Inc. I'm not in ARIN's region, so I haven't seen their paperwork, but analogous paperwork in RIPE for example asks you about Related Entities because you're not entitled to duplicate resources just by asking more than once.
One of the things Teller (the magician) talks about is that while obviously you do want the audience to be "fooled" in some sense - that's what they're paying you for - you don't want to do that by straight lying to them. Where's the fun in that?
The goal is to create a scenario in which the audience knows they were tricked but can't figure out how. So you don't lie and say this is a random audience member when it's actually an employee "stooge". But when you're giving the genuinely random audience member a "free choice" of cards you don't need to explicitly tell the audience that, duh, as a magician you're not giving anybody a truly "free choice" of anything actually and you knew immediately which card they picked even without seeing it. That sort of thing.
> Creating shell companies is not illegal, using a name fir yourself that isn’t your legal name is not illegal, doing either of those things in order to trick people into giving you money is.
Have you seen a list of list of all telco companies that are together AT&T which exist solely to allow AT&T to limit liability, create a separation of entities for qualify under some rules for some other entities, etc?
When MCI Worldcom filed for bankruptcy the list of the entities that it covered took a couple of pages in major newspapers.
Hmm, GDPR thought experiment: I make a database of public IPv4s by running a couple for-loops and subtracting private spaces. Can an EU guy who owns an IPv4 request to have it removed?
Regarding GDPR, I think IPs are considered “personal data” if you can identify the user from it.
Well, my understanding is any data is ‘personal data’ if you can use it to identify a user, can be combined to identify a user or can be aggregated to an identified user.
For example, list of addresses themselves are not personal data. Everybody has access to addresses, you can get them at the post office for example when you try to look up code for the address.
But a list of addresses of creditors (ie. address + some non-identifying context information) is personal data.
I do not know GDPR well but given just that example I would say there is some more nuance.
I would expect a database of valid email addresses had been compromised. Context of what is being “obtained” matters, of course. But the sum total of valid IP addresses is a fixed, finite, and well-known value. Can you write a script to generate all valid email addresses?
The concept of ownership of an IP address, implied by “obtains”, is pretty clear and well-understood. The story was exactly what I imagined after reading the headline. Rather than making an obtuse joke, how would you suggest it be improved?
consider the headline "obtained 800k email addresses illegitimately". would you really assume that this meant they were able to receive email at those addresses, or just that they'd obtained the addresses?
He did keep track though of which VPN operator used which range at any given time, so perhaps the "true originators" could be traceable after all, assuming the VPN owners were willing to co-operate. In any case, he is only being prosecuted for (1), and the immediate reason for this is that a couple of US politicians were hacked with attacks originating from these addresses.