August 28, 2016

Earlier this month, KrebsOnSecurity published The Reincarnation of a Bulletproof Hoster, which examined evidence suggesting that a Web hosting company called HostSailor was created out of the ashes of another, now-defunct hosting firm notorious for harboring spammers, scammers and other online ne’er-do-wells. Today, HostSailor’s lawyers threatened to sue this author unless the story is removed from the Web.

Obviously, I stand by my reporting and have no intention of unpublishing stories. But I’m writing about HostSailor again here because I promised to post an update if they ever responded to my requests for comment.

The letter, signed by Abdullah Alzarooni Advocates in Dubai — where HostSailor says it is based — carries the subject line, “Warning from Acts of Extortion and Abuse of the Privacy of Third Parties.” It lists a number of links to content the company apparently finds objectionable.

Could this same kind of legal pressure be why security industry giant Trend Micro removed all reference to HostSailor from the report that started all this? Trend hasn’t responded to direct questions about that.

Astute readers will notice in the letter (pasted below) a link to a Twitter message from this author among the many things HostSailor’s lawyers would like me to disappear from the Internet. That tweet to HostSailor’s Twitter account read:

“Potential downside of reporting ISIS sites: The hosting firm (ahem @HostSailor) may share your info/name/report with ISIS. Opsec, people!”

I sent that tweet after hearing from a source with whom I’ve been working to report sites affiliated with the jihadist militant group ISIS. The source had reported to HostSailor several of its Internet addresses that were being used by a propaganda site promoting videos of beheadings and other atrocities by ISIS, and he shared emails indicating that HostSailor had simply forwarded his abuse email on to its customer — complete with my source’s name and contact information. Thankfully, he was using a pseudonym and throwaway email address.

HostSailor’s Twitter account responded by saying that the company doesn’t share information about its customers. But of course my tweet was regarding information shared about someone who is not a HostSailor customer.

This isn’t the first time KrebsOnSecurity has been threatened with lawsuits over stories published here. The last time I got one of these letters was in Sept. 2015, from a lawyer representing AshleyMadison’s former chief technology officer. The year before, it was Sony Pictures Entertainment, whose lawyers lashed out at a large number of publications for too closely covering its epic and unprecedented data breach in 2014.

Prior to that, I received some letters from the lawyers for Igor Gusev, one of the main characters in my book, Spam Nation. Mr. Gusev’s attorneys insisted that I was publishing stolen information — pictures of him, financial records from his spam empire “SpamIt” — and demanded that I remove all offending items and publish an apology.

My attorney in that instance laughed out loud when I shared the letter from Gusev’s lawyers, calling it a “blivit.” When I apparently took more than a moment to get the joke, he explained that a “blivit” is a term coined by the late great author Kurt Vonnegut, who defined it as “two pounds of shit in a one-pound bag.”

Only time will tell if this letter is a blivit as well. I’ve taken the liberty of sanitizing the PDF document it came in, and converting that into two image files – in case anyone wants to take a look.

An emailed "legal notice" I apparently received from a law firm in Dubai, demanding that I unpublish an unflattering story about HostSailor.


82 thoughts on “HostSailor Threatens to Sue KrebsOnSecurity”

    1. Menzo

      Oh I see it’s linked under the “image” part of the sentence, but not embedded in the post.

  1. -stephen

    Both “image” and “files” link to the same image of page 1 of the Legal Notice.

  2. Ed Bergavera

    Brian, did you ever get the chance to verify whether this supposedly legit law firm really exists?

  3. Nigerian Attorney At Law, Esq.

    I think if an attorney can’t write a sentence in the language of the person they are threatening with legal action without sounding exactly like a Nigerian Prince spammer, you can safely disregard that attorney.

    1. Nigerian prince

      Later that day the ahem “lawyer” went back to his lucrative business of writing letters from rich people willing to give total strangers 10 million dollars for access to their bank details.

      I agree this lawyer sounds more fake but I’m not sure

      1. Hayton

        Research before you post. This is an established firm of Dubai lawyers.

