Slashdot Mirror
New Rules Make Domain Hijacking Easier
Tanktalus writes "Netcraft seems to have a little ditty about new rules from ICANN that take effect on Friday making it easier to hijack domain names. Essentially, if someone tries to take your domain, and you don't answer within 5 days, they now assume you are okay with the transfer. Previously, the default answer was no, and you had to explicitly state your acceptance of the domain transfer. Owners of small domains, beware: no more computerless vacations that last more than 4 days at a time!"
5 Days you have got to be kidding me! Give us at least 10
As they point out in the article, GoDaddy (and others) have a domain locking feature that will still prevent these transfers.
*waits for the slashdot editors to take a week's vacation*
someone give me a sample of the email notice and I'll whip up 4 lines of perl to take care of that.
Owners of small domains, beware: no more computerless vacations that last more than 4 days at a time!
This advice is a bit extreme... you can rest easy so long as you turn on domain locking at your registrar. That'll default all requests for transfer to a fail until it's removed... so all you need to do is keep your password to your domain registrar accout from falling into enemy hands.
Maybe this is a good time to educate the casual website operator about the domain locking feature, and what it's useful for. The new system's assumption is if your domain is unlocked, you're sending out a signal that you're intending for a transfer to happen soon. Maybe the rules should have locking as a default-on thing, but they don't so it's buyer beware for now.
People with small domains should beware?
Size isn't everything, you know...
500GB of disk, 5TB of transfer, $5.95/mo
Comment removed based on user account deletion
...when you're putting the damage on.
The upside is this will all end after the first lawsuit against ICANN.
Which should be in about 7 days.
It's mine, mine, mine... down, down, down!
Daffy Duck reminds me a lot of someone...
You never know who could go down...someone could steal their name!
Cache
Any registrar? It doesn't seem possible at gandi.net; I've been looking for the last ten minutes. Anyone have any domain names there and know how to do it?
I realize that the primary use of tracking graphics is for spam, but wouldn't something like that be useful here?
If someone is unable to read the email in a way that loads the tracking image, then the server can just assume that the email was never received. Once the image has been downloaded, the request countdown can begin at T-minus 5 days.
This wouldn't even affect pico mail users because the image wouldn't load in the first place, thus the countdown would never begin. If they receive the email, they can always respond, even if the tracking image does not get loaded and the countdown does not get started.
If anyone registers www.microsoft.com can you please have it redirect to redhat.com? just for a week before selling it back to M$ for 12 billion dollars.
If send ICANN a letter and a dollar saying im buying their corporation , and they dont tell me no before friday, im rich?
Whuhu. New busisness model.
1. Send letter
2. Wait 4 days.
3. Suck the profits out before next guy sends letter....
All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
Does this only apply to the usual TLDs, or country codes too?
(Didn't RTFA)
Does it make you happy you're so strange?
Can you imagine waking up one day and finding Slashdot full of articles praising Bush and promoting school prayer?
If you don't claim it within five minutes, it's mine.
YOINK!
Come now - how hard is it really to keep track of when your domain expires? Most geeks don't have wedding / dating anniversaries to remember, so there should be at least one empty date register in the old brain ... :-)
Seriously - as much as I'd like to see another slip like the relatively-recent lapse of the MS Passport domain name, and something outrageous as thousands of unwitting customers ending up at a pr0n site when they type in "wal-mart.com" or "yahoo.com" ... I don't think this will last. There's far too much potential for really ugly squabbles - and even if the registrar's acting according to "the rules," paying to defend oneself in court over a nasty domain name war adds up even if you lose.
