Hostexploit report/Intercage/Esthost

Konstantin Poltev kokach.esthost at gmail.com
Mon Oct 13 14:30:07 UTC 2008


Hello,



My name is Konstantin Poltev and I'm with Esthost. I'd like to ask

you to read through this email before hastily replying.



As you are probably aware, Esthost has been accused of pretty much every

mortal sin - from cybercrime to being KGB-sponsored part of Russian

Business Network involved in information warfare against Georgia [R1].



However, that's just one side of the story. I'd like to present our side,

in this email, and in person - I am right here at NANOG, ready to answer

your questions.



I've initially planned to make a short presentation during security BOF,

but decided against it - I believe tempers are still too hot to hear our

side of the story, also, my English is not quite as good to be able to

stand up before 1000 people.



However, I'll be around, in the hotel bar, should anyone want to ask me

any questions in person - or should any law enforcement officer wish to

arrest me :)



Now, on to the story:



First, few words on the "community police" that is accusing us of all the

misdeeds. The accusations initially were made by (anonymous) John Reid

from Spamhaus, then continued with anonymous rbnexploit blog, then by Jart

Armin from the "hostexploit". All of those are (to my knowledge) are very

much anonymous.



I'd love to debate the report and their accusations, in public, but,

regretfully, I don't see this happening anytime soon - while I'm very much

willing to travel to US and subject myself to US jurisdiction, my accuser

John Reid in Spamhaus is anonymous, and Spamhaus itself claims not to be

subject to any US laws, where it clearly does business. It begs the

question - how come the alleged "criminals" are so brazen, and alleged

"community police" so anonymous? One possible conclusion is that there's

no evidence of a crime, and "community police" is nothing short of a lynch

mob, that needs no evidence, heeds no laws, and acts as a judge, jury and

executioner. However, more on spamhaus later.



Finally, the last point was the publication of an article in Washington

Post by Brian Krebs. Brian, as it appears, has commissioned the

hostexploit report, and it makes a wonderful media story - you have

full-on thriller, with cybercriminals out of Estonia being aided by

corporations small and large in US - it doesn't get any better than that.

Unfortunately, said report is full of unsubstantiated allegations - in

fact, not just unsubstantiated, but clearly known to be false to anyone

who is actually in the industry (more on this later).



Brian has attempted to ask us for our side of the story. However, the

questions asked were "How many EstHost employees have graduated the KGB

military public information school?", "How often does KGB/GRU/FSB ask

Esthost to implement special measures against Western visitors", "Does

Esthost provide GRU/SVR with information about Western visitors", "What

percentage of Est's revenue is reinvested by FSB into Est's

infrastructure".



I'm dead serious - those were the questions - I can't make this up.  You

can draw your own conclusions on Brian's bias and the desire of a

sensational story.



I'd like to point out that Esthost doesn't hide behind anonymity - names

of the owners of Esthost are well known, and we live in Estonia, which,

despite what you think, is as much of a Western-world country with rule of

law as, say, France or Germany - with criminal police, extradition

treaties, Interpol membership, etc.



What is the truth?



We have no affiliation with "Russian Business Network"  (if there ever was

such a thing). We have no affiliation with Emil or Atrivo (other than

being an ex-customer). We have no affiliation with HostFresh. We don't

know what *they* do with their network, or their abuse complaints - we can

only speak for ourselves.



Onto the discussion of the "hostexploit report" itself: I am surprised

that it appears that nobody actually have taken time to read the report -

as inaccuracies are glaring enough to be immediately noticable. Report is

hardly "unbiased" - it is a very beautifully typeset piece whose purpose

is to smear our company (and our vendors' vendors' vendors, and our

customers, and just about anyone else, maybe short of the guys who deliver

pizza to our office).



As I point out flaws in the report, I'd like to again emphasize, we are

not atrivo. I believe Emil and Atrivo were unfairly smeared, and as much

as Esthost, they deserve fairness, although I can't speak for the rest of

Atrivo's customers, not affiliated with Esthost. Report itself is located

at: http://hostexploit.com/downloads/Atrivo%20white%20paper%20082808ac.pdf



First part of report is fluff - using spamhaus pages as evidence of

wrongdoing.



Let's start with obvious:



****** Page 16 - the page with the actual data:



Google has 4 times more infections than Atrivo, and approximately same

infection rate. Are they also cyber-criminals?  Chinanet-backbone - has 48

times number of Atrivo's infections - they are here at NANOG, are they

being asked what are *they* doing about the abuse?  INETWORK-AS, twice the

infections in quarter of Atrivo's space, 65% infection rate - what about

them?  Theplanet and Softlayer, *three* times the number of infections?