        1. vb

          It may be the firm name of Dubai lawyers, but that does not show that the letter came from that firm. How hard is it to copy letter head and impersonate a lawyer? A teenager could do it.

          1. The Phisher King

            Bing! Correct.
            Best if Brian’s highly-skilled legal team contact the real law firm whose name is being used, to confirm yes or no that they are behind the letter.

            1. Brian's Highly-Skilled Legal Team

              Yea, we did already. The letter really did come from the law firm in question. It’s been confirmed.

  4. Steve

    Brian, I hope you weren’t planning any trips to Dubai. If you go, don’t expect fair play (by our standards) in the courts there.

    1. Hayton

      Not just Dubai : stay away from the United Arab Emirates. Under UAE law your publication of the story is a crime if it is likely to damage the reputation of a person or company, regardless of the truth or merits of the story. I’ll post later with details.

      1. Hayton

        – no need to make that post, “jgg” has provided the details.

  5. Charles

    Back in the olden days of n.a.n.a.e we used to mock this sort of hollow threat from a fictional attorney, “You’ll be hearing from my cartooney!”

    I think from now on, we should say, “You’ll be hearing from Al Zarooni!”

    1. Ahmed Al Zarooni III, Esq.

      You may think that that guy’s funny last name is a joke, but I can assure you that it is no laughing matter!

      For example, do you know who is responsible for the actual day-to-day operation of the entire top-level domain name for the United Arab Emirates (.AE)? No? Look it up! Just do:

      whois -h whois.iana.org ae

      The guy’s name is Mohammad Al Zarooni. So this guy is THE big shot of the whole Internet in UAE. And here he is, in living color:

      https://twitter.com/mohdalzarooni

      People who have followed the reporting that Brian has done on this crooked HostSailor company, and who have read the TrendMicro reports may want to tweet this nitwit and ask him to explain why the UAE is apparently too stupid to even revoke the business license of a UAE company (HostSailor) that has been caught by TrendMicro doing hacking against governments worldwide *and* even hacking against UAE government servers.

      Maybe this guy Mohammad Al Zarooni doesn’t want to do anything about HostSailor because HostSailor is a good paying customer of his lawyer cousin Abdullah Al Zarooni, you know, the guy who sent Brian the threat letter.

      And the Al Zarooni coincidences don’t even end there! Get this! In November 2015, the U.S. Treasury Department formally sanctioned a UAE-based organization that Treasury called “The Altaf Khanani Money Laundering Organization (Khanani MLO)”

      http://bit.ly/2bFw9Jb

      Treasury sanctioned this “MLO” because, to quote Treasury directly “The Khanani MLO launders illicit funds for organized crime groups, drug trafficking organizations, and designated terrorist groups throughout the world.”

      Sounds pretty bad, right?

      So what do you think the government officials in UAE did in response to Treasury’s public designation and public press release about this? Answer: Nothing. They sat on their hands for two months and did nothing, thus allowing this organization to funnel yet more money to organized crime, drug kingpins and terrorists.

      But here is the shocking part! After farting around for two months and doing nothing, the UAE government finally got off its ass and revoked the UAE business license of the Khanani MLO -and- “…its Dubai-based supporter, the Al Zarooni Exchange, for laundering money for criminals and political extremists.”

      http://bit.ly/2c4K22U

      Am I going too fast, or is everybody getting this?

      Al Zarooni, Al Zarooni, Al Zarooni.

      Especially in the Middle East, it’s nice to have connections, especially when those connections are all your cousins. I’m sure that if a guy was this well connected, it wouldn’t even matter if he was an absolute disaster as an attorney. He’d still have clients anyway, clients who wanted to benefit from his “juice”.

      Remember friends, that’s @mohdalzarooni.

      Tweet early. Tweet often.

      All of these UAE jackasses have some splainin’ to do.

  6. ralph l. seifer

    Brian–I long ago retired from the practice of law, but I learned early on, sometimes as a sender and sometimes as a recipient, that simply not responding–in any form or type of action–is usually the most effective technique. In plain everyday language, “it drives ’em nuts.”

