Chapter 2: Denver By The Bay

Updated: 5/22/2008

Please see the related Washington Post story by Brian Krebs.

See also this related Washington Post story which talks about registrar Dynamic Dolphin.


Radio Days

Apparently, the folks responsible for the early experimental wireless Internet research project that Once Upon A Time was known as San Francisco Bay Packet Radio (which was apparently a project run out of the NASA Ames Research Center) have decided to take their show on the road, and this time well and truly out-of-town, specifically to the Denver suburb known as Westminster, Colorado. Or did they? Let's take a quick peek at the official ARIN WHOIS record for the 134.17.0.0/16 IP address block. Hummm... well now. That certainly is interesting! Headquarters for SF Bay Packet Radio up and moved about a thousand miles to the East, for no apparently good reason. Must have been one of those damn Left Coast earthquakes! Well, maybe not.

Could this apparent anomaly be attributable to an easily-explained record keeping snafu, or just some other trivial misunderstanding? Read on and decide for yourself.

The (new?) official contact person for the 134.17.0.0/16 IP address block, as shown in the aforementioned Official WHOIS registration record for that IP address block is apparently one Chad Montgomery, whose e-mail address is listed in the WHOIS record for the IP block as cmontgomery@sfbaypr.com. The domain sfbaypr.com itself was only registered relatively recently, i.e. on June 18th of last year (2007), and was registered to a Limited Liability Company calling itself SF Bay Packet Radio, LLC. Now, you'd think that a company with that name might be incorporated somewhere in the general vicinity of the San Francisco Bay Area, or at the very least, someplace in California, but you'd be wrong. SF Bay Packet Radio, LLC is apparently a Colorado entity (Westminster, CO, to be precise), as can be seen by looking at its official corporate registration record as provided by the Colorado Secretary of State's Web Site. (This Colorado version of SF Bay Packet Radio was also, apparently, only formed relatively recently, i.e. March 6th, 2007.)

Note that the 134.17.0.0/16 IP address block itself was originally registered way back on April 12th, 1989, a full 17+ years before the inception of either sfbaypr.com or Westminster-based SF Bay Packet Radio, LLC. The plot thickens!
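The date comparison made above can be turned into a routine check, shown here as an added example that is not part of the original article. The WHOIS text is constructed from the dates and names the article gives, with field names following ARIN and .com WHOIS output. The January 1997 legacy cutoff is the one the article cites further down, and the 5-year threshold and the control record are assumptions.

```python
import re
from datetime import date

LEGACY_CUTOFF = date(1997, 1, 1)  # article: blocks allocated before January 1997 are fee-free
MAX_GAP_YEARS = 5                 # assumption: tolerated lag between block and contact domain

# Constructed ARIN-style records. The first uses dates and names given in the article;
# the second is an invented control on a documentation prefix.
SUSPECT_NET = """\
CIDR:           134.17.0.0/16
OrgName:        SF Bay Packet Radio
City:           Westminster
StateProv:      CO
RegDate:        1989-04-12
OrgTechEmail:   cmontgomery@sfbaypr.com
"""
CONTROL_NET = """\
CIDR:           192.0.2.0/24
OrgName:        Example Lab
RegDate:        1990-02-01
OrgTechEmail:   noc@lab.example
"""
# Constructed domain WHOIS excerpts, keyed by domain name.
DOMAIN_WHOIS = {
    "sfbaypr.com": "Domain Name: SFBAYPR.COM\nCreation Date: 2007-06-18\n",
    "lab.example": "Domain Name: LAB.EXAMPLE\nCreation Date: 1991-05-20\n",
}


def parse_fields(text):
    """Parse 'Key: value' WHOIS lines into {lowercased key: [values]}."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\S.*)$", line)
        if m:
            fields.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return fields


def first_date(fields, key):
    """Return the first parseable ISO date stored under `key`, or None."""
    for value in fields.get(key, []):
        try:
            return date.fromisoformat(value[:10])
        except ValueError:
            continue
    return None


def full_years(earlier, later):
    """Whole years elapsed between two dates."""
    return later.year - earlier.year - ((later.month, later.day) < (earlier.month, earlier.day))


def assess(net_whois, domain_whois):
    """Flag legacy blocks whose contact e-mail domain is far younger than the block."""
    net = parse_fields(net_whois)
    reg = first_date(net, "regdate")
    report = {"cidr": net.get("cidr", ["?"])[0], "legacy": False, "findings": []}
    if reg is None:
        report["findings"].append("no RegDate; cannot assess")
        return report
    report["legacy"] = reg < LEGACY_CUTOFF
    domains = sorted({v.rsplit("@", 1)[1].lower()
                      for key, vals in net.items() if key.endswith("email")
                      for v in vals if "@" in v})
    for dom in domains:
        created = first_date(parse_fields(domain_whois.get(dom, "")), "creation date")
        if created is None:
            report["findings"].append(f"{dom}: no creation date available, verify manually")
        elif report["legacy"] and full_years(reg, created) > MAX_GAP_YEARS:
            gap = full_years(reg, created)
            report["findings"].append(f"{dom}: created {gap} years after block RegDate")
    return report


if __name__ == "__main__":
    for record in (SUSPECT_NET, CONTROL_NET):
        print(assess(record, DOMAIN_WHOIS))
```

A finding here is a prompt for manual review of the transfer paperwork, not proof of hijacking; organisations do legitimately change domains.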

Connecting The Dots

So what is really going on here? Is this a case of IP address block hijacking, also known as network identity theft? That would call for some speculation. All I can do here is to report the facts.

Here's what I can tell you... Are these all just amazing coincidences? You be the judge.

Dirt Cheap

Why would anybody ever want to steal a pre-existing already-registered IP address block that belongs (or that belonged, past tense) to somebody else anyway? Well, according to my sources, there are two potential reasons.

First, if you make off with somebody else's pre-existing IP address block, then you don't have to go through all of the hassle to justify (e.g. to ARIN) why you really and truly need a whole big batch of fresh new IP addresses. (That could be difficult to do if you're just a mass e-mailing company that wants say, 65,536 fresh IP addresses if, for example, you wanted to use them to help you to sneak past spam filters.)

Second and perhaps more importantly, if you manage to get control of an IP address block that was grandfathered in by ARIN... i.e. one that was allocated before January, 1997... then unlike newly allocated IP address blocks you don't have to pay a dime in annual fees for your shiny new IP address block. You can't get IP addresses at this low low price these days except by stealing... zero dollars and zero cents per IP address!

If An IP Address Block Falls In the Forest, And There's Nobody There to Hear It...

Of course, if a mass e-mail marketer did in fact abscond with an entire /16 IP address block, and if he/she/it didn't use it for anything, then what would be the difference, right? That would be a non-event.

Well, in point of fact, at the present time (Mon Apr 21 14:34:14 PDT 2008) it does appear that the 134.17.0.0/16 IP address block is being used for something, as evidenced by all of these 1,700+ web sites that are currently being hosted in that block.

Thick As Thieves

Tricking ARIN into assigning you your own /16 IP address block (consisting of 65,536 separate IP addresses) is actually not that hard. It's just a small matter of social engineering. You tell them that you are the original owner of the block, and the fine folks at ARIN just believe you, apparently.

The hard part comes when you have to find some legitimate or at least semi-legitimate company that has its own properly-registered Autonomous System Number (ASN) and who is willing and able to announce routes to your shiny new IP address block.

Fortunately for the recently minted, Colorado-based SF Bay Packet Radio, LLC, and for its apparent Denver area progenitor, Media Breakaway, these two companies together apparently had little trouble finding this willing participant to help them solve this part of the problem. This was a natural fit, given that this somewhat mysterious San Diego-based (but Nevada-registered) company, JKS Media, had already been supplying other Internet routing to most of the IP addresses used by Media Breakaway.

Underground Economy

Not that anybody much will care, of course, but it would appear that the owners of JKS Media, the somewhat mysterious San Diego-based but Nevada-registered company that's supplying the essential routing for the 134.17.0.0/16 IP address block never seem to have bothered to properly register their company with the California Secretary Of State's Office as required by law, even though their own web site makes it altogether clear that they are actually located in San Diego. So who cares if they messed up a small bit of bureaucratic paperwork? It's no big deal, right? Wrong!

By not registering their business in its true home state of California, whoever is behind this mysterious company has almost certainly completely avoided paying any California state taxes on this business, as required by law, probably for years. So they are basically getting a free ride. They enjoy all of the taxpayer-funded benefits of residing and doing business in California... roads, schools, bridges, the protection of California courts and Law Enforcement... but they are freeloading on the backs of other California taxpayers.

A Hole In The Wall... Literally

Evading taxes... if that is indeed what's going on here... is bad enough, but there's yet another reason why JKS Media might not have wanted to file any formal papers with the State of California. You see, unlike Nevada, the State of California insists on knowing where businesses in this state are actually being conducted and also who they are actually being conducted by. (You can avoid both of these small annoyances if all you have is a Nevada corporation or LLC. Nevada is way less nosey than most states when it comes to knowing the particulars of the businesses that are operating within Nevada.) As things stand however, this particular business (a) has no corporate registration... except one in Nevada which, under Nevada law is allowed to have utterly phony baloney information listed for its location and its ownership... and also (b) interestingly, this business, despite the fact that it provides routing for some major hunks of IP address space, appears to be doing business only out of a rented mailbox located at this commercial mail receiving facility in San Diego.

OK, so let's review... We've got a large /16 IP address block with ownership that is, at best, questionable, and it's being provided with routing by a somewhat mysterious company, JKS Media, allegedly located in San Diego, that may or may not be evading California State taxes, that apparently has no real or discernible physical location (except for a four inch by four inch rented mailbox, that is to say a literal hole in the wall) and that (as far as anyone on the outside can tell) may or may not be owned by Osama Bin Laden. (We can't know for sure who actually owns or runs this company because the State of Nevada allows Nevada corporations and LLCs to list only what Nevada euphemistically calls nominee officers... i.e. what the rest of us mere mortals usually call ``front men''... in the official corporate records that must be filed with the state).

I think that about covers everything. Hummm... well... on second thought, no, it doesn't.

Identity Crisis

Even if we ignore the fact that JKS Media, Inc., is providing routing both for Media Breakaway and also for the suspiciously registered IP address block, 134.17.0.0/16, there also appears to be a whole lot of other curious and inexplicable connections between these two supposedly separate business entities, i.e. JKS Media and Media Breakaway. For example...
  • Why is it that all of the routes to all of the IP address space currently being routed by (supposedly San Diego based) JKS Media all appear to pass through (and then dead-end near) routers located in the metropolitan Denver area, and yet none of them ever seem to go anywhere near the San Diego area?

  • Why is it that when you establish an SMTP connection to the primary (only?) incoming mail server for JKS Media you receive an SMTP greeting banner which gives you the domain name of a company called Wholesale Bandwidth... a company that various public bankruptcy filings indicate is actually owned by the owner of Media Breakaway? (If JKS Media is actually an independent and non-trivial provider of Internet services, then why isn't JKS Media willing or able to run its own mail server? It is highly unusual for any legitimate and actual Internet service provider to farm out responsibility for its own incoming mail to one of its own customers.)

  • Why is it that a search for all companies that are registered in Nevada and that have Mark Clements (i.e. the one and only registered corporate officer of JKS Media) as one of their corporate officers turns up a list of three companies, and yet when you look at the corporate registration details associated with the second of these companies you see that, paradoxically, the one and only registered corporate officer is now shown, not as Mark Clements, but rather as Scott Richter, owner of Media Breakaway? (Yes, the on-line records of the Nevada Secretary of State's office are obviously more than a little quirky, but this particular quirk seems to be revealing of an underlying clear connection.)

  • Why is it that the snail-mail address of the mailbox that is the alleged headquarters of JKS Media is further away from the Chula Vista business address of Mark Clements, the company's only registered director, than it is close to the downtown San Diego former law office of the current President of Media Breakaway, Steve Richter?

  • Why is it that although JKS Media has existed (allegedly in San Diego) since at least 2002, they never sent any representative(s) to any of the past annual or bi-annual ARIN meetings (even the nearby one in Los Angeles in October, 2005) yet they did manage to send a representative to the recent (April, 2008) ARIN XXI Meeting which was held in Denver?

  • Why is Vince Chavez, who is listed as one of the official technical contacts for JKS Media and who registered as a representative of JKS Media when he attended the recent ARIN XXI Meeting in Denver listed elsewhere (i.e. both here and here) as actually being an employee (Chief Technical Officer?) of Media Breakaway? (Actually, in this document the gentleman in question is listed as being both an employee of Media Breakaway and JKS Media at the same time.)

  • Last but not least, if JKS Media really is located in either San Diego or anyplace in Nevada (where it is registered) then why does this official record obtained from the RWHOIS server of Cogent Communications (which provides connectivity to JKS Media) show the location of JKS Media as a rented P.O. Box located at the very closest UPS Store to the Colorado headquarters of Media Breakaway?

    (Not that it really matters much to this overall story, but by sheer coincidence it appears that the Broomfield, Colorado based domain name registrar that Media Breakaway uses as the registrar for many of its domains, Dynamic Dolphin, also happens to do business out of a rented mailbox at that exact same UPS Store, just a few doors down.... err... I mean just a few boxes down from the address given in that RWHOIS record for JKS Media, i.e. boxes number 233 and 229, respectively. Just another coincidence, I'm sure.)
Yessiree! There do seem to be a number of very interesting, if not to say close connections between Media Breakaway and JKS Media. In particular, one cannot help but wonder if Vince Chavez is drawing salary checks from both companies at the same time.

Final Jeopardy Question: Is there what the legal folks would call a unanimity of interest between Media Breakaway and JKS Media? You be the judge. I am only reporting the facts, not opinions. (We can set aside for now the separate question of whether or not that apparently related domain name registrar, Dynamic Dolphin, may or may not also have a certain unanimity of interest with either Media Breakaway or JKS Media or both.)

A Hop, Skip, And A Jump

Independent of the various indicators of a possible unanimity of interest between Media Breakaway and JKS Media, there is at least one additional potential connection between the two companies. It doesn't really prove anything, but I mention it anyway, just in case someone else might find this additional clue useful.

As noted above, the current President of Media Breakaway is an attorney... and a very astute one, I might add... named Steven Richter. Mr. Richter used to practice law from his office in downtown San Diego. (He is also the father of Scott Richter, the founder and owner of Media Breakaway, so I guess one could say that Media Breakaway has become a kind of family business for them.)

Anyway, when you practice law, you may sometimes need the help of an outside Litigation Support Specialist. As it happens, there appears to be a lady named Lisa Clements in nearby Chula Vista... just south of San Diego... who appears to be running an unregistered business that happens to specialize in this exact sort of thing. And... umm... oh! I'm sure these are just coincidences too... Ms. Clements' last name just happens to be the same as that of Mark Clements, i.e. the guy who is the only publicly-identified officer of JKS Media. Also, Ms. Clements just happens to have her office at the exact same Chula Vista residential address where Mr. Mark Clements, the only director of JKS Media, has apparently conducted at least one of his prior businesses.

Small world. Then again, maybe Ms. Clements and Mr. Clements, both of whom seem to be doing business out of the exact same residential address, are related in some way. Anything's possible.

Going Global, Without Leaving Home

Every time I think that I'm done writing this story, another new angle crops up.

It now appears that ARIN may not have been the only Regional Internet Registry to have been duped into assigning an abandoned IP address block to some insubstantial front for either Media Breakaway or JKS Media or both. In fact it looks to me like the European Regional Internet Registry, RIPE, may also have handed over control of a /18 netblock, i.e. 16,384 separate IP addresses, under equally questionable circumstances. That's quite a hunk of IP address space!

The IP address block in question is the 89.255.192.0/18 IP address block, which is associated with something calling itself the ZAO Russian Telecommunications Group but which, for reasons unknown, appears to exist only in New York, and which, also for reasons unknown, appears to have an alter ego name of openaccesscolo.net aka Open Access Colo, Inc., an alleged ``corporation'' whose only available contact information appears to be a mailing address of 1383 6th Ave, New York, New York 10019... which is nothing more than a UPS Store drop-box... and a contact telephone number of 212-372-7710, which appears to lead to nothing more than a slightly clever answering machine.

Note that I used the term alleged corporation above. I use that terminology because, as far as I can tell, this supposed Open Access Colo corporation doesn't actually exist... at least not in this country (US). It is not registered with state-level authorities in the State of New York, nor with the authorities of any other state within these United States as far as I have been able to determine. In short, it is, apparently, a phantom, a ghost, unreal. And even more interestingly, the former company web site (which was taken down, mysteriously and shortly after the publication of this story) for this phantom of a company, Open Access Colo, gave all appearances of being just a hacked-up (and almost certainly ripped-off) copy of an old/prior version (available in The Wayback Machine) of this legitimate web site belonging to an apparently unrelated legitimate Pennsylvania web hosting company. (So much for copyright laws!)

Also, and by another rather spectacular coincidence, the ethereal not-quite-company calling itself openaccesscolo.net... which is apparently trying to make itself look like a real Internet services company... also (and remarkably), just like JKS Media, doesn't seem to even be able to handle running its own inbound mail server, opting instead to let the previously mentioned Wholesale Bandwidth (also owned by the owner of Media Breakaway) process its incoming mail for it. (As a general rule, legitimate ISPs do not tend to farm this kind of stuff out.)

Maybe They're Renovating

OK, so here's where the story starts to get really interesting... Apparently, the guy who wrote the O'Reilly Spamkings Book was kind enough to archive this dump of RIPE membership records as they existed circa October, 2005. If you search down within that listing for the string ru.org-tp17-ripe you'll see that back then (Oct. 2005) there was an organization known as the ZAO Tekcom Project that was directly associated with the Russian domain name org-tp17-ripe.ru. Stay with me now! Fast forward to today and look at the current RIPE membership list. Search again for the same string as before, i.e. ru.org-tp17-ripe, and you'll find that nowadays it is associated with something called ZAO Russian Telecommunications Group (see above) and that for reasons unknown, RIPE has annotated this (former?) RIPE member company as being closed.

OK, so why is any of this at all important? Well, at the very least, it shows us that the current mystery company ZAO Russian Telecommunications Group... which is allegedly Russian, but which actually only seems to exist within the confines of a rented P.O. Box in New York... had a different name earlier in its lifetime, and that name was ZAO Tekcom Project. So it used to have a different name. Big deal! So who cares... right?

Well, a small bit of Googling turns up the fact that Tekcom Project, circa 2005, wasn't exactly a stranger to spam. In fact, Tekcom Project and its former IP range of 194.126.188.0/22 were alleged to have been rather directly connected to major-league criminal spammer and soon-to-be guest of the United States federal government Robert Alan Soloway.

From New York, With Love

The important take-away here isn't so much that the notorious criminal spammer Soloway may be involved with the current goings on within the 89.255.192.0/18 IP address block... he almost certainly isn't, since he is languishing in a jail cell awaiting final sentencing at the moment... but rather, that the exact same mystery ``Russian'' folks who are currently occupying... properly or otherwise... the 89.255.192.0/18 IP address block are apparently also and simultaneously doing business with Media Breakaway and JKS Media. Specifically, the mystery Russians appear to be leasing to Media Breakaway several substantial hunks of IP address space, all of which are, conveniently enough, being provided routing by JKS Media, so that, in effect, the mystery Russians appear to sit in the food chain somewhere between Media Breakaway and JKS Media. (Any go-between sitting between Media Breakaway and JKS Media... let alone a phantom Russian one... would seem to be unnecessary, since it appears that Media Breakaway and JKS Media share at least one employee in common anyway, i.e. Vince Chavez.)

There still remains the question of who, if anybody, is the legitimate and current owner of the 89.255.192.0/18 address block. Apparently, it is a company (ZAO Russian Telecommunications Group) that even RIPE itself considers closed. So that begs the question... Who the bleep have they (RIPE) given control of the 89.255.192.0/18 block to, exactly?

It appears that even RIPE itself may not be too awfully sure about the answer to this question. It might be Olga, who RIPE has listed as the contact person for the 89.255.192.0/18 IP address block, but it looks like Olga doesn't have any actual office... preferring to do business out of her New York City P.O. Box... and it also appears that Olga doesn't like to answer her phone much... like maybe not at all. If you ever manage to reach her, or any live human at all at Olga's New York phone number, please let me know. Good luck. (I'd like a Unicorn for my birthday too, if you wouldn't mind.)

Ripe Or Rotten?

So is RIPE as easy to snooker out of IP address space as ARIN apparently is? Is there any other plausible explanation for why a good sized chunk of IP address space which is supposedly allocated to a Russian company (which itself appears to do business only out of a rented P.O. Box in New York City) never gets routed anywhere near either Russia or New York and instead appears to dead end somewhere near Denver?

And what ever happened to the alleged impending crisis of the world running out of IP addresses? If phantom companies, operating out of P.O. boxes, and lacking any real existence whatsoever... except on paper... can get their own /16s and /18s every day of the week, then it's no wonder the world is running out of IP addresses.