
Prosecutors allege Micfo obtained 800k IPv4 addresses illegally - ammaristotle
https://www.wsj.com/articles/fraud-case-in-charleston-s-c-shines-light-on-webs-dark-corners-11581944400
======
masayoshis_son
The writing is quite confusing in trying to explain things but the gist of it
appears to be that the person in question (1) applied for IP addresses through
numerous companies created just for this purpose in order to bypass ARIN's
restriction on the number of addresses it was willing to allocate to a single
entity, and (2) made the obtained IP address ranges available to serve as VPN
endpoints, so that "huge amount of traffic—some of it illicit or
criminal—passed through its computer servers but wasn't traceable to the true
originators."

He did keep track though of which VPN operator used which range at any given
time, so perhaps the "true originators" could be traceable after all, assuming
the VPN owners were willing to co-operate. In any case, he is only being
prosecuted for (1), and the immediate reason for this is that a couple of US
politicians were hacked with attacks originating from these addresses.

~~~
londons_explore
A prosecution seems a bit over the top for this... Setting up multiple
companies to meet some rule isn't against said rule. And anyway, it's a company
policy not the law.

~~~
commandersaki
It was done to deceive ARIN which is why it is being considered wire fraud.

~~~
smnrchrds
So if I sign up for a service with different email addresses to use the 2-week
free trial over and over, I will be guilty of wire fraud?

~~~
dlgeek
Yes, and they'd probably throw a CFAA violation in there too.

~~~
smnrchrds
Wow! I shouldn't be surprised, yet I am, that three felonies a day was right.

------
nmc
[https://archive.is/2f9pz](https://archive.is/2f9pz)

------
krebsonsecurity
This story looks familiar. Oh wait:
[https://krebsonsecurity.com/2019/05/a-tough-week-for-ip-addr...](https://krebsonsecurity.com/2019/05/a-tough-week-for-ip-address-scammers/)

------
bitxbitxbitcoin
Relevant post by a former Micfo employee:
[https://news.ycombinator.com/item?id=22360642](https://news.ycombinator.com/item?id=22360642)

------
neonate
[https://archive.md/2f9pz](https://archive.md/2f9pz)

------
checkyoursudo
I can come up with at least 3 distinct meanings for “amassed VPN clients” and
I’m still not 100% sure which is correct in this context. I take it that
clients here refers to “paying customers”?

~~~
nicolaslem
> He said Micfo provides a legitimate service to VPNs, adding that whatever
> his customers or their users do through Micfo servers is none of his
> business.

From what I understand he was attributed many IPs by creating shell companies
and rented these IPs to VPN providers.

~~~
wut42
Why pursue him? What he's done has been done by many others for years.

~~~
masayoshis_son
That's what I've been thinking as well. Creating "shell companies" (aka
"Special Purpose Entities/Vehicles") is not illegal per se.

Perhaps he violated the terms and conditions of his contract with ARIN and
should have had the assignments cancelled but where does the criminality come
in?

~~~
qtplatypus
If he misrepresented himself in order to gain a financial advantage then that
is fraud.

Creating shell companies is not illegal, using a name for yourself that isn’t
your legal name is not illegal, doing either of those things in order to trick
people into giving you money is.

~~~
tialaramex
Not just financial advantage, all deceit where you intend to gain from it is
fraud. Money just makes it more obvious what the gain was.

Are there grey areas? Sure. In particular there's a passive sort of deceit in
which you let people assume things that you know aren't true, to your benefit.
Mostly the law holds that it's their mistake for not asking, and anyway they'd
usually be far too embarrassed to make a fuss if they realise their error.