    Occasionally, although very rarely, the guy on the other side will file a suit, but that’s a very infrequent occurrence. Most of the time they’ll hit you with a second or third letter/email/threat, etc., and then they’ll finally just throw up their hands and say the hell with it.

    Intimidation is not expensive, but actual honest-to-God litigation costs a ton of money, and moves very slowly, on those few occasions when it moves at all.
    Ralph L. Seifer, Long Beach, California

    1. Joe

      Yup. That’s why back when on the Usenet group nanae (news.admin.net-abuse.email, now defunct) where spam and spammers were discussed, this stuff was known as cartooney.
      Spammers rarely followed through with legal threats, because that would expose their operations to legal scrutiny…

    2. jgg

      The firm is legit, but I agree with Ralph. Unless they file, it’s just posturing.

      I was recently sued for $50 million in a defamation action by a Southern California mortgage broker who (“allegedly”) ran a Ponzi scheme that lost 2,000 investors over a half billion in investment dollars. So I get a bit sensitive when I see people I respect, who are trying to do the right thing for the right reasons, get threatened by (“purportedly”) bad actors.

      Which led me to wonder, were a frivolous defamation lawsuit to manifest, whose law would govern, and what hurdles would one have to overcome to pursue such cross-border defamation claims? Moreover, whose law would be applicable; how would that be determined, and by whom?

      Digging through UAE law, I ran into the following fun facts (or “interpretations” if you prefer):

      Unlike the US, “defamation in the UAE is a criminal offense, punishable by two years in prison and an AED 20,000 fine.

      Any allegation of defamation must be filed with the police within three months from the date of publication of the “defamatory statement”. 

      Once the criminal complaint is filed, the Police investigate the complaint and, if they conclude there is evidence of defamation, refer it to the Public Prosecutor for charges.

      [Tangential thought: So exactly how does Dubai PD go about investigating a case where the alleged defamation originates outside its jurisdiction? And how many Dubaians actually visit Krebsekistan or follow Brian’s feeds in Twitterland and Ripensburg? But I digress.]

      There is no civil action for defamation; however the complainant can file a civil claim for damages pursuant to the general principles of tort (“wrongful acts causing harm”) and seek financial compensation, provided the elements can be proved.

      The UAE courts will not grant injunctive relief preventing future publications of the “defamatory statement”.

      Defamation explained

      There are two main defamation offences set out in Articles 372 and 373 of UAE Federal Law No. 3 of 1987 (as amended) (“the Penal Code”).  Article 372 deals with publicity which exposes the victim to public hatred or contempt and Article 373 deals with a false accusation that dishonours or discredits the victim in the public eye.

      To succeed with a criminal complaint for defamation, the complainant must prove:
      * a false or defamatory statement was made;
      * which was issued to a third party (either in writing or verbally); and
      * that statement caused “harm” to the complainant.
      The absence of any of these elements will undermine the merits of any such complaint.”

      From what I’m reading, it appears that truth is irrelevant if the offended party can prove that you damaged their reputation. Apparently a man’s honor and reputation carry more weight than factual truth.

      It also makes me wonder how much actual damage someone can sustain in the UAE from American sourced comments, despite global reach. In other words, how many English reading UAE readers are there really?

      “On January 20 2009, the UAE’s legislature, the Federal National Council, passed the draft law, which was drawn up by the National Media Council. According to the draft law, journalists are not subject to criminal penalties (such as imprisonment).  

      Further, the draft law decreases the number of infractions for which media organizations can be liable. It also instructs government institutions to facilitate information flow to the media and to respond to their requests for information.   More significantly, the draft law provides journalists freedom from coercion to reveal sources, reflecting the government’s commitment to the journalistic right to protect sources.

      Hopes for reform, however, were dashed on November 12, 2012 when President Sheikh Khalifa bin Zayed al-Nahayan declared that the government would imprison anyone who maligns or caricatures the country’s rulers or state institutions online.”

      Apologies for the long winded comment.

