DMCA Ignored becomes more and more popular

File and stream hosting right now

DMCA ignored has become so big that it can hardly be ignored anymore. By not ignored I mean that MPAA or RIAA won’t let this get through so easily anymore. GO Unlimited started with this trend about a year ago and today there are about 10 more hosters. Such providers are popular at the moment because uploaders don’t have to upload again and again when they are deleted. But the content owners are getting impatient and the copyright agencies are more and more under pressure.

More and more lawyers are called in to locate the operators. Namecheap and Cloudflare are lately also increasingly under pressure. The domain of Openload was suspended and blocked only a few days ago, GO Unlimited was removed from Cloudflare. Namecheap has blocked and removed several filehoster domains. Subpoenas from RIAA caused some filehosters to disappear from the scene. Also many Warez pages were under pressure or disappeared from the screen.

In Germany, however, the situation is still relaxed. Portals like Kinox, Movie4k, S.to or bs.to are still online today and accessible without problems. The question, however, is whether Tonic.to will also disclose the data through subpoenas. Up to now there was no case that a .to domain was removed from the net. It is also not known whether more domain registrars are under pressure or only the two US companies Cloudflare and Namecheap. Russian domain providers like .ru or .su or .to still seem to be safe at the moment. International domain providers are under increasing pressure from the Content MAFIAA.

Some DMCA ignored file hosters on ogboard.com

There are many hosting providers that ignore all the DMCA requests because in many countries it is not regulated by law. But if it comes to a subpoena, then even the biggest Bulletproof Hoster will get scared. Information can be forwarded quickly, without problems. It is a big dilemma for all hosting operators. I don’t suspect that OVH, Ecatel, Obenetwork or other providers would cooperate with DMCA at all. The reason is simple. Money rules. If you can earn money with cheap hardware, other things are not relevant anymore. Offshore hosting is expensive and lucrative. Anyway, we are curious about what will happen in the future. What are your opinions on this? If you have other information or discussions, you can comment here.

AS29073, the most fucked-up network ever

ipvolume.net (before quasi networks)

This network has existed for more than 10 years and is known for what they host. Over the weekend, I stumbled upon an interesting blog called “Bad Packets”, where a fellow named Troy has written about various unsavory goings-on involving various networks. One network that he called out in particular was AS29073 (today AS202425), formerly called “Quasi Networks” and now “IP Volume”. On his blog, this fellow Troy has noted at length some break-in attempts originating from AS29073 and his inability to get anyone, in particular RIPE NCC, to give a damn. The Master Needler, A Conversation with Ripe, Quasi Networks responds as we witness the death of the master needler.

The fact that RIPE NCC declined to accept the role of The Internet Police didn’t surprise me at all… they never have and probably never will… but I decided to have a quick look at what this network was routing, at present, which can be easily seen here: http://bgp.he.net/AS29073#_prefixes

So I was looking through the announced routes for AS29073, and it all looked pretty normal… a /24 block, check, a /24 block, check, a /21 block, check… another /24 block, and then … WAIT A SECOND! HOLY MOTHER OF GOD! WHAT’S THIS??? 196.16.0.0/14 !!! So how does a little two-bit network with a rather dubious reputation and a grand total of only about a /19 to its name suddenly come to be routing an entire /14 block?? And of course, it’s a legacy (abandoned) Afrinic block.

BREIN is Taking Infamous ‘Piracy’ Hosting Provider Ecatel to Court (torrentfreak.com)

And of course, there’s no reverse DNS for any of it, because there is no valid delegation for the reverse DNS for any of it… usually a good sign that whoever is routing the block right now -does not- have legit rights to do so. (If they did, then they would have presented their LOAs or whatever to Afrinic and thus gotten the reverse DNS properly delegated to their own name servers.)

I’ve seen this movie before. You all have. This gives every indication of being just another sad chapter in the ongoing mass pillaging of unused Afrinic legacy IPv4 space, by various actors with evil intent. They already documented this highly unfortunate fad right here on multiple occasions: November, August

This incident is a bit different from the others however, in that it -does not- appear that the 196.16.0.0/14 block has been filled to the brim with snowshoe spammers. Well, not yet anyway. But if in fact the stories are correct, and if AS29073 does indeed have a history of hosting outbound hacking activities, then the mind reels when thinking about how much mischief such bad actors could get into if given an entire /14 to play with. (And by the way, this is a new world’s record I think, for largest single-route deliberate hijack. I’ve seen plenty of /16 go walkabout before, and even a whole /15. But an entire /14?? That is uniquely brazen.)

ipv4 from quasi networks

In addition to the above, and the points raised within the Bad Packets blog (see links above), I found, via passive DNS, a number of other causes for concern about AS29073, to wit: pastebin.com/feCztMn0

(In addition to the above, I’ve also found plenty of additional domain names associated with AS29073 which incorporate the names “Apple”, “AirBnB”, “Facebook”, and “Groupon”, as well as dozens of other legitimate companies and organizations.) I confess that I have not had the time to look at any of the web sites that may or may not be associated with any of the above FQDNs, but the domain names themselves are certainly strongly suggestive of (a) the possible hosting of child porn and also and separately (b) the possible hosting of phishing sites. So, given the history of this network (as is well documented on the Bad Packets blog) and given all of the above, and given what would appear to be the unauthorized “liberation” of the entire 196.16.0.0/14 block by AS29073, one cannot help but wonder: Why does anybody still even peer with these jerks?

The always helpful and informative web site bgp.he.net indicates that very nearly 50% of the connectivity currently enjoyed by AS29073 is being provided to them by Level3. I would thus like to ask Level3 to reconsider that peering arrangement in light of the above facts, and especially in light of what would appear to be the unauthorized routing of the 196.16.0.0/14 block by AS29073. Surprisingly, given its history, AS29073 apparently has a total of 99 different peers, at present, and I would likewise ask all of them to reconsider their current peering arrangements with this network. I am listing all 99 peers below.

ipvolume.net hosted websites

Before I get to that however, I’d like to also note that there currently exists, within the RIPE Routing Registry, the following route object:

route: 196.16.0.0/14
origin: AS29073
mnt-by: QUASINETWORKS-MNT
mnt-by: EC42500-MNT
mnt-routes: EC42500-MNT
mnt-routes: M247-EU-MNT
created: 2017-03-28T21:47:03Z
last-modified: 2017-08-11T19:58:39Z
source: RIPE

I confess that I am not 100% sure of the exact semantics of the “mnt-routes” tag, but it would appear from the above that the UK’s M247 network (AS9009)… which itself is not even peering with AS29073… appears to have, in effect, countersigned the above RIPE route object, vouching for its correctness and authenticity as they did so. Why they would have done that, especially given that they themselves are not even peering with AS29073, is, I confess, beyond me. But I would love to have them explain it, or even try to explain it. It’s enigmatic, to say the least. Anyway, the “created” date in the above record seems to be consistent with that actual start of the announcement of 196.16.0.0/14 by AS29073, which the RIPE Routing History tool says occurred sometime in March of this year.

Ecatel.net

One additional (and rather bizarre) footnote to this whole story about the 196.16.0.0/14 block has to do with the entity that allegedly -is- the current rightful owner of the block (as far as Afrinic is concerned). That entity is designated by the Afrinic handle ORG-IA41-AFRINIC and that in turn has an admin-c and tech-c of NAIT1-AFRINIC. The record for that handle is as follows:

person:          Network and Information Technology Administrator
address:        Unit 117, Orion Mall, Palm Street
address:        Victoria, Mahe
address:        Seychelles (SC)
phone:          +972-54-2203545
e-mail:          info at networkandinformationtechnology.com
nic-hdl:         NAIT1-AFRINIC
mnt-by:        MNT-NETWORKANDINFORMATIONTECHNOLOGY
changed:      info at networkandinformationtechnology.com 20150725
source:         AFRINIC

Upon fetching the current WHOIS record for networkandinformationtechnology.com I found it more than passing strange that all of the contact details therein are associated *not* with anything in Africa, nor even anything in the home country of AS29073 (Netherlands) but rather, the address and phone numbers therein all appear to be ones associated with a relatively well known Internet attorney in Santa Monica, California by the name of Bennet Kelly. As it happens, in the distant past (about 10 years ago) I personally crossed swords with this particular fellow. He may be a lot of things, but it never seemed to me that stupid was one of them. And indeed the domain name networkandinformationtechnology.com and all of its connections to the 196.16.0.0/14 block appear to date from 2015… long before AS29073 started routing this block (which only started in March of this year).

bad packets biggest enemy

So, my best guess about this whole confusing mess is that the -original- legitimate owners of the 196.16.0.0/14 block most probably sold it on, in a legitimate transaction, to some other party in 2015, where that other party was/is represented by Mr. Bennet Kelly, Esq. And my guess is that neither he nor the new owners, who he represents, even know that their expensive /14 has gone walkabout, as of March of this year. I will be trying to make contact with Mr. Kelley today to discuss this with him and will post a follow-up if any new and interesting information arises from that conversation.

Peers of AS29073:
pastebin.com/prV5YNCh
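
The following Python sketch is an added example, not part of the original post: it parses the RIPE route object for 196.16.0.0/14 quoted in the AS29073 section above and runs three sanity checks an operator might apply before trusting such a route (registry region, maintainer lists, and size relative to the origin's other announcements). The one-entry RIR table, the list of "other" prefixes (placeholder test ranges) and the 4x threshold are assumptions made for the example.

```python
from ipaddress import ip_network

# Route object exactly as quoted on the page.
ROUTE_OBJECT = """\
route: 196.16.0.0/14
origin: AS29073
mnt-by: QUASINETWORKS-MNT
mnt-by: EC42500-MNT
mnt-routes: EC42500-MNT
mnt-routes: M247-EU-MNT
created: 2017-03-28T21:47:03Z
last-modified: 2017-08-11T19:58:39Z
source: RIPE
"""

# Assumption: one-entry excerpt of a block-to-RIR table (the page calls this an Afrinic block).
RIR_OF_BLOCK = {ip_network("196.0.0.0/8"): "AFRINIC"}

# Constructed placeholder prefixes standing in for the origin's other announcements.
OTHER_ANNOUNCED = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "198.18.0.0/21"]


def parse_rpsl(text):
    """Parse one RPSL object into {attribute: [values]}; attributes may repeat."""
    obj = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("%", "#")):
            continue
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            obj.setdefault(key.strip().lower(), []).append(value.strip())
    return obj


def review_route(obj, other_prefixes, ratio_threshold=4):
    """Return findings that deserve a manual look before the route is accepted."""
    findings = []
    prefix = ip_network(obj["route"][0])
    source = obj["source"][0].upper()
    # 1. Object lives in a routing registry other than that of the RIR administering the block.
    for block, rir in RIR_OF_BLOCK.items():
        if prefix.subnet_of(block) and rir != source:
            findings.append(f"out-of-region: {prefix} is {rir} space, object source is {source}")
    # 2. Maintainers named in mnt-routes that do not maintain the object itself.
    extra = sorted(set(obj.get("mnt-routes", [])) - set(obj.get("mnt-by", [])))
    if extra:
        findings.append("third-party mnt-routes: " + ", ".join(extra))
    # 3. A single prefix that dwarfs everything else the origin announces.
    others = sum(ip_network(p).num_addresses for p in other_prefixes)
    if others and prefix.num_addresses / others >= ratio_threshold:
        ratio = prefix.num_addresses / others
        findings.append(f"disproportionate: {prefix} is {ratio:.0f}x the origin's other space")
    return findings


if __name__ == "__main__":
    for finding in review_route(parse_rpsl(ROUTE_OBJECT), OTHER_ANNOUNCED):
        print(finding)
```

None of the three findings proves a hijack on its own; they are triage signals that point to where the registry records and the announcement should be checked by hand.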

The Kinox.to Group

bitshare.com

Many from the scene, especially from Germany, know the Kinox.to group and the old Kino.to. Kinox and Movie4k all originate from Kino.to and Movie2k. There have been rumours and speculations about who the operators might be. Since the foundation of the portals, the German authority has been working to remove them from the net. It is assumed that the largest Warez and Stream portals in Germany belong to the same operators. These sites are Kinox.to, Movie4k.to, Boerse.to and Mygully.com. They have the same Cloudflare connections and even before they knew that many of the sites are on the same servers. Among other things it was also said that they belonged to ddl-warez.to and also these web pages are operated by the same persons. For years Kino.to was the most famous stream portal in Germany and left the biggest headlines behind. The revenues were in millions in one month. Everything about Kinox, Kino.to and its history can be read on Tarnkappe (German), or Torrentfreak (English).

My blog post is not about the Warez portals themselves. It’s about the phenomenon of their hosting providers that were used in the past. There used to be very large stream and file hosting sites. These called themselves as follows: Bitshare.com, Duckload.com, Freakshare.com, Archiv.to, Freeload.to and others. The business model of Kino.to at that time was not only to run a stream portal, but to run several portals. It even went so far that own hosting and stream hosters were founded to earn money through premium. It was a real business where you could earn a lot of money. That’s exactly what happened. They had reached their goal and thus also the great attention.

Many still have a big question mark. How could a new portal like Kinox.to be created after Kino.to was taken off the net and the companies were arrested after about two days? It went relatively fast and the copy of Kino.to appeared after two days out of nowhere and was able to get the throne. It is speculated that Kinox.to belongs to the same operators and until today it was suspected that the real operators were caught although they were not caught or only a part of it?

akrino inc

Even later, after Kinox.to went online, the same DDoS protection from Akrino Inc was used as it was for Kino.to. Akrino Inc was a private and expensive DDoS protection in the form of a reverse proxy that could only be obtained through Russian Business Network contact. Through an inquiry at RIPE you got the mail from Akrino, but you didn’t always get an answer from them.

Then there’s another question I’m asking myself today. Why are Bitshare.com and Freakshare.com still online today? The subpages are no longer available but you can still see the start page today. Both portals have been inactive for more than 5 years but are still online. Such portals were a part of the old Kino.to team and were still online after the bust of Kino.to. The German authorities used to think that after the arrest of Kino.to several portals would go offline which didn’t happen. Some hosting operators were arrested who cooperated with Kino.to and also later cooperated with the German GVU. Kino.to was in its time a real company with many employees and partners. There were even some Hetzner employees who cooperated with Kino.to to earn some money. Archiv.to had all its storage servers at Hetzner. An employee of Hetzner who also knew what was distributed on Archiv.to cooperated. Russian Business Network cooperated with various hosting services that were used. Ecatel, Dragonara and Akrino were all involved.

cloudflare scan

The Kreshnik and Kastriot Selimi brothers from Kosovo are suspected of having run the Kinox.to group. But I still suspect that both brothers are innocent and not the right operators. The German police accuse the brothers of violence, weapons, coercion, arson and threats. But if you look at the pictures of the two brothers, this can hardly be possible. They simply look like two innocent nerds. The German police themselves do not know who the operators are. They speculate and wait until the operators make a mistake, which they didn’t make after Kino.to went offline. They search for the Selimi brothers and the Warez pages are still online today. Many things don’t make sense and it is questionable how Germany operates against them. Much is veiled and lied. Therefore these Warez pages are a phenomenon today. Many suspect honeypots behind the portals and don’t even want to work with them anymore.

If you scan the Cloudflare name servers or the SSL, you will see how many domains are actually involved with Kinox. Of course this does not mean that all domains are involved. It only means that on the same name there are also domains that others use. But certain domains stand out and one can only think that they must have almost a connection. Like on the photo with crypt.to.

What my thoughts on the whole Kinox Group are, I’ll keep my hands off it. A whole group of operators cooperating with RBN. Have fingers on almost all Warez pages. In principle they control the whole German Warez scene. Be it a hosting operator, proxy provider, stream hoster or just a DDL site. It could also be that a Hetzner employee runs the whole site if they were already involved before? They always say your friend is the biggest enemy and I think it is the same with all these Warez pages. I guess Kinox is run by someone the police would never think. What is your opinion about these portals?

GO Unlimited, how do you do it?

Actually, they’re known. The video hosters that appear in the Wjunction Board from nowhere and actually leave the net after a few months. However, there is a provider who calls himself GOUnlimited and this provider is still a very big phenomenon for me today. This is a pure video hoster that is really able to ignore all DMCA messages and provide a service that should be a target for content mafia companies like MPAA. I suspect that the owner of this site either acts alone or has some friends to help him. He uses the script from Sibsoft called XVideoSharing which has been used by sites like Streamcloud, Flashx and others for years and was a big hit back then. But we should not forget that until today no real alternative exists. Openload, Rapidvideo and several other hosters all have self-made scripts and the remaining 70% use Sibsoft scripts and the other 30% perhaps Yetishare. After research I know that the owner lives somewhere in an Arab country and also owner of some Warez websites is relatively well known in the Arab countries.

How he presents his service: GO Unlimited is the only DMCA ignored and offshore video hosting on the web which means that your pirated videos won’t be deleted due to any law, but it’s also a great option for all kind of videos. GO Unlimited is founded and being managed by a team who has more than 10 years of experience with pirated Movies, TV Shows, Football, websites online streaming and torrent.

But the big question is, why does he have such big balls? He offers a service that will be recognized by the MPAA at some point, if this hasn’t been done for a long time anyway. We know how fast the USA can take a page off the net. As an example there is Megaupload which was shut down by the FBI within weeks without any legal search decisions. For webmasters DMCA are a very sensitive topic. There are some, for them the handling of such messages is very important. One of these providers is Rapidvideo.

wjunction in a nutshell

If you look at the thread on Wjunction, the hoster is very popular for its offer and is growing steadily. It is paid for downloads, the streams run smoothly and videos are not deleted, a dream come true, right? I don’t know if this will work in the long run. But one thing is clear, we hope that there won’t be another headline like the one from Megaupload. GOUnlimited expressed himself in any case in a contribution in Wjunction how he handles all this exactly. Is it wise that he pays his servers with his credit card? The storage servers are all at OVH and in case of a court order the data will be passed on in a few days. The Main Server is located in Netherlands at an offshore provider.

Many users also accused him of spreading lies and manipulating PPD revenue or blocking some accounts. In his thread in Wjunction you can read various posts and discussions that accuse him of some things. But we know now how the Wjunction users tick and some of them are more than annoying. I wish him a lot of success and let’s see how it will develop over the next years. Here you can express your opinion if you think otherwise or if you think that this is possible in the long run.