I don't see that here, the plan was explicitly to trick the RIR into giving
them resources they were otherwise not entitled to. Those resources were for
everybody to share, they're stealing from you and it's appropriate to
prosecute for fraud.

~~~
notyourday
> I don't see that here, the plan was explicitly to trick the RIR into giving
> them resources they were otherwise not entitled to. Those resources were for
> everybody to share, they're stealing from you and it's appropriate to
> prosecute for fraud.

The last time I looked which was a couple of years ago there was nothing in
the ARIN TOS that said "you can only control one entity that applies for
resources".

Joe Schmoe Enterprises, Inc, Joe Schmoe, LLC, Joe Schmoe Fishing Services, Inc
are different legal entities even if Joe Schmoe, Jr owns all of them.

~~~
tialaramex
The TOS only entitles you to keep the service you already have, you need more
paperwork to get more resources assigned.

I presume the specific problem will have been when Joe Schmoe lied on the
paperwork for IPv4 delegation to Joe Schmoe Fishing Services not mentioning
that Joe Schmoe, LLC already has also applied, as has Joe Schmoe Enterprises,
Inc. I'm not in ARIN's region, so I haven't seen their paperwork, but
analogous paperwork in RIPE for example asks you about Related Entities
because you're not entitled to duplicate resources just by asking more than
once.

------
dang
A related thread is
[https://news.ycombinator.com/item?id=22360642](https://news.ycombinator.com/item?id=22360642).

------
lmilcin
If anybody is interested I have a database of roughly 4B IPv4 addresses for
sale:)

~~~
esotericn
Could you please remove mine under article 17 of the GDPR? :D

~~~
big_chungus
Hmm, GDPR thought experiment: I make a database of public IPv4s by running a
couple for-loops and subtracting private spaces. Can an EU guy who owns an
IPv4 request to have it removed?

~~~
rovr138
Regarding GDPR, I think IPs are considered “personal data” if you can identify
the user from it.

Well, my understanding is any data is ‘personal data’ if you can use it to
identify a user, can be combined to identify a user or can be aggregated to an
identified user.

~~~
lmilcin
That is mostly, but not exactly right.

For example, a list of addresses by itself is not personal data. Everybody has
access to addresses, you can get them at the post office for example when you
try to look up the code for the address.

But a list of addresses _of creditors_ (i.e. address + some non-identifying
context information) is personal data.

I do not know GDPR well but given just that example I would say there is some
more nuance.

------
johnklos
I wish HN had a filter which would block all posts which link to sites which
require subscriptions.

~~~
dang
If there's a workaround, it's ok. Users usually post workarounds in the
thread, and did so in this one.

This is in the FAQ at
[https://news.ycombinator.com/newsfaq.html](https://news.ycombinator.com/newsfaq.html)
and there's more explanation here:

[https://news.ycombinator.com/item?id=10178989](https://news.ycombinator.com/item?id=10178989)

[https://hn.algolia.com/?query=by:dang%20paywall&sort=byDate&...](https://hn.algolia.com/?query=by:dang%20paywall&sort=byDate&dateRange=all&type=comment&storyText=false&prefix&page=0)

------
_-___________-_
Hmm.

I "obtained" 2^32 IPv4 addresses pretty easily; not sure if it's legitimate or
not:

    for addr in range(2**32):
        print('.'.join([str(addr >> (i << 3) & 0xFF) for i in range(4)[::-1]]))

Edit: Well, this was unpopular. In case it's too subtle, my point is that the
title is terrible.

~~~
0x0
Your script doesn't seem to assign any of the printed IPs to ASNs registered
to you, so your joke kind of misses the mark a bit.

~~~
_-___________-_
I added an edit to make it more clear, but I was talking about the title.

~~~
wut42
There's nothing wrong with the title. Obtained means "To get hold of; to gain
possession of, to procure; to acquire, in any way".

~~~
_-___________-_
Which is quite literally what my script does :)

Think about if the title said "800K email addresses obtained illegitimately",
and what you would interpret the meaning of that to be.

~~~
skywhopper
I would expect a database of valid email addresses had been compromised.
Context of what is being “obtained” matters, of course. But the sum total of
valid IP addresses is a fixed, finite, and well-known value. Can you write a
script to generate all valid email addresses?

~~~
_-___________-_
I can, and it does eventually complete, but it might take a while.

