Re: [anti-abuse-wg] Massive prefix theft in AFRINIC - attributed to an insider
On 13/12/2019 13:38, Ronald F. Guilmette wrote:

> In message <9c7d5885-f4e5-5c00-9523-bcc3a3b6a...@efes.iucc.ac.il>, you wrote:
>
>> Again, great work Ron!
>
> Thanks much Hank. I wish that I could get some journo in Israel to cover this, and maybe go and put some questions to the man who ended up with most of this looted IPv4 address space, i.e. a certain Mr. Elad Cohen (netstyle.co.il / netstyleservers.com), a member in good standing of RIPE, of course.

and now standing for the Executive Board: https://www.ripe.net/participate/meetings/gm/meetings/may-2020/confirmed-candidates

-Hank

> I tried to make that happen, but got nowhere. :-( Oh well, I guess that there are some different corruption stories that are getting all of the ink these days in Israel... just as there are here in the U.S., at present, I'm sorry to say.
>
> There's yet another member in good standing of RIPE whose fingerprints are also all over this mess. I'll just have to hope that eventually Interpol or Europol might take an interest in this case and maybe start asking these guys some rather pointed questions about it all. That's the only hope, I'm afraid. I'm frankly not in the least bit persuaded that RIPE will ever demonstrably give a shit about any of this.
>
> The last time I looked, the various folks, mostly Russian, who were running the networks responsible for the massive `3ve' clickfraud scam... which I had also publicly outed before LE caught up to them... were also all still members in good standing of RIPE, and those guys were formally indicted by the U.S. DoJ:
>
> https://www.whiteops.com/press-releases/3ve-google-whiteops-online-fraud
> https://www.justice.gov/usao-edny/pr/two-international-cybercriminal-rings-dismantled-and-eight-defendants-indicted-causing
>
> Regards,
> rfg
>
> P.S. This stuff that took place down in the AFRINIC region arguably isn't even on-topic for this list and/or this WG. It's kind-of like "meta-abuse", or some such thing. Anyway, this isn't our usual spammers and/or hackers story.
Re: [anti-abuse-wg] Massive prefix theft in AFRINIC - attributed to an insider
In message <9c7d5885-f4e5-5c00-9523-bcc3a3b6a...@efes.iucc.ac.il>, you wrote:

>Again, great work Ron!

Thanks much Hank. I wish that I could get some journo in Israel to cover this, and maybe go and put some questions to the man who ended up with most of this looted IPv4 address space, i.e. a certain Mr. Elad Cohen (netstyle.co.il / netstyleservers.com), a member in good standing of RIPE, of course.

I tried to make that happen, but got nowhere. :-( Oh well, I guess that there are some different corruption stories that are getting all of the ink these days in Israel... just as there are here in the U.S., at present, I'm sorry to say.

There's yet another member in good standing of RIPE whose fingerprints are also all over this mess. I'll just have to hope that eventually Interpol or Europol might take an interest in this case and maybe start asking these guys some rather pointed questions about it all. That's the only hope, I'm afraid. I'm frankly not in the least bit persuaded that RIPE will ever demonstrably give a shit about any of this.

The last time I looked, the various folks, mostly Russian, who were running the networks responsible for the massive `3ve' clickfraud scam... which I had also publicly outed before LE caught up to them... were also all still members in good standing of RIPE, and those guys were formally indicted by the U.S. DoJ:

https://www.whiteops.com/press-releases/3ve-google-whiteops-online-fraud
https://www.justice.gov/usao-edny/pr/two-international-cybercriminal-rings-dismantled-and-eight-defendants-indicted-causing

Regards,
rfg

P.S. This stuff that took place down in the AFRINIC region arguably isn't even on-topic for this list and/or this WG. It's kind-of like "meta-abuse", or some such thing. Anyway, this isn't our usual spammers and/or hackers story.
Re: [anti-abuse-wg] Massive prefix theft in AFRINIC - attributed to an insider
On 13/12/2019 11:10, Fi Shing wrote:

Again, great work Ron!

-Hank

> https://krebsonsecurity.com/2019/12/the-great-50m-african-ip-address-heist/
>
> - Original Message -
> Subject: Re: [anti-abuse-wg] Massive prefix theft in AFRINIC - attributed to an insider
> From: "Michele Neylon - Blacknight"
> Date: 12/6/19 1:14 am
> To: "Suresh Ramasubramanian", "anti-abuse-wg@ripe.net"
>
> Great work from Ron
>
> Sad to see this happen, though it was to be expected considering how much IPs are now worth
>
> --
> Mr Michele Neylon
> Blacknight Solutions
> Hosting, Colocation & Domains
> https://www.blacknight.com/
> http://blacknight.blog/
> Intl. +353 (0) 59 9183072
> Direct Dial: +353 (0)59 9183090
> Personal blog: https://michele.blog/
> Some thoughts: https://ceo.hosting/
> ---
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
>
> On 04/12/2019, 19:43, "anti-abuse-wg on behalf of Suresh Ramasubramanian" wrote:
>
>> Congratulations, Ron Guilmette. You’ve been doing this for years and this is your biggest success yet.
>>
>> https://mybroadband.co.za/news/internet/330379-how-internet-resources-worth-r800-million-were-stolen-and-sold-on-the-black-market.html
>>
>> tl;dr - The insider is apparently Ernest Byaruhanga, AFRINIC employee #2, and he has now separated from AFRINIC
>>
>> --srs
Re: [anti-abuse-wg] Massive prefix theft in AFRINIC - attributed to an insider
https://krebsonsecurity.com/2019/12/the-great-50m-african-ip-address-heist/

