[Community-Discuss] Blog: A Comprehensive audit of the AFRINIC WHOIS Database

Ronald F. Guilmette rfg at tristatelogic.com
Sat Feb 13 11:22:40 UTC 2021

> From the report ...
>
> * Our current business rules now provide better support to legacy
> resource holders such that proper verification for legacy resources
> holders will be conducted before any updates are made to the records
> on the AFRINIC WHOIS database.

I am very glad that Sunday Folayan has quoted this particular section
of the report. He has saved me from having to do so here myself.

For well more than a year now, an ongoing and frequent topic of discussion
between myself and journalist Jan Vermeulen has been the question of how
exactly it came to pass that so many (20+) AFRINIC-administered large
legacy blocks came to be effectively in the hands of one man, Elad Cohen.

In the total absence of -any- information from either the AFRINIC Board
or management, we have been forced to speculate, and to consider every
even remotely plausible explanation for this ongoing mystery. I will
now list all of these possibilities here.

Of course, it should not be necessary for either myself, or Jan, or the
dues-paying AFRINIC members to have to guess about any of this. AFRINIC
management and the board *must* know what really happened. They just
completed a massive and detailed audit of all of these foolish and corrupt
shenanigans, after all! They are just simply loath to share what they
know, either with me, with Jan, with the press generally, or even with
the dues-paying AFRINIC members.

If we ask the question: "Why are the AFRINIC management and board not
willing to explain how those twenty or so legacy blocks ended up in the
hands of Cohen and his co-conspirators?" the answer is obvious, I think.
Politics and face saving. Better to just bury the truth than to tell it.

That is quite obviously the thinking of the Board and management. Otherwise
by now they would have explained, in detail, what really happened with
those stolen legacy blocks, assuming that they have been able to determine
that, which they most certainly should have been able to do, considering
that they have had more than a full calendar year to work on the problem,
and that they even had help from APNIC to figure out this whole colossal

Of course, what I just said above discounts the possibility that, even
at this late date, the AFRINIC Board and management, and even the outside
APNIC consultants might still have no idea what the bleep happened that
caused Mr. Cohen to somehow magically end up with massive amounts of AFRINIC
legacy space. If so, then that is arguably even worse than them knowing
and being unwilling to share what they know, because it suggests that they
are so thoroughly inept and incompetent that even with help from APNIC,
they themselves still have no clear idea what really happened here.

Since management and the board have not seen fit to shed any light
whatsoever on the question of how so many legacy blocks just got up and
walked out, apparently all on their own, I will now provide here what I
believe to be an exhaustive list of the plausible possibilities... and if
either AFRINIC management or the AFRINIC Board desire to start being
forthcoming about what they know, then they can easily counter and knock
down these speculations, simply by telling us all, at long last, what
they themselves believe really happened with the stolen legacy blocks.

Here are the obvious possibilities:

1) Ernest alone engineered the theft of the legacy blocks AS WELL AS
numerous free pool blocks. (Unlikely.)

2) Someone else, or perhaps several other persons in positions of
authority within AFRINIC, either acting alone or in conjunction
with Ernest, engineered the theft of the 20+ legacy blocks, for
personal gain.

(I have in hand some evidence to support this theory of the case.)

3) AFRINIC was hacked and this allowed the hackers to alter WHOIS
records at will.

(I have in hand historical evidence that AFRINIC was in fact hacked
at least twice during its short lifetime. Also, a highly superficial
external-only security audit that I myself performed over a year ago
found that AFRINIC was, at that time, running at least 20 different
brands and versions of web server software, some of which had not had
any security updates applied for well over 6 years. A current and
comprehensive security audit of AFRINIC, if done today, would most
likely show the organization to be tragically insecure, even at the
present moment.)

In addition to the above three possibilities, the section of the recently
released Audit Report, more than a year in the making, and which Sunday
Folayan has been kind enough to save me the trouble of quoting from,
suggests one more now obvious possible explanation for how 20+ legacy
blocks were separated from their rightful owners by Mr. Cohen and his
various co-conspirators:

4) The AFRINIC staff members who were responsible, during the relevant
time period (2012-2016), for the AFRINIC WHOIS data base, and for
making MANUAL changes thereto at the request of number resource
registrants, were simply "socially engineered", i.e. flim-flammed,
via phone, fax, and email, into making unauthorized and essentially
bogus changes to the WHOIS data base at the request of Mr. Cohen
and/or his various co-conspirators. They were successfully flim-flammed
because they made little or no effort to verify the identities
of the persons or organizations that they made WHOIS changes for.

I encourage everyone to read again the exact passage from the Audit Report
that Sunday Folayan quoted:

> * Our current business rules now provide better support to legacy
> resource holders such that proper verification for legacy resources
> holders will be conducted before any updates are made to the records
> on the AFRINIC WHOIS database.

This is an extraordinarily telling statement! Translated into plain English
it says that *now* AFRINIC is finally going to *begin* to check the identities
of the people and companies that contact it and who are requesting AFRINIC
staff to make changes, on their behalf, to the WHOIS data base.

The implication of this statement could not be more clear. Quite obviously,
it is an admission that *in the past* AFRINIC staff *were not* in the habit
of checking the identities of the people they were dealing with and/or doing
things for. Given that admission, is it any wonder that time after time
after time, AFRINIC staff may have been trivially socially engineered into
effectively giving away tens of millions of dollars worth of valuable IPv4
real estate to clever con artists?

(To be clear, if this is what happened, it certainly would be neither
precedent setting nor unique to AFRINIC. I have previously documented
multiple cases on the NANOG mailing list that prove beyond a reasonable
doubt that ARIN also has had this exact same stupid problem of allowing
themselves to be socially engineered into effectively ceding control
of various large chunks of valuable abandoned legacy IPv4 address space
to clever con artists. It is unforgivable that *any* RIR should be so
stupid as to fall for such tricks, but as my late father was fond of
saying "It's hard to get good help these days.")

In a very real sense it almost doesn't matter which of the four possibilities
that I have listed above constitutes the real and true explanation for how
20+ legacy blocks, all under the oversight and control of AFRINIC, were
commandeered, apparently over a period of several years, and effectively
stolen by clever cybercriminals, all apparently without anyone at AFRINIC,
right up to and including the CEO, ever even noticing. The important
point is less about how it happened than it is about how it possibly could
have happened. Who was minding the store? No one, apparently.

Also, of course, there is the issue of the ongoing stonewalling about
all this by the current board and management. Have any of them had even
the minimal courtesy and respect for the dues-paying members that pay
their salaries to even begin to try to explain how exactly this all
happened? No. Apparently not.

The "final" Audit Report only tells us what resources were investigated,
what resources were reclaimed into the free pool, and what legacy resources
were returned, so far, to their rightful legal owners. I confess that
I have not read all 50 pages of the thing, but within the parts that I did
read I saw no hints about which of the above four possibilities applies,
and who should be held to account for these failures.

In short, AFRINIC continues to be, as I have previously said it is, something
other than a friend to either transparency or accountability.
