The Curious Case of 143.95.0.0/16
Mel Beckman
mel at beckman.org
Wed Aug 28 13:24:08 UTC 2019
Ronald,
I have one question, “of late”, regarding your post: Is it “Antia” or “Anita”?
:)
-mel
> On Aug 27, 2019, at 11:27 PM, Ronald F. Guilmette <rfg at tristatelogic.com> wrote:
>
> Fair Warning: Those of you not enamored of my long-winded exposés of
> various remarkable oddities of the IPv4 address space may wish to click
> on the tiny little wastebasket icons on your mail clients at this
> point. For the rest of you, please read on. I think you may find the
> following story intriguing. It contains at least a few surprising
> twists.
>
> +_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_
>
>
> Our story today consists of three acts.
>
>
> Act 1 - It is Born
> ------------------
>
> In mid-February of 1990 a new venture-capital backed company was formed in
> Sunnyvale, California. In some ways it was no different than the hundreds
> or thousands of hopeful high-tech startups that had been formed in Silicon
> Valley, both before and since. It started with a hopeful dream that, in
> the end, just didn't work out.
>
> The founders of this company settled initially on a temporary placeholder
> company name, XYZ Corporation:
>
> https://drive.google.com/file/d/1CkDNKq4M1DQKuTxBBhlYxUNAjU2cvDnY/view
>
> The mission of the company was to design and manufacture so-called X-Windows
> terminals. These would be diskless workstations, complete with CPUs, color
> (CRT) displays, graphics, memory, and an ethernet interface. The basic
> idea what that such a diskless workstation could run the free X-Windows
> client software, and that the system would be cheaper than ordinary PeeCees
> due to it not having any hard drives or optical drives.
>
> By some odd twist of fate, I myself was working in the same geographic area
> as a software engineer at around the same time, but I worked for a different
> Silicon Valley startup, just down the road from XYZ Corporation. And by a
> rather remarkable coincidence, the company I worked for had exactly the
> same goal and mission as the XYZ Corporation. The name of this other
> X-Windows workstation startup was Network Computing Devices, or just "NCD"
> for short.
>
> Quite obviously, both companies were inherently "network-centric" and thus,
> both requested and were granted blocks of IPv4 addresses. That wasn't at
> all within my area of responsibility at NCD, so I don't know who actually
> issued those blocks. My guess, based on published historical accounts,
> was that it was most probably Dr. Jon Postel who assigned the blocks. I'm
> sure that someone will correct me if I'm wrong.
>
> Months passed, and eventually the founders of XYZ Corporation settled on
> something they would use as a permanent replacement for their temporary
> placeholder corporate name. They decided to call the thing Athenix, Inc.
> Once they had settled on that name, they filed papers to update their
> records with the California Secretary of State's office:
>
> https://drive.google.com/file/d/1dUjsvSkzzdzUsIbIZCS7RF0afsI3uU0l/view
>
> At some point, they also and likewise updated the ARIN WHOIS record for the
> /16 block which had been assigned to them, on or about 1990-09-06, as was
> appropriate to reflect their new permanent corporate identity:
>
> https://pastebin.com/raw/YbH6zYrR
>
> More time passed and eventually it became clear that the entire world was
> not in fact breathlessly waiting for -two- companies to bring to market
> diskless X-Windows workstations. In fact, as history now shows, market
> demand would not support even one such company over the long term.
>
> Thus it came to pass in the year 1993 that an all-too-familiar end-of-life
> ritual played out once again in Silicon Valley. At Athenix, Inc. HQ in
> Sunnyvale, the people were all let go, including the founders. The desks,
> the chairs, the phones, the computers, and the tools were all sold at
> auction, with the proceeds going to the preferred shareholders, i.e. the
> poor fools who had put up all of the money for this now-failed venture in
> the first place, the venture capitalists. Foremost among those in this
> instance, was the venerable Menlo Park venture capital firm Kleiner Perkins.
