Hostexploit report/Intercage/Esthost
Konstantin Poltev
kokach.esthost at gmail.com
Mon Oct 13 14:30:07 UTC 2008
Hello,
My name is Konstantin Poltev and I'm with Esthost. I'd like to ask
you to read through this email before hastily replying.
As you are probably aware, Esthost has been accused of pretty much every
mortal sin - from cybercrime to being KGB-sponsored part of Russian
Business Network involved in information warfare against Georgia [R1].
However, that's just one side of the story. I'd like to present our side,
in this email, and in person - I am right here at NANOG, ready to answer
your questions.
I've initially planned to make a short presentation during security BOF,
but decided against it - I believe tempers are still too hot to hear our
side of the story, also, my English is not quite as good to be able to
stand up before 1000 people.
However, I'll be around, in the hotel bar, should anyone want to ask me
any questions in person - or should any law enforcement officer wish to
arrest me :)
Now, on to the story:
First, few words on the "community police" that is accusing us of all the
misdeeds. The accusations initially were made by (anonymous) John Reid
from Spamhaus, then continued with anonymous rbnexploit blog, then by Jart
Armin from the "hostexploit". All of those are (to my knowledge) are very
much anonymous.
I'd love to debate the report and their accusations, in public, but,
regretfully, I don't see this happening anytime soon - while I'm very much
willing to travel to US and subject myself to US jurisdiction, my accuser
John Reid in Spamhaus is anonymous, and Spamhaus itself claims not to be
subject to any US laws, where it clearly does business. It begs the
question - how come the alleged "criminals" are so brazen, and alleged
"community police" so anonymous? One possible conclusion is that there's
no evidence of a crime, and "community police" is nothing short of a lynch
mob, that needs no evidence, heeds no laws, and acts as a judge, jury and
executioner. However, more on spamhaus later.
Finally, the last point was the publication of an article in Washington
Post by Brian Krebs. Brian, as it appears, has commissioned the
hostexploit report, and it makes a wonderful media story - you have
full-on thriller, with cybercriminals out of Estonia being aided by
corporations small and large in US - it doesn't get any better than that.
Unfortunately, said report is full of unsubstantiated allegations - in
fact, not just unsubstantiated, but clearly known to be false to anyone
who is actually in the industry (more on this later).
Brian has attempted to ask us for our side of the story. However, the
questions asked were "How many EstHost employees have graduated the KGB
military public information school?", "How often does KGB/GRU/FSB ask
Esthost to implement special measures against Western visitors", "Does
Esthost provide GRU/SVR with information about Western visitors", "What
percentage of Est's revenue is reinvested by FSB into Est's
infrastructure".
I'm dead serious - those were the questions - I can't make this up. You
can draw your own conclusions on Brian's bias and the desire of a
sensational story.
I'd like to point out that Esthost doesn't hide behind anonymity - names
of the owners of Esthost are well known, and we live in Estonia, which,
despite what you think, is as much of a Western-world country with rule of
law as, say, France or Germany - with criminal police, extradition
treaties, Interpol membership, etc.
What is the truth?
We have no affiliation with "Russian Business Network" (if there ever was
such a thing). We have no affiliation with Emil or Atrivo (other than
being an ex-customer). We have no affiliation with HostFresh. We don't
know what *they* do with their network, or their abuse complaints - we can
only speak for ourselves.
Onto the discussion of the "hostexploit report" itself: I am surprised
that it appears that nobody actually have taken time to read the report -
as inaccuracies are glaring enough to be immediately noticable. Report is
hardly "unbiased" - it is a very beautifully typeset piece whose purpose
is to smear our company (and our vendors' vendors' vendors, and our
customers, and just about anyone else, maybe short of the guys who deliver
pizza to our office).
As I point out flaws in the report, I'd like to again emphasize, we are
not atrivo. I believe Emil and Atrivo were unfairly smeared, and as much
as Esthost, they deserve fairness, although I can't speak for the rest of
Atrivo's customers, not affiliated with Esthost. Report itself is located
at: http://hostexploit.com/downloads/Atrivo%20white%20paper%20082808ac.pdf
First part of report is fluff - using spamhaus pages as evidence of
wrongdoing.
Let's start with obvious:
****** Page 16 - the page with the actual data:
Google has 4 times more infections than Atrivo, and approximately same
infection rate. Are they also cyber-criminals? Chinanet-backbone - has 48
times number of Atrivo's infections - they are here at NANOG, are they
being asked what are *they* doing about the abuse? INETWORK-AS, twice the
infections in quarter of Atrivo's space, 65% infection rate - what about
them? Theplanet and Softlayer, *three* times the number of infections?
