I once applied for a position at what I found out to be a spam marketing company. In order to send their spam they worked with a local hosting company that would take unused legacy IP addresses and put them in their router so the spam could be sent over them. They would just burn the IPs and move on to the next set. My job would be to update their firewall with the new IPs, update their mailing software with the current set of IPs each day. They made their own mailing software; it had an interface like a stoplight where red meant the mail wasn't going out, yellow a lot of it was getting blocked (so move to the next IPs) and green is things are good. I didn't end up taking the position. This was around 12 years ago.
> In order to send large numbers of emails from an IP address -- you need to gradually ramp up number of emails sent
As a spammer you would not go for dedicated IP; you would rather want to use a shared pool as pissing in a big pool plenty of people who hold their liquids to themselves will help your pee to be less visible and detectable.
Here are samples of my spam box from this week so far, courtesy of Sparkpost (their complaint/spam/abuse mailbox is probably going into null, as I have never received a single response and majority of spam I see these days comes from them)
It is not hard to identify each abuser, my point is that in a large pool you will have lots of small abusers to go through and vet. When someone is using dedicated IP that's what it is. It's dedicated, so you immediately know whether the actor acts in bad faith or not (perhaps sent a few more-than-usually-spam-looking messages).
I don't know what's going on with Sparkpost honestly. I actually uncovered a large international scam artist (CNN did an investigative reporting on similar one milking population to the tune of $400MM/annum) with over 30 dedicated IPs running through Sparkpost network, but frankly they don't care. I reported that multiple times and also tried to talk to them about it over Twitter but they quickly banned me. I think their rules in terms of anti-spam/anti-scam are more guidelines than rules they abide by. I would imagine someone with such vast setup brings tens of thousands of dollars in revenue, so that makes sense why they would turn a blind eye. It's sad actually, the CNN reporting was about broken families and suicides that were to some degree a result of emails' content that perpetrators sent (like romance-type scams sent to seniors in hopes of getting them to send money overseas).
I guess if Rich Harris sleeps well at night knowing his company abides in scam artists pushing senior citizens into taking their own lives, then the business continues as usual. But it's sad IMHO nonetheless...
I wonder if governments could somehow vouch for email addresses being a little like verified Twitter accounts, so that we can have a good whitelist of legit email addresses.
Right now it seems Gmail is benefiting from the chaos because they have the training data that allows them to know if a mail is spam. I just wish that the internet could adopt more security standards and processes. You can't trust only Google now.
Whistleblowing is the last of my concerns. I live in Italy and PEC is a thing, it’s a government certified email with legal value.
Technical rules for the formation, transmission and validation are mandatory: read receipts are automatic.
To use the service you must have a PEC box with one of the authorized managers. The publication of the list of authorized operators, the supervision and coordination is entrusted to the “Agency for digital Italy” (AgID).
This means that every citizen with a PEC is paying to obtain an email from a bunch of friends of friends of the government, in a market with virtually no competition, and that your mailbox is heavily surveilled but left unsecured.
To be fair, email is a very poor medium for whistleblowers in any case.
The notion of a regulated "official" communications channel (akin to postal mail) for bills and such isn't a terrible idea, although it would make more sense to build something new for this. Email has too many weaknesses to be a good choice.
I always wondered if someone had created a biz for the purpose of hoarding IPv4 with intent to “sell them”. We talked about this kind of abuse back in the 90s when I worked for a hosting company. Part of my job was filling out ARIN templates and SWIP and all that nonsense. Justification was easy, but it occurred to me how easy it would be to fake requests and just pay the trivial fees. There were already some businesses buying up smaller companies for access to their old legacy allocations. Then the massive cloud build-outs started and IP consumption became a real concern.
I find the CFC situation to be rather interesting because it not only made it illegal to intentionally release them into the atmosphere (which would, if anything, just cause people to release them from things like old fridges and ACs even more frequently so as not to be caught with the "prohibited substance"), but by stopping production and keeping it legal to continue to use, created a market for recovering/reselling/reusing that helps to keep them out of the atmosphere.
It's the difference between saying "it's bad for the environment so don't release it", and "it's rare and valuable so don't let it escape, but recover, resell, and reuse" --- not everyone believes in global warming or cares as much about the former, but the latter is a powerful motivation.
If carbon was placed under a cap and trade system, where it had a price, and entities which emit CO2 pay for that privilege, then that externality won't be so external, those who do the most damage pay the highest price, and those who can perform carbon capture and storage can realise a revenue stream.
I know someone who was hoarding banned freon and selling it on the side. The government eventually had caught on that people were doing it, but they also understood that punishing people even harder for selling it wouldn't work. So instead they started to provide incentives to convert refrigeration units to not use that kind of freon. It's been a few years so not sure how effective that was, but I thought it was interesting.
Yes, it's easy to buy, but as I mentioned in another comment here, the price compels everyone to be cautious in using it and not let it escape. You can even find plenty of DIY videos on YouTube of people building their own refrigerant recovery machines (basically a compressor and a tank), so I'd say everyone recognises the importance of not just venting it into the atmosphere.
The last time I heard, the EPA certificate is itself very easy to obtain too; the fee is around $20, and it's a short open-book multiple-choice exam. Not really a hindrance considering that a gauge set and vacuum pump, which is obligatory if you intend to do anything with refrigeration, costs far more.
I think carbon taxes are the opposite of what the OP is talking about. Carbon taxes are artificial barriers to using fossil fuels.
On the other hand, when technology improves so that electric cars cost less per mile than gasoline cars, people won't necessarily buy them to be green, they'll buy them because they're a cheaper form of transportation that happens to be greener.
Same with wind and solar power. When a solar farm on 10 acres of land can produce more energy than a coal plant on the same 10 acres, then power companies will build them instead of coal - not to be "green", but to make more money.
Carbon taxes aren't artificial barriers. There are real costs to emitting carbon. Putting a price on negative externalities helps align incentives properly so the people making the coal plant have to consider the full costs of their actions.
Why not talk to the coal plant owner directly? Or how about the other 100(!) private citizens living around the world who control the companies that are responsible for 70% of the greenhouse emissions of the entire Earth?
Talking to them doesn't change the economic incentives. No matter how stern of a talking to I give them, they'll still be making a large personal profit at the expense of a larger cost spread across everyone else.
Do you think no one has tried talking to any of these people about climate change yet?
> Carbon taxes are artificial barriers to using fossil fuels.
> On the other hand, when technology improves so that electric cars cost less per mile than gasoline cars, people won't necessarily buy them to be green, they'll buy them because they're a cheaper form of transportation that happens to be greener.
Carbon taxes are like trash disposal fees. If your business dumps trash into the landfill or carbon into the atmosphere, the public should not have to subsidize your business by paying for that. You should pay to manage your own waste.
Gas cars are cheaper than electric at least partly because we're all subsidizing them by allowing them to dump waste for free into the air that we all own, and paying on their behalf for all the damages that causes (asthma, climate change, flooding, etc). A carbon tax would remove that subsidy and make fossil fuels compete on a level playing field.
And yes, once the subsidy is removed, the market can sort it out.
> When a solar farm on 10 acres of land can produce more energy than a coal plant on the same 10 acres
This is energetically impossible, I'm afraid. Even if you count the area of the plant plus the area of its corresponding mine and the transport links between them. Because the energy density of coal is so incredibly high.
On the other hand, now that Drax has switched to burning wood, you might get more energy efficiency from the same (huge) area of woodland by direct solar farming instead. Annoyingly I can't find any numbers, other than an estimate that if Drax was limited to domestic wood (rather than importing it from the US, using oil-fired shipping) it would consume every tree in the UK within a year.
As we're running out of time we ideally need both to happen, but it's good that green tech is becoming increasingly more financially viable. As a little gem, just about all reports from the SA Tesla battery installation make for simply fantastic reading.
Cars are a red herring. Even gasoline and diesel cars aren't really contributing that much to world pollution compared to the real culprits, such as ocean liners and huge cargo ships. These ships alone pollute more than all the cars on Earth.
What do you think about going after the things that are actually harmful, instead of following a red herring? I mean, sure, cars should of course be dealt with also, but if you really want to lower carbon emissions fast, then shouldn't we go for the big fish first?
Politicians trying to save the environment:
Politician #1: Um, I can't think of anything. Can you?
Politician #2: I got it! Let's make a new tax! It'll annoy these guys, while we'll insure our state jobs, and it'll make state finances look a ton better for all posterity!
Politician #1: Yeah, that sounds really great and all, umm, but will it fix the problem with greenhouse gases?
Politician #2: Don't be silly! This is as good a reason to make the state richer as any.
What's happening right now is absolutely unprecedented and it will kill a lot of people. It's demoralizing how even within a crowd that's supposed to value science we have people waving away what's happening right now.
In idle moments, I daydream of a wager where people who are concerned about climate change bet with those who are unconcerned. If climate change turns out to be mild, the unconcerned get the money. If it's severe, they die.
A scheme in Northern Ireland (colloquially known as "Cash for Ash") was set up where heating properties using renewable fuels (mainly biomass) was subsidised, only the subsidy was priced higher than the cost for fuel causing people to heat empty properties just to claim the subsidy. The whole thing cost almost half a billion pounds.
There have been huge allegations of fraud and it even brought down NI's power-sharing executive (~ the regional government) in 2017.
There's an initiative in Guatemala where land owners are paid an amount of money every year for each acre of their land that they reforest.
Naturally, land owners immediately started clear-cutting virgin rainforest, selling the lumber, and then collecting a payout from the government for planting pine trees that they'll raise for 10 years before they'll cut them down for lumber too.
That's a really interesting effect! Thank you for making me aware of it! However it should be noted that the reason it backfired, was because people exploited a weakness in the system, so to speak. It could even be that they did something illegal and fraudulent, since the bounties were obviously for animals that weren't bred in captivity, and for wild animals that were properly killed so they wouldn't be able to procreate. Thus the question remains on whether the measures had effective ways of dealing with such fraud, or whether that would make the whole thing more expensive than other measures.
I had an 88 Chevy Pickup Truck that used the old style freon (R12). Man that stuff worked so good. In 100 degree heat that truck would stay nice and cold. It took over 20 years before the alternatives were competitive.
Propane makes a good substitute for R12 with very little modifications. I wouldn't use it inside a home or anything like that, but I have used it to make older vehicles blow cold.
It's extremely good refrigerant. The biggest problem people have is that it ends up too cold and icing up the system.
It sounds dangerous, but it's really not. Propane is only flammable with the correct mixture of air. Otherwise you couldn't light it with a blow torch. Even if you have a leaky system it isn't going to leak fast enough to cause an issue. Also propane is significantly heavier than air so anything that leaks out is going to go to ground. And the amount of propane you use is not very significant.
Cars that end up having issues with propane are typically home built propane fuel conversions with no ventilation under the tanks or connections. The propane can then pool in the low places and build up enough to cause an explosion.
Proponents of propane as refrigerant claim that it's not more dangerous than the 10 gallons of gasoline in the gas tank. I'm not sure I agree. Since propane is heavier than air, it doesn't dissipate as quickly as, say, natural gas would.
And while it's true that you need the right mixture of propane and air for it to ignite, with the right mixture, you've got a fuel-air explosive formed right next to an ignition source (the car's engine and battery).
Like propane, gasoline fumes are also heavier than air. This becomes a problem in boats, where propane and/or gasoline fumes "collect" down in the hull with no natural ventilation path. Boats with propane stoves or gasoline motors need gas detectors and ventilation to ensure dangerous (suffocating or exploding) levels don't build up below decks...
I used to work at a company that recovered and decommissioned freon. If some tech came by with a cylinder filled with R12 it would many times mysteriously disappear from storage. Probably because it sells for an insane price and is very rare in my region.
There is an active, mature market for IPv4 addresses (just google "IPv4 address broker"), so it stands to reason that there are people hoarding them for speculation.
It's not free money, of course -- it's entirely possible that the value goes down, as things that reduce the pressure on the IPv4 address space slowly come online (CGNAT and IPv6)
That said, I'm a bit confused by this story. ARIN ran out of addresses in 2015, and it was my impression that since then you can't just get IPv4 addresses for free from them, which is why the above-mentioned markets exist. So, how were they able to keep running this scam after 2015?
IIRC you can get a laughably small number from ARIN if you say the right things, and you could get a slightly less laughable number in the past. Try saying you're an ISP and all your customers are dualstack already but you need 128 v4 addresses for compatibility or CGNAT or your DNS caches or something.
I work for a UK based ISP. We have millions of unused addresses, largely because back in the 90s they were practically giving them away. We're still expanding and using up new IPs daily, but we often sell blocks when the department needs a boost...
Wow, I dealt with this guy / company Micfo LLC at my previous employer a few years back. He had our DC announce a range and all his documents checked out. Some other dude reached out to our ipadmin address saying we were announcing his range. The Micfo guys had forged the documents or something shady and we removed the announcement for his range. He was very upset and claimed the other party was sour over some deal. He ended up leaving when we pushed back on him announcing new ranges. He provided more excuses on why he didn't have things than actual documentation. He tried to come back a couple years later but we told him to kick rocks.
US prison sentences are ridiculously long in general.
In principle the key word is supposed to be "up to", the judge is supposed to use their discretion.
In practice, it's used as a lever to force plea deals. If you waste the government's time and money with a trial, you probably still won't win, but now you will be doing up to 20 years. Sign here and spare us the trial and you'll get 5 years.
Of course then you have the people who are truly innocent but are forced to plea out anyway at threat of spending a significant chunk of their lives in jail...
There is also the view that extreme prison sentences are supposed to be a deterrent and thus are unfair by nature. If you know you are at risk of spending 20 years in jail, you won't do the crime. Of course in many cases criminals do not really consider the risk of getting caught, and likely wouldn't know the exact penalties for a given crime anyway...
American tax payers stand to save a lot of money by adopting the Scandinavian model for their prison system, particularly because of the use of much shorter sentences, and heavier use of fines (a lash to the pocket is often a far better deterrent than a long prison sentence). This opens up for better rehabilitation, and much less recidivism. In turn that means shorter queues which means a clear cut in the expenses needed to maintain all those prisons. In the end, it's a win-win for the state, tax payers and the prison inmates themselves. Only prison wardens would disapprove. ;)
> There is also the view that extreme prison sentences are supposed to be a deterrent and thus are unfair by nature. If you know you are at risk of spending 20 years in jail, you won't do the crime. Of course in many cases criminals do not really consider the risk of getting caught, and likely wouldn't know the exact penalties for a given crime anyway...
I'm pretty sure it has been proven multiple times over that harsher sentences don't reduce crime. They serve just as retribution.
The prison industry is huge. The prison guard union even lobbied against decriminalization, it is nuts. Most every jail releases inmates right after midnight so they can charge the state for a full extra day. It is a business.
At some point it involved violence. It's one of those things where he provided a service that did not follow the regulations that were in part placed there to prevent crime. His violations of these regulations allow other criminals to piggyback off of him by using his services. Spammers, VPNs, and other services which criminals can use - especially with forged IP address ranges - to commit crimes. He is a middle man, and by not following regulations, he assisted all of those crimes.
Consider craigslist, they are protected by safe harbor laws because they comply with regulations and laws, even though criminal activity passes over their servers, it's a level that is deemed acceptable by society for the service they provide (given they are well regulated). When laws like FOSTA/SESTA get passed and change those regulations, some services will shut down (because they are no longer complying).
Which is why he probably deserves a larger sentence (though others have pointed out the ridiculousness of the US sentencing system and I don't disagree).
And we can't. Because this person failed to follow the regulations that allow for that to be proven.
It's like if I ran a car rental business, and I stole license plate numbers from random cars or made them up, and then kept no records. And then when convicted and charged you were like "but you have to prove that those license plates were used for crime". How? The whole point of the crime was to obfuscate and prevent that very action of tracking the license plates.
Which is why he isn't going to jail for any additional criminal acts. But he is getting a very long sentence for the crime he committed because his crime was particularly egregious in enabling other crimes and preventing them from being discovered or tracked.
While I'm more for rehabilitation than retribution, $10M - rough value of the stolen IPs - is a staggeringly large amount of money, around 4x the average lifetime earnings of a college graduate.
$10M can save a lot of lives, and $10M missing from shareholders' accounts and not going into employee benefit plans for healthcare etc. might very well end some. Framing that as nonviolent... is correct by the letter of the law, but it's not the way I'd frame it first and foremost.
I think the better framing is the amount of fraud, abuse, and second hand criminal activity this person enabled. His violations of the regulations allowed criminals to piggyback off of that and get away with crimes more easily.
Link Updated May 15, 2019: "Charleston Man and Business Indicted in Federal Court in Over $9M Fraud" — "The indictment charges that, through this scheme, defendant obtained the rights to approximately 757,760 IP addresses, with a market value between $9,850,880.00 and $14,397,440.00."
I love that they desperately tried to file for a restraining order the day before Christmas.
Why do grifters like this always get so defensive? If he'd just played it cool he would absolutely have had time to wind down his operation and move the money somewhere safe. Now he's just going to go to jail.
One thing that is annoying is that ARIN recently raised the amount of money it costs to maintain a /24. I was unexpectedly hit with a $500 bill when previous prices were $100. Was quite annoying considering there is very little cost in providing these allocations (they really beef up their headcount). Been thinking about trying to get on the board but it is near impossible.
I've often wondered how much of the IPv4 address space is legacy allocations that are not at all being fully utilized. Perhaps the market for IPv4 addresses has worked this out, and anyone that has such an allocation has cashed in.
There are tons of legacy allocations from the 90's and earlier that are not being routed / utilized. Many are also assigned to defunct entities. To confirm this, you can poke around WHOIS a little bit. Because many of them actually predate ARIN's formation in 1997, they are considered "legacy" allocations and aren't charged a fee by ARIN unless the organization has opted into an agreement.
Here's one, it's under S-MOS Systems, Inc. (SMOSSY) which was bought by Epson the printer company. Somebody registered the domain when it expired and sold the company + "IPs" to a company I worked at in the NOC. When we went to ARIN to set everything up for rDNS, ARIN pushed back and said you do not own these, Epson owns this range. The company that sold the IPs disappeared with the money. The smos.com registration lapsed and some Chinese company immediately registered the domain.
Quite a few years ago the security team of the organisation I worked at didn't have our internal vulnerability scanning services automated. It relied on them capturing the IPv4 addresses (specifically the /32's, not the subnets) and manually entering them into the engine.
Our security team mistyped a handful of these addresses and instead of the scan running across our internal infrastructure, we scanned Walmart's external-facing infrastructure in the US from Australia.
These scans were happening semi-regularly for a period of a few weeks before we received a cease and desist and the sec. team realised their error. I'm still rather surprised more didn't come of it.
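A guard against the failure described in the comment above, as an added example that is not part of the thread: hand-typed scan targets are checked against an approved scope before a job is built, and the job fails closed if any entry falls outside it. The function names, the scope ranges and the sample entries are all constructed for illustration.

```python
import ipaddress

# Constructed internal ranges the organisation is authorised to scan (assumption).
AUTHORIZED_SCOPE = ("10.20.0.0/16", "172.16.40.0/24")

# Constructed operator input: a duplicate with stray whitespace, a dropped digit
# (10.2.x instead of 10.20.x), a public address from the documentation range
# standing in for a mistyped external host, and an invalid octet.
SAMPLE_ENTRIES = [
    "10.20.4.17",
    "10.20.4.17 ",
    "10.2.4.17",
    "172.16.40.0/25",
    "198.51.100.23",
    "10.20.300.1",
]


class OutOfScopeError(ValueError):
    """Raised when a target list contains anything outside the approved scope."""


def check_targets(entries, scope=AUTHORIZED_SCOPE):
    """Return (accepted, rejected) for a list of hand-typed targets.

    accepted: sorted, de-duplicated network objects lying inside the scope.
    rejected: list of (raw_entry, reason) tuples, in input order.
    """
    allowed = [ipaddress.ip_network(cidr) for cidr in scope]
    accepted, rejected = set(), []
    for raw in entries:
        try:
            # strict=True refuses CIDRs with host bits set, e.g. 10.20.1.5/24.
            net = ipaddress.ip_network(raw.strip(), strict=True)
        except ValueError as exc:
            rejected.append((raw, f"unparseable: {exc}"))
            continue
        # In scope only if the target lies entirely inside one approved range;
        # the version check avoids comparing IPv4 against IPv6.
        if any(net.version == a.version and net.subnet_of(a) for a in allowed):
            accepted.add(net)
        else:
            rejected.append((raw, "outside authorised scope"))
    ordered = sorted(
        accepted, key=lambda n: (n.version, int(n.network_address), n.prefixlen)
    )
    return ordered, rejected


def build_scan_job(entries, scope=AUTHORIZED_SCOPE):
    """Fail closed: produce a target list only if every entry is in scope."""
    accepted, rejected = check_targets(entries, scope)
    if rejected:
        details = "; ".join(f"{raw!r} ({why})" for raw, why in rejected)
        raise OutOfScopeError(f"scan not started, fix these entries: {details}")
    if not accepted:
        raise OutOfScopeError("scan not started, no targets supplied")
    return [str(net) for net in accepted]


if __name__ == "__main__":
    ok, bad = check_targets(SAMPLE_ENTRIES)
    print("accepted:", [str(n) for n in ok])
    for raw, why in bad:
        print("rejected:", repr(raw), "-", why)
```

Rejecting the whole job, rather than silently dropping the bad entries, forces the typo to be corrected by the person who made it instead of leaving an intended host unscanned.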
No, I haven't heard of anyone being criminally charged for ping, but I have known someone whose ISP cut them off and he had to go through an onerous process to get service restored. I've also heard of people that use EC2 instances and get their AWS account terminated.
I don't use Scaleway or Online.net, as they're known for ignoring abuse reports. Other hosts like OVH tend to forward abuse reports and deal with repeat offenders, a good middle ground between AWS's draconian policies and Scaleway's.
Adding to sibling comments, some networks are extremely heavy-handed at self-regulating host discovery. Back when I was on AS88, I once got a warning alleging that I was performing suspicious port scans. I acquired a report of my “suspicious” activities from the admin, and turns out all I did was connecting to port 22 of some two dozen hosts I rented from a handful of VPS providers across North America and Europe. Of course the warning was dropped after my explanation, but I found it pretty crazy.
Not sure if it's related or not but I was receiving spammy e-mails for a while from "Admiral Hosting":
"Mike Watson here, from Admiral Hosting. I'm touching base regarding a business opportunity. Have you ever thought about turning your IP's into profit on a monthly basis? Admiral Hosting handles dozens of such B2B projects and its dedicated technical team oversees each project’s implementation."
The link is http, so you're using something (perhaps HTTPS Everywhere?) which is converting it to an https link.
According to the Qualys SSL tester (https://www.ssllabs.com/ssltest/analyze.html?d=www.circleid....), the IPv6 server for www.circleid.com has "Certificate not valid for domain name" (and the IPv4 server gets an F grade), so you're probably either using IPv6, or using IPv4 with a browser which no longer accepts the obsolete TLS 1.0 version.
UPDATE May 15, 2019: "Charleston Man and Business Indicted in Federal Court in Over $9M Fraud" – United States Department of Justice issues a statement announcing Amir Golestan, 36, of Charleston, and Micfo, LLC, were charged in federal court in a twenty-count indictment. The indictment charges twenty counts of wire fraud, with each count punishable by up to 20 years imprisonment.
Is ARIN going to assign these to people who are waiting? I certainly haven't seen 2960 /24s being released. They have NOT announced anything like this. Maybe they will "transfer" them for $13 to $19 per IP with a third party facilitator?
I'm at a home connection from a normal provider in Brazil (third world country) and my router assigns a public IPv6 for each connection. I think all big providers have IPv6 enabled by default over here.
It's already viable to supply IPv6 only mobile with NAT64 (see T-Mobile US). I'm aware that many residential ISPs are putting everybody behind CGNAT; and there's some amount of push towards LTE for residential internet, so I suspect IPv6 with a transition mechanism is already viable for home connections.
Anyway, given the number of people who have effectively no choice in home connections, what are we going to do when the incumbent provides us with IPv6 only? LTE or Satellite is going to be even less likely to give me a real IPv4 address.