The Curious Case of 143.95.0.0/16

Steve Spence steve.spence at arkitechs.com
Mon Sep 2 06:31:59 UTC 2019



Very interesting story, great work Ronald.


-----Original Message-----
From: NANOG <nanog-bounces at nanog.org> On Behalf Of Ronald F. Guilmette
Sent: Wednesday, August 28, 2019 2:27 AM
To: nanog at nanog.org
Subject: The Curious Case of 143.95.0.0/16

Fair Warning:  Those of you not enamored of my long-winded exposés of various remarkable oddities of the IPv4 address space may wish to click on the tiny little wastebasket icons on your mail clients at this point.  For the rest of you, please read on.  I think you may find the following story intriguing.  It contains at least a few surprising twists.

+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_
++_


Our story today consists of three acts.


Act 1 - It is Born
------------------

In mid-February of 1990 a new venture-capital backed company was formed in Sunnyvale, California.  In some ways it was no different than the hundreds or thousands of hopeful high-tech startups that had been formed in Silicon Valley, both before and since.  It started with a hopeful dream that, in the end, just didn't work out.

The founders of this company settled initially on a temporary placeholder company name, XYZ Corporation:

    https://drive.google.com/file/d/1CkDNKq4M1DQKuTxBBhlYxUNAjU2cvDnY/view

The mission of the company was to design and manufacture so-called X-Windows terminals.  These would be diskless workstations, complete with CPUs, color (CRT) displays, graphics, memory, and an ethernet interface.  The basic idea was that such a diskless workstation could run the free X-Windows client software, and that the system would be cheaper than ordinary PeeCees due to it not having any hard drives or optical drives.

By some odd twist of fate, I myself was working in the same geographic area as a software engineer at around the same time, but I worked for a different Silicon Valley startup, just down the road from XYZ Corporation.  And by a rather remarkable coincidence, the company I worked for had exactly the same goal and mission as the XYZ Corporation.  The name of this other X-Windows workstation startup was Network Computing Devices, or just "NCD" for short.

Quite obviously, both companies were inherently "network-centric" and thus, both requested and were granted blocks of IPv4 addresses.  That wasn't at all within my area of responsibility at NCD, so I don't know who actually issued those blocks.  My guess, based on published historical accounts, was that it was most probably Dr. Jon Postel who assigned the blocks.  I'm sure that someone will correct me if I'm wrong.

Months passed, and eventually the founders of XYZ Corporation settled on something they would use as a permanent replacement for their temporary placeholder corporate name.  They decided to call the thing Athenix, Inc.  Once they had settled on that name, they filed papers to update their records with the California Secretary of State's office:

    https://drive.google.com/file/d/1dUjsvSkzzdzUsIbIZCS7RF0afsI3uU0l/view

At some point, they also and likewise updated the ARIN WHOIS record for the /16 block which had been assigned to them, on or about 1990-09-06, as was appropriate to reflect their new permanent corporate identity:

    https://pastebin.com/raw/YbH6zYrR

More time passed and eventually it became clear that the entire world was not in fact breathlessly waiting for -two- companies to bring to market diskless X-Windows workstations.  In fact, as history now shows, market demand would not support even one such company over the long term.

Thus it came to pass in the year 1993 that an all-too-familiar end-of-life ritual played out once again in Silicon Valley.  At Athenix, Inc. HQ in Sunnyvale, the people were all let go, including the founders.  The desks, the chairs, the phones, the computers, and the tools were all sold at auction, with the proceeds going to the preferred shareholders, i.e. the poor fools who had put up all of the money for this now-failed venture in the first place, the venture capitalists.  Foremost among those in this instance, was the venerable Menlo Park venture capital firm Kleiner Perkins.

I've confirmed this historical account of the rise and fall of the original 1990-vintage Athenix, Inc. in multiple phone and email exchanges with both the original CEO of the original Athenix, Mr. Robert ("Bob") Garrow, lately of Los Altos, California, and also the original CTO of the company, Mr. John Garman, lately of Reno, Nevada.


Act 2 - Rebirth - The Athenix Phoenix
-------------------------------------

Fast forward fifteen years.  On April 22, 2008 a pair of gentlemen in the Commonwealth of Massachusetts elected to establish a new corporate entity within the commonwealth.  Its name would be Athenix, Inc.[1]

    https://drive.google.com/file/d/1jYUqtgYprI4iyJkTT91-yRBYJt0c2ufF/view
    https://drive.google.com/file/d/1mlVML8z7vzp7aeGmOK-3cWBBJeNBuThn/view

As you can see in the documents above, a certain Mr. Ofer Inbar and a certain Mr. Robert Anita, both of the greater Boston area, formed this new corporate entity in Massachusetts.  At its formation, the younger Mr. Inbar was the President, while the more senior Mr. Antia served as the corporate secretary and treasurer.

