In message <[email protected]>, John Curran <[email protected]> wrote:
>ARIN does not issue resources to organizations absent a real and substantial >connection to the ARIN region. I would certainly hope that this would be so, since that *is* ARIN's written policy, however the set of facts I'm looking at suggest that this is not always true. I call your attention to the case of the ARIN member organization denoted as "SL-206" aka "1337 Services LLC" which is the current registrant of AS54990, assigned by ARIN, and also the registrant of the 198.167.192.0/19 IPv4 block, also assigned by ARIN to this member. ------------------------------------------------------------------------- OrgName: 1337 Services LLC OrgId: SL-206 Address: P.O. Box 590, Springates East, Government Road City: Charlestown StateProv: Nevis PostalCode: Country: KN RegDate: 2012-12-11 Updated: 2012-12-11 Ref: https://rdap.arin.net/registry/entity/SL-206 ------------------------------------------------------------------------- Although the Caribbean nation of Nevis & St. Kitts (KN) is most assuredly within the ARIN gergraphic service region, I confess that I am not entirely persuaded that this particular member organization actually has the requsite "substantial connection" to the ARIN region which would permit it to obtain or to retain either ARIN membership or ARIN resources. NRPM Section 9 lists eight different indicators of a "substantial connection" to the region. The seventh of these is explicit in noting that mere incorporation in the region is insufficent to establish the required "substantial connection" to the ARIN region: * Demonstrating that the entity has a registered corporation in the ARIN region, although this factor on its own shall not be sufficient. On that basis I am obliged to inquire as to what other indicator(s) of a "substantial connection" to the ARIN region is/are possessed by this member organization. A diligent search for any such on my part has turned up none at all, other than the high probability that this entity was incorporated via an "offshore" incorporation firm in Nevis & St. Kitts... a firm which has apparently also lent its P.O. box mailing address to numerous other shell companies which are using the exact same mailing address. (Thank you Google!) In addition to the highly dubious nature of its alleged domicile, it is, I think, worth of nota also that routing to the entirety of this organization's ARIN-assigned IPv4 address block (198.167.192.0/19) appears to currently be provided by a Finnish company named "abstract" via AS39287. Also, traceroutes to random IP addresses within this block appear to dead end somewhere in the nordic region of Europe, most likely Sweden: ... 13 linx-10ge.lon1.uk.portlane.net (195.66.225.159) 152.769 ms 155.131 ms 154.441 ms 14 be-5.cr3.ams1.nl.portlane.net (80.67.4.225) 159.697 ms 159.874 ms 164.165 ms 15 be-4.cr1.mal4.se.portlane.net (80.67.4.239) 169.469 ms 169.371 ms 170.246 ms 16 80.67.1.121 (80.67.1.121) 169.788 ms 170.777 ms 171.708 ms 17 r.vpn.njalla.net (198.167.192.13) 171.209 ms 169.793 ms 169.998 ms 18 * * * 19 * * * 20 * * * ... Conversely, this organization's ARIN-assigned ASN (AS54990) appears at present to be providing routing only to the following two RIPE-assigned IP blocks: 185.193.124.0/24 2001:67c:235c::/48 and these blocks are themselves registered to (a) a Swedish entity going by the name "Njalla" (for the IPv4 block) and (b) in the case of the IPv6 block, the aforementioned "abstract" company, allegedly located in Finland. I should perhaps mention also that traceroutes to random IP addreses in the 2001:67c:235c::/48 block are also highly suggestive that the physical infrastructure supporting this address block is likely located somewhere in Europe, with the traceroutes passing at least through the Netherlands, and that various web-accessible geolocation services place the address 185.193.124.1 either in the vicinity of Oslo, Norway, or, in the case of Neustar's geolocator service, Malmo, Sweden. These facts, I'm sorry to say, leave me altogether unpersuaded that the corporate entity designated in ARIN records via handle SL-206 has the kind of "substantial connection" to the ARIN region that is allegedly necessary for its ongoing membership, let alone the lear regional connection needed to justify this corporation's