Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

Corporate identity theft is a simple ploy which may be used to illicitly
obtain valuable IPv4 address space. Actual use of this fraudulent ploy
was first described publicly in April, 2008 (https://wapo.st/2YLEhlZ).

Quite simply, a party bent on undertaking this ploy may just search
the publicly available IP block WHOIS records, looking for abandoned and
unrouted IPv4 address blocks belonging to companies or organizations
which no longer exist. Upon finding any such, the thief may simply
undertake to formally register, with relevant government authorities,
a new corporate entity with the same or a very similar name as the now
defunct entity that is still listed in the WHOIS records as the registrant
of the coveted IPv4 address block(s).

Note that so-called "legacy" address blocks, i.e. those which were
assigned prior to the formation of ARIN in early 1997, are especially
prized by IPv4 address thieves because such blocks may be less subject
to effective control or regulation by Regional Internet Registries.

Publicly available evidence strongly suggests that a corporate identity
theft has occurred with respect to a former Delaware corporate entity
known as Azuki, LLC and also with respect to its valuable legacy IPv4
address block, 216.179.128.0/17.

The corporate search function of the Delaware Secretary of State's web
site may be used to obtain records relevant to corporate entities
registered in Delaware:

    https://icis.corp.delaware.gov/Ecorp/EntitySearch/NameSearch.aspx

At present, the Delaware SoS's web site indicates that there are or have
been two different corporate entities, both named Azuki, LLC, that have
been registered in the State of Delaware. The file numbers for these
entities are 2810116 and 4751384.

The former entity was first registered in Delaware on or about 10/20/1997.
Its current operating status cannot be known without paying a fee. My
own personal speculation is that it most likely ceased operation well
more than a decade ago.

The latter entity was registered in Delaware on or about 11/9/2009.

According to the current live ARIN WHOIS record for the 216.179.128.0/17
address block (NET-216-179-128-0-1), this block was first allocated by ARIN
to Azuki, LLC on or about 1999-01-07. Quite obviously, this assignment
must have been made by ARIN to the original 1997 Azuki, LLC because the
one that was registered in Delaware in 2009 did not yet exist at that time.

Nonetheless the mailing address currently present in the ARIN WHOIS
record for the 216.179.128.0/17 IPv4 address block, and the one which
is also present in the ARIN WHOIS record for the 2009 vintage ASN,
AS13389 (Azuki, LLC), i.e. 3500 South DuPont Hwy, Dover, DE, 19901,
matches exactly with the address given in Delaware corporate records
for the particular Azuki, LLC that was registered in Delaware in 2009.
(The corporate address that is still on file in Delaware for the original
1997 Azuki, LLC is located in a different Delaware city altogether.)

These evident inconsistencies, by themselves, are strongly indicative
of a probable case of corporate identity theft. Additional indicators
are however also present in this case.

In particular, the contact email address for both the Azuki, LLC ASN
(AS13389) and the Azuki, LLC IPv4 address block (216.179.128.0/17), i.e.
tech_dep (at) azukinet.com, makes reference to the azukinet.com domain
which was, according to the relevant GoDaddy WHOIS record, registered
anew on or about 2011-05-12, some twelve years -after- the original
assignment, by ARIN, of the 216.179.128.0/17 block to Azuki, LLC.

The absence of evidence of the continuous registration of this one and
only contact domain name since the original 1999 assignment, by ARIN,
of the 216.179.128.0/17 address block also tends to support the theory
that this valuable address block has been illicitly and perhaps illegally
appropriated by some party or parties unknown, and specifically via the
fraudulent ruse of a corporate identity theft. Quite simply, my theory
is that following the demise of the original Azuki, LLC, sometime in
the 2000s, some enterprising crook registered the domain name azukinet.com
in order to successfully impersonate the actual and original Azuki, LLC,
specifically when interacting with ARIN staff members. This simple ruse
appears to have worked successfully for its intended purpose.

Additionally, attempts to call the contact phone number for Azuki, LLC,
(+1-213-304-6809) as currently listed in both the relevant ASN and the
relevant IP block WHOIS records, during normal business hours, Eastern
Daylight Time, yield only an anonymous answering machine recording.
(The recorded message does not even state the company name.) This is
yet another indicator of possible deliberate deception.

Last but not least, the widely-respected Spamhaus anti-spam organization
has had the entirety of the 216.179.128.0/17 block listed on its anti-spam
SBL list since 2019-06-08, i.e. two full months, dating backwards from today:

    https://www.spamhaus.org/sbl/query/SBL103083

This listing, together with additional data from passive DNS and reverse
DNS scans, suggests that the 216.179.128.0/17 block has been and is being
used for less than entirely admirable purposes. This is yet another
persuasive indicator of the possible/probable theft of the block.

I will shortly be informing both hostmaster (at) arin.net and also the folks
at Spamhaus of all of the above factual findings. I did however want to
share this information also with the NANOG community. Some or all of
you may wish to drop all packets from addresses currently announced by
AS13389, and/or may wish to encourage the direct peers of AS13389 to
review those peering arrangements. Of course, my exposition of all of
the above facts and indicators may perhaps also serve to further educate
members of the community regarding what to look for when and if suspicions
are cast upon a particular IP block or ASN.

In the 2008 case referenced above, which involved self-evident corporate
identity theft as a ruse to steal IPv4 address assets, ARIN apparently
elected not to actively seek the involvement of law enforcement, even
though the multiple clearly fraudulent actions undertaken in that case
were altogether apparent and were clearly perpetrated quite deliberately
and directly against ARIN.

In multiple more recent instances in which ARIN has, allegedly, been
targeted and defrauded, ARIN appears to have become more proactive in
seeking the involvement of criminal law enforcement. Specifically,
in addition to the well-publicized, notorious, and ongoing "Micfo"
case, a less well reported federal criminal case (3:18-cr-04683-GPC),
filed in the Southern District of California last year, is currently
ongoing. This case also and likewise attempts to hold to account,
criminally, a different set of actors who also are alleged to have
perpetrated a rather elaborate fraud against ARIN for the purpose of
illicitly obtaining control over a number of IPv4 address blocks.

Personally, I am gratified that ARIN is nowadays taking this more forward
leaning posture towards those criminal actors who would attempt to use
fraud and deception to surreptitiously obtain IPv4 address blocks.
I do also hope that if the tentative conclusions of this public report
are borne out by subsequent investigation, that ARIN will again and
likewise seek an appropriate response from elements of the criminal
law enforcement community. We cannot have and should not have these
kinds of events happening again and again. Some appropriate deterrence
against ALL of these kinds of crooks is therefore no longer optional.

Regards,
rfg
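
The cross-checks described in the post above, written out as an added example (not part of the original post and not ARIN tooling). The WHOIS text is a constructed sample laid out like ARIN output using the values quoted in the post; the function names, flag names and record layout are assumptions made for illustration.

```python
import re
from datetime import date

# Constructed sample in the layout of ARIN WHOIS text output. Values are the
# ones quoted in the post; the NetRange is derived from the /17.
SAMPLE_WHOIS = """\
# constructed sample, not a live query result
NetRange:       216.179.128.0 - 216.179.255.255
CIDR:           216.179.128.0/17
NetHandle:      NET-216-179-128-0-1
RegDate:        1999-01-07
OrgName:        Azuki, LLC
Address:        3500 South DuPont Hwy
City:           Dover
StateProv:      DE
PostalCode:     19901
OrgTechEmail:   tech_dep (at) azukinet.com
"""

# Facts gathered by hand from the state registry and the domain WHOIS.
# The 1997 entity's street address is not given in the post, hence None.
ENTITIES = [
    {"name": "Azuki, LLC", "file": "2810116", "formed": date(1997, 10, 20),
     "street": None},
    {"name": "Azuki, LLC", "file": "4751384", "formed": date(2009, 11, 9),
     "street": "3500 South DuPont Hwy"},
]
DOMAIN_CREATED = {"azukinet.com": date(2011, 5, 12)}


def parse_whois(text):
    """Parse 'Key: value' lines; repeated keys (e.g. Address) are joined."""
    rec = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*\S)\s*$", line)
        if not m:
            continue  # comment or blank line
        key, value = m.groups()
        rec[key] = f"{rec[key]}, {value}" if key in rec else value
    return rec


def norm(s):
    """Lower-case and collapse punctuation/whitespace for loose comparison."""
    return re.sub(r"[^a-z0-9]+", " ", s.lower()).strip()


def email_domain(addr):
    """Return the domain of an address written with '@' or ' (at) '."""
    return re.split(r"\s*(?:@|\(at\))\s*", addr.strip())[-1].lower()


def indicators(whois, entities, contact_domain_created):
    """Return the list of inconsistency flags for one WHOIS record."""
    reg = date.fromisoformat(whois["RegDate"])
    flags = []

    # More than one registered entity carries the registrant's name.
    same_name = [e for e in entities
                 if norm(e["name"]) == norm(whois["OrgName"])]
    if len(same_name) > 1:
        flags.append("MULTIPLE_ENTITIES_SAME_NAME")

    # The WHOIS street address belongs to an entity that did not yet exist
    # when the block was registered.
    street = norm(whois.get("Address", ""))
    for e in same_name:
        if e["formed"] > reg and e.get("street") and norm(e["street"]) == street:
            flags.append("ADDRESS_MATCHES_ENTITY_FORMED_AFTER_ALLOCATION")

    # The only contact domain was registered after the block was.
    created = contact_domain_created.get(
        email_domain(whois.get("OrgTechEmail", "")))
    if created and created > reg:
        flags.append("CONTACT_DOMAIN_CREATED_AFTER_ALLOCATION")
    return flags


if __name__ == "__main__":
    record = parse_whois(SAMPLE_WHOIS)
    for flag in indicators(record, ENTITIES, DOMAIN_CREATED):
        print(record["CIDR"], flag)
```

Each flag is a lead to check against historical registration data rather than a finding; the live record shows only the current registrant fields.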

Thought you may find these connections with the 3500 South DuPont Hwy, Dover, DE, 19901 address interesting.

https://offshoreleaks.icij.org/nodes/14014038

Thank you,

Kevin McCormick

Further investigation of this case obliges me to post the following
correction and retraction.

Additional evidence now strongly suggests that the 216.179.128.0/17
IP address block has NOT been "stolen" as I had suggested yesterday.
I simply mis-read the ARIN historical registration ("WhoWas") data
with respect to this block.

In fact, the ARIN historical "WhoWas" registration data for this
block indicates that when the block was first assigned, by ARIN...
which the historical WhoWas records show as occurring on 06-24-2002...
the block was assigned to a Southern California company named HHSI, Inc.

Records available on the California Secretary of State's web site
indicate that this company was first registered with the State of
California 02/11/2002. Oddly, some seven years would pass after the
registration of this California corporation before any documents
were filed with California which would designate any officers of
the company. On 03/02/2009 however a filing was made indicating
the President of the company was a gentleman named Koji Ban.
Additional corporate filings in subsequent years indicate that
both Mr. Ban and the company, HHSI, Inc. were located at 20 Arches,
Irvine, CA 92603.

On or about 02-17-2010 the public WHOIS record for the 216.179.128.0/17
block was changed so that instead of designating HHSI, Inc. (California)
as the block's registrant, the WHOIS record for the block would henceforth
say instead that the registrant of the block was the 2009 vintage
Delaware LLC called Azuki, LLC.

Unfortunately, we cannot read too much into this change that was made
to the block's public-facing WHOIS record. Neither the new WHOIS info
nor even the old WHOIS info can be used to reliably infer who or what
is the legitimate registrant of the block at any point in time. This
is because ARIN, like all of the other Regional Internet Registries,
allows registrants to put essentially any bovine excrement they desire
into their public-facing WHOIS records. (And, it should be noted, the
man behind the recent large scale "Micfo" fraud apparently availed
himself of this exact opportunity for subterfuge, in spades.)

Regardless, the available records suggest that there are only two likely
possibilities in this case:

     1) On or about 02-17-2010 HHSI, Inc. (California) transferred the
        registration of the 216.179.128.0/17 block from itself to the
        2009 vintage Delaware entity Azuki, LLC. If this is what happened,
        then it is likely that the transfer was performed in violation
        of the applicable ARIN transfer policy that was in force at the time.
        (Azuki, LLC did not simply buy-out HHSI, Inc., lock, stock, and
        barrel in 2010. California records show that HHSI, Inc. continued
        to be an active California corporation until at least 02/12/2014,
        and probably well beyond that date.)

     2) Alternatively, on or about 02-17-2010 HHSI, Inc. (California) simply
        altered what would henceforth appear in the public-facing WHOIS
        record for the 216.179.128.0/17 block to make it appear... to
        everyone except ARIN staff, who knew better... that the block was
        now registered to Azuki, LLC in Delaware.

Only ARIN staff can tell us which of these possibilities actually applies.
But due to ARIN's strict adherence to contractual confidentiality with
respect to all of their resource holders, I do not anticipate that ARIN
will actually provide any clarity on this case anytime soon.

To summarize, either the block was transferred in 2010 in violation of
ARIN's own transfer policy or else the information that we have all been
looking at in this block's WHOIS record since 02-17-2010 is and has been
nothing other than a very deliberate and bald-faced lie. There is no
third option.

Regardless of which of the two possible scenarios applies, it is a dead
certainty that the registration of the 216.179.128.0/17 block was indeed
transferred away from HHSI, Inc. at some point in time, and in a manner that
most probably did not comport with applicable ARIN transfer restrictions
in place at the time. I say this without fear of contradiction because
the State of California currently lists HHSI, Inc. as "suspended". Legally
speaking, it no longer exists. It cannot therefore still be a valid
contractual counterparty, with ARIN, or with respect to the registration
of *any* ARIN-administered resources.

All of this ambiguity, and all of these crooked deception games are enabled
and materially aided and abetted by the disastrous interplay of two
longstanding policies that are and have been in force, for many many years,
both at ARIN and also at all of the other RIRs, namely:

   *) Excessive anal retentiveness with respect to corporate confidentiality
       which deprives the public at large from even knowing even so much as
       the accurate and correct legal names of resource holders.

   *) Policies which permit resource holders to place any arbitrary garbage
       they desire into their associated public-facing WHOIS records, without
       there being any vetting at all of that information by the RIRs.

I am not now and never have been a big fan of ICANN, but to ICANN's credit,
it at least had the good sense to recognize, years ago, that crooks are in
fact present on the Internet, and that many of them have no qualms at all
about putting deliberately misleading garbage into the WHOIS records
for their registered domain names. As a result, ICANN developed both
policies and procedures, feeble though they may be, to try to respond to
this perennial and ongoing problem.

I do wonder what sort of catastrophe it is going to take before the Regional
Internet Registries likewise take at least some affirmative steps to address
the fact that -their- WHOIS records are now also (and provably) contaminated
with unreliable garbage, put there deliberately by various flavors of
Internet miscreants intent on harming the rest of us honest netizens.

Regards,
rfg

Peace,

First he thought that a /17 got stolen (by creating a company with the same name as the original, now-defunct owner), but he then said he was wrong and actually it either 1) got transferred against ARIN policy or 2) was made to look like it was transferred by altering the whois data.

In message <CA+FDdDTjDgHY=0+Ey-LDwsGtp3QvoktLrEDZ8HCrHXPUigha9g@mail.gmail.com>

First he thought that a /17 got stolen (by creating a company with the same
name as the original, now-defunct owner), but he then said he was wrong and
actually it either 1) got transferred against ARIN policy or 2) was made to
look like it was transferred by altering the whois data.

Yes. What he said.

Although he left out the important detail that the whole thing appears to
be just a smokescreen cover for a large spamming operation, which apparently
targets primarily the Japanese market and which appears to have been ongoing
since at least 2004:

    https://yomi.tokyo/agate/toki/bouhan/1103682730/1-/a

Regards,
rfg

...
Unfortunately, we cannot read too much into this change that was made
to the block's public-facing WHOIS record. Neither the new WHOIS info
nor even the old WHOIS info can be used to reliably infer who or what
is the legitimate registrant of the block at any point in time. This
is because ARIN, like all of the other Regional Internet Registries,
allows registrants to put essentially any bovine excrement they desire
into their public-facing WHOIS records.

Ronald -

That is not the case – ARIN confirms the legal status of organizations receiving number resources.

(And, it should be noted, the
man behind the recent large scale "Micfo" fraud apparently availed
himself of this exact opportunity for subterfuge, in spades.)

As previously noted on this list, such was only possible because of the use of falsely notarized documents.

Regardless, the available records suggest that there are only two likely
possibilities in this case:

    1) On or about 02-17-2010 HHSI, Inc. (California) transferred the
       registration of the 216.179.128.0/17 block from itself to the
       2009 vintage Delaware entity Azuki, LLC. If this is what happened,
       then it is likely that the transfer was performed in violation
       of the applicable ARIN transfer policy that was in force at the time.
       (Azuki, LLC did not simply buy-out HHSI, Inc., lock, stock, and
       barrel in 2010. California records show that HHSI, Inc. continued
       to be an active California corporation until at least 02/12/2014,
       and probably well beyond that date.)

    2) Alternatively, on or about 02-17-2010 HHSI, Inc. (California) simply
       altered what would henceforth appear in the public-facing WHOIS
       record for the 216.179.128.0/17 block to make it appear... to
       everyone except ARIN staff, who knew better... that the block was
       now registered to Azuki, LLC in Delaware.

Only ARIN staff can tell us which of these possibilities actually applies.
But due to ARIN's strict adherence to contractual confidentiality with
respect to all of their resource holders, I do not anticipate that ARIN
will actually provide any clarity on this case anytime soon.

That is easy to address: submit a fraud request, and it will be reviewed and corrected if it was done fraudulently.

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers

Seems like submitting a fraud request to ARIN is more effective than writing a novel and sending it to NANOG, and doesn’t require the latter…

In message <D9973D64-91AB-4380-B5E8-DEE173726CC0@arin.net>,

...
Unfortunately, we cannot read too much into this change that was made
to the block's public-facing WHOIS record. Neither the new WHOIS info
nor even the old WHOIS info can be used to reliably infer who or what
is the legitimate registrant of the block at any point in time. This
is because ARIN, like all of the other Regional Internet Registries,
allows registrants to put essentially any bovine excrement they desire
into their public-facing WHOIS records.

That is not the case – ARIN confirms the legal status of organizations
receiving number resources.

This is NOT the message that I got from our recent discussion of the giant
Micfo fraud on the ARIN Public Policy Mailing List. When I raised
questions about why various of the Micfo phoney baloney shell companies
had blocks with WHOIS records saying they were located in states that
they were obviously not located in, I believe that you said that once
a block has been allocated, by ARIN, to some (properly vetted) entity,
that after that point in time, the entity could -change- the relevant
WHOIS record to say any bloody thing it wanted, and that such -changes-
to ARIN WHOIS records are not vetted in any way.

If I got the Wrong Impression from your prior statements, then by all
means, please do correct me. And then please do explain why several of
the Micfo phony shell companies did in fact have WHOIS records for ARIN-
issued IPv4 space that gave street addresses in states where none of these
phony shell companies were actually registered to do business.

(And, it should be noted, the
man behind the recent large scale "Micfo" fraud apparently availed
himself of this exact opportunity for subterfuge, in spades.)

As previously noted on this list, such was only possible because of the
use of falsely notarized documents.

I -do- understand that the fraudulent documents that were originally
presented to you/ARIN provided information indicating that the phoney
Micfo shell companies -did- actually exist in -some- state (Delaware?),
and that ARIN -did- verify, to the best of its ability, that those
companies -did- exist, legally speaking, in their originally declared
home state(s). But that fact is just skirting the real issue here,
which is the question of whether or not ARIN even looks at -changes-
that a registrant may make to the WHOIS records (e.g. for IPv4 blocks)
-after- those blocks have been assigned.

It appears from where I am sitting that ARIN does not do so. And thus,
I stand by my comment that a registrant -can- in fact put any bloody
nonsense they want into their WHOIS records, at least as long as they
do it via -changes- and not in the original/initial WHOIS records.

Regardless, the available records suggest that there are only two likely
possibilities in this case:

{trimmed}
    1) 216.179.128.0/17 was transferred in violation of ARIN policy.

    2) The current WHOIS for 216.179.128.0/17 is simply fraudulent.

That is easy to address: submit a fraud request, and it will be reviewed
and corrected if it was done fraudulently.

I would do that, but for the following four things:

    1) ARIN is not the Internet Police and has no power to affect routing
        decisions of anybody.

    2) Getting the info out here, on the NANOG list, allows people to make
        up their own minds and to ignore the relevant route announcements
        and/or cease peering if they are persuaded that 216.179.128.0/17
        is likely a source of "undesirable" packets.

    3) An investigation by ARIN of 216.179.128.0/17 could take weeks or
        perhaps even months. In contrast, packets, including bad ones,
        travel from one end of the planet to another in milliseconds.
        ARIN and its careful review processes are a sure and steady and
        reliable check on fraudulent behavior over the longer term. But
        they will not do much to address the bad packets that may be
        flowing out of 216.179.128.0/17 this week, or even next.

    4) Filing a "fraud request" with ARIN is a serious step and one that
        could quite conceivably end up with the party filing such a formal
        report being on the business end of lawsuit, just for having filed
        such a report.

        Does ARIN indemnify the parties who file such reports against such
        claims, as ARIN is currently asking ARIN-region networks to do for
        ARIN if they want to avail themselves of the added security of RPKI?

Regards,
rfg

In message <CA+FDdDQ3vBm_=j2GjdHRT4evh_5yz8Lzg2bKTaTErBWpgavp=A@mail.gmail.com>

Seems like submitting a fraud request to ARIN is more effective than
writing a novel and sending it to NANOG, and doesn't require the latter...

As noted in my immediately prior posting, ARIN's careful adjudication of
this or any other possible case of fraud could take weeks or even months.
And even if, after careful and thoughtful deliberation, ARIN concludes
that there is indeed something wrong here, ARIN has neither the power nor
the authority to tell anyone how to configure their routers, and thus,
any decision or conclusion made by ARIN, regarding this or any other case
of possible fraud, will have no immediate effect on the flow of bad packets.

Regards,
rfg

P.S. I do apologize for my verbosity. As the late Carl Sagan often said,
extraordinary claims require extraordinary evidence. I made the extraordinary
claim, on this public mailing list, that -something- fraudulent had gone on
with respect to the 216.179.128.0/17 block which has resulted in the WHOIS
record for that bearing little or no relationship to actual reality.
Having made the claim, I felt a duty to explain and to provide the evidence,
not in 140 characters, but in detail.

But if he didn't fully document his assertion(s), then he would be faced
with a plethora of replies decrying the lack of substantiating evidence.
Better to lay the case out in detail so that everyone can see the work
and so that anyone who cares to can check it for themselves.

And -- given Ron's long history of thorough documentation -- there are
some of us who are willing to take his word for it and make operational
decisions based on what he reports, independent of what ARIN decides to
do or not do, or when it decides to do it.

---rsk

For the record, there are just as many of us that appreciate your verbosity.

  1. Filing a “fraud request” with ARIN is a serious step and one that
    could quite conceivably end up with the party filing such a formal
    report being on the business end of lawsuit, just for having filed
    such a report.

What makes you think that the sort of persons who would hijack a /17 sized piece of space, for spam generation purposes, would sue you over some formal submission you might make to ARIN, but would not already have sued you over your already exhaustively detailed posts to the public NANOG list?

In message <CAB69EHiWkmEACduS2U1WaDQRfk03Xmvd9S0DGro9FcgxUyXKeQ@mail.gmail.com>,

  4) Filing a "fraud request" with ARIN is a serious step and one that
       could quite conceivably end up with the party filing such a formal
       report being on the business end of lawsuit, just for having filed
       such a report.

What makes you think that the sort of persons who would hijack a /17 sized
piece of space, for spam generation purposes, would sue you over some
formal submission you might make to ARIN, but would not already have sued
you over your already exhaustively detailed posts to the public NANOG list?

Let me see if I understand this. You don't have any argument with the
other three reasons I gave for sending my alert to the NANOG list, but you
-would- like to quibble with reason #4. Have I understood you clearly?

Assuming so, let me answer your question with a question (or two).

Is my fear of the potential for lawsuits actually LESS reasonable than
ARIN's use of the same vague and non-specific bogeyman to thwart and
impede, on a global scale, the more widespread adoption of RPKI...
adoption which would, if it ever became universal, put an end to most
or all of these nefarious and malevolent IP block hanky panky games?

The last time I looked, RPKI adoption was sitting at around a grand total
of 15% worldwide. Ah yes, here it is...

   https://rpki-monitor.antd.nist.gov/

I've asked many people and many companies why adoption remains so low, and
why their own companies aren't doing RPKI. I've gotten the usual assortment
of utterly lame excuses, but the one that I have had the hardest time
trying to counter is the one where a network engineer says to me "Well,
ya know, we were GOING to do that, but then ARIN... unlike the other four
regional authorities... demanded that we sign some silly thing indemnifying
them in case of.... something. We're not even sure what ``something''
actually is in this case, other than some demented lawsuit from some
deranged ``lone wolf'' individual, but since ARIN demanded that we sign
it, the thing had to go to -our- lawyers, and they took one look at it and
said, in effect, ``F that! We are NOT going to accept any new potential
liability if we don't have to'', so that was the end of that."

As I have often said, if we all only did things that had been pre-cleared
as being ``utterly safe'' by our respective lawyers, then none of us would
ever even get out of bed in the morning.

Regardless of whether ARIN was in any way indemnified against such an event,
the Micfo guy elected to name ARIN in a lawsuit. This is a matter of
public record. It's ludicrous and laughable, obviously, but he apparently
sued ARIN when they wouldn't just roll over and allow him to continue to
play his ridiculous little fraud games. Like I say, in this country, at
least (USA), you run the risk of getting sued if you even so much as get
out of bed in the morning. BUT SO BLOODY WHAT? Neither we as individuals
nor ARIN as an organization should cower in fear in our caves because of a
bogeyman that may never come to pass, or that may be totally inconsequential
even if it does, as in the case of Mr. Micfo's joke of a lawsuit.

So I put it to everyone here... Are ARIN policies and its over-hyped fear
of the vague bogeyman of lawsuits materially impeding the adoption of
RPKI, and if so, what should be done about this?

In the meantime, I decline to accept criticism of -my- perhaps misplaced
fears of lawsuits. Mine have essentially no real world consequences.
ARIN's, on the other hand, appear to be keeping some finite non-zero
fraction of 85% of the world's route announcements unchecked, at least
for any meaningful sense of the word "checked".

Regards,
rfg

Interestingly enough, those same indemnification clauses are in the registration services agreement that they already signed but apparently they were not an issue at all when requesting IP address space or receiving a transfer.
You might want to ask them why they are now a problem when they weren’t before. (Also worth noting that many of these ISPs’ own contracts with their customers have rather similar indemnification clauses.)

Even so, we at ARIN are in the midst of a Board-directed review of the RPKI legal framework to see if any improvements can be made <https://www.arin.net/vault/participate/meetings/reports/ARIN_43/PDF/PPM/curran_rpki.pdf> – I will provide further updates once it is completed.

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers

I signed no legal agreement either to register my legacy addresses or to do a whois lookup to check someone else’s addresses. Just sayin’.

Bill -

When you did that Whois look up at the ARIN website, you did agree to terms of use for the Whois service which contains indemnification provisions and are legally enforceable. <https://www.arin.net/resources/registry/whois/tou/>

If you instead used a command line interface (e.g. "whois -h whois.arin.net …”), then you received output from ARIN’s Whois server along with notice of the applicable terms of service… I would observe that continued use at that point has been held to indicate agreement on your part [ref: Register.com, Inc. v. Verio, Inc., 356 F.3d 393 (2d Cir. 2004)]

Thanks,
/John

John Curran
President and CEO
American Registry for Internet Numbers

Just as an observer to your long resource theft postings:
- Do you attempt to contact directly the organization or person who have had their resource taken over?
- Do they care or are they apathetic?
- If the resource owner is nowhere to be found, why should we as a community care? Report it on some webpage and call it "Internet Resources stolen", document every incident as you do via email, send a copy to the appropriate RIR and upstream ISP allowing the hijack in question to show that you did the appropriate effort and we can then move on.

Regards,
Hank

Just like to add kudos to John for being open and responsive on this list and other lists to numerous issues and questions in regards to ARIN. Not many CEOs are willing or able to respond as you do.

Thanks for your time and effort,

-Hank

I signed no legal agreement either to register my legacy addresses or to do a whois lookup to check someone else’s addresses. Just sayin’.

If you instead used a command line interface (e.g. "whois -h whois.arin.net …”),
then you received output from ARIN’s Whois server along with notice of the applicable terms of service…

Hi John,

As I no longer live within or act from within one of the 2 states to have passed UCITA, you’ll find that notice difficult to enforce.

I would observe that continued use at that point has been held
to indicate agreement on your part [ref: Register.com, Inc. v. Verio, Inc., 356 F.3d 393 (2d Cir. 2004)]

In which Verio admitted to the court that they knew they were abusing Register’s computers but figured Register’s contract with ICANN gave them the right. The court would have reached the same decision regardless of Register’s notice: You’re abusing computers that aren’t yours. Stop it.

Specht v. Netscape Communications Corp, on the other hand, found that, “plaintiffs neither received reasonable notice of the existence of the license terms nor manifested unambiguous assent” to the contract Netscape offered for the use of their software at download-time, including assent to settle disputes through arbitration.

I’ll take any bet you care to offer that the latter precedent applies to casual consumer use of ARIN’s whois. I won’t take any such bet when it comes to the legal safety of redistributing ARIN’s RPKI Trust Anchor Locator in my software. And neither, apparently, do many of the folks who would have to redistribute that TAL for ARIN’s RPKI to be useful, as was discussed here last September: https://mailman.nanog.org/pipermail/nanog/2018-September/097161.html

Regards,
Bill Herrin