>
> I've confirmed this historical account of the rise and fall of the original
> 1990-vintage Athenix, Inc. in multiple phone and email exchanges with both
> the original CEO of the original Athenix, Mr. Robert ("Bob") Garrow. lately
> of Los Altos, California, and also the original CTO of the company, Mr. John
> Garman, lately of Reno, Nevada.
>
>
> Act 2 - Rebirth - The Athenix Phoenix
> -------------------------------------
>
> Fast forward fifteen years. On April 22, 2008 a pair of gentlemen in
> the Commonwealth of Massachusetts elected to establish a new corporate
> entity within the commonwealth. It's name would be Athenic, Inc.[1]
>
> https://drive.google.com/file/d/1jYUqtgYprI4iyJkTT91-yRBYJt0c2ufF/view
> https://drive.google.com/file/d/1mlVML8z7vzp7aeGmOK-3cWBBJeNBuThn/view
>
> As you can see in the documents above, a certain Mr. Ofer Inbar and a certain
> Mr. Robert Anita, both of the greater Boston area, formed this new corporate
> entity in Massachusetts. At its formation, the younger Mr. Inbar was the
> President, while the more senior Mr. Antia served as the corporate secretary
> and treasurer.
>
> Various other records, which I shall not include here, suggest that both Mr.
> Inbar and Mr. Anita were at some point in the distant past affiliated, in
> at least some tangential way, with the well-regarded white-hat Boston area
> hacking collective known as L0pht, aka L0pht Heavy Industries. I cannot
> say much about this apparent connection, other than to say that the details
> I have ferreted out about this connection are sketchy at best.
>
> I do however have it on reasonably good authority that Mr. Inbar has of late
> relocated to the greater Seattle metropolitan area, and that he is or was
> working as a network administrator for Google, Inc. in that area. Mr. Antia,
> in contrast, is still, when I last checked, a resident of the greater Boston
> area, and is a well regarded "graybeard" in the computing community in and
> around Boston, having been in the business, one way or another, for decades.
> Mr. Anita currently serves as President of the Boston area chapter of the
> public/private critical infrastructure cybersecurity defense partnership
> known as InfraGuard.
>
> https://infragard-boston.org/
>
> The evidence currently available to me suggests that not long after the
> creation of Mr. Inbar's and Mr. Antia's Massachusetts Athenix, Inc., ARIN
> elected to delegate responsibility for the reverse DNS for the 143.95.0.0/16
> IPv4 block to a pair of name servers called dns1.athenixinc.com and
> dns2.athenixinc.com. That delegation was already in place by 2010-06-24,
> which is about the time that Farsight Security Inc., my data source, first
> began passively collecting its historical archives of DNS response records.
>
> Historical records made available to me by Domaintools, LLC indicate that
> the athenixinc.com domain name was, at least initially, registered to Mr.
> Anita in Lincoln, Massachusetts.
>
> https://pastebin.com/raw/GNhbFDFz
>
> Subsequent historical WHOIS data collected by Domaintools in relation to
> the athenixinc.com domain name shows that after Mr. Anita, the domain name
> registration passed into the hands of at least one other individual, and
> eventually, to an entirely different corporate entity. We will come to
> that shortly.
>
> Almost a year ago now, when I was first investigating the 143.95.0.0/16
> block, I attempted to interview Mr. Inbar by phone regarding his and Mr.
> Anita's Athenix, Inc. and the unusual history of the 143.95.0.0/16 block.
> It did not go well. Mr. Inbar was apparently reluctant to engage with
> me by phone on these or any other topics. He and I did have a few brief
> and truncated email exchanges after that however, but apparently my
> questions regarding how Mr. Inbar and Mr. Anita came to exercise effective
> day-to-day control over the 143.95.0.0/16 ARIN legacy block were not ones
> that Mr. Inbar felt in any way obliged to answer, and at some point he
> simply ceased answering my emails.
>
> In contrast, Mr. Antia was a veritable fount of information and he and I
> had multiple phone conversations as well as multiple email exchanges. From
> these exchanges I quickly deduced that Mr. Antia saw absolutely nothing
> wrong with, much less anything at all to be shy about with respect to the
> history of the 143.95.0.0/16 block -or- his formation, along with Mr. Inbar,
> of a new Athenix, Inc. in Massachusetts back in in 2008. Quite the contrary!