      1. Mike

        In your summary of 3 points, the first point is that what is said must be untrue. If I understand your further comments correctly, that point gets ignored where a person’s name –oops, I mean a “man’s name” because so few women are legally people in the middle east — ignored where a man’s name is more important than the facts. That means your first summary point gets ignored in practice.

        If this were real, why would they send a threatening letter instead of filing charges? So, in agreement with the later comments, this is Blivit. However, let’s assume for a moment that this was real letterhead and not stolen from images on the internet. Then as someone asked, where would the trial take place? In fact, why not be charged already? Brian is warning people of immoral behavior that may be legal at its point of origin, just for the sake of argument. So, if their behavior is legal at its point of origin, then that should apply to Krebs, where his statements are legal here in the States and not slanderous/illegal because they are true. If the people in the UAE really wanted him extradited, again reality aside, then they’d be inconsistent in their thinking.

      2. Bob Dole

        Looks like you’d do well to stay out of the UAE, Brian. Of course, the same can be said of just about anyone who resides in a civilized country.

    1. Fin-Man

      That’s quite normal in those countries. My son, a professional athlete, sometimes has problems as the hotel only supply a P.O. Box address. But the taxi drivers always know…

    2. Craig Thomas

      Where I come from, having a street address as your mailing address would indicate a non-professional, backyard firm. Real businesses don’t trust their clients’ correspondence to the vagaries of the mailman.

  7. Regina

    If one sees a video like that online, who is the proper authority to report it to? Would it be appropriate to report it to the FBI IC3?

    1. Darron Wyke

      FBI would only work if it was hosted on a US server, or in a country that worked with US law enforcement — so pretty much parts of Western Europe and a few other small countries. Middle East, APAC, South America, etc.? Won’t do any good. Your best bet would be something like Interpol. Not guaranteed but more likely to produce a result (to varying definitions of ‘likely’).

  8. Danielle K

    This always amazes me. There’s a specific and somewhat limited target audience that avidly follows Brian’s blog, even if he has a million daily readers on a regular basis. But the minute you threaten to sue someone influential in the media, or actually file a civil lawsuit, then that brings the attention of the entire world upon you.

    It’s like the guy who was using a helicopter and gathering photographic information about the geography of the Southern California coastline a few years ago. Barbra Streisand got mad because some of the photographs included part of her backyard, and then she ended up trying to sue the guy in civil court. How many millions of us looked at those photos of her backyard, just because she filed a lawsuit that was so comical. If I recall the details, ultimately she ended up having to pay all of his lawyer’s fees because the lawsuit was deemed to be without merit.

        1. J

          Which created the “Streisand effect” for the original story!

          J

      1. Ipso Facto

        I was wondering how long it would take for somebody to mention the Streisand Effect.

        OK, so psssssstt! EVERYBODY, be sure to keep this bozo legal threat Brian received REAL QUIET now. Whatever you do, DO NOT send a link to this story on Brian’s site to ANYBODY in the media anywhere. We don’t want it getting any extra publicity, now do we?

        I mean after all, Brian is a grown man, and has to take responsibility for himself. So when the UAE federal police stormtroopers show up at his door to cuff him and drag him away, I’m sure he’ll just go along quietly. I mean after all, just because these UAE jackasses wear bedsheets (check the web site) and have probably never even heard of the First Amendment, that doesn’t mean that UAE isn’t a civilized country. They probably won’t stone Brian to death. They’ll probably just cane him a couple of hundred times, you know, for sayin’ bad true things about somebody.

        http://bit.ly/2bOfwN4

        Yessireee… real civilized.

  9. Tim

    I’m shocked, shocked I tell ya!, that a shady operation like that would respond like that. :-O

    Not

  10. Andrew Peterson

    I’m curious with the hacks on DNC, Hacking Team, NSA, etc … how you went about ensuring this PDF and potentially now you and your systems are not infected?

    1. midwestjones

      First of all, don’t use Adobe Reader. Another PDF reader program with few features should be more secure. See Sumatra PDF reader; it can’t execute JavaScript which makes it more secure.