Various other records, which I shall not include here, suggest that both Mr. Inbar and Mr. Anita were at some point in the distant past affiliated, in at least some tangential way, with the well-regarded white-hat Boston area hacking collective known as L0pht, aka L0pht Heavy Industries.  I cannot say much about this apparent connection, other than to say that the details I have ferreted out about this connection are sketchy at best.

I do however have it on reasonably good authority that Mr. Inbar has of late relocated to the greater Seattle metropolitan area, and that he is or was working as a network administrator for Google, Inc. in that area.  Mr. Antia, in contrast, is still, when I last checked, a resident of the greater Boston area, and is a well regarded "graybeard" in the computing community in and around Boston, having been in the business, one way or another, for decades.  Mr. Anita currently serves as President of the Boston area chapter of the public/private critical infrastructure cybersecurity defense partnership known as InfraGard.

    https://infragard-boston.org/

The evidence currently available to me suggests that not long after the creation of Mr. Inbar's and Mr. Antia's Massachusetts Athenix, Inc., ARIN elected to delegate responsibility for the reverse DNS for the 143.95.0.0/16 IPv4 block to a pair of name servers called dns1.athenixinc.com and dns2.athenixinc.com.  That delegation was already in place by 2010-06-24, which is about the time that Farsight Security Inc., my data source, first began passively collecting its historical archives of DNS response records.

Historical records made available to me by Domaintools, LLC indicate that the athenixinc.com domain name was, at least initially, registered to Mr. Anita in Lincoln, Massachusetts.

    https://pastebin.com/raw/GNhbFDFz

Subsequent historical WHOIS data collected by Domaintools in relation to the athenixinc.com domain name shows that after Mr. Anita, the domain name registration passed into the hands of at least one other individual, and eventually, to an entirely different corporate entity.  We will come to that shortly.

Almost a year ago now, when I was first investigating the 143.95.0.0/16 block, I attempted to interview Mr. Inbar by phone regarding his and Mr. Anita's Athenix, Inc. and the unusual history of the 143.95.0.0/16 block.  It did not go well.  Mr. Inbar was apparently reluctant to engage with me by phone on these or any other topics.  He and I did have a few brief and truncated email exchanges after that however, but apparently my questions regarding how Mr. Inbar and Mr. Anita came to exercise effective day-to-day control over the 143.95.0.0/16 ARIN legacy block were not ones that Mr. Inbar felt in any way obliged to answer, and at some point he simply ceased answering my emails.

In contrast, Mr. Antia was a veritable fount of information and he and I had multiple phone conversations as well as multiple email exchanges.  From these exchanges I quickly deduced that Mr. Antia saw absolutely nothing wrong with, much less anything at all to be shy about with respect to the history of the 143.95.0.0/16 block -or- his formation, along with Mr. Inbar, of a new Athenix, Inc. in Massachusetts back in 2008.  Quite the contrary!  Mr. Anita was kind enough to forward me a copy of the following really rather remarkable lease agreement, in which Mr. Inbar and Mr. Anita together undertook to lease the 143.95.0.0/16 IPv4 block to a certain Nevada-incorporated and Colorado-resident limited liability company known as Media Breakaway, LLC:

    https://drive.google.com/file/d/1ASXrUsiNAIq1IIZO5Lw1BqjD1qucqFmI/view

As you can see, the term of the lease is 20 years, beginning from the 28th day of May, 2008.  The compensation to be paid to Mr. Inbar's and Mr. Anita's Massachusetts Athenix, Inc. in return for this 20 year leasehold was to be $100,000 USD.  As Mr. Anita related to me, this sum was in fact paid, and Mr. Inbar and Mr. Anita split it evenly.  (But of course, I have no way to independently verify that.)

For those unaware, I pause here just long enough to note that the CEO of Media Breakaway, LLC is none other than Mr. Scott Richter, one-time "Spam King" and a man who both Wikipedia and the KrebsOnSecurity blog have asserted is a convicted felon.  And of course, this is the very same Scott Richter who figured so prominently in Brian Krebs' report about pilfered legacy ARIN /16 blocks, published on the Washington Post, way back in April, 2008.

Of course, in my phone conversations with Mr. Anita, I acquainted him with these relevant historical allegations.  He confessed at the time that he had not personally done much at all in the way of due diligence with respect to either Mr. Richter or his company -- a lapse which I personally found (and find) quite unfortunate, to say the least, and not least because of Mr. Anita's position as the President of the Boston Chapter of InfraGard, the public/private partnership whose mission is the protection of the nation's critical infrastructure assets from cyber-threats.  I would have hoped that a person in such a position would have been in the general habit of exercising at least some due diligence with respect to the people he does business with and, in this specific instance, preferably at some moment *before* Mr. Anita cashed his $50,000 check.