> Mr. Anita was kind enough for forward me a copy of the following really
> rather remarkable lease agreement, in which Mr. Inbar and Mr. Anita together
> undertook to lease the 143.95.0.0/16 IPv4 block to a certain Nevada-
> incorporated and Colorado-resident limited liability company known as
> Media Breakaway, LLC:
>
> https://drive.google.com/file/d/1ASXrUsiNAIq1IIZO5Lw1BqjD1qucqFmI/view
>
> As you can see, the term of the lease is 20 years, beginning from the 28th
> day of May, 2008. The compensation to be paid to Mr. Inbar's and Mr. Anita's
> Massachusetts Athenic, Inc. in return for this 20 year leasehold was to be
> $100,000 USD As Mr. Anita related to me, this sum was in fact paid, and Mr.
> Inbar and Mr. Anita split it evenly. (But of course, I have no way to
> independently verify that.)
>
> For those unaware, I pause here just long enough to note that the CEO
> of Media Breakaway, LLC is none other than Mr. Scott Richter, one-time
> "Spam King" and a man who both Wikipedia and the KrebsOnSecurity blog
> have asserted is a convicted felon. And of couurse, this is the very same
> Scott Richter who figured so prominently in Brian Krebs' report about
> pilfered legacy ARIN /16 blocks, published on the Washington Post, way back
> in April, 2008.
>
> Of course, in my phone conversations with Mr. Anita, I acquainted him with
> these relevant historical allegations. He confessed at the time that he
> had not personally done much at all in the way of due diligence with respect
> to either Mr. Richter or his company -- a lapse which I personally found
> (and find) quite unfortunate, to say the least, and not least because of
> Mr. Anita's position as the President of the Boston Chapter of Infraguard,
> the public/private partnership whose mission is the protection of the
> nation's critical infrastructure assets from cyber-threats. I would have
> hoped that a person in such a position would have been in the general
> habit of exercising at least some due diligence with respect to the people
> he does business with and, in this specific instance, preferably at some
> moment *before* Mr. Anita cashed his $50,000 check.
>
>
> Act 3 - Final Dispensation
> --------------------------
>
> Now we come to the final remarkable chapter in the already remarkable
> history of the 143.95.0.0/16 legacy IPv4 ARIN address block.
>
> Some months after the formation of the Massachusetts "Athenix, Inc.", on
> Sepetember 2nd, 2008 a new corporate entity calling itself "Athenix
> Corporation" was incorporated in the State of California. Curiously, this
> third Athenix gave both its actual address and its mailing address as 10
> Corporate Drive, Burlington, MA 01813.
>
> https://drive.google.com/file/d/1GHhwuPGPKdx5n46cYQ2UhTGiMSdxonFu/view
> https://drive.google.com/file/d/1ZLtcY2HWoi5vmNFAJleHep8DxIS3igVR/view
>
> As it happens, that street address is also the headquarters address of the
> publicly-traded Endurance International Group, Inc. (EIGI).
>
> There is substantial evidence indicating that EIGI is effectively in complete
> functional control of the 143.95.0.0/16 address block at the present moment.
>
> The company's primary ASN, AS29873 and also, an AS number belonging to one
> of the company's many acquired subsidiaries, A Small Orange LLC, AS62729
> are each routing significant portions of the 143.95.0.0/16 block at the
> present time.
>
> https://bgp.he.net/AS29873#_prefixes
> https://bgp.he.net/AS62729#_prefixes
>
> Additionally, on or about 2017-05-22, EIGI became the registrant of the
> athenixinc.com domain, whose associated name servers (dns1 dns2) had
> provided revserse DNS service for the entire 143.95.0.0/16 block during
> 2011 and 2012. Delegation of the reverse DNS responsibility for the
> entire 143.95.0.0/16 block changed on or about 2013-11-28 so that the
> new name servers were ones associated with the domain name asonoc.com,
> at least according to the relevant historical data provided to me by
> Farsight Security, Inc.