EV1, twice the number of infections, and similar infection rate as Atrivo?
The only pattern that I can draw is all the other companies are large
businesses - who wouldn't take kindly to being smeared. It is far easier
to scapegoat a small Estonian company and blame it on them.
****** Page 17:
Claims that Broadwing is AS3356 (...!), and is "Atrivo - directly
controlled /managed".
Claims that Nlayer has control of 5,916,928 IP addresses. While I'm sure
this is unintentional copy-paste thing, it shows lack of technical review
of this report.
****** Page 13: Claims that "Atrivo requires internet connectivity from
ThePlanet". Again, I'm not Emil, but I'd find it unlikely that he'd buy
from his direct competitor. Claims that 1546 of privacyprotect sites are
"ThePlanet sponsored" - I assume they meant hosted at ThePlanet. How does
it demonstrate Planet's complicity, I don't know.
****** Page 6: Claims that "AS 4657 Singapore based providing collocation
for Atrivo". That's a naked assertion, and fails the "oh really" test.
(Again, not speaking for Emil, he *might* have colocation in China, but
that's pretty damn unlikely!)
****** Page 7: "AS 36445 a newer Autonomous Server apparently used by
Cernal". I assume the author meant "Autonomous System", just another
questionable "technical" moment. Claims that "Estdomains is an anonymous
registrar and "Esthost" is anonymous hosting" - I don't really know where
to start. We don't provide anonymous hosting, any more than Yahoo! does.
****** Page 26: "It should be further noted some of the adult sites
hosted are either border line or are within known blacklists of
pedo-pornographic web sites (Note: this topic is outside the remit of this
study, however details have been passed to appropriate third parties)".
This is a very serious accusation - and it seems to be thrown very lightly
with disregard for possible consequences. If it is actual child
pornography, knowingly hosted by Atrivo, it has very direct consequences
for Emil.
Across the entire report, Hostexploit has made allegations of Esthost
being affiliated with DirectI, and of DirectI being a willing participant
in our "crimes". Within a week, Hostexploit had to withdraw those claims -
I can only presume due to pressure from DirectI and its lawyers.
Regarding "cybercriminals" and calls for community to "take action"
against those who allegedly "provide transit" to cybercriminals - I'd like
to point note that neither we, nor any of our customers, have been
convicted (or even accused) in any court of law of any misdeeds.
Spamhaus made claims [1] that: "We assume that every law enforcement
agency with a cyber-crimes division has a dossier bursting at the seams on
Atrivo/Intercage and its tentacles such as Esthost, Estdomains, Cernel,
Hostfresh". Well, I'm right here in LA - if there's actual evidence, I
have no doubt that law enforcement will act. However, I think this is
highly unlikely.
I won't deny that we *did* have abuse issues - that is the problem when
your customers are mostly located in Eastern Europe - there are quite a
few bad apples. Payment systems used in Eastern Europe tend to favor
anonymity - which, obviously is also favored by criminals. However, it's
the exception and not a rule. We've stopped accepting all anonymous
payment systems quite awhile ago, and have new arrangement with one of
Russia's largest payment systems where, if we report abuse, they will lock
the criminal's account and accounts linked to it.
We've always reacted expediously against abuse - every email that we
received we've reacted to. We've implemented a anti-fraud system that
links billing accounts to hosting accounts to domains, and if one domain
is involved in abuse, everything "linked" to it is investigated and
suspended/terminated. This is hard for a small company to do - due to
intense competition in the registrar arena, profit margins are very slim.
I'd like to finish with this - cybercrime is our common enemy. We'd like
to be a part of a solution - and we are playing our part, as much as a
small organization can do. If anyone wishes to discuss any of the above,
or give us suggestions on what more could we do to fight spam/etc, I'll be
around later on in the hotel bar area, just look for my nametag.
However, I won't be there at all the time, in case you want to talk, kindly
drop me an email and we'll figure out a time to meet.
Thanks for reading so far, I know it's a long email. I hope to see you
later at the conference.
Kind regards,
Konstantin
[R1]
http://rbnexploit.blogspot.com/2008/08/rbn-georgia-cyberwarfare-continuation
.html
[1] http://www.spamhaus.org/news.lasso?article=636
More information about the NANOG
mailing list