EV1, twice the number of infections, and similar infection rate as Atrivo?



The only pattern that I can draw is all the other companies are large

businesses - who wouldn't take kindly to being smeared. It is far easier

to scapegoat a small Estonian company and blame it on them.



****** Page 17:



Claims that Broadwing is AS3356 (...!), and is "Atrivo - directly

controlled /managed".



Claims that Nlayer has control of 5,916,928 IP addresses. While I'm sure

this is unintentional copy-paste thing, it shows lack of technical review

of this report.



****** Page 13: Claims that "Atrivo requires internet connectivity from

ThePlanet". Again, I'm not Emil, but I'd find it unlikely that he'd buy

from his direct competitor. Claims that 1546 of privacyprotect sites are

"ThePlanet sponsored" - I assume they meant hosted at ThePlanet. How does

it demonstrate Planet's complicity, I don't know.



****** Page 6:  Claims that "AS 4657 Singapore based providing collocation

for Atrivo". That's a naked assertion, and fails the "oh really" test.

(Again, not speaking for Emil, he *might* have colocation in China, but

that's pretty damn unlikely!)



****** Page 7: "AS 36445 a newer Autonomous Server apparently used by

Cernal". I assume the author meant "Autonomous System", just another

questionable "technical" moment.  Claims that "Estdomains is an anonymous

registrar and "Esthost" is anonymous hosting" - I don't really know where

to start. We don't provide anonymous hosting, any more than Yahoo! does.



****** Page 26:  "It should be further noted some of the adult sites

hosted are either border line or are within known blacklists of

pedo-pornographic web sites (Note: this topic is outside the remit of this

study, however details have been passed to appropriate third parties)".

This is a very serious accusation - and it seems to be thrown very lightly

with disregard for possible consequences. If it is actual child

pornography, knowingly hosted by Atrivo, it has very direct consequences

for Emil.



Across the entire report, Hostexploit has made allegations of Esthost

being affiliated with DirectI, and of DirectI being a willing participant

in our "crimes". Within a week, Hostexploit had to withdraw those claims -

I can only presume due to pressure from DirectI and its lawyers.



Regarding "cybercriminals" and calls for community to "take action"

against those who allegedly "provide transit" to cybercriminals - I'd like

to point note that neither we, nor any of our customers, have been

convicted (or even accused) in any court of law of any misdeeds.



Spamhaus made claims [1] that: "We assume that every law enforcement

agency with a cyber-crimes division has a dossier bursting at the seams on

Atrivo/Intercage and its tentacles such as Esthost, Estdomains, Cernel,

Hostfresh". Well, I'm right here in LA - if there's actual evidence, I

have no doubt that law enforcement will act. However, I think this is

highly unlikely.



I won't deny that we *did* have abuse issues - that is the problem when

your customers are mostly located in Eastern Europe - there are quite a

few bad apples. Payment systems used in Eastern Europe tend to favor

anonymity - which, obviously is also favored by criminals. However, it's

the exception and not a rule. We've stopped accepting all anonymous

payment systems quite awhile ago, and have new arrangement with one of

Russia's largest payment systems where, if we report abuse, they will lock

the criminal's account and accounts linked to it.



We've always reacted expediously against abuse - every email that we

received we've reacted to. We've implemented a anti-fraud system that

links billing accounts to hosting accounts to domains, and if one domain

is involved in abuse, everything "linked" to it is investigated and

suspended/terminated. This is hard for a small company to do - due to

intense competition in the registrar arena, profit margins are very slim.



I'd like to finish with this - cybercrime is our common enemy. We'd like

to be a part of a solution - and we are playing our part, as much as a

small organization can do. If anyone wishes to discuss any of the above,

or give us suggestions on what more could we do to fight spam/etc, I'll be

around later on in the hotel bar area, just look for my nametag.

However, I won't be there at all the time, in case you want to talk, kindly

drop me an email and we'll figure out a time to meet.



Thanks for reading so far, I know it's a long email. I hope to see you

later at the conference.



Kind regards,

Konstantin







[R1]

http://rbnexploit.blogspot.com/2008/08/rbn-georgia-cyberwarfare-continuation

.html



[1] http://www.spamhaus.org/news.lasso?article=636



More information about the NANOG mailing list