>
> https://pastebin.com/raw/MVmzhirc
>
> Historically, and as recently as 2018-04-20, the domain name asonoc.com
> was and has been registered to the EIGI subsidiary A Small Orange LLC.
>
> https://pastebin.com/raw/Xy8UHZNw
>
> Responsibility for the reverse DNS for the entire 143.95.0.0/16 block
> remains delegated to the rdns1.asonoc.com and rdns2.asonoc.com name
> servers at the present moment.
>
> EIGI is primarily a web hosting company. It has, over time. exhibited a
> tendency to acquire other and smaller web hosting companies which it has
> then absorbed into and under its corporate unbrella. Unlike most other
> corporate acquirers however, EIGI is somewhat unique in its notable tendency
> to not rebrand its acqusitions so that they would be additive to its main
> corporate brand, generally electing instead to maintain the pre-acqusition
> brand names for its newly acquired web hosting businesses. One such EIGI-
> acquired propery that has retained its pre-acqusition brand name is the
> aforementioned Texas-based web hosting company called A Small Orange LLC,
> aka AS62729.
>
> (Those who may be interested in more backgound regarding EIGI and past
> controversies, specifically with relating to the company's accounting
> practices as well as the online activities of its clientele, are encouraged
> to consult the footnotes below.[2])
>
> The available evidence suggests the clear possibility that EIGI and its
> subsidiary, A Small Orange LLC. may be controling and using the 143.95.0.0/16
> block in a manner inconsistant with ordinary business rules of fair dealing
> and/or in a manner inconsistant with current ARIN policy, and further, that
> the company and/or its various C-suite officers may have arrived at this
> current situation not by happentance but rather by some very carefully
> considered premeditation.
>
> I mention specifically EIGI's C-suite officers, because the available
> evidence suggests that EIGI's apparent takeover of the 143.95.0.0/16
> block was not purely or only the product of some unsanctioned rogue
> activity on the part of lower-level company functionaries. Multiple
> publicly available records obtained from the web site of the California
> Secretary of State implicate multiple current and former EIGI C-suite
> officers as having been, at the very least, directly aware of the formation
> of the third "Athenix", even if perhaps not directly or personally
> responsible for that rather suspicious company formation.
>
> https://drive.google.com/file/d/12gm41jG9iFIC9KvIJmfWNjUqCmRtTfxN/view
> https://drive.google.com/file/d/1zdhru_hpYVIJfVKi-s5X1MW0znrErJzQ/view
> https://drive.google.com/file/d/1dVHDSPKD4Qvur9rzCK9YZDEtOkFA2raS/view
>
> Plese note that Mr. Hari Ravichandran is the now-former CEO of EIGI. Mr.
> David Bryson was and remains EIGI's Chief Legal Officer. Mr. Marc
> Montagner was and remains EIGI's Chief Financial Officer. Mr. Jeffrey Fox
> is EIGI's current CEO, having succeded Mr. Ravichandran in that post.
>
> https://www.endurance.com/our-company/our-team
>
> https://exechange.com/7850/endurance-ceo-hari-ravichandran-leaves-2/7850
> https://www.linkedin.com/in/hari-ravichandran-9b949b8
> https://jumpv.com/meet-the-team/
>
> https://www.linkedin.com/in/davidbryson
> https://www1.salary.com/David-C-Bryson-Salary-Bonus-Stock-Options-for-ENDURANCE-INTL-GRP-HLDGS-INC.html
>
> https://www.linkedin.com/in/marc-montagner-b112a1b1
> https://wallmine.com/people/6106/marc-montagner
>
> https://www.linkedin.com/in/jeff-fox-820a0413
> https://wallmine.com/people/2962/jeffrey-h-fox
>
> Given that EIGI's rights in and/or legal title to the 143.95.0.0/16 block
> appear to be, at best, on somewhat shaky ground, and given that the new
> 2008-vintage Athenix Corporation does not obviously possess any other
> obvious or apparent assets to speak of, it appears, to this writer at
> least, more than a little incongruous to see that EIGI apparently listed
> Athenix Corporation as a collateral asset on what, to a layman such as
> myself, appears to be a bank collateral statement which was filed, apparently
> in 2013, with the United States Securities and Exchange Comission.