      1. patti

        …or, switch to linux. Not as difficult as history indicates. Any one of the top 4 distros on distrowatch would work fine. If you need some win prog., just run it in virtualbox.

        1. JTL

          And you’re implying there are no vulnerabilities in Linux PDF readers? 😛

    2. Italiano Cazzo Squadra

      Speaking of Hacking Team, I never quite got the straight story on the relationship between Hacking Team and Santrex (now renamed HostSailor). Can anyone clarify? Was Hacking Team using Santrex IPs to spy on activists on behalf of repressive regimes UNTIL Santrex went tits up? Or was Santrex enlisted to help Hacking Team AFTER Hacking Team lost control of its previously planted spyware?

  11. Steve

    I’d say it’s a fake claim.

    What is the likelihood that they would mistype their own company name?

    Abdullah Al Zarooni Advocates exists while
    Abdullah Alzarooni Advocates does not.

  12. jpg 0 days

    too smart for the jpeg 0 days krebsy close but no cigar

  13. sana

    HAHAHA I LOVE it when companies think they have the power to remove anything from the internet…. that is what makes the internet great. Freedom of speech and expression. Krebs you’re awesome.

  14. NotMe

    “Bad men need nothing more to compass their ends than that good men should look on and do nothing” Mill

    Thanks for being a good man Brian Krebs.

  15. Bart

    I’m sorry to hear that the old term “blivit” was unknown to Brian. We used it way back in my teen years in the 1950s – only the quantities used were usually 10 and 5.

    1. Brian Fiori (AKA The Dean)

      Indeed, 5/10, although the exact amounts aren’t really important. And while I’m a huge Vonnegut fan, he didn’t “coin” the term. He merely used it in his writing. This term predates Kurt.

  16. vb

    If it’s legit, which I doubt, it’s called a “bluff letter.” Lawyers can make good money writing bluff letters for pompous clients.

    I’ve heard that some lawyers love to get together for drinks and compare quotes from the best bluff letters they’ve written or received. They have a good laugh and make a few mental notes for the next bluff letter that they are tasked with writing.

    You should probably take it in the spirit in which it was likely written – it’s entertainment.

  17. C/od

    Then blivit it is, Sir! Oh! Tiny Tim, there will be leftovers.

    Go show, Mr. Krebs!

  18. Robert Scroggins

    It seems to be a tactic now among “bad guys” with a bit of money to threaten someone who exposes them–look at the current attempt to do this to Bleeping Computer. I’m surprised Trend Micro gave in.

    Keep up the good work, Brian. Bleeping Computer got some help from GoFundMe, and I’m sure you can do likewise, should you need to.

    Regards,

  19. Michael Starks

    Thanks for everything you do, Brian, but most of all, thanks for having a “set.” We need more journalists like you who are willing to stand by their reporting in the face of bullying and intimidation.

  20. Erik

    Ooooh… scary! I hope that Mr. Krebs governs himself accordingly (followers of a certain prominent blog that discusses First Amendment issues will get the joke)…

  21. Jerry

    Brian, looks like @HostSailor practically countered their own claims in their subsequent tweets, saying business was booming. Looks like a common pattern: Deny, Question motives, Declare victory, Threaten.

  22. Ronald Pottol

    From following popehat.com, who frequently covers such matters, I’d expect that a foreign judgment for this would not be enforced by a US court (we have laws specifically about this, because of just how absurd English law is on the subject), and if they tried suing here, you hopefully could file an antiSLAPP counter suit, which stops their suit until yours is resolved (and in this case, I’d expect them to lose, and have to pay your costs, hopefully your state has an anti-SLAPP law). https://popehat.com/2012/06/07/why-yes-i-am-into-slapping/

    1. NotSlanderous

      As Mike stated, August 29, 2016 at 3:27 pm:
      “…statements are legal here in the States and not slanderous/illegal because they are true”.

  23. Rob Shein

    Have they heard of Streisand in Dubai? I’m thinking not.

    1. Curt

      Yep. I wonder if the web printer is going again. LOL.
