ISPs Accused Of Hijacking Search Terms, Redirecting Browser Results To Marketer's Websites

from the yikes dept

It’s really quite stunning that ISPs and marketers haven’t yet realized that hijacking users’ browser functions and redirecting them for marketing purposes could get them into serious trouble. They just keep doing it. The latest involves “more than 10 ISPs” in the US that have been secretly hijacking search terms and redirecting users directly to marketers’ websites. That is, if you typed “apple” into a browser search box, the service could take you directly to Apple’s website rather than to search results. In this case the search query never even reaches your search engine of choice: the ISP, via a partner called Paxfire, intercepts it by having its DNS resolvers answer search-engine hostnames with the addresses of Paxfire proxy servers, which relay ordinary searches to the real engine but redirect the ones that match a list of brand terms. Christian Kreibich and Nicholas Weaver, at the International Computer Science Institute (ICSI) in Berkeley, discovered this and have been tracking it for a few months. So far they have found 165 search terms being used in this manner, including “apple,” “dell,” “safeway” and “bloomingdales.”

From the article, it’s not clear whether the companies listed above are actually responsible. Instead, it looks like it may be part of an affiliate program: a company signs up as an affiliate of such stores, then uses this kind of deal with an ISP to generate massive affiliate fees, some of which are kicked back to the ISP.

The report notes that Google became aware of this earlier this year and complained privately about it (why not publicly?). That resulted in the ISPs no longer intercepting Google traffic (which is the majority of search traffic), but the practice continues for other search engines and is still pretty questionable. The excellent New Scientist report also notes that a class action lawsuit has already been filed, claiming that this violates the Wiretap Act.

What’s most amazing to me, however, is that anyone involved in schemes like this doesn’t think it will eventually come out, and that they’ll (a) look terrible and (b) get sued.
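As an added example (not code from this post, from Paxfire, or from the ICSI/EFF study), here is a small Python check for the two symptoms described above: an ISP resolver that answers search-engine hostnames with addresses outside the engine’s own netblocks, and a search request that comes back as a redirect off the engine’s domain. The trusted netblocks, resolver answers and HTTP responses below are constructed from RFC 5737 documentation ranges and example.com; a real run would feed in answers from the ISP resolver, reference netblocks from a resolver you trust, and responses captured on the wire.

```python
"""Added example: two checks for ISP-level search hijacking.

Not code from the Techdirt post, from Paxfire, or from the ICSI/EFF study.

1. DNS: the ISP's resolver answers a search-engine hostname with an address
   outside the engine's own netblocks (an interception proxy in front of it).
2. HTTP: a search for a brand term comes back as a 3xx whose Location leaves
   the search engine's domain (the term-triggered affiliate redirect).

All netblocks, addresses and responses here are constructed (RFC 5737 ranges,
example.com); nothing below was observed on a real network.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Assumption: the engines' real address space, taken from a resolver you
# trust (over a VPN, or a known-good DoH provider). Constructed values.
TRUSTED_NETBLOCKS = {
    "www.bing.com": ["198.51.100.0/24"],
    "search.yahoo.com": ["203.0.113.0/24"],
}
SEARCH_DOMAINS = ("google.com", "bing.com", "yahoo.com")


def host_in_domain(host, domain):
    """True if host equals domain or is a subdomain of it (case-insensitive)."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def resolver_divergence(isp_answers, trusted=TRUSTED_NETBLOCKS):
    """isp_answers: {hostname: [ip, ...]} as returned by the ISP's resolver.
    Returns (hostname, ip) pairs whose address lies outside every trusted
    netblock for that hostname: candidate interception proxies.
    Hostnames with no reference data are skipped rather than flagged."""
    findings = []
    for host, ips in isp_answers.items():
        nets = [ipaddress.ip_network(n) for n in trusted.get(host, [])]
        if not nets:
            continue
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            if not any(addr in n for n in nets):
                findings.append((host, ip))
    return findings


def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status, {lowercased header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_search_response(request_url, raw_response):
    """Classify the response to a search request.

    ('ok',)                     not a redirect, or a redirect that stays on
                                the engine's own domain (relative Location too)
    ('hijacked', term, host)    3xx whose Location leaves the engine's domain
    """
    req = urlsplit(request_url)
    engine = next((d for d in SEARCH_DOMAINS if host_in_domain(req.hostname, d)), None)
    if engine is None:
        raise ValueError(f"{request_url} is not a request to a known search engine")
    status, headers, _ = parse_http_response(raw_response)
    location = headers.get("location")
    if 300 <= status < 400 and location:
        # A relative Location has no host; it stays on the engine's site.
        dest = urlsplit(location).hostname or req.hostname
        if not host_in_domain(dest, engine):
            term = parse_qs(req.query).get("q", [""])[0]
            return ("hijacked", term, dest)
    return ("ok",)


# Constructed sample input: one divergent answer, one clean one, and the
# response to a search for a brand term that was redirected off-site.
ISP_ANSWERS = {
    "www.bing.com": ["192.0.2.44"],        # outside bing's constructed block
    "search.yahoo.com": ["203.0.113.7"],   # inside yahoo's constructed block
}
REQUEST = "http://www.bing.com/search?q=apple"
HIJACKED = (b"HTTP/1.1 302 Found\r\n"
            b"Location: http://shop.example.com/landing?partner=constructed\r\n"
            b"Content-Length: 0\r\n\r\n")
NORMAL = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>results</html>"

if __name__ == "__main__":
    print(resolver_divergence(ISP_ANSWERS))
    print(classify_search_response(REQUEST, HIJACKED))
    print(classify_search_response(REQUEST, NORMAL))
```

The DNS check is the durable one: a proxy has to be in the resolution path to see the query at all, so comparing the ISP’s answers against a known-good resolver exposes it even on searches that trigger no redirect. Moving searches to HTTPS denies the proxy the query text, and any redirect it tried to inject would arrive with a certificate error, which is why the DNS comparison rather than the response check is the one to leave running.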


Comments on “ISPs Accused Of Hijacking Search Terms, Redirecting Browser Results To Marketer's Websites”

Anonymous Coward says:

Civil suit? No, this should be a federal criminal case

This clearly spans state boundaries, therefore the feds have jurisdiction. And it’s clearly illegal wiretapping, AND it may fall under RICO. The feds should come down on those responsible as hard as they possibly can — I think a lifetime prison sentence for them might just have a little value in discouraging the next idiots who think of trying this.

Manabi (profile) says:

Re: Civil suit? No, this should be a federal criminal case

A lifetime sentence might be a bit much, but if the feds would pursue the actual company owners/CEOs/etc. with wiretapping charges, then convict some of them on those charges and put the actual people in jail, it might have a deterrent effect. Right now all that generally happens is there’s lots of bad publicity and the company providing the technology either goes under, or renames/sells its assets off and repeats the procedure again in the future.

But if you have the actual masterminds going to jail, well now, the number of people actually willing to take the risk to run such a company will quickly dwindle. Those stupid enough to continue to risk it will end up in jail, and the others will find something else to do. (Probably also unethical and immoral, but maybe not illegal.)

CD (profile) says:

Comcast and Verizon.

I had something similar happen back when I was using Avant Browser. I accidentally closed the Verizon FIOS web page and when I used the mouse gesture to reopen the last closed tab it loaded up to a Comcast page selling Internet Service. I did that about 4 or 5 times and it happened each time. I shot a video with my cell phone but I don’t think it’s of good resolution to see the URL of the page that was closed and that of the one that opened but you can see the images and page content clearly.

chris says:

I’ve never heard much less experienced this before. I thought ISPs only did DNS Hijacking. In that case, all you miss out on is an error message. This sounds F’ed up. Using https://encrypted.google.com/ should put a stop to this.

Since you posed the questions,

(a) Only to a very small percentage of people who actually understand WTF just happened to their search.

(b) Who’s going to sue them? The average person is going to conclude it’s not worth the time and expense. A privacy rights organization might. However the ISP will probably pull some kind of “it’s in the TOS” deal and some crappy judge will uphold it.

Freedom says:

Google -- why not publicly?

>> The report notes that Google became aware of this earlier this year and complained privately about it (why not publicly?)

If you haven’t read the book by “Google Employee #59”, it is a great insight into the company and also touches on why Google would handle something like this privately.

The core gist of it (or at least how I read between the lines) is that Google ultimately knows that direct fights are expensive, have unintended consequences, etc. Essentially, they view “fighting the good fight” as declaring “war”, and are very hesitant to do so. In contrast, their secret weapon is an incredibly talented tech team that can work around and solve these types of issues for themselves while staying under the radar.

Freedom

A. Non says:

Why will Congress not rid us of this pest?

Paxfire apparently currently occupies quarters formerly used by a janitorial services company which seems to have employed youth offenders in Texas to clean toilets at Brooks Air Force Base. Which is interesting because Paxfire is in a much dirtier business.

Paxfire was founded in 2003, but appears to have been a spin-off from a slightly older company, Simena LLC, whose president, Seyzen Uysal, is an inventor named in at least one patent assigned to Paxfire. Both companies are located in Reston, VA, home of many companies which are involved in, shall we say, shady dealings involving the US government. Simena has about 5 employees and annual revenues of about 0.5 million, while Paxfire has about 21 employees with annual revenues of about 29 million. Paxfire operates servers in Asia and Europe as well as the US, and has offices in Holland, Germany, the United Kingdom and Australia. Simena offers a device which sorts and tees traffic for further analysis (for example by a DPI box), while Paxfire offers devices which geolocate consumers and hijack their search requests (often ALL search requests), sending the consumer to a fake Google server, a server which is actually operated by Paxfire, a company which has no business relations with Google (according to Google, and for once I believe the Chocolate Factory).

Initial mention of Paxfire in the press came mostly from business writers who appear to have been inclined to give the benefit of the doubt to co-founders Mark Lewyn, a former reporter, and Allan Sullivan. What I find remarkable about later coverage from tech writers is the depth of personal revulsion at the business practices of Paxfire (and sleazy ISPs which install Paxfire boxes in their server rooms) which is apparent in their writing. Another interesting feature is that it appears to be standard practice for ISPs to deliberately mislead their own helpline employees and even admins about the presence and function of the Paxfire boxes. It even seems that some smaller ISPs which hired a “modem management company” based in Pittsburgh, Ad-Base Systems, may have been misled by Ad-Base about the presence and function of Paxfire boxes which Ad-Base had installed in its server rooms, allegedly without the knowledge of the ISPs (or at least, their admins). As one might expect, call center techies and admins who find out that they have been passing on misinformation to consumers are usually quite angry when they learn they have been deceived by their own company (or its business partners). (See the Google Knol cited below.)

Another aspect which doesn’t come through very clearly in most of the coverage is the extent to which Paxfire tries to hide its ownership of the fake Google servers behind front companies, and more generally of its business activities. It appears to describe itself by saying it offers “telecommunication services, namely, electronic data reception and transmission”, which is obviously extremely misleading. One page even misspells Mark Lewyn’s last name.

Reaction to VeriSign’s New 36-Hour Deadline
CircleID, 3 October 2003

Broken Links Lined With Gold for Paxfire
Washington Post, 30 January 2005

Interview with Mark Lewyn, Paxfire.
Mark talks about his experience raising money from the CIT GAP fund.
Keywords: Mark Lewyn Paxfire CIT GAP raising money
MeThings, 14 Jul 2005

Washington Post
Recent Deals, 23 May 2005
[quote]
Paxfire Inc. , an Internet traffic reduction company in Reston, sold $2.1 million of series A preferred stock to three investors, according to an SEC filing. Paxfire will use the money for working capital. On Demand Venture Fund of San Francisco and three Paxfire executives were listed as beneficial owners.
[/quote]

The Typo Millionaires
The sordid history of the oldest scam on the Internet, and how to kill it off once and for all.
By Paul Boutin
Slate, 11 February 2005

http://knol.google.com/k/dns-squatting
DNS Squatting
The marketers are out to get you… and your little browser too.
How Paxfire stole Google.com – and nobody noticed. An introduction to DNS Squatting – why you should understand how it works and how it affects you when unscrupulous marketers play games with your DNS.
Joseph Harris
Google Knol, August 2008

http://www.newscientist.com/article/dn20768-us-internet-providers-hijacking-users-search-queries.html
US internet providers hijacking users’ search queries
Jim Giles
New Scientist, 4 August 2011

http://www.eff.org/deeplinks/2011/07/widespread-search-hijacking-in-the-us
Widespread Hijacking of Search Traffic in the United States
Christian Kreibich (ICSI), Nicholas Weaver (ICSI) and Vern Paxson, with Peter Eckersley (EFF).
EFF, 4 August 2011

http://arstechnica.com/tech-policy/news/2011/08/small-isps-turn-to-malicious-dns-servers-to-make-extra-cash.ars
Small ISPs use “malicious” DNS servers to watch Web searches, earn cash
Nate Anderson
Ars Technica, 5 August 2011

http://www.dslreports.com/shownews/ISPs-Covertly-Hijacking-Search-Traffic-115547
10 ISPs Using Paxfire Tech to Track Users, Hijack Results
Karl Bode
DSL Reports, 5 August 2011

http://venturebeat.com/2011/08/05/isp-search-redirect/
Why ISPs are hijacking your search traffic & how they profit from it
Jolie O’Dell
Venture Beat, 5 August 2011

http://www.theinquirer.net/inquirer/news/2099860/isps-hijack-search-traffic
Big US ISPs hijack search traffic
Crikey!
Inquirer, 5 August 2011

http://www.maximumpc.com/article/news/several_us_isps_hijacking_and_redirecting_their_customers_search_queries
Several US ISPs Hijacking And Redirecting Their Customers’ Search Queries
Brad Chacos
MaximumPC, 5 August 2011

http://techcrunch.com/2011/08/05/study-some-isps-still-hijacking-search-results-lawsuit-follows/
Study: Some ISPs Still Hijacking Search Results (Lawsuit Follows)
Devin Coldewey
Techcrunch, 5 August 2011

http://boingboing.net/2011/08/05/many-us-isps-in-epidemic-of-covert-search-hijacking-of-their-customers.html
Many US ISPs in epidemic of covert search-hijacking of their customers
Cory Doctorow
BoingBoing, 5 August 2011

See also
US Patent 7631101, Systems and methods for direction of communication traffic
US Patent 7310686, Apparatus and method for transparent selection of an Internet server based on geographic location of a user

The Wikipedia article was apparently edited by Lewyn and has recently been moved which erased prior history; see
https://secure.wikimedia.org/wikipedia/en/wiki/Paxfire
The version as of 8 August seemed pretty good, but it is strange that it describes Paxfire as a “startup” since it has been operating since 2003.

So why has Paxfire been allowed to operate unmolested for so long, despite such widespread knowledge of and revulsion from its business practices? Practices which, everyone seems to agree, are either criminal or ought to be? The explanation might be some contributions during the most recent presidential election:

http://www.campaignmoney.com/finance.asp?type=io&cycle=08&criteria=Paxfire
Doug Armentrout, COO, Paxfire, $250, National Republican Trust PAC
Kris Carter, General Counsel, Paxfire, $250, National Republican Trust PAC
Michael Subotin, Research Scientist, $1050 (total), Obama for America

Is that really the price of protection? A mere 1500? Can’t we collectively beat that and put this company out of business and its executives in the dock?

Actually, the true story may be even worse than that. Several of the fake Google servers reported to Google in 2008 were registered to L-3 Communications. Back in 2008, L-3’s webpages said little about the nature of its business, and the Wikipedia article described L-3 as a company which owned a lot of dark fiber. Convenient if you want to hide something ugly. But the current Wikipedia article is much more accurate. L-3 Communications is in fact the 8th largest US federal government contractor, with about 3.8 billion in federal contracts in 2011. It has annual revenue of about 15.7 billion, employs some 63,000 people, has offices all over the world. Its business? The current Wikipedia article says
[quote]
L-3 Communications … supplies command and control, communications, intelligence, surveillance and reconnaissance (C3ISR) systems and products, avionics, ocean products, training devices and services, instrumentation, space, and navigation products. Its customers include the Department of Defense, Department of Homeland Security, U.S. Government intelligence agencies, NASA, aerospace contractors and commercial telecommunications and wireless customers.
[/quote]
And this description is an accurate summary of how L-3 now describes itself.

The fake Google servers reported to Google in 2008 are still owned by L-3, but if they are assigned to anyone, they are bogons. But one subnet previously used (allegedly) by Paxfire in 2008 to hide fake Google servers appears to have popped up again recently in what appears to be a scam in which traffic from US service persons seeking insurance is hijacked and sent to a malware-serving site. Nasty, huh? Another of these subnets has recently been named in the ongoing genuine-but-improperly-issued certificate issue, in which a certificate for the International Criminal Court appears to have been given up to an imposter.

Another company which sells multi GB/second deep packet inspection equipment to ISPs and internet backbone providers is Cisco, which has been accused for many years of close cooperation with the Chinese government in its population surveillance and censorship programs. And a UK based company, Gamma International, apparently tried to sell its own DPI equipment to pre-revolution Egypt, and appears to maintain an office in Syria. And there are possible indications here that a third company, Paxfire, may be involved in something which ought to concern the US Congress, even if trampling on consumer rights does not.

A. Non says:

The role of Ad-Base Systems, L-3 Communications, HBGary

I meant “Freedom”’s comment.

The EFF summary and these two research papers are well worth reading:
http://www.eff.org/deeplinks/2011/07/widespread-search-hijacking-in-the-us
http://www.icir.org/christian/publications/2011-satin-netalyzr.pdf
http://www.usenix.org/event/leet11/tech/full_papers/Zhang.pdf
The EFF researchers admitted they were surprised that millions of US persons turn out to have been victimized in this DNS hijacking, but their figure agrees with my estimate in 2008.

In the papers, “ISP” can be confusing. The researchers found that all the searches of 98% of the customers of Ad-Base Systems, based in Pittsburgh, were being hijacked (apparently by Paxfire boxes, with the connivance of Ad-Base). Ad-Base is not only a local ISP in that area but also operates a “managed modem” business, so dial-up customers of many local ISPs in other areas were actually being redirected to Ad-Base, and then their search requests were being sent to fake Google servers, apparently actually operated by Paxfire. In 2008 I found that some of these servers seemed to be registered to L-3 Communications and Internap, which also agrees with the EFF researchers’ findings. L-3 is the eighth largest US federal government contractor, and the nature of its business raises questions about its involvement in this business:

https://secure.wikimedia.org/wikipedia/en/wiki/L-3_Communications
[quote]
L-3 Communications Holdings, Inc. (NYSE: LLL) is a company that supplies command and control, communications, intelligence, surveillance and reconnaissance (C3ISR) systems and products, avionics, ocean products, training devices and services, instrumentation, space, and navigation products. Its customers include the Department of Defense, Department of Homeland Security, U.S. Government intelligence agencies, NASA, aerospace contractors and commercial telecommunications and wireless customers.
[/quote]

The HBGary leak revealed that L-3 had solicited a prospectus from HBGary for a project which appears morally ambiguous, to say the least.

Anonymous Coward says:

The managed modem business

Forgot to say that Ad-Base System’s managed modem business is called GlobalPops.

Some other companies which appeared to be associated with rogue servers in 2008 were Allmar Networks and WOW.

As examples of Paxfire boxes performing typo-squatting: it seems that customers of some ISPs trying to search Google have recently wound up at pages with URLs like these:
goto.searchassist.com/find?p=paxfire&s=www.wikipedia.org&t=9_33_1_0_1_12_1
autocorrect.sendori.com/autocorrect?p=paxfire&t=9_31_1_42_1_0_27
goto.searchassist.com/find?p=paxfire&s=wwwurnextenant.info&t=9_33_1_0_1_12_1
goto.searchassist.com/find?p=paxfire&s=www.sabteahval.ir&t=9_33_1_0_1_12_1
goto.searchassist.com/find?p=paxfire&s=axxo.superfundo.org&t=9_26_1_0_1_4_1
goto.searchassist.com/find?p=paxfire&s=www.mcdgc.go.tz&t=9_33_1_0_1_12_1
goto.searchassist.com/find?p=paxfire&s=goto.searchassist.comhttp%3A&t=9_33_1_0_1_12_2
hxxp://goto.searchassist.com/find?p=paxfire&s=www.cfjvhjgcjfvhgkjh.net
goto.searchassist.com/find?p=paxfire&s=www.filesonic.com&t=9_32_1_0_1_7_2
In these examples, something like wwwurnextenant.info is obviously a typo, but http://www.filesonic.com should resolve just fine. This is already objectionable and possibly illegal, I think. But what the EFF researchers found (as did I and others in 2008) is that Paxfire is in many cases hijacking ALL search requests, regardless of whether any typos occur, with Paxfire’s meddling being entirely hidden from the user (the fake Google pages being visually indistinguishable from the real thing). See

http://knol.google.com/k/dns-squatting
How Paxfire stole Google.com – and nobody noticed.
Joseph Harris
8 August 2008

for a screenshot from 2008, obtained by an ISP tech. In 2008, it seems that at least some ISPs which had hired GlobalPops were misled about the causes of customer complaints of hijacking. Surely that cannot be legal, can it?

I believe that investigations by Attorneys General of the various states, the Congress, the FTC, and the Department of Commerce (which investigated Paxfire back around 2005) are warranted.

A. Non says:

Why is Paxfire apparently hiding its fake Google servers behind front companies?

The paper by Weaver et al., “Implications of Netalyzr’s DNS Measurements”, mentions two subnets:
8.15.228.0/24
69.25.221.0/24

Anyone can look up the registration:

8.15.228.0/24 is associated with
Co-Location.com Inc.
Development Gateway, Inc.
Level 3 Communications, Inc.
The first and last are two companies which came up when I investigated hijacking (of ALL searches, not just “typos”) in 2008. The second, oddly, claims to be a company which works with the UN to develop communication tools.

69.25.221.0/24 is associated with:
Almar Networks LLC
Internap Network Services Corporation

As I said earlier, both these companies also came up in 2008 investigations as apparently having some murky affiliation with Paxfire. See the Knol by Joseph Harris.

Here some addresses for Almar Networks LLC which appear on the web:

ALMAR NETWORKS, LLC
4231 DANT BLVD
RENO, NV 89509-7020

Almar Networks LLC
297 Kingsbury Grade, Suite D
Post Office Box 4470
Lake Tahoe, NV 89449-4470

Almar Networks LLC
Stateline, NV

And at http://www.nvsos.gov/SOSEntitySearch/CorpDetails.aspx? we find that Almar is a registered commercial agent in the US State of Nevada, which is “managed” by
PAXFIRE INC.
45665 WILLOW POND PLAZA
STERLING, VA 20164

Some other companies also turn up which appear to be affiliated with Almar, in places like Florida and Zurich, so following the corporate structure should be a fruitful line of investigation.

A. Non says:

A consumer and a Paxfire victim, one of millions

Forgot to say:

I am not affiliated in any way with Google, Comcast, Microsoft, or any other company, and I have absolutely no financial interest whatever in this mess. I am simply a consumer, a customer of an ISP and a former (current?) victim of Paxfire search term hijacking, possibly the one described in the Knol by Joseph Harris.

It is crucial to understand that, as my ISP verified in 2008 in independent testing, ALL my google searches were being hijacked, and this appeared to be true for ALL the customers of my ISP.

Once again I would like to draw the attention of reporters to the multiple-redirection documented by the research papers cited above. The authors note that this appears to be designed to fool advertisers into paying for supposed click-throughs by many customers, when in fact these companies are paying because the search of one consumer was hijacked by equipment operated by murky companies which appear to be front companies for Paxfire. Now there is a name for that, isn’t there? It’s called click-jacking, isn’t it?

Mark Lewyn’s protests that his company is doing nothing wrong, that this is all due to misunderstanding by consumers of what is going wrong with their searches, that if anything did go wrong it is only “by mistake” [sic], are in my view simply not credible. If this is “all a misunderstanding”, why do so many people, including admins for ISPs, say that Paxfire appears to routinely deceive them (the admins), not to mention the consumer?

I renew my call for investigation of Paxfire by the US Congress and by the Attorneys General of the US states (they can start by calling the AG of Nevada to ask about the relations between Almar and Paxfire, and the AG of Pennsylvania, to ask about the relations between Ad-Base, GlobalPops, and Paxfire).