Nothing has changed really. This has ALWAYS been the way the system ran, only some registrars choose to ignore it, and setup abusive transfer blocking mechanisms, and called them "Safety" measures for their customers instead of the lock-in attempts they really were. The problem with the old way was that some unscrupulous registrars (NetSol for instance)made it harder to get your domains away from them, forcing you to jump through hoops, and making them harder and harder to accomplish, and then deny them for wrong reasons. The new policy only sets out EXPLICIT rules about what are allowed reasons for a domain transfer to be rejected by the current registrar, and a process by which disputes over transfers will be handled. Other than that, nothing has changed really at all, and any news articles saying otherwise are less than properly informed, and listening to alarmist rhetoric instead of understanding how the system worked until now, and how it will work in the future. As a previous poster pointed out, the best thing to do is to lock your domains with your current registrar, just make sure that they provide an easy means to unlock them when you need to make changes, or when you really do want to go to a new registrar.
I swear to god, as soon as some huge website run by billionaires gets its domain transferred out from under them, heads will roll and this assinine "rule" will get changed.
Or perhaps someone at icann.org is asleep at the switch themselves? (hint hint)
Of course, I just doublechecked that warrenernst.com has the correct contact info. ;-)
I was thinking more Passport.com and Hotmail.co.uk
Join moola.com, play games to earn money.
Joker.com is my registrar and they emailed me 3 days ago about the changes, and declared all domains under their service were auto-locked by default!
:) Now if only I could get this kind of service from my credit card.
I had no idea about the regulations until they emailed me first. First they helped me transfer my domain away from a bad registrar, now they help me through new regulations without me lifting a finger.
Buyer beware of other services, but that's why you sign up with a reliable service with good references!
"All great wisdom is contained in .signature files"
Or we could find members of ICANN, or people of influence with ICANN who have domains, and try to hijack them.
I'm not bothered by this. I never had any faith in ICANN in the first place. They seem to be good for nothing except taking expensive vacations.
More importantly than the crap ICANN spews is your choice of a registrar. At least once a month, I end up in a wrestling match over a client-domain that is being held hostage by a fly-by-night, cheapie registrar. The latest happened about two weeks ago where this dumbass registrar decided to deactivate domains a month before they were set to expire if they weren't renewed. ICANN has done nothing to crack down on unethical registrar behavior. They're good for NOTHING.
Choose a solid registrar that has a good track record. My choice is Dotster, but even NSI is better than most of the crap registrars out there. Friends don't let friends get held hostage by $4.95 domain registrars.
Essentially, if someone tries to take your domain, and you don't answer within 5 days, they now assume you are okay with the transfer.
Essentially, if the owner of a domain name wishes to re-register with a different registrar, the registrar of record has five days to respond. Note that this is not a change of ownership, it is simply registering the domain you own with a different registry.
Owners of small domains, beware: no more computerless vacations that last more than 4 days at a time!"
No, it means that Go Daddy and other registrars cannot have all of their employees go on vacation at the same time.
I guess this is good. At least now i can easily get a domain name I want, if the sucker don't use it. I now quite a few domain names that are not really used but registered "just in case"
May Peace Prevail On Earth
Like it or not, the big fish MS forgot to do this and had their domain handed back to them in a nice manner by some dude who was clearly too harmonious with nature.
... for no other reason than some random name script generates the domainname names that they monitor.
Hey, I think people should know when their domains are expiring; maybe somebody could make a cute 'whois' plugin for firefox that tells you when the tab's->URL's->domain expires. I can imagine some marketers monitor expiration dates, and register them the moment they expire
Its the Hedge Wars all over again. Only now it can happen in real time.
So I ultimate say screw this. 5 days is not nearly enough time.
"Old man yells at systemd"
1. Use a DDOS on the ICANN's website so they can't respond for 5 days. :D
2. Ask to buy their domain
3. Wait 'till they can't answer....
4. You're done!
I'm definite that one of the high profile sites would be taken over soon and someone's is going to get fired for not checking their emails while on vacation. Sounds a little extreme, but wait till it happens.
Subject: From the Honorable Janissary Robert M. Jacobson
Hello sirs,
Writing this letter comes at a times of great anguishes to my community. We have obtained funds in the amount of US$3,000,000 from the Nigerian government, after the passing of Prince Montebu Wilson, to whom we are the singlest heirs. However, due to political difficulties we are unable to secure the actual cash moneys ourselves. We require your assistance, for which we would thankfully provide a commission of $500,000 for your troubles. In order for this transaction to be completed, we hereby requests that your domain, www.coolinternetstuffthatisgreatandfun.com, be transferred to us immediately. Lack of action will be assumed as an affirmative response after five days.
