The VPN connection here intrigues me. Do these VPN companies know how their IPs are being procured/by whom?
> In a 2020 interview, Golestan told KrebsOnSecurity that Micfo was at one point responsible for brokering roughly 40 percent of the IP addresses used by the world’s largest VPN providers
This would be an interesting deep dive for a tech-focused investigative journalist.
In my opinion almost all VPN companies are shady/gray-market entities, so yes, they absolutely know.
the colocation hosts and regional ISPs that will accept VPN operators as dedicated server and 1U server colocation customers are towards the more suspicious end of the hosting segment market spectrum, in my experience.
Dig hard enough on a modern VPN hosting company with a slick marketing presence and you'll find, like, a Cypriot corporation with a Cyprus bank account run by a guy who 15 years ago was in the adult website hosting business, who currently lives and works remotely from Cambodia. Or similar.
On the one hand, it's effectively a commodity, so there is a lot of competition.
On the other hand, the entire point is to protect the privacy of the customer. So if you're doing it right and any of your customers are actually in need of that privacy protection, you're going to be taking flak from angry jerks who don't like that you're providing it. The same thing happens to people hosting adult websites, so it's the same kind of people who are willing to put up with that in exchange for money.
> On the other hand, the entire point is to protect the privacy of the customer.
I'm not so sure.
As far as most of these companies are concerned, "the entire point" is to collect customers' money. The quality of the service they're providing is secondary, beyond that it has to be good enough that customers won't leave -- and the privacy properties of that service are even less important, since most customers aren't equipped to evaluate that.
In the world these providers and clients are operating in, clients are definitely equipped and aware of privacy concerns. Not for their users but for themselves.
Yes, if you google "Residential proxies for sale" there's a whole slew of grey/black market things using people's trojaned home routers or home PCs as relays. IP traffic from legit-seeming residential IP space is important in circumventing all sorts of things, for not only scraping but also straight-out credit card fraud and other more nefarious purposes.
I have a similar experience. A friend of mine was staying in SE Asia for an extended period of time and asked me to configure her router with an always-on VPN connection to the US to access her media subscription services. She had already signed up with a VPN provider. None of the standard VPN connection types worked (OpenVPN, L2TP etc.) with Netflix, only the custom application that they provided. When I analyzed it, I found out that it routed traffic through other users' residential connections.
It's not all trojaned home routers and PCs, at least not in the sense that the user is unaware that they're running the program (even if they're unaware they're routing traffic). For example, all/most of the mobile IPs offered are done through offering SDKs for app developers to implement, paying them based on usage. Now that phone is a relay while that app is running/backgrounded. Those free apps don't just make money off of ads, they make money this way too. For those, it's probably in the fine print what's going on, but people are conditioned to trade something non-monetary for usage these days, even if they aren't really aware of what they're trading.
Added protection against ISP and local snooping of traffic, either for commercial gain or by some local agencies in less-free countries where such things are common.
Bypassing geo-restricted content is also a big one, say for people living abroad who want to enjoy access to content from their country of origin, or content that is not locally filtered.
Maintaining privacy when visiting websites that use your geolocation or IP to correlate your visits and profile you for advertisement based on your (more or less) precise location for instance.
Or maybe you want some added privacy when visiting some adult or political sites whose data may be breached or monitored and make your habits more public than you'd want.
In principle a VPN is just another level of privacy protection, as long as it's one that can be trusted, which is probably another issue since apparently not many can.
a) Having been on the side of the ISPs that shady VPN providers approach when they're looking to rent dedicated servers or colocation space: 90% of the time when we did research into the potential "client" it turned out to be too much risk. Lots of common things, like we couldn't tie them to a specific LLC or corporation in the USA or Canada, they couldn't provide any information on creditworthiness, and we had no way of verifying that the persons who wanted to sign the service agreement were officers of the entity they purported to represent. People who would only contact by email and refuse to have a phone conversation or face-to-face.
b) That's a specific person, but I won't say who, for obvious reasons. Lots of reasons why, from the POV of a shady VPN service provider, you might want to live offshore and pay as little money in taxes as possible, I suppose, so there's a certain logic to it.
Please keep in mind I have been seeing weird/shady things in internet infrastructure for a very long time. I was helping set up OpenBSD firewalls for online casinos colocated in small island nation states 22 years ago, so I have a certain jaded perspective on these things.
Beside VPN providers and casinos, what other categories of online business do you often find shady? It is unfair to label a country a tax haven based on a single anecdote. However, Cambodia is cheap and pretty safe for expats so it makes sense.
I dealt with this guy at a previous role. There was always something off with the LOAs they provided. They came off as somebody that would just badger until they found somebody who’d do something to get them to go away.
As the years go by, I have found that some of the people who gave me a bad feeling later turn out to be even worse than I first suspected. In my book "How To Destroy A Tech Startup" I describe this guy Milton, who is the villain of the story. He did many things that seemed vaguely creepy, most of which I didn't put in the book because it didn't seem relevant. But I just recently learned he was in prison on charges of child pornography. So, yes, wow, my instincts were right. There was something creepy about him and eventually his creepiness turned out to be far worse than I first guessed. The story of Milton is the most extreme example I can give, but I've worked with others who I could tell milder stories about. I had a bad feeling about them, and 10 years later, when I learn even more, the facts justify the bad feeling I had about them.
This is why I have a strong No Business With Bastards policy. When someone acts badly enough, they go on the Nope list. I'll work with them if I have no choice at all, but it's consistently worthwhile to avoid those I know I can't trust. For example, Norton were already incompetent, but installing cryptominers put them on the Nope list. See also Oracle. Similarly, in traffic, that guy who does something painfully dumb is likely to keep making poor decisions, so be prepared for that, and increase your space cushion.
I wonder if this is probability based... people who do a lot of creepy things are more likely to be noticed for at least one creepy thing. If you observe enough behavior in a short period of time to think they are creepy, they are probably doing creepy things all the time.
Even further, it can be reasonably argued that there is no ethical context for such behaviour.
For those on the demanding side, it can be a badge of honour not to take "no" for an answer. While those on the other side, are being deliberately placed between a rock and a hard place. Just for another's benefit.
With suspicious entities, I encourage other ISPs to apply the same general principles as KYC/AML (know your client, anti-money laundering) investigatory techniques to suspicious neighbor ASNs.
It is shady, but it's interesting that it's "wire fraud" to me. The laws allow for shell companies, and I assume he was paying. And the thing he was skirting feels more like a TOS, contract rule, etc. It doesn't seem much different from things large companies do for tax purposes, etc. They can sentence up to 20 years per count for wire fraud.
You can set up all of the shell companies you want, but what you can't do is fake notarized statements and induce others to take actions based on them by transmitting them "over the wires." That's what he is being charged with here, because otherwise ARIN would have said "all of these companies are owned by the same person and our rules don't permit address allocations in this manner."
> Each of those shell companies involved the production of notarized affidavits in the names of people who didn’t exist. As a result, Lydon was able to charge Golestan with 20 counts of wire fraud — one for each payment made by the phony companies that bought the IP addresses from ARIN.
That's the part that becomes wire fraud, says the OP. Faked notarizations of people who don't exist.
There is hardly anything that doesn't involve the internet one way or another. Haven't all the frauds become wire fraud now? Does this legislation still make any sense?
It is odd that it's up to 20 years per count, but what was actually done ranges from something like a misdemeanor to robbing someone of their life savings.
At first I thought it was a weirdly inept clothing ad, until I realized it was actually the person being discussed in the article. Looking at that picture, I have to actively tell myself to not judge someone by just one photo.
The email group thread where Ron Guilmette (security researcher cited at the end of the article) is confronting an Israeli businessman about the alleged theft of the AFRINIC IP blocks is/was available. I ran across it while looking for information related to an aggressive bot scanning ports on my Linodes that happened to be using a /20 involved with the theft. It's a riveting thread for anyone interested in that kind of thing, I'll post back if I can find it again.
CGNAT does provide value in our current v4 situation, but it's far from ideal. Not having NATs allows for more decentralization (p2p connections, self-hosting), and saves the resources - unnecessary energy and compute - that NAT consumes
IPv6 was poorly designed, and will never be fully adopted because of this. Unfortunately, we seem to be stuck between IPv4 and IPv6 when really, what we need is a new solution, something better designed and easier to adopt.
I've heard people complaining about how hard IPv6 is, but I've never seen a plan that is actually easier than migrating to IPv6. It's always massive CGNAT investment or making non-backwards-compatible changes to IPv4 that is somehow "easier" to work with.
That is like all the how to terraform Mars plans. I know what is easier than living on any other planet, saving the one we are currently on right now.
That being said, I think it is good that people are so good at being non-conformist; at least if there was any other solution out there, we would more than likely have found it by now.
The comparison is wrong. ipv6 is already fully developed, while ipv4 is getting crowded.
There are already more devices connected to the internet than there are ipv4 addresses. Already Android devices alone are more than 3 billion, PCs 1.5 billion. The limit is at 2^32 = 4.3 billion.
It would be a better comparison if Mars were already habitable and one only had to move humans over. Because that's all we have to do to make ipv6 suitable.
I guess I explained myself really poorly, but I think we mean the same here. To be clear what I mean is that somehow making ipv4 work is much harder than migrating to ipv6. And clearly terraforming Mars is insanely harder than terraforming earth.
If I understand correctly, due to NAT we’re not limited by the number of computers vs available IP addresses, but rather by number of simultaneous connections vs (number of IPs) x (number of IP ports)
You are right, NAT is why the internet still works in the first place. However, NATs have many issues, like severely harming peer to peer capabilities. There is also additional complexity. My ISP frequently has downtimes of their NAT infrastructure.
Then there is the more complex routing tables. ipv4 is highly fragmented so users with many users don't have large contiguous blocks, but multiple smaller ones. This causes routing tables to bloat up, which increases routing overhead of the packets.
Lastly, there is the ridiculousness of paying for ipv4 addresses in the first place. Ideally, companies could just register them, having to pay a small service fee, that's it. In ipv6 this is the case, but in ipv4 you see Amazon paying huge sums for large ipv4 blocks. More importantly though, this cost is also handed down to customers, at least for hosters like Hetzner. For small servers, this can quickly be a significant fraction of the cost.
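As an added illustration of the routing-table point above (this is my own example, not code from the commenter or the article; the prefixes are documentation ranges, constructed for the demo, and not real allocations): the same address space costs a router more entries when it is held as scattered small blocks than as one contiguous block, and only adjacent blocks can be merged back into a single announcement. The lookup function is a plain linear scan, so the cost of a fragmented table is visible directly.

```python
import ipaddress

# Constructed example prefixes (documentation ranges, not real allocations):
# an operator that accumulated several small IPv4 blocks over time, versus a
# single IPv6 allocation covering more addresses than all of IPv4.
FRAGMENTED_V4 = [
    "198.51.100.0/25", "198.51.100.128/25",   # adjacent halves of one /24
    "203.0.113.0/26", "203.0.113.128/26",     # separated by a gap, not mergeable
    "192.0.2.0/24",
]
CONTIGUOUS_V6 = ["2001:db8::/32"]


def aggregate(prefixes):
    """Collapse adjacent or nested prefixes into the minimal set of routes
    covering the same addresses (what a BGP speaker does when it aggregates
    before announcing). Only blocks that line up on a supernet boundary merge."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def route_count(prefixes):
    """(routes before aggregation, routes after aggregation)."""
    return len(prefixes), len(aggregate(prefixes))


def longest_prefix_match(table, dst):
    """Forwarding lookup: the most specific route containing dst, or None.
    A linear scan here, so cost grows with the number of entries; real
    routers use tries or TCAM, but table size still drives memory use and
    update churn on every BGP change."""
    ip = ipaddress.ip_address(dst)
    best = None
    for entry in table:
        net = ipaddress.ip_network(entry)
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best.prefixlen:
                best = net
    return str(best) if best else None


if __name__ == "__main__":
    print("IPv4 routes before/after aggregation:", route_count(FRAGMENTED_V4))
    print("IPv6 routes before/after aggregation:", route_count(CONTIGUOUS_V6))
    print("aggregated table:", aggregate(FRAGMENTED_V4))
    print("lookup 198.51.100.200 ->", longest_prefix_match(FRAGMENTED_V4, "198.51.100.200"))
```

Note that the two 203.0.113.0 blocks stay separate even after aggregation because the /26 between them belongs to someone else; that is exactly the situation transfers of small IPv4 blocks create, and a single IPv6 allocation never produces it.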
I'd like to point out some design decisions I love about IPv6:
- 128-bit addresses instead of 32-bit. I can't imagine having a shortage of routable IP addresses for a long, long time.
- I don't have to use NAT if I don't want because there are enough IP addresses to go around. We've grown so used to NAT that we take it for granted, not recognizing it for the ugly hack it is. On my home network, just about every machine has a routable IPv6 address.
- A consistent subnet: it's almost always gonna be a /64. When I lay out my networks, I don't have to regret specifying a /24 and then, as the office grows, wishing I could extend it to a /22. Every IPv6 subnet is big enough.
- A consistent subnet means that you don't need to use a subnet calculator as much.
- Not wasting .0 and .255 addresses (network & broadcast addresses). It's particularly bad with very small subnets (e.g. an IPv4 /30 wastes half its usable IP addresses).
- On that note, I like having my machines being able to have a .0 (::) address. My favorite IPv6 address? 2600::. You can ping it to see if your connectivity is working.
- ::1 is loopback. 127.0.0.1 is loopback on IPv4, but 127 is a kinda weird number (okay, it's 2^7 - 1, but it's still weird).
- Without NAT I don't have to worry about network collisions when I VPN into corporate ("What? They're using 10.0.0.0/24? That's my home network's subnet! Dang!").
IPv6 works fine. It's all over my house, my mobile devices use it all the time (they're probably IPv6-only over LTE at this point), and I don't have any problems when I occasionally have to type in an IPv6 address. I don't see how you'll wrench IPv6 out of the billions (?) of devices using it and make them use anything other than IPv4 at this point.
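Several of the points in the list above (no wasted network/broadcast addresses, every LAN being a /64, no subnet collisions over a VPN, ::1 as loopback) can be checked with the standard library. The following is an added example of mine, not code from the commenter; the subnets used are documentation ranges chosen for the demo.

```python
import ipaddress


def usable_hosts(cidr):
    """Addresses a host can be assigned in the given subnet.
    IPv4 reserves the network and broadcast addresses (except on /31 and /32,
    per RFC 3021). IPv6 has no broadcast address; RFC 4291 reserves only the
    all-zeros interface ID (subnet-router anycast), which is counted here
    because it is one address out of 2**64 in a /64."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4 and net.prefixlen < 31:
        return net.num_addresses - 2
    return net.num_addresses


def wasted_fraction(cidr):
    """Share of a subnet's addresses that cannot be assigned to hosts."""
    net = ipaddress.ip_network(cidr, strict=False)
    return 1 - usable_hosts(cidr) / net.num_addresses


def carve_lans(delegation, lan_prefixlen=64):
    """Split an ISP prefix delegation into per-LAN subnets. With IPv6 every
    LAN is a /64, so the only question is how many you get, not how large
    to make each one."""
    net = ipaddress.ip_network(delegation)
    return [str(s) for s in net.subnets(new_prefix=lan_prefixlen)]


def vpn_collision(local_cidr, remote_cidr):
    """True when a route pushed by a VPN overlaps the local subnet: the
    classic 'both sides use 10.0.0.0/24' failure, where the remote network
    is unreachable because the local interface route is more specific or
    equal. Different address families never collide."""
    a = ipaddress.ip_network(local_cidr, strict=False)
    b = ipaddress.ip_network(remote_cidr, strict=False)
    return a.version == b.version and a.overlaps(b)


def is_loopback(addr):
    """True for ::1 and for anything in 127.0.0.0/8."""
    return ipaddress.ip_address(addr).is_loopback


if __name__ == "__main__":
    for cidr in ("192.0.2.0/30", "192.0.2.0/24", "2001:db8::/64"):
        print(f"{cidr}: {usable_hosts(cidr)} usable, {wasted_fraction(cidr):.1%} wasted")
    print(len(carve_lans("2001:db8:ab00::/56")), "LANs from one /56 delegation")
    print("10.0.0.0/24 vs 10.0.0.0/24 collides:", vpn_collision("10.0.0.0/24", "10.0.0.0/24"))
    print("::1 loopback:", is_loopback("::1"), " 127.0.0.1 loopback:", is_loopback("127.0.0.1"))
```

The /30 case shows the 50% waste mentioned in the list: two of its four addresses are network and broadcast. A /56 delegation yields 256 LAN-sized /64s without any calculator work, and the collision check is the one to run before deciding which private range a home or office network should use if people will ever VPN into another site from it.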
Wouldn't this be the kind of thing that would be ripe for a startup to make easier/more accessible through abstraction? Maybe the risk of fracturing an already dense protocol into multiple competing approaches isn't worth it, but my personal experience with IPv6 is also that it can be intimidating and confusing for the uninitiated (of which I am).
Not really. Just personal experience. And I think that's the key point here - coming up with a design that is fit for the world (wide web), and not just academically viable.
I suppose the evidence I would give to back up my statement is that if it was well designed, it would have been adopted. As it stands, I only find it is supported among the more distinguished services that I use.
There's a difference between "poor design" and "difficult to adopt", and I think confounding the two doesn't make sense.
For another example, Python 3 has a much better design than Python 2, and the difficult adoption is a result of having people fix what they had written using the poor Python 2 design; making it easier to adopt would have meant preserving the poor choices.
I don't know enough about IPv4 vs IPv6 to make a judgment in this particular case, but I don't think your argument broadly in itself here follows.
I never thought about it this way before: Are we in a dirty industry? Perhaps we should be cleaning up the place, as a responsibility and as enlightened self-interest.
It's far too big of an industry to call it dirty or clean. This guy was doing dirt, which didn't work out too well for him. And cleaning this type of fraud up is definitely squarely the responsibility of law enforcement, not random industry participants.
Most industry participants are just building things that there is market demand for. That is not necessarily enlightened, but it's also no worse than anything anyone in any other industry does.
> cleaning this type of fraud up is definitely squarely the responsibility of law enforcement, not random industry participants
According to who? Law enforcement is a last resort, and it reports to the people. People are responsible for their own communities. We live here, we benefit from it.