He did keep track though of which VPN operator used which range at any given time, so perhaps the "true originators" could be traceable after all, assuming the VPN owners were willing to co-operate. In any case, he is only being prosecuted for (1), and the immediate reason for this is that a couple of US politicians were hacked with attacks originating from these addresses.
The publicly discussed components here are but a small piece of a complex and sloppily run scam organization.
Look up the judgements under these businesses over the years at various web hosts. These companies would enter long contracts and eventually stop paying.
From what I understand he was attributed many IPs by creating shell companies and rented these IPs to VPN providers.
This is in the FAQ at https://news.ycombinator.com/newsfaq.html and there's more explanation here:
https://news.ycombinator.com/item?id=10178989
https://hn.algolia.com/?sort=byDate&dateRange=all&type=comme...
I "obtained" 2^32 IPv4 addresses pretty easily; not sure if it's legitimate or not:
  for addr in range(2**32):
      print('.'.join([str(addr >> (i << 3) & 0xFF) for i in range(4)[::-1]]))
Edit: Well, this was unpopular. In case it's too subtle, my point is that the title is terrible.
Consider the headline "obtained 800k email addresses illegitimately". Would you really assume that this meant they were able to receive email at those addresses, or just that they'd obtained the addresses?
Well, my understanding is any data is ‘personal data’ if you can use it to identify a user, can be combined to identify a user or can be aggregated to an identified user.
For example, lists of addresses themselves are not personal data. Everybody has access to addresses, you can get them at the post office for example when you try to look up the code for the address.
But a list of addresses of creditors (i.e. address + some non-identifying context information) is personal data.
I do not know GDPR well but given just that example I would say there is some more nuance.
Think about if the title said "800K email addresses obtained illegitimately", and what you would interpret the meaning of that to be.
This seems like a particularly weird hill for you to repeatedly die on.
>printf("$100");
For IP addresses, I would think they got an assignation as well, because IP numbers without assignations are worthless.
It all depends on the context.
Perhaps he violated the terms and conditions of his contract with ARIN and should have had the assignments cancelled but where does the criminality come in?
Creating shell companies is not illegal, using a name for yourself that isn’t your legal name is not illegal, doing either of those things in order to trick people into giving you money is.
Are there grey areas? Sure. In particular there's a passive sort of deceit in which you let people assume things that you know aren't true, to your benefit. Mostly the law holds that it's their mistake for not asking, and anyway they'd usually be far too embarrassed to make a fuss if they realise their error.
I don't see that here, the plan was explicitly to trick the RIR into giving them resources they were otherwise not entitled to. Those resources were for everybody to share, they're stealing from you and it's appropriate to prosecute for fraud.
Have you seen a list of all telco companies that are together AT&T which exist solely to allow AT&T to limit liability, create a separation of entities to qualify under some rules for some other entities, etc?
When MCI Worldcom filed for bankruptcy the list of the entities that it covered took a couple of pages in major newspapers.
Pull down the whole court doc, it’s pretty clear his intentions.
The last time I looked, which was a couple of years ago, there was nothing in the ARIN TOS that said "you can only control one entity that applies for resources".
Joe Schmoe Enterprises, Inc, Joe Schmoe, LLC, Joe Schmoe Fishing Services, Inc are different legal entities even if Joe Schmoe, Jr owns all of them.
I presume the specific problem will have been when Joe Schmoe lied on the paperwork for IPv4 delegation to Joe Schmoe Fishing Services not mentioning that Joe Schmoe, LLC already has also applied, as has Joe Schmoe Enterprises, Inc. I'm not in ARIN's region, so I haven't seen their paperwork, but analogous paperwork in RIPE for example asks you about Related Entities because you're not entitled to duplicate resources just by asking more than once.
Except if you're a magician, of course!
The goal is to create a scenario in which the audience knows they were tricked but can't figure out how. So you don't lie and say this is a random audience member when it's actually an employee "stooge". But when you're giving the genuinely random audience member a "free choice" of cards you don't need to explicitly tell the audience that, duh, as a magician you're not giving anybody a truly "free choice" of anything actually and you knew immediately which card they picked even without seeing it. That sort of thing.
The legal system does not operate like a computer program.
This is possible only because, while ICANN charges each registry when they acquire a domain, ICANN refunds that if they give the domain back within some time period.
[1] https://www.icann.org/registrar-reports/accreditation-qualif...
I didn't know there was a formal term for this. Splitting up money transfers to avoid detection of large sums moving around.
I've looked up wire fraud in the US and it seems to come with some properly serious penalties:
Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice, shall be fined under this title or imprisoned not more than 20 years, or both. If the violation affects a financial institution, such person shall be fined not more than $1,000,000 or imprisoned not more than 30 years, or both.[4]
The Wikipedia page says a "puff piece" is journalistic puffery. Neat, I hadn't made that connection.
Advertisement tends to deal in opinions, not facts. And where specific factual claims are made against better knowledge it does constitute fraud, and is occasionally prosecuted. See Volkswagen's emissions claims, for example. Or, just this week, some hand sanitiser got hit by the FDA for claiming protection against Ebola and Coronavirus.
They knew exactly what they were doing.