Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

Ronald F. Guilmette rfg at tristatelogic.com
Tue Aug 13 19:17:24 UTC 2019


In message <D9973D64-91AB-4380-B5E8-DEE173726CC0 at arin.net>, 
John Curran <jcurran at arin.net> wrote:

>On 9 Aug 2019, at 4:09 PM, Ronald F. Guilmette <rfg at tristatelogic.com> wrote:
>> ...
>> Unfortunately, we cannot read too much into this change that was made
>> to the block's public-facing WHOIS record.  Neither the new WHOIS info
>> nor even the old WHOIS info can be used to reliably infer who or what
>> is the legitimate registrant of the block at any point in time.  This
>> is because ARIN, like all of the other Regional Internet Registries,
>> allows registrants to put essentially any bovine excrement they desire
>> into their public-facing WHOIS records.
>
>That is not the case – ARIN confirms the legal status of organizations
>receiving number resources. 

This is NOT the message that I got from our recent discussion of the giant
Micfo fraud on the ARIN Public Policy Mailing List.  When I raised
questions about why various of the Micfo phoney baloney shell companies
had blocks with WHOIS records saying they were located in states that
they were obviously not located in, I believe that you said that once
a block has been allocated, by ARIN, to some (properly vetted) entity,
that after that point in time, the entity could -change- the relevant
WHOIS record to say any bloody thing it wanted, and that such -changes-
to ARIN WHOIS records are not vetted in any way.

If I got the Wrong Impression from your prior statements, then by all
means, please do correct me.  And then please do explain why several of
the Micfo phony shell companies did in fact have WHOIS records for ARIN-
issued IPv4 space that gave street addresses in states where none of these
phony shell companies were actually registered to do business.

>> (And, it should be noted, the
>> man behind the recent large scale "Micfo" fraud apparently availed
>> himself of this exact opportunity for subterfuge, in spades.)
>
>As previously noted on this list, such was only possible because of the
>use of falsely notarized documents. 

I -do- understand that the fraudulent documents that were originally
presented to you/ARIN provided information indicating that the phoney
Micfo shell companies -did- actually exist in -some- state (Delaware?),
and that ARIN -did- verify, to the best of its ability, that those
companies -did- exist, legally speaking, in their originally declared
home state(s).  But that fact is just skirting the real issue here,
which is the question of whether or not ARIN even looks at -changes-
that a registrant may make to the WHOIS records (e.g. for IPv4 blocks)
-after- those blocks have been assigned.

It appears from where I am sitting that ARIN does not do so.  And thus,
I stand by my comment that a registrant -can- in fact put any bloody
nonsense they want into their WHOIS records, at least as long as they
do it via -changes- and not in the original/initial WHOIS records.

>> Regardless, the available records suggest that there are only two likely
>> possibilities in this case:
>>
>> {trimmed}
>>     1) 216.179.128.0/17 was transferred in violation of ARIN policy.
>>
>>     2) The current WHOIS for 216.179.128.0/17 is simply fraudulent.
 
>That is easy to address:  submit a fraud request, and it will be reviewed
>and corrected if it was done fraudulently.

I would do that, but for the following four things:

    1)  ARIN is not the Internet Police and has no power to affect routing
        decisions of anybody.

    2)  Getting the info out here, on the NANOG list, allows people to make
        up their own minds and to ignore the relevant route announcements
        and/or cease peering if they are persuaded that 216.179.128.0/17
        is likely a source of "undesirable" packets.

    3)  An investigation by ARIN of 216.179.128.0/17 could take weeks or
        perhaps even months.  In contrast, packets, including bad ones,
        travel from one end of the planet to another in milliseconds.
        ARIN and its careful review processes are a sure and steady and
        reliable check on fraudulent behavior over the longer term.  But
        they will not do much to address the bad packets that may be
        flowing out of 216.179.128.0/17 this week, or even next.

    4)  Filing a "fraud request" with ARIN is a serious step and one that
        could quite conceivably end up with the party filing such a formal
        report being on the business end of lawsuit, just for having filed
        such a report.

        Does ARIN indemnify the parties who file such reports against such
        claims, as ARIN is currently asking ARIN-region networks to do for
        ARIN if they want to avail themselves of the added security of RPKI?


Regards,
rfg