currently assigned ARIN number resources. Current reverse DNS for the entire 185.193.124.0/24 block also does not appear to be indicative of any real or material connection to the ARIN region: 185.193.124.1 1-you.njalla.no 185.193.124.2 1-you.njalla.no 185.193.124.33 2-can.njalla.in 185.193.124.34 2-can.njalla.in 185.193.124.230 ns2.sarek.fi In point of fact, this corporate entity, although incorporated in the rather notoriously opaque Caribbean nation of Nevis & St. Kitts, known as much for shell companies as for its sunny beaches, does appear to have rather more of a connection to Europe that it does to North America. In addition to all of the foregoing facts there is also the identity and location of the contact person for the RIPE-assigned 185.193.124.0/24 block which is currently routed by AS54990. That IPv4 block is itself allegedly located somewhere on the remote, isolated, glacier-covered, and uninhabited Bouvet Island (BV) in the far Southern Atlantic: ----------------------------------------------------------------------------- netnum: 185.193.124.0 - 185.193.124.255 netname: NJALLA-NET remarks: ______ ___ ___ remarks: _____________ ___ ______ / / / / _____ remarks: _____\ \ \__\_\___ \/ / / /_\___ \ remarks: _____/ \ / / / _ / /_/ // _ / remarks: ____/ // /\/ / / / / / / / remarks: ___/ __//__/ /\_______\____\___\_______\ remarks: ___\/ \____/ remarks: remarks: A hut, on a pole, in a Sapmi forest, made of wood, to protect. remarks: remarks: https://njal.la remarks: remarks: (Please provide us with better art at ascii at njal.la) remarks: abuse-c: NJ1301-RIPE descr: Njalla country: BV admin-c: BKP-RIPE tech-c: BKP-RIPE status: ASSIGNED PA mnt-by: BKP-MNT created: 2017-11-30T21:48:29Z last-modified: 2017-11-30T21:56:53Z source: RIPE person: Peter Kolmisoppi address: Box 4111, 203 12 Malmo address: Sweden mnt-by: BKP-MNT e-mail: [email protected] phone: +46 40 62 13 000 nic-hdl: BKP-RIPE created: 2008-08-12T01:54:31Z last-modified: 2017-03-03T18:05:55Z source: RIPE ----------------------------------------------------------------------------- The Mr. Peter Sunde Kolmisoppi mentioned in the records above has somewhat of a colorful personal history, it seems, and not in any particularly savory way... https://en.wikipedia.org/wiki/Peter_Sunde If I am reading the information at the above link correctly, I do believe that it is a fair inference that Mr. Kolmisoppi was tried, convicted, and sentenced to prison in Sweden, some years ago now, for having been just a bit too liberal with other people's private property. (Although some may admire him for this, I am not among them.) All that having been said, it would appear that Mr. Kolmisoppi has paid his debt to society for his past criminal missteps, and thus I personally have no reason or basis for any concern about his past. I am however somewhat alarmed at what would appear to be his current connections to what may perhaps be some so-called "carding forums", i.e. web sites where cybercriminals buy, sell, and trade in stolen credit card numbers and associated data (e.g. CVV). Specifically, the domain name briansclub.shop is currently receiving DNS services from the following name servers which would apper to be owned by, or at the very least associated with the company named "Njalla" (see above) which itself would appear to be strongly connected to Mr. Kolmisoppi: 1-you.njalla.no 2-can.njalla.in 3-get.njalla.fo Seprately and additionally, the domain names jokerstash.ms and jokerstash.tk currently receive DNS services from the following set of name servers which also appear to be connected to both Mr. Kolmisoppi and to the 185.193.124.0/24 RIPE-assigned address block previously mentioned above: 1-ceci.njalla.do 2-nest.njalla.ma 3-pas.njalla.in For the record, "Joker's Stash" is the nom de guerre of a collection of well- known carding sites that has been written about extensively by my friend, journalist Brian Krebs: https://krebsonsecurity.com/2016/03/carders-park-piles-of-cash-at-jokers-stash/ Similarly, "Brian's Club" is yet another nom de guerre used by yet another motley and criminal collection of so-called "carding" sites: https://krebsonsecurity.com/2020/04/how-cybercriminals-are-weathering-covid-19/ It is my sincere hope and belief that all of the foregoing information should be more than adequate to