- Original Message -
Subject: Re: [anti-abuse-wg] Massive prefix theft in AFRINIC - attributed to an insider
From: "Michele Neylon - Blacknight"
Date: 12/6/19 1:14 am
To: "Suresh Ramasubramanian", "anti-abuse-wg@ripe.net"

Great work from Ron

Sad to see this happen, though it was to be expected considering how much IPs are now worth

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
http://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845

On 04/12/2019, 19:43, "anti-abuse-wg on behalf of Suresh Ramasubramanian" wrote:

> Congratulations, Ron Guilmette. You've been doing this for years and this is your biggest success yet.
>
> https://mybroadband.co.za/news/internet/330379-how-internet-resources-worth-r800-million-were-stolen-and-sold-on-the-black-market.html
>
> tl;dr - The insider is apparently Ernest Byaruhanga, AFRINIC employee #2, and he has now separated from AFRINIC
>
> --srs
Re: [anti-abuse-wg] Massive prefix theft in AFRINIC - attributed to an insider
Great work from Ron

Sad to see this happen, though it was to be expected considering how much IPs are now worth

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
http://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845

On 04/12/2019, 19:43, "anti-abuse-wg on behalf of Suresh Ramasubramanian" wrote:

> Congratulations, Ron Guilmette. You’ve been doing this for years and this is your biggest success yet.
>
> https://mybroadband.co.za/news/internet/330379-how-internet-resources-worth-r800-million-were-stolen-and-sold-on-the-black-market.html
>
> tl;dr - The insider is apparently Ernest Byaruhanga, AFRINIC employee #2, and he has now separated from AFRINIC
>
> --srs
Re: [anti-abuse-wg] Massive prefix theft in AFRINIC - attributed to an insider
On 04/12/2019 21:42, Suresh Ramasubramanian wrote:

> Congratulations, Ron Guilmette. You’ve been doing this for years and this is your biggest success yet.
>
> https://mybroadband.co.za/news/internet/330379-how-internet-resources-worth-r800-million-were-stolen-and-sold-on-the-black-market.html
>
> tl;dr - The insider is apparently Ernest Byaruhanga, AFRINIC employee #2, and he has now separated from AFRINIC
>
> --srs

Kudos Ron! Just a shame the RIRs themselves don't have each an investigative arm to do this kind of research.

-Hank
Re: [anti-abuse-wg] Massive prefix theft in AFRINIC - attributed to an insider
Let me join Suresh in congratulating you, Ron. It is very hard to obtain meaningful results in this kind of affair. Yet here, the hard-earned results have been impressive. Hats off.

Best regards

From: anti-abuse-wg [anti-abuse-wg-boun...@ripe.net] on behalf of Ronald F. Guilmette [r...@tristatelogic.com]
Sent: Thursday, 05 December 2019 0:50
To: anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] Massive prefix theft in AFRINIC - attributed to an insider

I am obliged to thank my friend Suresh for his kind words. I have indeed been trying, for lo these past 20+ years now, to chase spammers and other miscreants off the Internet. It has rarely been easy, but there have been occasional gratifications. Today is one such. But this story is not yet complete, and I have miles to go before I sleep.

I am also obliged to post one small but important correction to what Suresh said. Suresh said that Ernest Byaruhanga "has now separated from AFRINIC." That's not really entirely accurate. He has resigned, but as noted in the story on mybroadband.co.za, he is currently still employed by AFRINIC and is currently serving out his notice period.

Neither I nor my co-pilot on this story, South African journalist Jan Vermeulen, have any information about whether or not, at this moment, Mr. Byaruhanga still retains unfettered read/write access to the AFRINIC data base. (I think that it is not at all inaccurate to say that multiple AFRINIC officials that we contacted in regards to this story have been rather entirely less than forthcoming with us as we tried to get to the bottom of all of these matters.)

Regards,
rfg
Re: [anti-abuse-wg] Massive prefix theft in AFRINIC - attributed to an insider
I am obliged to thank my friend Suresh for his kind words. I have indeed been trying, for lo these past 20+ years now, to chase spammers and other miscreants off the Internet. It has rarely been easy, but there have been occasional gratifications. Today is one such. But this story is not yet complete, and I have miles to go before I sleep.

I am also obliged to post one small but important correction to what Suresh said. Suresh said that Ernest Byaruhanga "has now separated from AFRINIC." That's not really entirely accurate. He has resigned, but as noted in the story on mybroadband.co.za, he is currently still employed by AFRINIC and is currently serving out his notice period.

Neither I nor my co-pilot on this story, South African journalist Jan Vermeulen, have any information about whether or not, at this moment, Mr. Byaruhanga still retains unfettered read/write access to the AFRINIC data base. (I think that it is not at all inaccurate to say that multiple AFRINIC officials that we contacted in regards to this story have been rather entirely less than forthcoming with us as we tried to get to the bottom of all of these matters.)

Regards,
rfg
[anti-abuse-wg] Massive prefix theft in AFRINIC - attributed to an insider
Congratulations, Ron Guilmette. You’ve been doing this for years and this is your biggest success yet.

https://mybroadband.co.za/news/internet/330379-how-internet-resources-worth-r800-million-were-stolen-and-sold-on-the-black-market.html

tl;dr - The insider is apparently Ernest Byaruhanga, AFRINIC employee #2, and he has now separated from AFRINIC

--srs