Tech CEO Sentenced To 5 Years in IP Address Scheme (krebsonsecurity.com)
Amir Golestan, the 40-year-old CEO of the Charleston, S.C. based technology company Micfo, has been sentenced to five years in prison for wire fraud. From a report: Golestan's sentencing comes nearly two years after he pleaded guilty to using an elaborate network of phony companies to secure more than 735,000 Internet Protocol (IP) addresses from the American Registry for Internet Numbers (ARIN), the nonprofit which oversees IP addresses assigned to entities in the U.S., Canada, and parts of the Caribbean.
In 2018, ARIN sued Golestan and Micfo, alleging they had obtained hundreds of thousands of IP addresses under false pretenses. ARIN and Micfo settled that dispute in arbitration, with Micfo returning most of the addresses that it hadn't already sold. ARIN's civil case caught the attention of federal prosecutors in South Carolina, who in May 2019 filed criminal wire fraud charges against Golestan, alleging he'd orchestrated a network of shell companies and fake identities to prevent ARIN from knowing the addresses were all going to the same buyer.
Re:Great, back to the drawing board... (Score:5, Informative)
Re:Great, back to the drawing board... (Score:5, Interesting)
Preach to the choir on that one my friend.
Now go convince my brain dead ISP [ziplyfiber.com] they need to support it. They have a subreddit [reddit.com] where their network types directly interact with customers and all requests for IPv6 are hand-waved away with stupid rationalizations like, "You don't need it for anything" or "We're more focused on expanding and upgrading our network" (because lots of consumers are clamoring for 10G service at $300/mo) while they retain the right, in fine print (not being implemented yet AFAIK), to put all customers behind CGN, which would be the one thing they could do that'd convince me to fire them in favor of Comcast.
What's particularly insulting is they can't be bothered to spin up a 6rd deployment [wikipedia.org], which can be done with existing provisioning systems, IPv4 only routers, etc., and was the path just about every ISP took before they offered dual stack. They stopped engaging with me after they claimed 6rd would not work on their network, I spun up an instance using resources from work, then sent them packet captures proving it worked just fine.
Since I'm on one of my favorite lonely hill soap boxes, a very special fuck you to Netflix for treating Hurricane Electric tunnels as geo-evasion and blocking them, when they are not useful for geo-evasion. It's trivial to ID the underlying IPv4 address that "owns" an HE tunnel and the IPv6 addresses also geo-locate to the relevant country of origin. No nice way to work around this. Pick one:
1) VLAN off your streaming devices onto a v4 only VLAN, at the expense of breaking Layer 2 functionality like AirPlay and Chromecast
2) Play kludgey DNS games to strip AAAA answers from Netflix owned domains, at the expense of complicating your DNS setup, having it all break when Netflix changes CDNs, etc.
Seriously, fuck you for that move Netflix.
Why is the actual argument not stated? (Score:4, Insightful)
Having a dual stack requires us to get security right on both sides. We can't do 6-only. We can do 4-only. So we are doing that.
Not endorsing this, just saying out loud what the issue is. If 6 had been 4 compatible, this would already have been done and over with.
Re: (Score:3)
Making 6 compatible with 4 was never in the cards. The addresses went from 32 to 128 bits. By definition it was never going to be compatible. There was always going to be some sort of transition period where both had to be run side by side. The only thing that's going to put an expiration date on this transition is government/regulatory mandates OR the big boys in the CDN/Cloud space getting together and imposing it themselves. Amazon, Google, Microsoft, they have the collective gravitas to do it, bu
Re: (Score:3)
I think they could have done a lot more to make it compatible. For example they could have just tackled the address availability issue and not put the kitchen sink into the protocol on a mandatory basis.
I'd think that it would have been possible to keep most of the change to just affecting the core of the internet and boundary routers.
Once a packet gets to an organization, IPv4 address space is almost certainly sufficient. It just needed a new inter-organization addressing feature that defaulted to organiza
Re: (Score:3)
I believe it would have been completely possible to have modified v4 at the time to accommodate the larger addresses without doing massive surgery otherwise.
The point was that the authors of 6 wanted to fix internetworking as it existed at that moment of time in the mid 90s. Get rid of the dependencies on ARP, get rid of broadcasts, every itch they scratched. Everything works the way that the IPv6 people wanted it to work as opposed to how it worked in IPv4. So no wonder it's a pain in the ass to implemen
Re: (Score:2)
I believe it would have been completely possible to have modified v4 at the time to accommodate the larger addresses without doing massive surgery otherwise.
One great thing about dual stack is that it has hardly affected the good operation of IPv4 networks at all. Any breakage has been confined to the people running the new protocol with the bigger address space. In the alternate universe with two types of end system - "olde worlde" 32-bit IPv4 and "larger addresses" IPv4 - talking directly to each other, it seems like there is a lot more scope for widespread breakage. Dual stack allowed us to gradually (*) ramp up IPv6 and solve bugs going along. For example,
Re: (Score:2)
So no wonder it's a pain in the ass to implement and doesn't 1:1 map to the existing Internet.
This has nothing to do with anything you said. It doesn't map 1:1 to v4 because that's impossible with the design and capabilities of v4.
All v4 addresses are mapped into and are accessible from v6, but the reverse is impossible because 2^128 is bigger than 2^32. You could map a tiny subset of v6 into v4, but what would even be the point? (And in fact v6 did do this, using ::/96, but it was deprecated because it's useless. Anything you could do with this could be done more compatibly by just using v4.)
Any at
Re: (Score:2)
It's not a "pain in the ass" to implement unless you're thinking in a v4 mindset. When Microsoft of all companies can implement it in their OS, without major bugs, after the disaster that was the IPv4 stack in Windows 95/98/ME, and the RFC violations in NT/2000/XP, I think you're the outlier saying it's a pain in the ass. I took the HE certification [he.net] the day they made it available and got to 'Sage' with Google research and lab testing within three hours.
You're bitching about issues with implementation in
Re: (Score:2)
Re: (Score:2)
Because it's really frustrating to have to deal with all of the crap v4 piles onto you when you know that it's entirely unnecessary, especially when a big part of why it's happening is ignorance and incompetence by professionals whose job is to know better. It's also very tiring to hear the same bullshit being traipsed out year after year.
You can see multiple examples of both just looking around this comment thread. You try not sounding angry after debunking the same shit repeatedly for 15 years.
Also, maybe
Re: (Score:2)
Re: (Score:2)
That sounds good at first glance, but all the networking equipment reading 4-byte addresses is still going to need to be updated and if you're already doing that, then why not add other improvements?
Re: (Score:2)
For example they could have just tackled the address availability issue and not put the kitchen sink into the protocol on a mandatory basis
The kitchen sink is there to help manage the larger address space. You can find endless posts here on this very site complaining about various problems they have with IPv6, despite the fact those problems are addressed with tools included to manage IPv6, that they don't know about because they keep thinking of IPv4 only.
Once a packet gets to an organization, IPv4 address space is almost certainly sufficient. It just needed a new inter-organization addressing feature that defaulted to organization zero: the internet as it is today
The internet as it is today indeed. Requiring a third party cloud service to facilitate a handshake so those packets know where they are going. You want to own your computer, run a server on
Re: (Score:2)
IPV4 to IPV6 was always possible, here are at least two ways.
Basically, extend the IPV4 address. Double it, or 4 times, or whatever. Remember that there can be a lot of leading zeros in an address. These are not empty. 0.0.0.1 is not nearly "empty" but rather bits of value 0, then a single bit of 1.
Lets assume the address went from 4 to 8 bytes.
Back, about 20 years ago, IPv6 should have said, ok, "if we get an IPv4 packet, you can assume the leading 4 bytes are 0.0.0.0". Now, here's the cute bit, registries ne
Re: (Score:2)
The sad part here is that the committee you're criticizing basically did both of the approaches you proposed here, and yet you're still trashing them for not doing it.
Back, about 20 years ago, IPv6 should have said, ok, "if we get an IPv4 packet, you can assume the leading 4 bytes are 0.0.0.0". Now, here's the cute bit, registries never give out any IPvNext addresses with the leading 4 bytes having value zero. They are reserved and marked as "legacy". Your devices that are in production that are IPv4 only, keep working with IPv4. Next gen, IPvNext, devices gracefully handle IPv4 by making the assumption about IPv4 addresses.
That's how things already work. The prefix is ::ffff:0:0/96 rather than being completely zero, but that's not a significant difference. No registry gives out v6 addresses in the ::ffff:0:0 prefix, and a v6 device receiving a v4 packet will assume that prefix when presenting the packet to an application on a v6 socket.
Of course, this is fundame
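The ::ffff:0:0/96 mapping described in the reply above, as an added example that is not part of the original thread: the functions embed and extract an IPv4 address in the IPv4-mapped IPv6 prefix, and the socket demo shows what the comment describes, a v6 listener with IPV6_V6ONLY off accepting an IPv4 connection and presenting the peer as ::ffff:a.b.c.d. The function names are my own; the demo uses loopback only and returns None on hosts without a usable dual-stack socket.

```python
import ipaddress
import socket

# IPv4-mapped IPv6 prefix ::ffff:0:0/96 (RFC 4291, section 2.5.5.2): the low 32 bits
# carry the IPv4 address, the high 96 bits are the fixed prefix.
V4MAPPED = ipaddress.IPv6Network("::ffff:0:0/96")


def map_v4(addr: str) -> ipaddress.IPv6Address:
    """Embed a dotted-quad IPv4 address into the IPv4-mapped IPv6 prefix."""
    v4 = int(ipaddress.IPv4Address(addr))
    return ipaddress.IPv6Address(int(V4MAPPED.network_address) | v4)


def unmap_v6(addr: str):
    """Return the embedded IPv4Address if addr is IPv4-mapped, otherwise None."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 in V4MAPPED:
        return ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF)
    # Native v6, or the deprecated ::/96 "IPv4-compatible" form mentioned in the thread.
    return None


def dual_stack_peer_demo():
    """Bind a v6 listener with IPV6_V6ONLY off, connect to it over v4 loopback, and
    return the peer address string the v6 side sees (None if the host cannot do this)."""
    srv = cli = conn = None
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
        srv.bind(("::", 0))            # wildcard v6 address, ephemeral port
        srv.listen(1)
        port = srv.getsockname()[1]
        cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        cli.settimeout(2)
        cli.connect(("127.0.0.1", port))
        conn, peer = srv.accept()
        return peer[0]                 # a v4 client shows up as "::ffff:127.0.0.1"
    except OSError:
        return None                    # no dual-stack support on this host
    finally:
        for s in (conn, cli, srv):
            if s is not None:
                s.close()


if __name__ == "__main__":
    m = map_v4("192.0.2.1")
    print(m, m.ipv4_mapped)            # stdlib exposes the same check as .ipv4_mapped
    print(unmap_v6("2001:db8::1"))     # None: a native v6 address
    print(dual_stack_peer_demo())
```

The mapping is purely a local convention of the socket API: nothing with a ::ffff: address is ever put on the wire, which is why a registry can leave that /96 unallocated without losing anything.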
Re: (Score:2)
First off, it's great to find a person on Slashdot who appreciates IPv6. We are now "friends" on this site.
I also use HE's tunnel service. I'm not sure if your router has this ability, but what I do with Netflix is I find their IPv6 ranges and then I blackhole those routes. That'll make Netflix fall back on IPv4 and then I can stream without disabling IPv6.
Here are the ranges I've blackholed:
That's worked pretty well for me for a year or two. Hope it helps
Re: (Score:2)
That's very useful. Where did you source their blocks from? I see a lot more than those blocks looking at their ASN.
FWIW, I got around it by rolling my own 6rd implementation using work resources, which is a soft abuse of my Network Admin privilege, but when you're the sole Network Admin you get to do things like that. I justify it to myself as an early warning system for the Internet going down at the office.
Ironically, I have better latency to the office (4 to 5ms) than I do to HE's nearest endpoint
Re: (Score:2)
That's me watching my router's logs and loading up stuff on Netflix, then running whois on IP addresses and blocking routes until it works. If I recall correctly, Netflix owns their own IPv6 ranges so you can see their networks pretty easily from whois. Honestly, if you've got their ASN then I guess you could just block the whole thing and let the browser/client/whatever fall back to IPv4.
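The null-routing approach in the two comments above (blackhole a service's IPv6 prefixes so the client falls back to IPv4), as an added example that is not from either poster: it parses route6 objects in the style of an IRR whois dump, collapses overlapping prefixes, and emits the matching iproute2 blackhole routes. The whois text is constructed, using the 2001:db8::/32 documentation range and private-use AS64500; it is not Netflix's ASN or address space, and the function names are mine.

```python
import ipaddress
import re

# Constructed sample in the style of route6 objects from an IRR (whois/RADB) query.
# Placeholders only: documentation prefixes and a private-use ASN.
SAMPLE_WHOIS = """\
route6:     2001:db8:100::/40
origin:     AS64500
descr:      constructed sample, streaming CDN
source:     EXAMPLE

route6:     2001:db8:100:8000::/49
origin:     AS64500
source:     EXAMPLE

route6:     2001:db8:200::/48
origin:     AS64500
source:     EXAMPLE
"""

ROUTE6_RE = re.compile(r"^route6:\s*(\S+)", re.MULTILINE)


def parse_route6(text: str):
    """Extract every route6: prefix, skip ones that fail to parse, and collapse
    overlapping prefixes so one blackhole route covers each block."""
    nets = []
    for m in ROUTE6_RE.finditer(text):
        try:
            nets.append(ipaddress.IPv6Network(m.group(1), strict=False))
        except ValueError:
            continue  # garbage line: skip it rather than install a bogus route
    return list(ipaddress.collapse_addresses(nets))


def blackhole_commands(nets):
    """iproute2 commands that null-route each prefix (Linux, run as root)."""
    return [f"ip -6 route add blackhole {net}" for net in nets]


def is_blackholed(addr: str, nets) -> bool:
    """Would traffic to addr hit one of the blackhole routes?"""
    ip = ipaddress.IPv6Address(addr)
    return any(ip in net for net in nets)


if __name__ == "__main__":
    prefixes = parse_route6(SAMPLE_WHOIS)
    for cmd in blackhole_commands(prefixes):
        print(cmd)
    # An AAAA answer inside a blackholed prefix fails immediately; the client
    # then uses the A record instead.
    print(is_blackholed("2001:db8:100:8000::1", prefixes))   # True
    print(is_blackholed("2001:db8:300::1", prefixes))        # False
```

Blocking an entire ASN, as the reply suggests, is the same script fed the full route6 set for that origin. On Linux the ip-route(8) man page documents that a blackhole route returns EINVAL to the local sender, so the v6 connect() fails at once rather than timing out and a Happy Eyeballs client moves to IPv4 without a visible delay.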
5 Years for that? (Score:3, Insightful)
A lot of the sentencing in the US seems to be lacking a sense of proportion, although this is far from being an extreme example.
Whatever, Land of the Free and all that, and one of the those with the highest proportion of the population behind bars.
Re:5 Years for that? (Score:5, Funny)
Re: (Score:3)
Re: (Score:2)
This! I used to use 127. on my network until I found out EVERYONE can access it. Now I hide behind a random number just to be sure. No one can get me.
Re: (Score:1)
5 years for not being rich enough to get away with it. Or, rather, not knowing the right people.
Justice in the State seems as random as drawing a value out of a huge hat. Whatever number's written on it, that's how many years of jail you get.
Re: (Score:3)
Re:5 Years for that? (Score:4, Insightful)
Re:5 Years for that? (Score:4, Interesting)
A lot of the sentencing in the US seems to be lacking a sense of proportion, although this is far from being an extreme example.
Couple things,
1) Under the Federal sentencing guidelines [ussc.gov], the recommended range for a fraud sentence comes down to the monetary value obtained for the fraud. IPv4s are going for around $40 per IP [ipv4marketgroup.com] the last time I checked, which puts the value of this fraud at 29.4 Million.
2) Following the guidelines, assuming he has no criminal history, that dollar amount puts him at an offense level of 28 (pages 82 and 83 from the full PDF [ussc.gov])
3) We can probably subtract 2 levels, since he pleaded guilty, under acceptance of responsibility (page 376), so now we're at 26
4) Looking at the sentencing table, page 407, that gives a suggested sentence range of 63 to 78 months, or 5.25 to 6.50 years.
tl;dr, he probably got a below guidelines range, which is pretty damned rare in the Federal system. It strongly implies he had exceptionally good lawyers (likely, he's rich), a sympathetic judge (unlikely for white collar fraud in Federal system), or he really assisted the Feds with the investigation and they joined defense counsel in asking for a downward departure (exceptionally rare but not unheard of).
Another thing to remember, if he behaves in prison -- "prison" being relative here, he'll be at a minimum security camp that probably won't have a fence -- he'll get credit and can anticipate serving roughly 85% of his sentence. 4 years and change for eight digits worth of fraud.
Now, should IP addresses be worth that much? Hell fucking no. See my IPv6 rant [slashdot.org] above. That's the only reason IPv4 addresses have this insane inflated value attached to them. This problem should have been solved a full decade ago. Blame idiot ISPs like mine, idiot enterprise network admins that are afraid of IPv6 and unwilling to bring it into their networks, and idiot well resourced organizations that should be doing better with IPv6 than they are, e.g., Microsoft, who only this year finally got around to offering geo-location support for IPv6 addresses [microsoft.com] within Azure. :(
Re: (Score:2)
idiot enterprise networks admins that are afraid of IPv6
There's another bit to it.
IPv4 is REALLY easy to do on AWS. IPv6? Not so much.
Some hobbyist can just rent an EC2, plop an IPv4 address on it, and they're good.
IPv6? No, you need to setup a subnet and like 12 other steps.
Also, in my experience, it's not the network admins that are afraid of IPv6, it's the managers who don't think it's important, and just let things sit.
A router (Score:3)
A router goes to the doctor and says it hurts when I pee.
This just isn't real any more. (Score:1)
Another poster said we "need IPv6". No, we don't. It's just one of several "hacks" to make it seem like we take IPv4 public address exhaustion seriously.
The original problem wasn't a lack of IPv4 addresses, it was a lack of routing table size. CIDR and BGP[4] made that 1993 problem go away.
Then it was that the powers that be were too much beholden to politically connected organizations so that the initial "stupid large" allocations they doled out they refused to claw back. Good on MIT for returning it'
Re:This just isn't real any more. (Score:5, Insightful)
You're totally wrong dude. There are more than four billion people on this planet. Boom, you've already exhausted the IPv4 pool. That's before you account for the fact that people own multiple devices, on multiple networks, e.g., smart phones, and those same people tend to work for employers that also have their own networks.
You can't solve the use case with NAT, there literally are not enough addresses in 2^32, and it's worth remembering that NAT by design breaks end-to-end connectivity. You can work around this to an extent, UDP hole punching [wikipedia.org] and other kludgy hacks, but those don't always work (lots of NAT implementations break them) and should not be required in any case. If you've ever used FaceTime, to pick a mainstream app you've probably heard of, it prefers to establish a direct peer-to-peer connection and will do so where possible with UDP hole punching. If neither end will allow a UDP hole punch to succeed, it falls back onto a connection routed via Apple's servers, and because Apple doesn't have an infinite bandwidth and server budget, you get a considerably lower bitrate/video quality and a non-zero amount of additional latency.
FaceTime is far from the only application that works like this, it's just one of the most mainstream ones, so don't take that explanation as an invitation to shit on Apple. Every outfit offering a video/audio communication solution is confronted with the same dilemma, peer to peer communication is best, but if you want consumers to use your app you need to provide the fallback path and you need to do it without bankrupting yourself in the process. IPv6 would greatly simplify this process even if you assume a large number of endpoints will be behind firewalls that filter inbound connections. (Also something that's arguably less important these days, since we all roam and can't control the firewall everywhere we go, your firewall and other security measures need to be done at the endpoint unless we're talking about a desktop or server that never moves, and even there, you still want an endpoint firewall)
Re: (Score:2)
Re: (Score:2)
NAT is the solution to multi-homing, dynamic address allocations and privacy problems
It's none of those things. The solution to multi-homing is to get an ASN and implement BGP. The solution to dynamic address allocations and privacy is SLAAC and privacy extensions.
It's also a reminder that simple end-to-end connectivity hasn't existed for a long time, and even if you're using IPv6, you still need to design protocols for outbound-only connections and without inband-signalled addresses.
If you're doing security at the network edge you're fucking doing it wrong in the hybrid world we live in now. Do you have control over the firewall at every single hybrid/remote worker's house? Every single hotel/airport/etc. they visit? Of course you don't. You need to attack security at the endpoint, which isn't to say y
Re: (Score:2)
The solution to multi-homing is to get an ASN and implement BGP. The solution to dynamic address allocations and privacy is SLAAC and privacy extensions.
Sure, now every little shop with a need for redundant internet access gets their own ASN and portable address space. Instead of exploding routing tables with 3 bytes per prefix, we get exploding routing tables with 6 bytes per prefix. And show me a network that doesn't fall over somewhere in the stack when it gets renumbered, so what does everybody w
Re: (Score:2)
I won't even bother to address all the reasons why you're wrong about privacy extensions, routing tables, etc.
All I'll say is it's rich that you're telling me the IPv6 people are the problem and it's doomed to failure unless we change. It has been in production for years. It's online with every national ISP, most regional ones, all the cellular carriers, nearly every cloud service provider, every content distribution network, blah, blah, blah, and it's the default on all of these systems/networks. T
Re: (Score:2)
Re: (Score:2)
You are an uninformed idiot. Pointing out there are other uninformed idiots and turning off v4 will preclude you from talking to them does not prove that v6 is useless. It's also a red herring, because I never said you could turn off v4, only that you should be using v6 where possible.
If you want to imagine someone who primarily watches SVOD, surfs Facebook, and reads G-mail, you absolutely could kill v4 without them noticing. Every mainstream consumer oriented service is IPv6 aware. Virtually every CS
Re: (Score:2)
you absolutely could kill v4 without them noticing.
Obviously you have never tried. You are the uninformed idiot.
Re: (Score:2)
No, because there's no reason to do it. But you totally could if confronted with the person who thinks the "Internet" is Facebook and a "computer" is their cell phone.
You're just arguing red herrings though, because I never said that you SHOULD disable it, or even that doing so was desirable. You can't argue the merits of IPv6 so you need to put shit in my mouth to back up your silly head in the sand position because IPv6 is SCARY and NAT gives you the illusion of safety on v4.
Like I said, I look forwar
Re: (Score:2)
Re: (Score:2)
Less than goes wrong today.
"On public addresses" doesn't mean publicly accessible.
Re: (Score:3, Insightful)
Another poster said we "need IPv6". No, we don't. It's just one of several "hacks" to make it seem like we take IPv4 public address exhaustion seriously.
NAT is a hack to get 16 more bits out of IPv4's address space for non-serving consumer addresses. Server Name Indication and HTTP Host headers are another hack to route multiple webservices behind a single address using the standard ports 80 and 443.
IPv6 is not just a hack, it's an actual different network protocol which is showing increasing adoption.
The original problem wasn't a lack of IPv4 addresses, it was a lack of routing table size. CIDR and BGP[4] made that 1993 problem go away.
Originally there wasn't a lack of IPv4 addresses, now there is, and staying on IPv4 defeats any notion that the Internet is a peer network.
Sure, IPv6 will help. So will [...]
Returning / reclass
Re: (Score:2)
Re: (Score:2)
It wasn't. How on earth did you reach that conclusion?
There isn't enough address space in v4 to handle the number of devices that want to be on the Internet, and the cost of the workarounds needed in response to that is extreme and ever-increasing. That's why it was created.
Only about 43 class As were ever allocated. When IANA ran out of v4 space in 2011, we were going through a /8 every three weeks, so even every allocated /8 would only be about 2.5 years of allocations. A /8 just isn't that much space; ev
Re: (Score:2)
The original problem wasn't a lack of IPv4 addresses, it was a lack of routing table size. CIDR and BGP[4] made that 1993 problem go away.
There's literally a problem on the internet with the current routing table size causing latency, the protocol was not designed to be subdivided the way it is (it's why it's a set of numbers rather than one big one). The problem has not "gone away". We're just endlessly moving problems around rather than addressing the damn underlying cause.
There's never enough time or money to do it right, but there's always enough to fix it again.
Ok, who did he really piss off? (Score:3, Interesting)
Compared to some of the crap that has been going down lately where some crooks got off with billions with barely a slap on the wrist if (big if) they got caught, this is the equivalent of putting someone in front of a firing squad for stealing an apple.
Who did that guy piss off, or forget to bribe, that he gets made an example?
Probably even pettier than that. (Score:1)
It's almost as if having a large, militarized police backed by prosecutors with unlimited resources who often use their careers as a springboard into politics is a bad thing....
Re: (Score:3)
prosecutors with unlimited resources
If you think prosecutors -- even Federal ones -- have unlimited resources it's safe to assume you've never been a victim of a crime.
At the risk of bringing up politics and current events, one of the legitimate gripes Hunter Biden has, vis-à-vis his gun charge [apnews.com], while it technically is a Federal Felony, it is virtually never prosecuted as a standalone crime. Every single person in this country that smokes pot and owns a gun -- that's millions to tens of millions of people -- is guilty of this crime. Y
Re: (Score:1, Insightful)
he was an easy target for a quick conviction. Cops aren't there to keep you safe, they're there to arrest people and put them in jail. Those are the numbers people pay attention to. And crime is way, way down. But we keep throwing more money at them. They gotta do something to look productive. It's almost as if having a large, militarized police backed by prosecutors with unlimited resources who often use their careers as a springboard into politics is a bad thing....
Crime is NOT way, way down. Prosecution is way, way down due to activist DAs. The best way to make it looks like crime is down is to pretend like it doesn't exist.
Re: (Score:2)
"Douche nozzle" is implied by "Tech CEO" aka "Tech Bro", IMHO. It's always sweet to see one of them learn the hard way that the Government's dick is bigger than theirs. I imagine this douche nozzle [wikipedia.org] will be learning that lesson very soon and will earn a lot more than 4 to 5 years in Club Fed for his arrogance. He won't be going to Federal White Collar Resort Prison, like this article's douche nozzle, he'll be going to Federal Pound Me In The Ass Prison. :-)
Re: (Score:2)
Given how some "crypto bros" are still basically free...He probably forgot to bribe all the politicians.
It's unfortunate (Score:2)
What addresses? (Score:2)
Back in the 1990s I had 199.190.120.x and since my ISP shut down years ago I have never seen those IPs used by anyone again. Curious if he had those addresses.