demonstrate that the Nevis & St. Kitts corporate entity known as 1337 Services LLC lacks the requsite "substantial connection" to the ARIN region necessary for it to have ever become an ARIN member in the first place, let alone to remain one now. If however the case is still in the least bit unclear I would like to draw attention also to the person who is the designated Tech, Admin, and Abuse contact for SL-206 and thus also for the ARIN-assigned ASN AS37560 and also the ARIN-assigned 198.167.192.0/19 IPv4 address block: --------------------------------------------------------------------------- Note: ARIN has attempted to validate the data for this POC, but has received no response from the POC since 2022-02-28 Name: Watson, Nyahn Handle: WATSO41-ARIN Company: Address: P.O. Box 590, Springates East, Government Road City: Charlestown StateProv: NEVIS PostalCode: Country: KN RegDate: 2012-12-10 Updated: 2021-02-28 Phone: +1-869-414-4111 (Office) Email: [email protected] Ref: https://rdap.arin.net/registry/entity/WATSO41-ARIN --------------------------------------------------------------------------- (Note that the contact phone number listed above is currently disconnected.) It is perhaps not entirely coincidental that a simple google search for the name "Nyahn Watson" turns up the fact that a gentleman having that exact name is also the Admin and Tech contact for the AFRINIC-assigned organization identifier ORG-CS10-AFRINIC (Cyberdyne S.A.) which would appear to be located Monrovia, Liberia, on the continent of Africa: ---------------------------------------------------------------------------- organisation: ORG-CS10-AFRINIC org-name: Cyberdyne S.A. org-type: LIR country: LR address: Broad Street 80 address: Monrovia e-mail: [email protected] phone: tel:+231-4-713-432 phone: tel:+1-425-906-4769 admin-c: AP39-AFRINIC admin-c: NW2-AFRINIC tech-c: NW2-AFRINIC mnt-ref: AFRINIC-HM-MNT mnt-ref: CyberdyneSA-MNT mnt-by: AFRINIC-HM-MNT notify: [email protected] changed: [email protected] 20130218 changed: [email protected] 20171006 changed: [email protected] 20171113 changed: [email protected] 20180202 changed: [email protected] 20210708 source: AFRINIC person: Nyahn Watson address: Broad Street 80 address: Monrovia address: Liberia phone: tel:+231-4-713-432 e-mail: [email protected] e-mail: [email protected] e-mail: [email protected] nic-hdl: NW2-AFRINIC mnt-by: GENERATED-WVURFBJ8EPYM0NQF6GHLKDUQS7QK9DL3-MNT changed: [email protected] 20121122 changed: [email protected] 20170524 changed: [email protected] 20180202 changed: [email protected] 20180202 changed: [email protected] 20191219 source: AFRINIC ---------------------------------------------------------------------------- Needless to say, having one's Tech, Admin, and Abuse contacts physically in Africa also would not seem to provide the required "substantial connection" to the ARIN region needed for 1337 Services LLC to either become or to remain an ARIN member. On the basis of all of the foregoing, and for the sake of the law abiding Internet user community which prefers not to see ARIN bending rules in order to support online criminal enterprises, even if only indirectly, I respectfully request that you, John, and other ARIN staff, as ncessary, review this case with an eye towards terminating this membership, if warranted, and with an eye towards reclamation of the associated number resources at the earliest possible date, in accordance with existing ARIN policy. Separately and additionally, I would like to understand how such a blatant case as this managed to slip through the cracks with regards to policy enforcement. How many other corporate entities have been accepted for membership by ARIN staff on the basis of mere shell company incorporations within the region where the deception could have been seen (or could now be seen) as readily apparent, simply by googling the asserted corporate mailing address and seeing if dozens or hundreds of other companies are also asserting their residence at that same address? Regards, rfg _______________________________________________ ARIN-PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List ([email protected]). Unsubscribe or manage your mailing list subscription at: https://lists.arin.net/mailman/listinfo/arin-ppml Please contact [email protected] if you experience any issues.