Act 3 - Final Dispensation
--------------------------

Now we come to the final remarkable chapter in the already remarkable history of the 143.95.0.0/16 legacy IPv4 ARIN address block.

Some months after the formation of the Massachusetts "Athenix, Inc.", on September 2nd, 2008 a new corporate entity calling itself "Athenix Corporation" was incorporated in the State of California.  Curiously, this third Athenix gave both its actual address and its mailing address as 10 Corporate Drive, Burlington, MA 01813.

    https://drive.google.com/file/d/1GHhwuPGPKdx5n46cYQ2UhTGiMSdxonFu/view
    https://drive.google.com/file/d/1ZLtcY2HWoi5vmNFAJleHep8DxIS3igVR/view

As it happens, that street address is also the headquarters address of the publicly-traded Endurance International Group, Inc. (EIGI).

There is substantial evidence indicating that EIGI is effectively in complete functional control of the 143.95.0.0/16 address block at the present moment.

The company's primary ASN, AS29873 and also, an AS number belonging to one of the company's many acquired subsidiaries, A Small Orange LLC, AS62729 are each routing significant portions of the 143.95.0.0/16 block at the present time.

    https://bgp.he.net/AS29873#_prefixes
    https://bgp.he.net/AS62729#_prefixes

Additionally, on or about 2017-05-22, EIGI became the registrant of the athenixinc.com domain, whose associated name servers (dns1 dns2) had provided reverse DNS service for the entire 143.95.0.0/16 block during 2011 and 2012.  Delegation of the reverse DNS responsibility for the entire 143.95.0.0/16 block changed on or about 2013-11-28 so that the new name servers were ones associated with the domain name asonoc.com, at least according to the relevant historical data provided to me by Farsight Security, Inc.

    https://pastebin.com/raw/MVmzhirc

Historically, and as recently as 2018-04-20, the domain name asonoc.com was and has been registered to the EIGI subsidiary A Small Orange LLC.

    https://pastebin.com/raw/Xy8UHZNw

Responsibility for the reverse DNS for the entire 143.95.0.0/16 block remains delegated to the rdns1.asonoc.com and rdns2.asonoc.com name servers at the present moment.

EIGI is primarily a web hosting company.  It has, over time, exhibited a tendency to acquire other and smaller web hosting companies which it has then absorbed into and under its corporate umbrella.  Unlike most other corporate acquirers however, EIGI is somewhat unique in its notable tendency to not rebrand its acquisitions so that they would be additive to its main corporate brand, generally electing instead to maintain the pre-acquisition brand names for its newly acquired web hosting businesses.  One such EIGI-acquired property that has retained its pre-acquisition brand name is the aforementioned Texas-based web hosting company called A Small Orange LLC, aka AS62729.

(Those who may be interested in more background regarding EIGI and past controversies, specifically relating to the company's accounting practices as well as the online activities of its clientele, are encouraged to consult the footnotes below.[2])

The available evidence suggests the clear possibility that EIGI and its subsidiary, A Small Orange LLC, may be controlling and using the 143.95.0.0/16 block in a manner inconsistent with ordinary business rules of fair dealing and/or in a manner inconsistent with current ARIN policy, and further, that the company and/or its various C-suite officers may have arrived at this current situation not by happenstance but rather by some very carefully considered premeditation.

I mention specifically EIGI's C-suite officers, because the available evidence suggests that EIGI's apparent takeover of the 143.95.0.0/16 block was not purely or only the product of some unsanctioned rogue activity on the part of lower-level company functionaries.  Multiple publicly available records obtained from the web site of the California Secretary of State implicate multiple current and former EIGI C-suite officers as having been, at the very least, directly aware of the formation of the third "Athenix", even if perhaps not directly or personally responsible for that rather suspicious company formation.

    https://drive.google.com/file/d/12gm41jG9iFIC9KvIJmfWNjUqCmRtTfxN/view
    https://drive.google.com/file/d/1zdhru_hpYVIJfVKi-s5X1MW0znrErJzQ/view
    https://drive.google.com/file/d/1dVHDSPKD4Qvur9rzCK9YZDEtOkFA2raS/view

Please note that Mr. Hari Ravichandran is the now-former CEO of EIGI.  Mr. David Bryson was and remains EIGI's Chief Legal Officer.  Mr. Marc Montagner was and remains EIGI's Chief Financial Officer.  Mr. Jeffrey Fox is EIGI's current CEO, having succeeded Mr. Ravichandran in that post.

