Tech CEO sentenced to 5 years in IP address scheme (krebsonsecurity.com)
395 points by todsacerdoti on Oct 17, 2023 | 297 comments


The underlying crime was wire fraud, and it happened to be about acquiring IP addresses. He wasn’t prosecuted because he got too many, but for how he got them.


Wire fraud, wire fraud, it's nearly always wire fraud. Elizabeth Holmes, George Santos, Charlie Javice, all the people who got fake Covid funds - wire fraud, wire fraud, wire fraud.

In this day and age if you're committing fraud it's pretty hard for it not to be wire fraud given how everything is transmitted digitally. And penalties for wire fraud are extremely steep (up to 20 years for each charge), and it automatically makes it a federal crime. So just don't...


It's often easier to prove this (or, even more often, tax evasion) than prove the alleged criminal activity. Either way, bad guy goes to jail, so the government is happy.


Would like to see Amazon charged with wire fraud for all the counterfeit stuff they sell. It's paid for "by wire" is it not? And almost certainly across state lines which makes it federal.


Fraud is the wrongful or criminal deception intended to result in financial or personal gain.

While counterfeit stuff is sold by sellers in the marketplace that Amazon provides, that is not equivalent to Amazon being the one selling the stuff.


In what imaginary world is accepting payment and shipping the item not the same as selling the item?


The difference between being an Amazon Vendor and a Seller: https://www.forbes.com/sites/forbesbusinesscouncil/2023/01/2...


The vendor that appears on my Credit Card statement is Amazon. The organisation who sets the commercial terms is Amazon. The website is completely Amazon branded. The goods are usually stored in a big warehouse with "Amazon" written on the side and delivered by someone engaged and paid by Amazon. The box that arrives has "Amazon Prime" written all over it.

I'm sorry, but as far as I'm concerned, Amazon is selling the item.


A former Nascar driver, Jeremy Mayfield, was charged with felonies for (supposedly) unknowingly selling stolen goods through his scrap yard.


Right, but there are plenty of counterfeit items shipped by Amazon. Just search for 1TB USB stick. Whatever internal distinctions they make don't matter to the reality that they are accepting payment and shipping the items.

Substance over form.


Then why is eBay in court for allowing emissions defeat devices to be sold on its platform, eBay didn't sell them?


1. Amazon ships plenty of counterfeit merchandise.

2. There is so much counterfeit stuff on Amazon that they should know about it, and should be held responsible since they do nothing about it. "Should have known" is sufficient for guilt in a court of law, when the thing is blatantly obvious.


silk road


If he had used e.g. the USPS mail service, would it then have been mail fraud instead? Similar sentencing?


Yes. Also, you do not want the Postal Inspectors showing up looking for you. Like, for real.


Yep, don't fuck with Postal Inspectors.

Anecdotal, second-hand story I remembered being told by a former colleague with some significant time working in the Postal service: state or city police pulled over a contracted semi truck carrying mail from one station to the other on suspicion of running un-taxed cigarette shipments from a reservation manufacturer. Because the semi was contracted by the postal service, they had the requisite security: tags, seals and the magical panic button in the cab of the tractor. The driver pushed the button when the state/city police broke the seal and started rummaging through parcels which summoned the inspectors, guns drawn to the scene. Apparently the Postal Inspectors arrested the -police- at that scene on breaking and entering mail facilities.

Some of the details pertaining to why the shipment was actually legal and the police didn't have cause/jurisdiction yadda yadda yadda I don't remember, but still a good story even if the telling of it by my former colleague was more engaging than I can recount.


That reminds me of a story from a good friend who works in the Idaho National Labs, which have some areas under rather tight security.

As the story goes, one of the scientists there copped a warrant high grade enough for the Federal Marshals to come by and make an arrest. They were stopped at one of the gates into a more secure area, asked their business, and told that security would send out the person in question. The Marshals balked at this and demanded to be let in to make the arrest, lest the fugitive make good an escape somehow. After security asked for their requisite clearance, which the Marshals could not provide, it continued to escalate. Fingering their pistol butts, the Marshals insisted they were on lawful business and must be let in, while the guards with rifles replied that by all means the Marshals might make their entry but as armed intruders into a secure laboratory they would promptly get shot.

The pissing match took long enough that the fugitive was finally marched up to the gate and taken into custody before it could escalate further, at this point I believe the Marshals were on the phone with their higher ups trying to plead their case to be let in.


The version of that story that I read is much longer, by Funranium Labs. It is entertainingly written, but I wonder how much is urban legend: https://www.funraniumlabs.com/2018/09/the-fringes-of-regulat...


Boy, that's a level of "sysadmin read too many BOFH stories and also thinks being 5'11" & bearded is a superpower" bombast I thought died out years ago.


Bombastics never die! They simply fade away...


Quite a bit more boring, but a co-worker once paid a contractor to install some blinds in his house, for a few thousand dollars. Dude took a down payment and then never delivered/installed the product, wouldn’t return their calls, etc.

My coworker went to the local police, who wouldn’t do anything, but then his lawyer advised him to go to the postal inspector (he had mailed the check to the contractor.)

The contractor ended up getting five years in federal prison for mail fraud.


The US justice system seems very odd to this European. Then I realize that if the EU project ever were to reach its presumed goals (by some), we'd probably end up with something pretty similar in terms of "oddness complexity".


Oh, it is absolutely wild, which I don't think is a very good characteristic for a legal system, especially one where the rule is that 'ignorance of the law is not a defense'.


I think we need a new take on that phrase, something like "ignorance of the law must not be a reasonable defence" — when the law is too complex for most people to understand, it is vulnerable to capricious enforcement, malicious compliance, and unwitting everyday violations being held against the politically undesirable.

Not only do I have absolutely no idea how to get from here to there, I also assume the degree of simplification I desire — to the point that normal people know what's going on most of the time — is the legal equivalent of saying "Twitter doesn't need 6000 employees because Mark Zuckerberg wrote Facebook by himself in college" in a software engineering context, and wrong for much the same reasons.


One of my favorite sayings is this: "The more numerous the laws, the more corrupt the state" (thousands of years old saying and nothing has changed).

And, oh boy, do we have many laws.

It is by design, to oppress the people.


At work do you also say the legacy projects that are a pain to work with are by design, to oppress the programmers?


You don't even need to consider ALL laws. Just look at the tax code in isolation for good examples.


I think we could start by requiring mens rea for any felony offense.


It is directly based on the UK's legal system. I am sure the same oddities are present there as well. Probably moreso since they are an old country.


I'd say you're already there.


In terms of law enforcement: I disagree. It's like 97% national still.

In terms of civil disputes between citizens from different member countries - well, we don't have any phone/internet/post police.


But you have the European arrest warrant now, right? So it may all be national, but also kinda international.


> The US justice system seems very odd to this European.

I very much agree. And I live in the US.


I’m sure to anyone in the UK these ancient oddities seem pretty familiar.


I often think it’s because Europe doesn’t typically have federalism.


Or... do?

77k fine for a net worth of $10-14 million from his businesses, and a 5-year sentence at a minimum security prison (with the likelihood of parole much earlier) is not a bad retirement plan.


There is no parole in the Federal prison system.


I once committed mail fraud when I was 17 years old. I had been using the return address as a destination address on envelopes to send mail to places for free without stamps. Finally got caught one day at the local branch. Postal Inspectors said I could face 20 to 30 years in federal prison.


I was part of a conspiracy to commit massive credit card fraud as a minor (thankfully all no longer relevant). I was given AT&T calling card numbers which were pilfered right from the USPS to use to connect to US BBSes to download hacked software.

The Belgian guy I was in with got raided by the police. His hard disks had been hidden behind a brick wall with only the cables visible. They didn't find the hard disks so he got away with it, and I never got arrested or charged.

Good times.


I tried this a few times as a little kid to see if it would work. If I sent it from my home, it didn't work and I got it returned with red pen notes on it explaining how to send it properly. I am sure it looked like a little kid's writing, so they gave me the benefit of the doubt. Next I mailed it from the post office and that actually worked, as long as it was being sent locally.


In other words just not putting stamps at all, and the postal service would 'return' it to the address listed as return (which is actually your destination)?


Don't they stamp "postage due" on it if you're short postage?


They do, but if you put it in a public post box (like say @ the post office), the only way they know where to send it is to the return address.


That's insane. 20 to 30 years in federal prison for having defrauded the post of how many letters? Imagining you've been sending a couple of letters a week at most, that's like what? $10 per month!?


Federal sentencing rules are very complex and take into account both the severity of the crime (as determined by its "offense level," of which there are 43) and the defendant's criminal history. I don't know the offense level of the particular crime mentioned in the comment, but presumably it would be fairly low, and since the defendant would have been a minor with (presumably) no federal criminal history, it's very unlikely IMO that they would have seen anywhere near that long if they were convicted. My guess is fines, probation, maybe a few months at worst, but judging by the tone of the comment, it seems like basically nothing happened and this was just a "scared straight" scenario.[1]

[1] https://en.wikipedia.org/wiki/United_States_Federal_Sentenci...


That's just the maximum they use to scare people with. Federal sentencing guidelines aren't that severe and a first time offender with something as mild as using the return address to send a few letters would plead out to a few hundred or thousand dollar fine and maybe probation, say nothing of the fact that the OP was underage.

IANAL but to get 20 years they'd have to commit a massive fraud that ended in some serious damage like costing victims millions of dollars with some other mitigating circumstances.


>to get 20 years they'd have to commit a massive fraud . . . with some other mitigating circumstances.

You mean aggravating circumstances.


just knowing that my neighbor was sending his mail this way would aggravate me!


This hasn’t been my experience. Recently reported a large problematic activity involving hundreds of mailboxes. The post office told me to call the postal inspectors, and the postal inspectors said call my local office.

Idk where the “postal inspectors are bad ass” meme comes from online, but from my sample size they’re just as useless as any other government org.


I was going to say the same thing. My passport was stolen from a mail truck a few years ago and the last update I got from the postal inspectors was that they gave up and told me I wasn't getting my parcel back, and that I should cut my losses. And that was only about 2 weeks after the theft occurred, although they did send me automated "we haven't made progress" emails every 6 months until the case was officially closed. Their "investigation" might as well have never happened.

For some reason, the internet thinks they are a group of James Bond secret agents. In my experience dealing with them, they are TSA level, totally indifferent schlubby federal workers waiting for their pension to vest.


I wonder how much the timeframe matters. I feel like a lot of stuff in the US has really gone down the toilet in the last 20 years, so maybe the Postal Inspectors really were badass 50+ years ago.


You really need to tell us how you learned not to mess with Postal Inspectors. Sounds like a really interesting story is lurking behind your post...


Story time? What makes Postal Inspectors so feared?


Some agencies, ones you might not even expect like the USPS and FDA, also have law enforcement powers, but have very narrow jurisdiction (relative to general law enforcement agencies like the FBI). So when a case actually does fall under their jurisdiction, they execute their duties "with extreme prejudice", so to speak. Assuming the story from the OP you replied to is true, the fact that they arrested the police officers would show how seriously they take their duties, even if the officers tampering with the mail was due to carelessness while they themselves were performing their duty.


This makes a lot of sense to me.

It's a psychological thing as far as I have been told. As in, the smaller the "amount" or "area" of power you give someone to enforce / defend the fiercer they will do so.

I saw this live once. A tiny office building's front entrance security guard. Had a sign in/out list for visitors. He was the stereotypical leaned back in his chair, far away from the heightened desk type guy. Our visitor wanted to sign out. He knew the procedure from other days. The list sat behind the counter but in plain view. Our guest thought nothing of it so as he mentioned he'd leave and just sign out he grabbed the list from behind the counter. You should have seen how fast the security guy got up from his chair and started shouting at the guy what the... he was thinking just grabbing that list! He pulled the list back out of our visitor's hands and then we heard a litany of other stuff. Until he finally let him actually sign out.

I guess one can make use of this in some cases :)


I think that every Department of the US Government (and AFAIK most if not all of the independent agencies) has at least one armed law enforcement agency, though in many cases all it does is ensure the security of the department's buildings and protect against corruption by its employees.


Notably, if you have a counterfeit dollar bill it's the secret service that deals with it.

I've read of someone who worked at a bank who was told that after getting a counterfeit, looked them up in the phone book, and they dealt with it promptly.


Still not as wild as the fact that while everyone was ridiculing Trump for instituting a space force, they have had a weather force, officially the "NOAA Commissioned Officer Corps", since 1917.

But in all fairness, the distinctions are all pretty arbitrary, I'm sure people were laughing as much when the navy spun off their weather stuff and when the army spun off their flying stuff as they do now with the air force spinning off the space stuff.


We laughed at it because it was the product of someone who isn't really known for original thoughts or consideration of complex concepts, so we all kind of assumed it was just a joke.


Who, Donald Rumsfeld?


For one the Postal Inspection service consistently has a high conviction rate around 98%[0]. Whether that's due to operational excellence or the ability to unwrap evidence for a living is subject for discussion.

[0]: https://about.usps.com/postal-bulletin/2019/pb22524/html/cov...


Or it doesn't move unless it's nearly certain of its case.


Or the law is so wide-ranging that basically anyone is guilty of something.


They are well trained, judicious and exacting in their conduct. They do not screw around and they do everything by the book. They're like what we wish regular police officers were.


I credit a lot of that to not being part of the homeland security culture: they work for the post office, their job is keeping the idea that you do NOT mess with US mail. I think a lot of the problems with cop culture come back to the idea that they’re basically soldiers separate from the community and doing such an important job that some collateral abuse just has to be expected.


I don’t but I was surprised to learn they have guns.

https://en.m.wikipedia.org/wiki/United_States_Postal_Inspect...


In America, it's surprising to find out someone does NOT have a gun.



I mean, if we're going there, there is this comical yet informative and strangely relevant Brooklyn Nine-Nine (thanks djbusby, for the correction) scene:

https://www.youtube.com/watch?v=N5S74kKimFs

Jake (Andy Samberg) and Charles (Joe Lo Truglio) form an unlikely alliance with Jack Danger (Ed Helms), a nerdy lead investigator at the United States Postal Inspection Service, as they embark on a mission to crack the case to bring down a drug dealer.


It's B99 not 30 Rock


Interstate commerce? Just spitballing...


Sounds like I need to target wire fraud as well, with drug cultivation/sales, firearm manufacture/sale/possession (even by a felon), and tax evasion to my list of charges to jury nullify on...


So you're in favor of letting people (usually rich people) commit wire fraud?


When it's a victimless crime like this?


It's hardly victimless-- when you lie to get something of value that would otherwise go to other people, and then sell it, you're ripping those people off.


No one lost anything though. No one is worse off than had this not happened at all - say the CEO never started the company.

That to me is the definition of victimless.

I lost imaginary income that never would have actually existed doesn’t make you a victim.


> No one lost anything here. At worst rent seekers didn’t get to collect rent for something that cost them nothing.

This was your original comment.

The opposite is true here: a person received addresses at low costs reserved for people who don't have any addressing of their own, and then sold the addresses for millions of dollars to companies who already have a lot of addresses and would be ineligible for this.

They pretended to be dozens of new companies to do this. They filed false affidavits where they swore facts that were untrue.

Meanwhile companies actually eligible for ARIN's initial block policy had to wait indefinitely because this scalper had snatched up all the inventory. Were they not harmed?


(Not a lawyer)

Fraud basically means lying to someone to steal from them. Wire fraud means doing that using electronic communications.

Of course there can be bogus charges and you should vote to acquit on those, but wire fraud seems squarely in the set of things that should be illegal if we have laws at all.


Governments love overbroad laws that can be selectively enforced.


I wonder if it's ancient communications methods fraud if you do it by carrier pigeon...


Unless you do it over wifi, then it's technically wireless fraud.


Yep. If he had real people or real companies buying these IP addresses (even if they are shell companies) he would be fine. Apparently he started like that but then he got greedy and said: fuck I will just invent some fake people.

The actual criminal activity (fraudulent affidavits, forged signatures) started in 2017.


I worked for a dial-up ISP that was going out of business and their last hurrah was selling renting servers doling out clean IPs from their /16 blocks so the clients could spam like crazy.

Then we encountered these spammers were willing to forge BGP LOA stating that they could announce certain, defunct and unused blocks on BGP.

I left there in a hurry, but it seems like they got away with it for a while. It would've been pretty catastrophic if their upstream ISPs decided to cut them off because they were announcing blocks they should not have been.


Of course if the transit providers did a better job (to be fair you're talking about years ago when this wasn't close to practical) they'd reject the announcements as bogus, no need for administrative punishment if it just doesn't work so nobody tries it.

Today RPKI means that machines can in effect authenticate the LOA, the same way your web server is able to prove it's itchyouch.example (or whatever) to a web browser, the real owners of 203.0.113.0/24 can prove to a machine they're the real deal and you aren't. Unfortunately there are still transit providers who don't do that, or have it set just to bring the discrepancy to the attention of a human.
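Added example (not part of the thread): a Python sketch of the route origin validation decision from RFC 6811 that the comment above alludes to, including the difference between a provider that drops invalid routes and one that only alerts a human. The ROA data, the AS numbers (documentation range 64496-64511) and the function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: what an RPKI validator hands the router
    after checking the ROA's signature chain up to the RIR trust anchor."""
    prefix: object      # ipaddress.IPv4Network or IPv6Network
    max_length: int     # longest prefix length the holder authorises
    asn: int            # AS allowed to originate it (0 means "nobody")


def vrp(prefix, max_length, asn):
    return VRP(ipaddress.ip_network(prefix), max_length, asn)


# Constructed sample data: two signed prefixes; 192.0.2.0/24 has no ROA.
VRPS = [
    vrp("203.0.113.0/24", 24, 64496),
    vrp("198.51.100.0/24", 25, 64497),
]


def validate(route_prefix, origin_asn, vrps=VRPS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    # A VRP "covers" the route when the route sits inside the VRP prefix.
    covering = [v for v in vrps
                if v.prefix.version == route.version
                and route.subnet_of(v.prefix)]
    if not covering:
        return "not-found"          # unsigned space: RPKI says nothing
    for v in covering:
        if (v.asn != 0 and v.asn == origin_asn
                and route.prefixlen <= v.max_length):
            return "valid"
    # Covered by at least one ROA, matched by none: wrong origin AS or a
    # more-specific announcement than the holder authorised.
    return "invalid"


def import_policy(state, enforce):
    """Return (accept, alert). enforce=True drops invalid routes;
    enforce=False is the alert-only setup that still accepts them."""
    if state == "invalid":
        return (not enforce, True)
    return (True, False)


def process(announcements, enforce):
    out = []
    for prefix, asn in announcements:
        state = validate(prefix, asn)
        accept, alert = import_policy(state, enforce)
        out.append((prefix, asn, state, accept, alert))
    return out


# Constructed announcements as a transit provider might receive them.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64496),   # the real holder
    ("203.0.113.0/24", 64511),   # someone else claiming the same block
    ("203.0.113.0/25", 64496),   # more specific than max_length allows
    ("198.51.100.0/25", 64497),  # within max_length 25
    ("192.0.2.0/24", 64511),     # no ROA exists for this space
]

if __name__ == "__main__":
    for enforce in (True, False):
        print("enforce" if enforce else "alert-only")
        for row in process(ANNOUNCEMENTS, enforce):
            print("  %-18s AS%-6d %-9s accept=%s alert=%s" % row)
```

Space with no ROA comes back "not-found" and is accepted under either policy, so unsigned prefixes get no protection from origin validation.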


Last I checked, RPKI was still not in use for the majority of prefixes: https://rpki-monitor.antd.nist.gov/ROV

This is likely true for much of the legacy space in the US, since ARIN requires you sign their registry agreement and actually pay fees to enable RPKI. It's not grandfathered.


At what point does using a fake name turn into a felony?

How about creating an email address using a pseudonym?

Or does it have to involve money? If someone uses a fake name to order a sex toy delivered (out of embarrassment) is that wire fraud?


I'm not a lawyer, but: it becomes a crime when you use it to commit fraud. If you fake a name to buy something embarrassing, then pay the other person as agreed, nothing illegal happened.

My understanding is that using an alias to commit a fraud is an aggravating factor, like it means you went out of your way to deliberately hide your crime. It'd be awfully hard to convince a court that you made an honest mistake if you lied about your identity during the process.


"Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice, shall be fined under this title or imprisoned not more than 20 years, or both. If the violation occurs in relation to, or involving any benefit authorized, transported, transmitted, transferred, disbursed, or paid in connection with, a presidentially declared major disaster or emergency (as those terms are defined in section 102 of the Robert T. Stafford Disaster Relief and Emergency Assistance Act ( 42 U.S.C. 5122 )), or affects a financial institution, such person shall be fined not more than $1,000,000 or imprisoned not more than 30 years, or both."

So if you are doing things purely for anonymity it's OK, but if you are registering many email addresses to overcome email service's per account free storage limit, or if you order sex toy delivery for new identity to get a first buyer's discount multiple times, then as I understand that could be a wire fraud.


Sounds like using an Adblocker could technically constitute wire fraud. Especially if the service offers a paid version without ads.


I think no, as the clause says "transmits or causes to be transmitted", while ad blocking extensions block specific transmissions. But maybe if you use such extension to block a disclaimer on paywalled website which obscures "read more" button, and press that button, causing website to transmit to you a paywalled content, that would be a wire fraud.


Yeah, I guess the question would be if the ad blocker modifies anything that results in two way transmission.


I'm not clear why he needed to use fake names and forged signatures? Couldn't he just create legal LLC's in various states (Nevada is a good one) which don't expose the entities owners and use those to purchase the IPs from ARIN? Rinse and repeat.


I assume that he just ran out of friends/colleagues/bodies who will run these companies. I do not know how many companies he created but 10 of them were fraudulently incorporated.


You don't need friends/bodies. A single person can create as many LLCs as they want is my understanding.


Nah he was doing the forging way before that as I had left my previous role in NOC back in 2017. I dealt with this guy probably around 2015-2016 and after we got a complaint about announcement we suspected forgery as the rightful owner shared more than this guy could except for some docs which apparently the other party never signed but magically there was a signature.


> The underlying crime was wire fraud

The other crime was looking like a douche canoe for his profile pic - https://krebsonsecurity.com/wp-content/uploads/2019/08/amirg...


He looks like he was in a goth band while he was getting really good grades at one of Canada's top business schools


He looks like a contestant on VH1's The Pickup Artist - https://en.wikipedia.org/wiki/The_Pickup_Artist_(TV_series)


"The prosecution would like to present Exhibit A..."


IPv4 addresses are like Socks. You can never have too many...


Back around the turn of the millennium, there was a company called AllAdvantage. They paid you to install spyware/ad injection software and watch you browse, and sold the ad space and analytics to corporations. They'd pay you for... I think it was 48 hours of ad-injected spied browsing per month, and then stop paying you (but keep injecting ads and spying on you). There was also a pyramid aspect where you'd get something like 10% of all of the amount earned by your direct referrals, with no monthly cap. Also, 48 hours of browsing wasn't enough to hit their minimum threshold for AllAdvantage to mail you a cheque.

Edit: maybe there wasn't actually spyware and it just injected extra banner ads in your browsing. I never looked into installing it myself.

A /16 subnet was routed to our fraternity house, licensed to house up to 22 people. 65,536 (minus broadcast, gateway, and network address) IPv4 addresses for 22 people. My roommate bought 1 GB of RAM (about $4k at the time) and a VMWare student license for his Linux desktop. He cut down Win95 to be able to run in 32 MB of RAM (including his COM scripting bot, Internet Explorer, and the AllAdvantage spyware). I seem to remember him configuring the VMs to run 16-bit color to save memory footprint. He scripted the Win95 boot process to read a CSV file off of NFS, remove the top line, and write the file back. The CSV file contained fake name, fake address, etc. The VM would register itself with AllAdvantage, with my roommate as the referrer, and then randomly click on links in Internet Explorer until hitting the payout limit, and then shut down the VM. A Perl script (remember the late 90s?) on the Linux host would re-launch a clean VM every time an old VM shut down, and keep the CSV populated with fake account details.

30 VMs were browsing 24x7 for AllAdvantage. My roommate set up a caching proxy on his Linux box, so he didn't hose the house's T1 connection. 10% of the payout (the referral fees) over something like 4-5 months paid for the whole desktop. AllAdvantage never got returned cheques from the fake addresses because they never paid out. I think he ran his system for over a year before AllAdvantage went out of business, for a total of something like $12k in profit.

He ran his own DNS server that hopped randomly all over the /16 to reduce the probability of detection. He's pretty convinced AllAdvantage's fraud people noticed him as an extreme outlier. He suspects they ignored him because the data he was generating for them cost 1/11th as much as most of the other data they were selling to customers.

Edit: a quick search shows the AllAdvantage rate was maybe $0.40/hr. 10% of this was $0.04 x 30 VMs = $1.20/hr 24x7. 8766 hours/year works out to about $10,000 per year. $12k in profit, $4k in RAM, and $1k for the rest of the machine works out to a bit under 2 years of running the system, if the rest of my memory is roughly accurate.

A few years later, our school kept the /16 allocated to us, but only routed the first /24 to the house. I'm sure my roommate wasn't the only one to get up to shenanigans with so many IP addresses.

Edit: He also found some online casinos that didn't explicitly forbid bots and he set up some poker bots that would keep track of its winning percentages against all other players. He set up some monitoring/control software for his feature phone (or was it a PDA?) so he could watch his losses from class and shut it down if necessary.

He kept records of every card seen in every game his bots played. I asked on at least 3 occasions for access to that data, to check for (1) naive shuffling (2) using a linear congruential generator instead of cryptographic quality random numbers and (3) seeding with time instead of a true random seed. He told me at least 3 times that he would give me FTP access to card histories, but never did. A couple years later, a paper came out detailing a code review of the most common online poker software finding (1) naive shuffling (2) using a linear congruential generator (3) seeded using only the time the game started and (4) containing an off-by-one error in the naive shuffle. The off-by-one error might have prevented me from figuring it all out from the poker bot histories, but there's some alternate history where we made millions in online poker, fully within the published rules of the sites. (Unfortunately, the millions would have come entirely from other players, the online casinos not bearing any of the costs of the shoddy coding.)

He mused several times that it would be fun to create a cardboard box with one of those see-through windows for a shipping label... and two subtle slits allowing a continuous roll of various shipping addresses and an advancement mechanism to be hidden within the package. He'd use a battery and/or inertial energy harvesting weight to power a device to change the shipping address every 4 hours. He wanted to send such a package with tracking information and watch it ping-pong around the country until someone realized something was fishy with the package.

He eventually dropped out of school and was living off of his poker bots until (without health insurance) his appendix burst and he was forced to get a day job to pay off his medical debt.

I hope he gets elected to Congress someday (though he's not very political) just to make a great epilogue to a biographical film.


It's too late to edit, but I swear I know the difference between ad and add.

On a side note, I thought a naive shuffle with a well-seeded cryptographic-quality pseudorandom number generator was the most likely finding from his poker bot history archive. I thought the linear congruential generator and seeding with the current time were long shots. I was just hoping that the skewed distribution gave a measurable edge over bots and players that were playing under the assumption of a uniform distribution of cards.

Had I thought there was a reasonable probability of a popular poker site using a LCRNG seeded with the current time, I would have been much more persistent in my requests for the history data.
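The shuffle bias and the seed-size limit discussed in the two comments above, worked through as an added example (not code from the thread, the paper, or any poker site). It enumerates every equally likely run of a naive shuffle and of Fisher-Yates on a small deck, then compares the bits of a seed with the bits needed to reach every 52-card ordering; the function names, the 3-card deck and the 32-bit seed size are assumptions chosen for illustration.

```python
from collections import Counter
from fractions import Fraction
from itertools import permutations, product
from math import factorial, log2


def naive_shuffle_paths(n):
    """Yield the final deck for every equally likely run of the naive shuffle.

    Naive shuffle: at each position i, swap with a position j drawn from the
    WHOLE deck (0..n-1). That gives n**n equally likely runs.
    """
    for choices in product(range(n), repeat=n):
        deck = list(range(n))
        for i, j in enumerate(choices):
            deck[i], deck[j] = deck[j], deck[i]
        yield tuple(deck)


def fisher_yates_paths(n):
    """Yield the final deck for every equally likely run of Fisher-Yates.

    Fisher-Yates: for i from n-1 down to 1, swap with a position j drawn
    from 0..i only. That gives exactly n! equally likely runs.
    """
    positions = list(range(n - 1, 0, -1))
    for choices in product(*(range(i + 1) for i in positions)):
        deck = list(range(n))
        for i, j in zip(positions, choices):
            deck[i], deck[j] = deck[j], deck[i]
        yield tuple(deck)


def exact_distribution(paths):
    """Exact probability of each final ordering, as fractions."""
    counts = Counter(paths)
    total = sum(counts.values())
    return {perm: Fraction(c, total) for perm, c in counts.items()}


def max_bias(dist, n):
    """Largest deviation from the uniform probability 1/n! over all orderings."""
    uniform = Fraction(1, factorial(n))
    return max(
        abs(dist.get(perm, Fraction(0)) - uniform)
        for perm in permutations(range(n))
    )


def entropy_gap(seed_values, deck_size=52):
    """Return (bits in the seed, bits needed to reach every deck ordering).

    A deterministic generator can produce at most `seed_values` distinct
    shuffles, however good the shuffle algorithm is.
    """
    return log2(seed_values), log2(factorial(deck_size))


if __name__ == "__main__":
    n = 3  # small deck so the enumeration is exact and readable
    naive = exact_distribution(naive_shuffle_paths(n))
    correct = exact_distribution(fisher_yates_paths(n))
    for perm in permutations(range(n)):
        print(perm, "naive:", naive[perm], "fisher-yates:", correct[perm])
    print("max bias naive:", max_bias(naive, n))
    print("max bias fisher-yates:", max_bias(correct, n))

    # Assumption: a 32-bit seed, used here only as a constructed figure.
    seed_bits, deck_bits = entropy_gap(2**32)
    print(f"seed: {seed_bits:.1f} bits, 52-card deck: {deck_bits:.1f} bits")
```

The naive shuffle has n**n runs, which is not a multiple of n! for n >= 3, so some orderings must come up more often than others; an audit of a shuffler can run the same enumeration against its actual swap loop on a small deck.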


(I fixed those two typos for you)


You had me at alladvantage

That and netzero. The wild west of the internet.

The only thing missing from your story was Napster


Was this at MIT?


Yes. Did you happen to work with the AllAdvantage anti-fraud team, or know someone in Course 2 at MIT who dropped out of school writing poker bots and AllAdvantage bots?


MIT is (was?) one of the few schools with enough address space to hand out /16's like that.


The frat house getting a /16 and then the ensuing hijinks narrowed down the choices. I would have had MIT at the top of my guesses too.


No, but everything about that story sounded like MIT around the time I was there! Thanks for sharing, took me back.


Now just to find where those missing ipv4 addresses are going along with those missing socks.


Probably lost in the "smart" dryer.


Tbf, front-loading washing machines can suck in socks.

Have had to pull one out of the pump at the bottom. Best part is your clothes are trapped inside with a half load of water. Or you can chance it and hope it can drain a bit at a time over a dozen drain attempts with burning it out.

I suspect another small article of clothing led to a clog in the line (apartment building). Nothing like a whole washing machine load of water back flowing onto your floor.

Fancier machines have an access hole to open up the pump. Annoying models have 3 screws flush with the ground that are nearly impossible to remove without an “airbag” door entry tool. A couple $9 ones from aliexpress can lift my machine and the dryer on top.


Sockbags are a thing...


Please tell me this was a SOCKS pun.


I really like the "Connection reset by beer" pun and it's best used when someone tries to call you while being in a pub.


How about: IP is like SOCKS5, it works great until you add DNS.


That's only an issue for curl, not other SOCKS5 clients like web browsers.


Get out of here with your facts. I want to live in a world where I can believe an individual will get hard time for acquiring too many IP addresses.


This highlights something tangential, but interesting nevertheless: Oftentimes getting embroiled in a civil lawsuit will, if impropriety is uncovered via the process of discovery, lead to separate criminal charges.

The lesson here is that if you have something to hide, and it looks like you're going to be dragged into civil court (especially Federal civil court,) you should rush to settle or beg for arbitration behind closed doors.


Texan billionaire Robert Brockman sued an Australian for stealing $20 million from his trust in 2020 [1].

A few months later, he was indicted for hiding $2 billion of income from the IRS [2]. He died before trial took place anyway.

1- https://amp.smh.com.au/national/australian-barrister-denies-...

2- https://www.justice.gov/opa/pr/ceo-multibillion-dollar-softw...


I wonder if the target of his civil lawsuit could have ratted him to the IRS and collected a whistleblower payment...


how much is that?


Apparently between 15 and 30 percent of the recovered proceeds:

> In general, the IRS will pay an award of at least 15 percent, but not more than 30 percent of the proceeds collected attributable to the information submitted by the whistleblower.

https://www.irs.gov/compliance/whistleblower-office


On (taxes and fines on) 2 billion? That’s practically conspiracy-to-whistleblow territory. Get a couple coworkers to help you collect evidence.


You might be interested to know that there are apparently companies out there that identify people within organizations that may have the access and appropriate demeanor and attempt to get them to whistleblow. It was covered in an episode of Darknet Diaries. https://darknetdiaries.com/transcript/80/


Not barratry, not champerty, is there a term of art for this?


Did he actually die, or conveniently “die”? I guess it’s hard to know.


He'd be 82 so it's not implausible that he actually died last year - though he claimed he couldn't participate in his defense against the IRS charges since he had dementia and the government called 'bullshit' on that. Amusingly, the government has some funny details like he learned that his Bermuda-based co-conspirator had been raided by tax officials while on a fishing trip in Alaska, and then 1 day later emailed a neurologist seeking an appointment to diagnose dementia.

Looks like it was a successful Trump-like attempt to just delay things forever by filing dozens of motions; first mention of a competency hearing was in January 2020, they assigned experts, delayed the examination a bunch of times, appealed certain aspects of it, eventually in August 2020 the experts found him competent, which he then appealed again, and again and again -- after several more hearings and briefs where his lawyers lied about the expert testimony, it was nearly 15 months later that he was formally found competent to stand trial in May 2021.

Vista Partners evaded billions in taxes for almost two decades, it was investigated and exposed in 2018, IRS/DOJ filed charges in 2020, his partner pleaded guilty in late 2020, Brockman was charged in Jan 2021, found competent in May 2022 and then died in August 2022 a free man.

Sounds like a real scumbag.


Sounds alive


I wish the lesson were "If something might be criminal, check first and then don't do it".

Makes you wonder if anyone has started an "AI-powered legal database miner as-a-service" for rent to zealous prosecutors.


Basically everything is criminal in the eyes of the right prosecutor. Narrowly avoiding their gaze is about all you can do.


Having been in the criminal justice system I tell people "don't do anything that might look criminal."

(and don't make enemies of police either, as they can easily set you up/charge you)

You can lose a whole decade of your life in jail waiting for a trial that never comes.

Source: experience.


> or beg for arbitration behind closed doors

Arbitration records aren’t protected from disclosure to law enforcement.


"Not protected from disclosure to law enforcement" is still better than "entered into the public record by default" as a result of being offered as evidence in a civil trial.


All the more so because law enforcement agents would require cause (warrant? subpoena? IANAL) to obtain the records, right?


> law enforcement agents would require cause (warrant? subpoena? IANAL) to obtain the records, right?

No. If I took you to arbitration and think you acted illegally, I can send the case documents to law enforcement. Most people don't do this, because it's a hassle. But if you pissed me off or were morally offensive, hell yes I'm doing it. After that, yes, they need to execute searches to follow up on the information.


> If I took you to arbitration and think you acted illegally, I can send the case documents to law enforcement.

Only if the terms of arbitration allow you to share said documents.


There aren't any terms of arbitration that can prevent you from sharing evidence of a criminal conspiracy with the police.

An NDA cannot stop you from reporting criminal conduct. You can be sued by the criminal for doing so, but this is America, you can be sued for anything by anyone. It doesn't mean that they'll win (And will look a hell of a lot like witness intimidation in their criminal trial.)


Wouldn't it be better to rush to a country without an extradition treaty with the US?


At this point are there any that don’t also have huge problems with blackmail and extortion? It’s like being the weakest pirate on Pirate Island. You might have a bad time.


If I had to guess, no.


Case History: https://www.courtlistener.com/docket/15573090/united-states-...

The delays were partially due to COVID then later he was able to get it caught up with SCOTUS review of criteria for denaturalization.

But geez his backstory is wild. Iranian born, escaped with parents to Dubai. Started his business in his bedroom at 16. Bought quite a rock for his sweetie back in 2012 (https://youtu.be/FhPiC7zC7wA). She divorced him after everything came undone. Apparently they have a lot of stuff in storage in London. Amazing what you can find in 15 minutes with google.


These highly produced videos are the height of ego, eclipsing most instagram personalities


I confess, I had to watch a few minutes. It's exactly as cringe as I imagined.


Wow. I don't know what to say about that video.

I did a crazy stunt proposal, but it wasn't douchey like this. And no photos or video were taken.


> Prosecutors showed that each of those shell companies involved the production of notarized affidavits in the names of people who didn’t exist. As a result, the government was able to charge Golestan with 20 counts of wire fraud — one for each payment made by the phony companies that bought the IP addresses from ARIN.

Golestan created 20 companies under false names. And wrote 1 check from each company. Which means 20 cases of (money) wire fraud.

What’s funny here is the chain of laws used to get to a prosecution. Apparently creating twenty companies under twenty false names was not illegal enough.


It's prosecutorial discretion. Generally speaking, they want to charge things that are a combination of big and easy-to-prove.

There's nothing beyond convention that would stop them from _also_ charging for creating companies under fictitious names, for adding a wire fraud count for every e-mail he sent as one of the people, for not including their real address on any marketing e-mails they sent, etc etc.


I know somebody who basically stole a class A IP network many years ago, in the very early days of IPV4. (He wouldn't tell me which one, but he had inside knowledge of how the system worked, and I know his background, so I believe him. ;)

The huge company that owned it went out of business, so he registered their domain name, and sent in an email to authorize the transfer.

Once you've got a hot class A network on your hands, but don't have 16,777,216 computers to use it, what can you possibly do with it? How do you launder it?

It's not as if you can hide it in your garage, file the serial number off, repaint it, and put them all up for sale on the black market or ipBay individually!

Given that there are 24 bits for host identifiers, the total number of possible addresses in a Class A network is: 2^24 = 16,777,216

However, two addresses within that range are reserved: The "all zeros" host address is reserved as the network address, and the "all ones" host address is reserved as the broadcast address for the network. So count those out.

Therefore, the number of usable IP addresses in a Class A network is: 16,777,216 - 2 = 16,777,214

And at today's price of at least $15 a pop, 16,777,214 addresses × $15/address = $251,658,210

He ended up trading it under the table to a company that could use it, in exchange for the promise of free service for life.


I can believe a class B or C block. They gave those out like candy up until the mid 90's. Class A is hard to believe though. There weren't a ton of those.

I do know folks who have "de facto" control of legacy blocks belonging to defunct organizations. In fact, if you look hard enough, you can find entire ASNs full of them. Basically, IP squatters.


This story is hard to believe as told.

Even back in the early days of the internet, non-government Class A blocks were few and far between. I doubt there was a form you could fill out and authorize a transfer to a random individual by merely having an e-mail address and a domain name.

Even if you could finagle a transfer by impersonating the company via e-mail, that would be a clear case of fraud and theft from the defunct company's assets. You couldn't actually expect to use or sell the block without anyone noticing.

> He ended up trading it under the table to a company that could use it, in exchange for the promise of free service for life.

If the story is true, what likely happened is that they coordinated the actual sale through proper channels and laughed at your friend's fraud, er, antics, choosing to give him a token gesture instead of actually buying anything from him.


The ham radio /8 was also "stolen" and resold, although for a good cause.


Nobody's going to run a /8 on a single LAN segment.

If you want maximum efficiency, your hosts all have RFC1918 IPs and you route the public IP addresses to them. zero wastage, everything usable.


When I went to college in the mid 90's, the entire campus was on a /16, flat network, every machine had a 255.255.0.0 netmask. There was no subnetting, everything was switched (they said "bridged" at the time.)

With today's switches, you could do much crazier things. Definitely not an /8 though.


I have unfortunately seen that many a time.


That's the joke! Imagine not getting caught these days running a giant routable stolen class A network on a single LAN segment. It would require Trump-level audacity!


That’s it? Free service?


The problem is a /8 is too big to transact on. Somebody is going to ask questions, and then the scam will be unwound at best, you'll end up in jail at worst.

If he had taken a defunct entity's /16 (class B), it could probably have been marketed more directly. Although, I'm assuming this was long enough ago that it might have been still quite possible to get a previously unused class B from ARIN.


I’ve mentioned this before on HN but I personally dealt with this guy when I was in NOC at a smaller cloud / dedicated hosting provider. He wanted us to announce a range for him and everything appeared to check out until we got a complaint and we promptly withdrew the announcement while we got to the bottom. This guy wasn’t very pleasant to deal with and he kept coming back trying to get us to announce different IP ranges. He eventually went away as we just kept pushing back.


LOL I used to belong to "alternative asset" investor circles and saw that picture. They were looking for investors to buy/sell IPv4 addresses. Glad I noped out of that one


"Do I look like someone who would commit wire fraud?"


Why do some CEOs take such ... interesting(?) ... photos?

Is it supposed to present him in such a way (other than just me thinking that's odd)?


That looks like an old photo, the dress and hair are very reminiscent of early-mid 00s style.


Article says he's 40. 2023 - 40 is ...

Yeah, that can't be it.


The pic lists his DOB as 1983 so yeah, he looks like he is in his 20s in that pic. I don't understand your point.

Searching his name instantly shows images with a much more contemporary look, and some looking 15+ years older than that of the article's image.

Furthermore the pic in the article lists his title as "Executive Director" and makes reference to his launch of a company in 2005.


CEO is a popular career choice for narcissists.


Given the jail time, I am surprised he wasn't on the Forbes 30 under 30 list.


Well, you see, he's 40.


still time for the 50 under 50!


I'm still hoping to be nominated to the billion under billion.

I'm working on my second million $...

...I gave up on my first.


Don't worry about the money - given that you are presumably under a billion years old, and I am sure you are one of the top billion most remarkable people on earth, you surely deserve a spot!


Move to ipv6 already


One complaint that I have about ipv6 and mac addresses is that they use hex separated by colons. Not only is it way longer than an ipv4 address, you can't rattle one off using a number pad. Back when I did full time IT, that sounds like a nightmare if in ipv6 land you have to enter addresses as commonly as you have to enter ipv4 addresses.


I think 1 IP address per human was short sighted. We ran out before the human population doubled. But I think a billion per human was someone liking powers of two, and nothing more. “Ipv5” with 48 bit addressing would have done pretty well. As 6 octets or 4 base 12. For humans you could reserve all ambiguous addresses and have about 50k times as many addresses while people sort themselves out. You could still be able to see at a glance that they were ipv5 addresses. 1047.258.300.0/24


v4 was 32-bit, v6 was 128-bit. I think that 64 bits is a more obvious happy medium.

Conveniently, 2^13 = 8192 allows you to use most of the information available in four decimal digits. And 64 = 13•5 - 1 means that you get a roughly even division into five address tiers (with either the first or last one half the size). 4095.8191.8191.8191.8191 is a bit worse than 255.255.255.255 but not nearly as bad as ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.


Slightly less annoying than 48 bits, too. Good points.


While I do agree with you, I do think we should be long past the point of needing to manually enter IP addresses. We have several good service discovery protocols, and DHCP and DNS, which are less great but still have pretty good tooling these days.


I am using IPv6 on home network and I don’t know any addresses. Everything picks up the details and assigns address. To access hosts that matter, I use the mDNS names.


When I was in a phase of really enjoying IPv6, I went out and bought one of these: https://ipv6buddy.com

I don't type in many IPv6 addresses anymore, so this doesn't see much use anymore. It does make a great desk nicknack, though!


No way, they're a dime a dozen million. NCP addresses are worth much more, because there were only 256 of them. That's where the big money's at. I saw the classic NCP address 134 (MIT-AI) appraised for millions on the Antique Information Superhighway Road Show.

https://en.wikipedia.org/wiki/Network_Control_Protocol_(ARPA...


ipv6 is such a failure. even if it eventually 'takes over', it's still a failure. It's over-engineered for something customers didn't ask for (an ip address for every grain of sand in the universe).

There's something to be said about a human readable IP address. Where you can't tell a person the address, you have to copy and paste. where you can't infer any information about the IP address just by looking at it. It adds unnecessary overhead to small packets, etc.


Is human readable IP that important though? I mean even though I know about CIDR it's still hard for me to intuitively think about it, and I will say by far the part of kubernetes I dislike the most is figuring out the networking layer design. I feel like the only reason we need human readable IP's in the first place is for understanding all this NAT stuff that we wouldn't particularly need if we had bigger IP ranges


> Is human readable IP that important though?

It kind of is, yes.

But at this point I'll take what I can get. Just give it to me already.


the short answer is yes. the long answer is: are humans involved? yes, then yes.


> It adds unnecessary overhead to small packets

Are you forgetting that NAT exists? IPv4 is barely functional based on how many workarounds we've had to implement over the years


NAT means we can work with IPv4 already and makes IPv6 moot. you just supported my argument.

Honestly, all they had to do was add alpha characters. Just doing so would have given us more IP addresses than we ever needed while keeping it human readable.


IPv6 standard notation already uses alpha characters. Some notations of IPv4 use them too.

"Just adding characters" isn't a solution on its own. IPv4 is 32-bit addresses, IPv6 is 128-bit addresses. That's all there is to that.


Source and destination IP addresses are 32 bit fields in an IP packet.

Where do you propose they put these alpha characters?


I change my default gateway from 192.168.0.1 to C0.A8.00.01. Is the problem fixed yet?


So use onion routing.


you are missing the forest for the trees. the point is, simpler solutions were available.


I'd argue it's you who are focused on trees. Use DNS if you prefer.


Customers never asked for ip addresses at all. They're just a technical requirement for networking.


> an ip address for every grain of sand in the universe

https://en.wikipedia.org/wiki/Observable_universe estimates 10^53 kg in the observable universe.

10^53 kg / 2^128 = 10^14 kg per address, though I have no idea what fraction of the universe is sand.

In practice, the number of allocations is much smaller because IPv6 is effectively a 64 bit address space, with the second half reserved for edge networks.

> There's something to be said about a human readable IP address.

Is 2a01:4f8:1c1c:f6aa::1 really so unreadable, given that every device needs a different number?


The large address space and thus the long addresses are an artifact of optimizing the routing.

I think just saving the endless discussions of "my Xbox only got nat type 2, how do I change it?" alone saves more lifetimes than are lost by c&p addresses (not to speak of the large infrastructure costs of maintaining CGNAT at scale).


No.


> Prosecutors showed that each of those shell companies involved the production of notarized affidavits in the names of people who didn’t exist. As a result, the government was able to charge Golestan with 20 counts of wire fraud — one for each payment made by the phony companies that bought the IP addresses from ARIN.

Should have just walked outside and asked some homeless people to be nominees

And plus he changed to a guilty plea and didn’t wait for the trial

That bolsters my opinion that a small clerical change would have nullified prosecutor’s zeal on the criminal side

Most of this kind of clerical stuff is simply making the exact same action legal by paying attention to the clerical structure


It's a federal case, so he'll have to do at least 85% of that 5 years in prison. Prison sucks horribly, even if you are in a camp like him. Especially if you are smart and techy.

They pushed him into a plea deal though. They were likely to mash all the charges consecutively and he'd be looking at 100 years like Ross Ulbricht if he lost at trial. I know people who have played that game and lost.

What is the deal with the notarized affidavits, though? Each of those is a federal offense which carries 5 years on its own, IIRC.


> federal prosecutors in South Carolina, who in May 2019 filed criminal wire fraud charges against Golestan, alleging he’d orchestrated a network of shell companies and fake identities to prevent ARIN from knowing the addresses were all going to the same buyer.

So the sentence is for the "Scheme", not the "IP Address".

This is pretty unclear if you have only read the title.


What's crazy is this story went even further than what's been disclosed. He had working relations with known scammers/crime groups in the Middle East. If you want to read about how crazy this guy was, read the court docs for his divorce. To say he was a piece of work is an understatement.

Edit: There's also numerous cases ongoing for fraud relating to loans / purchases under these companies. One of the things he did was buy dormant LLCs around the US so they'd have longevity making it easier to secure loans.

Source: Worked with a National Paper on the story back when it started.


Yeah, my initial reading of the headline was that they were being sentenced to be stuck in some IP address scheme for 5 years; I assumed it was a joke about a CEO making a mistake that locked the company into some suboptimal state.


As far as I know the strategy he used - "Shell Companies + Phony Individual Information" can be used to purchase any form of assets. Usually, federal law agencies ignore these activities, mostly because of how difficult it is to prosecute them. I am out of my depth here, but that is what I know. It is illegal but people rarely get punished for it. I don't think he is getting punished for the acquisition part, but for something else.

What makes ARIN so special? I am going to bet for other RIRs this is pretty normal. AFRINIC IPv4 is a hassle to transfer, and ARIN and RIPE IPs are the target. That leaves APNIC and LACNIC.

I believe APNIC allocated MASSIVE IP ranges to government research agencies and government educational institutions which are slowly being traded and re-registered under ARIN and RIPE.


Is the federal govt going to sell the seized IP addresses?

I bet you could get a really good price on them


Bet he made peanuts compared to the 5 years sitting in prison




He pleaded guilty two years ago, why did sentencing take so long?


What was he doing with the IPs? Reselling them?


Spam


5 years in jail seems a bit of an overreaction.


The main element of the crime here was creating imaginary people to 'sign' the affidavits submitted to ARIN. Phony companies, phony people, etc.

Then the jail time is calculated based on the value of what was taken as a result of the fraud.

5 years seems fairly reasonable for a multi-million dollar scheme, involving multiple employees, explicitly designed to defraud.


White collar crime getting a lengthy custodial sentence is not the norm.


But should be ...


Do you have evidence/data to back this up?


My view on it is coloured by the way my country chases down social welfare fraud, but hardly tries with white collar crime which hits the country far harder [1].

The second link [2] is about the US.

[1] https://i.stuff.co.nz/national/crime/300878382/newsable-bill...

[2] https://www.bbc.com/news/world-us-canada-47477754


I guess you missed this part:

> Prosecutors showed that each of those shell companies involved the production of notarized affidavits in the names of people who didn’t exist.


No I didn't. I'm wondering how putting someone that is arguably a smart entrepreneur behind jail for 5 years is going to better our society.

We need to think about the bigger picture and how this fits into rehabilitation.


Smart people who are willing to commit fraud for profit are some of the most dangerous people in our society. Stupid people are limited in the damage they can do.


Because clearly that "smart entrepreneur" has demonstrated that he has no issue willfully committing an elaborate fraud.

It's not a stretch to believe that it's better for society to keep people like this (a combination of high intelligence and low morals) in a place where they can't continue to perpetrate clever schemes.


I'm pretty sure if you have to commit wire fraud to build your business, you can't really claim to be that great an entrepreneur.


It will better our society because it will deter other smart entrepreneurs from committing this kind of blatant fraud. If anyone here is ever tempted to try to acquire an asset under false pretenses, just don't, or prison could be in your future.


I'm all for rehabilitation, but the serious amount of criminal energy that went into this scheme would have been better spent building something useful. A thought clearly lost on this individual. Furthermore, he used his ill-gotten IP addresses to house spammers, which was actively causing harm beyond just hoarding addresses.


Because he’s a criminal cheating society out of public goods for personal gain? What has accelerationism done to your mind?


What a smart entrepreneur he was to commit fraud!


messing up and defrauding that way doesn't negate the fact that you still need to be smart on some level (depending on your definition) to create an IT company.

We should definitely punish the fraud. But also look at rehabilitation.

In this case, we are taking someone that could under the right circumstance be a net positive for society and putting him in jail for 5 years where he will most probably come out as a destroyed human.

I will never understand how people's desire for revenge negates the bigger picture.


> messing up and defrauding ...

When you've created 20 shell companies, I think at this point you've gone beyond "messing up". Just like there's a difference between a crime-of-passion single murder and a serial killer.

Rehabilitation is another issue entirely. I really wish we had a system in place to make that happen, but we don't. Putting him away isn't about revenge at all, at least not to me.


Retribution is an important component of an effective judicial system. It provides approximation of justice (yes) and creates deterrence. Also that was an IT company (or rather many companies) in name only. By that definition those patent troll holdings are “IT companies” too


He didn't 'mess up'. This wasn't an accident. Wire fraud has an intent requirement. The government has to prove beyond a reasonable doubt that the defendant acted with the intent to defraud, specifically, the 'intent to deceive and cheat'.

Not punishing this is the same as allowing it.


> where he will most probably come out as a destroyed human.

This is more evidence of the flaws of the (US, anyway) penal system than an argument against custodial sentences in general, no?

I get where you are coming from, but do you have practical alternatives? A slap on the wrist is probably overall a worse (global) outcome...


> I will never understand how people's desire for revenge negates the bigger picture.

It is more that people tend to be extremely selective about when they see that bigger picture.

There are lots of smart people rotting in prison who committed very similar crimes who never seem to elicit sympathy. Coincidentally, they tended not to be white collar strivers before being busted.


Robbing banks requires a lot of smarts too. Say, why do we put bank robbers in jail when they could be smart entrepreneurs instead?


You are right, and should not be down-dooted.


hackernews.txt


That's in line with US sentencing guidelines[1][2][3]. Most of it came from the fact that the ip addresses were worth millions.

[1] https://www.ussc.gov/guidelines/2021-guidelines-manual/annot...

[2] https://www.ussc.gov/guidelines/2021-guidelines-manual/annot...

[3] https://www.ussc.gov/guidelines/2021-guidelines-manual/annot...


Fines don't work, they are treated like the cost of doing business, and are easy to escape (if the corporation, not the person, is fined, move as much of the money away as possible and have the corporation go bankrupt).

So execs need to consider that serious prison time is a possibility, or there will be no constraints on bad behavior.


If someone walks into a bank and carries out an unlawful scheme (i.e. fake notarized paperwork) that nets millions of dollars, 5 years would be a lenient sentence.

Also, it is 3 years in jail followed by 2 years of supervised release.


>> "Prosecutors estimated those addresses were valued at between $10 million and $14 million."

>> "production of notarized affidavits in the names of people who didn’t exist"

> 5 years in jail seems a bit of an overreaction.

Multiple counts of fraud that would have netted $10M and did net a percentage of that? Breaking the notarization process? By a CEO of a tech company?

5 years seems about right, maybe even too lenient.


This is evil, and I feel zero sympathy.

They should indeed make an example out of him.


He aimed too low.


For fraud?


Can someone explain to me why this super complicated method was needed?

They must limit IP address purchased on a per org / person basis?


> each IPv4 address can fetch between $15-$25

$15-$25? when was that? Currently it's $40-$55 on ipv4.global.


I actually read 4 of the 5 years were for the hair.


If I heard about a system that doesn’t have fraud I think “yet” or “you probably haven’t bothered to look”


At some point I knew enough people who “lost” things and a kleptomaniac or two and it really called into question what “crime rate” means. It’s things people noticed and that they thought they could get the authorities interested in. What’s the real number?


"in a 2020 interview with KrebsOnSecurity, Golestan claimed that Micfo was at one point responsible for brokering roughly 40 percent of the IP addresses used by the world’s largest VPN providers. Throughout that conversation, Golestan maintained his innocence, even as he explained that the creation of the phony companies was necessary to prevent entities like Spamhaus from interfering with his business going forward."

He had to commit fraud, otherwise the business wouldn't work!


It is reasonable to not want your name plastered on a website run by vigilante cyber police who we have given quasi-law enforcement powers and the ability to de facto shut down ISPs (and in one case a ccTLD). It's even more reasonable when you realize they are incorporated in Andorra - good luck suing them if they get something wrong!


I've seen Microsoft, Yahoo and Google all blackhole IP blocks wrongly because they were mixed up with IPs operated by spammers but I've never seen Spamhaus do this, in fact they went absolutely out of their way (without any requests from us) to ensure that our lonely IP on a Toronto ISP that did a lot of shady stuff was excepted.


You and the parent are both correct, which is the problem. Spamhaus is notorious for inconsistent behavior, driven largely by the personal whims of individual employees.


The fact anyone is reading anything from there at all seems better than Google et al.


I find myself looking at the guy's picture and telling myself "of course that is what he looks like!"

But on the flip side, we all know it is a bad idea to judge a book by its cover. How many times can we all recall doing this and feeling bad when our snap judgement was incorrect?

But look at the guy! What is it we are all picking up on in these comments? I am not the only one. Is there something about how he is positioning himself that warrants this? Or do we need to be more aware of our own biases?


I think judging based on the cover is fine when we're judging what the cover is clearly and intentionally trying to communicate to us about the book within.

The pose, the unbuttoned shirt, the hair, those are all conscious choices to communicate a sleazeball personality that probably plays great with his friend/colleague network.

If we were judging someone from a cultural context that's unfamiliar to us or based on irrelevant characteristics like race or gender that would be incorrect and likely biased. But in this case we're just clearly receiving the message he's trying to communicate with intentionality.


There's a difference between physical characteristics and fashion. You should not judge someone by their physical characteristics - by and large that's out of their control. Their fashion, on the other hand, is how they've decided to present themselves, and is absolutely fair game for judgement, especially for things like corporate headshots in which one is very intentionally choosing how they would like to be viewed by the world.

This fellow decided to present himself as something like a cross between a pickup artist and a street magician, which seems like it was pretty on the money.


I suspect it's less his physical characteristics, or even his clothing and jewelry, but almost exclusively his body language that is producing this reaction.


No, it's definitely the accoutrements he decides to wrap himself in.

Normal people don't dress or look like that. It's a choice, and he's using it to communicate and signal non-verbally who he is and what he values.

His clothing, accessory, and hair style choices make him appear like he's about to sell me a used car, or muscle me out of my own company.


He's almost like the caricature image of a techbro douchebag scammer CEO, but then all kinds of people can look like all sorts of things and be far from them. SBF, the biggest techbro douchebag scammer CEO of them all, doesn't really look at all like what he is. He perhaps should have looked more like this guy and a few less people would have been fooled (maybe).


If he was instead featured in a haircut magazine on a table in a SuperClips, it’d be less jarring.


The part I struggle with is what exactly he's trying to say with his dress. Like if it was classically formal, I could see that he's trying to convey maybe a trusted solid businessman. But this is more like.... street magician? I'm all for people doing interesting things with their personal style, but man his style sends a very weird message.


I would wager some of it is from unconscious bias since he is already positioned as a criminal before you even see the photograph. Your brain wants to tell itself that it can identify such criminals so it picks up on what it can.

The rest is very much "oh, this person is now known as a criminal, let me find the most sinister looking photo of them possible."


There is a reason that photo was selected for the article. It definitely amplifies a message.


The photo gives off RapGenius founder vibes (google their photos for anyone not around for the time when the tech media proclaimed that site was going to be the next big thing).


This thread is an almost perfect example of confirmation bias.


Honest question, why are we not all just on IPV6 now? It seems like at this point almost all the underlying hardware and software should support it?

It seems like the only argument for sticking with IPv4 is NAT, but I can't think of a technical reason we couldn't do NAT with IPv6?


NAT is a strong argument against IPv4 -- it's an absolute pain in the ass for bidirectional communication.

Yeah, NAT acts as a de facto firewall, but you can just... use a real firewall.


It's an absolute pain for even single direction communication, as most NATs are going to be stateful — they have to retain, somewhere, the mapping between internal IP/port & external port. And that mapping is in finite memory, and old mappings are usually timed out of it, killing the connection, if there is one.

(You can hack around this with keepalives, but it's just another PITA because of the original sin of breaking the end to end principle.)


Question from an ignorant network person: is IP rotation still common on ipv6? My primary fear with IPv6 is the touted "feature" of every device having an IP. While it's possible, yea, it sounds like a nightmare for privacy and tracking.

Do the proponents of IPv6 also advocate for large ranges of IP rotations to deal with this?


Generally you'd get a network prefix from your ISP of 56 to 60 bits, your router would handle deciding how to make a network out of the remaining 4 to 8 bits of the network part, and then devices would automatically assign themselves unique addresses with the remaining 64 bits for the host part. One thing to note is that devices can and almost always do have multiple IPv6 addresses. Commonly: one for a local only address (like a 10. or 176.16., 192.168. address would be for IPv4), one based on the MAC address of a device, and now one (or a few) that is randomly chosen and periodically cycled to prevent some of the tracking issues you mention. The problem overall though is that the network part of the IPv6 addresses would still be the same and would be similar in tracking capability for a customer/household as how an IPv4 address is with NAT.


Every major OS uses the IPv6 privacy extensions by default. Short version: your device frequently picks a new address at random.


A new address from a prefix that still identifies you? Or a new address from a mixed pool of customers of your ISP?


A new address from the network that your ISP routes to your house. That's basically identical to the way an ISP routes a single IPv4 address to your house.


Is it really? I'm on one right now talking with people across the world.


As a content company who owns ISPs, I would LOVE NATs.

Why? Keeps P2P like BitTorrent, soulseek, gnutella, and newer protocols crippled. And content creators don't want people consuming content other than through themselves.

And a NAT can also differentiate between "consumer household" and "business" - do you get a real IP or not?

It's also why companies like Comcast zero-rate their own content.

EDIT: for you -1'ers: you DO realize that most mega-ISP-content companies want the push-style of the television back, right? And these companies will institute NAT, data caps, and "3 strikes" to boot people off.


> it's an absolute pain in the ass for bidirectional communication

You're right and that's what I love about NAT, IPv6 in contrast is a hacker/spy tracking digital superhighway right through my front door and straight into my devices.


You could assign your devices IPs from fc00::/7 range otherwise known as "Unique local unicast"[1], which is the IPv6 version of 10/8, 192.168/16 and the like.

[1] https://en.wikipedia.org/wiki/Unique_local_address


> IPv6 in contrast is a hacker/spy tracking digital superhighway right through my front door and straight into my devices.

I'm fairly confident that nobody is ever going to scan a single /64 of IPv6 addresses within our lifetimes.

In comparison, scanning the ENTIRE IPv4 internet on a single port can be done by anybody at all and it's going to take about 40 minutes.


That's only true if you don't have a firewall, or yours is misconfigured. "Only allow related" as a default incoming rule works just fine for IPv6.


I'd rather just use a proper firewall I think. One thing that's super annoying about NAT is how hard it makes it to host your own server. I remember setting up FTP on my router at one point, but it was so annoying and flaky that I ended up not using it. But I can't say I'd be that afraid of having an SFTP server on the internet with a strong password and every non-relevant port firewalled. The whole NAT thing doesn't make it any more secure, it's just way more annoying to set up.


Not one bit of that is true or accurate.


Actually, it is, try the test for yourself in your home over a 30 day period. Drop IPv6 at the router and in your main PC and devices by disabling it. At the end of that 30 days, it will become clear that Ad companies were using IPv6 to track people in the household when Ads for things completely unrelated to their interests and related to the other members of the household start showing on each other's PCs and devices.


That's impossible if the devices have privacy extensions enabled, which is the default on all major OSes. My house has a /64 IPv6 prefix. Inside that, the computer I'm writing this on has 8 temporary IPv6 addresses it's using at this moment. An ad company can no more track my individual computer inside my house than it could your computer inside yours. The only difference is that your network is a black box behind public IP 1.2.3.4, and mine is a black box behind public prefix abcd:ef01:2345:6789::/64. (Well, I use IPv4, too, but for the sake of this discussion...)
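
An added example, not part of any comment in this thread: the address layout described above (a routed prefix, then a 64-bit interface identifier that is either MAC-derived or randomly chosen), worked through to show what a remote server can and cannot group on. The addresses are constructed samples under the 2001:db8::/32 documentation prefix and an arbitrary ULA prefix; the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ULA = ipaddress.ip_network("fc00::/7")  # unique local addresses

# Constructed sample: addresses one household's devices hold over a day.
SEEN = [
    "2001:db8:1234:5600:8d2f:41c7:9a03:e6b1",  # temporary (random) address
    "2001:db8:1234:5600:3c91:0be4:77d2:15a8",  # same device, after rotation
    "2001:db8:1234:5600:f0aa:62d9:0c4e:b713",  # another rotation
    "2001:db8:1234:5600:0211:22ff:fe33:4455",  # MAC-derived (modified EUI-64)
    "2001:db8:1234:5601:5e1b:a8c2:4f90:d3e7",  # second subnet, same /56
    "fe80::211:22ff:fe33:4455",                # link-local, never routed
    "fd12:3456:789a:1::10",                    # ULA, never routed
]

def classify(addr_text):
    """Return (scope, interface-id kind, recovered MAC or None)."""
    addr = ipaddress.IPv6Address(addr_text)
    if addr in LINK_LOCAL:
        scope = "link-local"
    elif addr in ULA:
        scope = "unique-local"
    else:
        scope = "global"
    iid = (int(addr) & ((1 << 64) - 1)).to_bytes(8, "big")
    # Modified EUI-64 inserts ff:fe between the MAC halves and flips the
    # universal/local bit. Heuristic: a random identifier matches this
    # pattern by chance about once in 65536.
    if iid[3:5] == b"\xff\xfe":
        mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
        return scope, "eui64", ":".join(f"{b:02x}" for b in mac)
    return scope, "opaque", None

def remote_view(addresses, prefix_len=64):
    """Group globally routable addresses the way a remote log would."""
    view = defaultdict(lambda: {"addresses": 0, "macs": set()})
    for text in addresses:
        scope, _kind, mac = classify(text)
        if scope != "global":
            continue  # link-local and ULA sources never reach the server
        net = ipaddress.ip_network(f"{text}/{prefix_len}", strict=False)
        entry = view[str(net)]
        entry["addresses"] += 1
        if mac:
            entry["macs"].add(mac)  # stable per-device identifier leaked
    return dict(view)

if __name__ == "__main__":
    for length in (64, 56):
        for prefix, info in remote_view(SEEN, length).items():
            print(prefix, info["addresses"], sorted(info["macs"]))
```

Rotating the interface identifier changes nothing about the prefix, so the three temporary addresses collapse into one /64 entry; only the MAC-derived address exposes a stable per-device value.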


> That's impossible if the devices have privacy extensions enabled

Wrong. Try what I said. It was recent enough the results are reproducible.

> An ad company can no more track my individual computer inside my house than it could your computer inside yours.

Yes, they can and my testing showed me, they do:

https://johannaullrich.eu/assets/papers/ullrich2015_raid.pdf


> Wrong. Try what I said. It was recent enough the results are reproducible.

Nope. What really happened is that an ad company might have started collecting information about your IPv6 prefix, precisely like they might store information about your IPv4 address. That's all the information they can reconstruct about the hosts inside your LAN.

The paper you linked showed that if a host uses the method for generating pseudorandom addresses described in RFC 4941 instead of using a completely random one, and if the attacker has a complete history of your generated pseudorandom addresses, and if the attacker has successfully defeated MD5 on a practical time scale, then it's possible that they could guess your future pseudorandom address.

In practice, most OSes generate truly random addresses, and an advertiser doesn't have your complete history of generated addresses, and the advertiser wouldn't spend all those resources to track you specifically anyway. In other words, that 8 year old paper isn't relevant to the situation today.


The barrier for our company is that there's simply not much benefit to upgrading our AWS networking stack from ipv4 to ipv6. It's definitely doable, but there's no real benefit (especially when your infrastructure is behind Cloudflare (or any CDN) which adds ipv6 support for end users without needing the underlying infra to be ipv6).

Even if we were setting up a VPC from scratch, it would probably be ipv4 since it's what everyone knows how to easily do. There's a learning curve with deploying an ipv6 network and very little benefit when it's all behind an ipv6-enabled CDN.


The only reason we're even still on IPv4 is because of NAT. End-to-end connectivity, public IPs everywhere, is how it should work. In the early days, this is how IPv4 worked. I remember having full, publicly routable IPs both at home, school, and work, no NAT. This doesn't mean you shouldn't use firewalls, though many in the early days didn't!


> but I can't think of a technical reason we couldn't do NAT with IPv6

Correct, NAT works fine with IPv6, there just aren't many reasons to use it.

One of the main uses for IPv4 NAT is extending a network without the operator's permission. On IPv6 that can usually be accomplished with ND Proxy.


To first approximation, we are. Essentially all mobile networks are IPv6 now. Many wired client drops are IPv4 NAT behind an IPv6 pipe. Most datacenter-internal communication is IPv6, at least at the big players.

The only regime that is still "IPv4-by-default" is public facing servers, which (obviously) still need to present the old addresses for compatibility.

But that last 5% will still be around until we all die. There are just too many client devices out there that will never get an IPv6 update, and client devices tend to live much, much longer than you (or their designers!) think they should.


I recently switched ISPs and the new ISP gives you an IPv6 address and has their router just hand out IPv6 addresses on your LAN as well. It generally works really really well. The only weirdness I've seen is in Firefox when using DoH and IPv6. Sites like Google or Wikipedia just worked, while others simply don't and because it's DoH in the browser, you can't actually debug the issue all that well. I believe it may be tied to the combination of a specific DoH service and my ISP, but I haven't tested it fully yet.

Why would you want to use NAT with IPv6 though?


> Why would you want to use NAT with IPv6 though?

I imagine it being far simpler for the average person to adopt IPv6 without much research if all of their current firewall rules, including port forwards, work exactly the same as they did with IPv4. You may not need those port forwards without NATs, but do you trust the firewalls on your servers to disallow accessing other ports from outside your local network?


IPv6 is still a mess of compatibility issues, and being an early adopter is not always fun.

I had a really weird problem where Youtube videos were unwatchably laggy on my home desktop PC. Gigabit hard-wired connection. Every other streaming site worked great, ditto every other device I owned. Even downloading the videos on the same device using yt-dlp worked great. After much tearing of hair, I noticed that in the network tab for attempting to watch Youtube, all of the requests for video data that were laggy were going to IPv6 addresses. So I turned off IPv6 at my network adapter and everything worked great after that. I guess Youtube and that PC and browser were the only things that supported v6, every other site, device, and Python dropped to v4 and worked fine.

I guess I could dig deeper into what really went wrong and try to fix it, but I feel like I've already spent enough time and headaches on it. The off switch is just easier.


Big cloud providers have good IPv6 support. The long tail is terrible. We work with ~200 different hosting providers, half of them have no IPv6 support at all, another ~15% it only works occasionally and they clearly don't monitor it.

There's also a fair number of still popular libraries and frameworks that don't handle IPv6 well. Maybe not in their latest release, but in their more popular older ones.


In large part, because of ISPs. There are big costs to the transition that none of their clients care about.

Besides, NAT gives ISPs insight into their users (number of devices, services running on devices, how much traffic each service uses, etc). So you can probably do regional pricing based on that and some other things.


> but I can't think of a technical reason we couldn't do NAT with IPv6?

We absolutely can do NAT with IPv6, but there's no reason why anyone should (aside from stateless NAT66 in case you get a dynamic prefix that changes every now and then, but that's about the only use case).


The effort required to make a company IPv6-enabled is not to be underestimated.


Good thing people have had years, even decades, to make it happen, then.


I assume IPv6's are less trusted by spam filters.


Legitimate question: how do I get myself some IPv4 address space, and then how do I use it with my AWS, Hetzner, etc.?


Minimum range you can actually own is /24 so at current prices you’re looking at $10-20k minimum. Not sure about Hetzner but AWS can use BYO address space.


Good article on this topic: https://quantum5.ca/2023/10/10/what-i-wish-i-knew-when-i-got...

Recently, I've created an interactive map of all IPv4 addresses, PTAL: https://reversedns.space/