Do YOU ever read more than a few words into those?
-- I prefer the term "karma escort."
...would "Didn't RTFA" = "Insightful"
I went through all of their administrative pages and couldn't find a thing. Nor have I received any email, as others have, pertaining to this development. I made sure the contact info for my domains were pointing at a human being and hopefully they'll address the issue soon.
You dumbass. It's not like the onus is some random person to "ask" you, and you have "5 days to respond" to them. It's the normal process for transfers that happens through the registrar, and your registrar isn't going to try to trick you by embedding the transfer notification in spam.
From the usual shitfights I've gone through trying to get a domain transferred even though I own it.
Network solutions has an outdated email address listed for the admin and technical contact, and in order for you to change it the require faxed copies of a passport, credit card, finger prints, a 500ml sample of your blood and any children or pets you might have as hostages.
2 years and several attempts later and, although they occassionally manage to transfer the domain OK, the email address is still fricken wrong. These new ICANN rules could make my life much easier next time we change ISPs.
:wq
Might it be that ICANN is trying to force people to keep their WHOIS information current (or at the very least have a correct contact email address)?
Who actually benefits from this? What problems does it solve? And maybe most importantly: Who gets rich?
I'm more concerned with them requiring accurate contact info.
I used to have my real name, address and phone number in my whois info. I used to get tons of junk mail, and I even had people PHONE me to ask if I'm selling my domain, and then say they don't actually want ot buy it. One time a guy called when I wasn't home, and got my ex. She wouldn't tell him where I was (duh). When he called later and got me he told me that my secretary was very rude.
I do have a real Email address in the contact, and frankly I think that's really all that should be required.
In the land of the blind, the one-eyed man is kinky.
This policy fails on SO many counts of interstate trade and transfer and fraud, I can't even count.
Someone else already noticed it'll take about a week forthe first lawsuit to turn this around. I wouldn't be surprised if someone like the EFF (or the FTC - oooh - nemmind - I forgot, they're run by the people they regulate now-a-days) doesn't ask for a prelim injunction against these asshats so it never happens, period.
RS
Shoes for Industry. Shoes for the Dead.
Thanks for looking. Yeah, their domain management interface leaves a lot to be desired these days. It was pretty cool back in the day (compared to Network Solution's system that relied on filling out templates and emailing them to make any changes), but it's definitely starting to show its age now.
but icann.org is MY domain! I'd better go reclaim it...
I had a situation a while back with a hosting company. A client I maintain a website for decided to host their website through 1dollarhosting.com
The sign-up form very cleverly asks you for the information to transfer your domain name TO them.
When trying to renew the domain name, I was told by their employees that it is against their policy to release domain names. They let people transfer them in, but they will not release them to other registrars.
After digging a little deeper, they are a partner of Register.com. It took hours (literally) to get someone with enough authority on the phone (at register.com) to release the lock that they had on the account so a transfer would work.
Thankfully, the domain name was finally transferred and the guy at Register.com agreed that what they were doing was unethical....though that didn't stop them from making it a complete PITA.
Mod points are pointless when you browse at -1.
No one has made jokes about a little Diddy yet? I'm disappointed!
________________________________________________
suwain_2
It would seem that this time, Netcraft really did confirm it.
Bravo.
The "Insert Quote Here" line is almost as predictable as inserting an actual quote.
I wonder if people are hired at the Yahoo HQ's to monitor their notices of people raping them of their domain... hmm... This could be a good thing for some people. I can only hope it works in my favour, or I'll be rather pissed.
IANAL but I thought silence could not be used as an agreement to a contract. I learned this in my Business Law class but I guess this doesn't apply here?
this doesn't affect other countries domains, like .tk's, does it?