    https://www.endurance.com/our-company/our-team

    https://exechange.com/7850/endurance-ceo-hari-ravichandran-leaves-2/7850
    https://www.linkedin.com/in/hari-ravichandran-9b949b8
    https://jumpv.com/meet-the-team/

    https://www.linkedin.com/in/davidbryson
    https://www1.salary.com/David-C-Bryson-Salary-Bonus-Stock-Options-for-ENDURANCE-INTL-GRP-HLDGS-INC.html

    https://www.linkedin.com/in/marc-montagner-b112a1b1
    https://wallmine.com/people/6106/marc-montagner

    https://www.linkedin.com/in/jeff-fox-820a0413
    https://wallmine.com/people/2962/jeffrey-h-fox

Given that EIGI's rights in and/or legal title to the 143.95.0.0/16 block appear to be, at best, on somewhat shaky ground, and given that the new 2008-vintage Athenix Corporation does not obviously possess any other obvious or apparent assets to speak of, it appears, to this writer at least, more than a little incongruous to see that EIGI apparently listed Athenix Corporation as a collateral asset on what, to a layman such as myself, appears to be a bank collateral statement which was filed, apparently in 2013, with the United States Securities and Exchange Commission.

    https://www.sec.gov/Archives/edgar/data/1237746/000119312514077774/d635170dex1025.htm

All I can say about that is that I personally was turned down for a bank loan, some years ago, when I attempted to use the monthly -liability- of my recurring water bills as collateral for the loan.  But then I have never been anywhere near as accomplished at high finance as any of the gentlemen mentioned above surely are.


Responses
---------

More than 24 hours prior to posting this message, I reached out to the press contact email address listed on EIGI's web site, press (at) endurance.com, for comment about the facts elaborated above.  No response was received from the company by press time.

Prior to posting, I also reached out to John Curran @ ARIN for his response to the facts set forth above.  John was kind enough to provide the following official on-the-record ARIN response:

    ARIN does not comment on specific registry changes (as number resource
    change requests are made in confidence), but we do take matters of
    potential number resource fraud quite seriously. I would recommend that
    you report potential incidents of registry fraud (if you have not done
    so already) via our Internet Number Resource Fraud Reporting process at
    https://www.arin.net/resources/fraud/, and we will promptly investigate.
     – John Curran, CEO, ARIN

+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_
++_

FULL DISCLOSURE:  I hold no positions, either short or long in EIGI or in any related company.

+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_
++_

Acknowledgements
----------------

My thanks to Farsight Security, Inc. and to Domaintools, LLC for their kind support of this research.


Footnotes:
=======================================================================
[1]  Rather remarkably, the Massachusetts Athenix, Inc. was incorporated a mere six days before my friend, journalist Brian Krebs, put up a story on the Washington Post web site, detailing how a pair of legacy ARIN IPv4 /16 blocks had somewhat inexplicably ended up in the hands of one of the world's most notorious spammers, Scott Richter.  That story, as some of you will already know, alleged that a rather simple and yet elaborate fraud had been perpetrated against ARIN, a fraud which amounted to nothing less than corporate identity theft, with the one and only apparent goal being the effective take-over of two quite valuable legacy ARIN IPv4 /16 blocks, a goal which was, it appeared, successfully achieved with only a relatively minor investment of effort and expense.

[2] In recent years, all has not gone well for EIGI.  In the year 2015, a somewhat mysterious New York City short seller using the pen name Gotham City Research published a sequence of four reports detailing his beliefs that all was not as it should be at EIGI, both with respect to the company's financial statements and with respect to its clientele and their (allegedly) questionable online activities.

    2015-04-28 - Endurance International Group - A Web of Deceit
    https://bit.ly/2KZXPLA

    2015-04-29 - Initial Follow-up To: A Web of Deceit
    https://bit.ly/2L5Vv4o

    2015-05-05 - EIGI’s Adjusted EBITDA is a Meaningless Metric 
    https://bit.ly/342x4xE

    2015-08-03 - Endurance International Group: Malicious Activities
    https://bit.ly/30Gk4vr

The value of EIGI stock dropped rather precipitously following the publication of the Gotham City Research reports and has yet to recover to its earlier highs.

    https://drive.google.com/file/d/1BaGzFglnrbAca9DsRIqt2eD0m_jnrCMw/view

The SEC's investigation of EIGI, and the SEC's subsequent enforcement actions against the company and its officers in 2018 also didn't help matters much with respect to EIGI and its stock price:

    https://www.sec.gov/enforce/33-10504-s
    https://www.bizjournals.com/boston/news/2018/08/22/former-endurance-group-execs-pay-1-4m-to-settle.html