>
> https://www.sec.gov/Archives/edgar/data/1237746/000119312514077774/d635170dex1025.htm
>
> All I can say about that is that I personally was turned down for a bank
> loan, some years ago, when I attempted to use the monthly -liability- of
> my recurring water bills as collateral for the loan. But then I have
> never been anywhere near as accomplished at high finance as any of the
> gentlemen mentioned above surely are.
>
>
> Responses
> ---------
>
> More than 24 hours prior to posting this message, I reached out to the press
> contact email address listed on EIGI's web site, press (at) endurance.com,
> for comment about the facts elaborated above. No response was received from
> the company by press time.
>
> Prior to posting, I also reached out to John Curran @ ARIN for his response
> to the facts set forth above. John was kind enough to provide the following
> official on-the-record ARIN response:
>
> ARIN does not comment on specific registry changes (as number resource
> change requests are made in confidence), but we do take matters of
> potential number resource fraud quite seriously. I would recommend that
> you report potential incidents of registry fraud (if you have not done
> so already) via our Internet Number Resource Fraud Reporting process at
> https://www.arin.net/resources/fraud/, and we will promptly investigate.
> – John Curran, CEO, ARIN
>
> +_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_
>
> FULL DISCLOSURE: I hold no postions, either short or long in EIGI or in
> any related company.
>
> +_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_
>
> Acknowledgements
> ----------------
>
> My thanks to Farsight Security, Inc. and to Domaintools, LLC for their
> kind support of this research.
>
>
> Footnotes:
> =======================================================================
> [1] Rather remarkably, the Massachusetts Athenix, Inc. was incorporated
> a mere six days before my friend, journalist Brian Krebs, put up a story
> on the Washington Post web site, detailing how a pair of legacy ARIN IPv4
> /16 blocks had somewhat inexplicably ended up in the hands of one of the
> world's most notorious spammers, Scott Richter. That story, as some of you
> will already know, alleged that a rather simple and yet elaborate fraud had
> been perpetrated against ARIN, a fraud which amounted to nothing less than
> corporate identity theft, with the one and only apparent goal being the
> effective take-over of two quite valuable legacy ARIN IPv4 /16 blocks, a
> goal which was, it appeared, successfully achieved with only a relatively
> minor investment of effort and expense.
>
> [2] In recent years, all has not gone well for EIGI. In the year 2015, a
> somewhat mysterious New York City short seller using the pen name Gotham
> City Research published a sequence of four reports detailing his beliefs
> that all was not as it should be at EIGI, both with respect to the company's
> financial statements and with respect to its clientele and their (allegedly)
> questionable online activities.
>
> 2015-04-28 - Endurance International Group - A Web of Deceit
> https://bit.ly/2KZXPLA
>
> 2015-04-29 - Initial Follow-up To: A Web of Deceit
> https://bit.ly/2L5Vv4o
>
> 2015-05-05 - EIGI’s Adjusted EBITDA is a Meaningless Metric
> https://bit.ly/342x4xE
>
> 2015-08-03 - Endurance International Group: Malicious Activities
> https://bit.ly/30Gk4vr
>
> The value of EIGI stock dropped rather precepitously following the publication
> of the Gotham City Research reports and has yet to recover to its earlier
> highs.
>
> https://drive.google.com/file/d/1BaGzFglnrbAca9DsRIqt2eD0m_jnrCMw/view
>
> The SEC's investigation of EIGI, and the SEC's subsequent enforcement actions
> against the company and its officers in 2018 also didn't help matters much
> with respect to EIGI and its stock price:
>
> https://www.sec.gov/enforce/33-10504-s
> https://www.bizjournals.com/boston/news/2018/08/22/former-endurance-group-execs-pay-1-4m-to-settle.html
>
More information about the NANOG
mailing list