Note that this isn't about transferring a domain from one owner to another. It's about transferring a domain from one registrar to another while keeping the same owner. Transfers of ownership come under different rules.
It would require all the operators take a 5 day COMPURTERLESS vacation!
You know this is slashdot and chance of that happening is ZERO.
[for mathematicians, it is zero, not a near zero but a real zero.]
Emacs is good operating system, but it has one flaw: Its text editor could be better.
Or perhaps someone at icann.org is asleep at the switch themselves? (hint hint)
Just tried it using PairNIC. It didn't show up as available. Slashdot.org however is available. =)
'nuff said.
2) Notify ICANN to xfer it to you.
3) Spam owner of domain's mailbox with several thousand e-mails for the next five days (make titles of spam look something like ICANN sends).
4) Sell newly aquired domain.
5) Profit!
I'm an American. I love this country and the freedoms that we used to have.
Time for me to add a domain transfer lock to my domains. I suspect this'll be a popular option from here on out. I'm sorry, ICANN, but I want the default to be that nobody orders or executes changes to my domains without explicit authorization from me, preferably in writing with my signature on it (yes, I'm willing to FAX authorizations as needed).
Domains can be transferred at any time before a domain expires. Not just when it's up for renewal.
First off, anyone who has a clue (and granted that's definitely not everyone) has their domains set to "Registrar-lock" already - this means when a transfer request is made it is automatically denied by the registrar right away. This stops all sortsa fun and games, in the past mainly to stop assholes like DROA (Domain Registry of America) and Register.com from "slamming" my (and other's) customers. See these assholes send REALLY OFFICIAL looking "renewal notices" to domains expiring soon by postal mail, with instructions to simply return a check for $25 or fill in CC info and if someone isn't paying attention, or clueful, they just transferred their domain to these bastards without a clue.
So I started years ago setting registrar lock to ON for everything I register.
However one bonus is, maybe this will make a FEW transfers INTO me a little easier. The assholes at itsyourdomain.com pop into mind, they will absolutely deny any transfer no matter how much their customer screams "I WANT TO TRANSFER THIS DOMAIN AWAY FROM YOU GODDAMNIT". Complaints to ICANN, and others go unheeded.
So in short - ICANN SUCKS, this rule doesn't really suck THAT bad but I'm sure there's going to be at least a few horror stories about lost domains next week.
--- www.f-theocean.com
Damn, probably 90% of the posts in here need to be modded to -1. These rules relate to the transfer of a domain by the domain owner of that domain from one registrar to another. It is not about claiming (or hijacking) someone else's domain as the headline improperly entices you to think.
This is a good thing people! It helps to ensure that domain owners can transfer their registrations when they so wish. In fact, the domain owner has to first request the transfer before it even gets this far.
Sheesh.
- The registrant or domain owner;
- The losing registrar;
- The gaining registrar.
- The central registry - central repository of records.
Got that?Okay, the way a transfer was supposed to work was as follows:
- The domain owner submits a transfer request to the gaining registrar
- The gaining registrar was to seek confirmation of the transfer from the domain owner, based on existing whois information, and independent of the request.
- Having received such confirmation, they notify the central registry that the transfer is valid.
- The central registry notifies the losing registrar of the imminent move, to give them a chance to block it should there be unresolved billing issues or other disputes. Only in such a case was the losing registrar meant to block the transfer.
- If the losing registrar does not object, the transfer is executed.
(Steps 2 and 4 actually run in parallel, but that's irrelevant.)The Problem
However, a number of losing registrars put in a policy some time ago that they would also seek confirmation from the domain owner, despite the gaining registrar having already done so in step 2. They would object to all transfers unless they received authorisation to their liking from the domain owner.
One registrar in particular required a copy of an Australian driving licence or passport, or a notarised letter for non-aussies. In this case it made the administrative cost of a transfer prohibitively high. The did not require this level of identification when a domain was being transferred to them. (Before you ask, yes the admin details were correct. They were just being berks.)
Invariably this policy was put in by registrars to try to prevent customers moving to other registrars, by adding additional hoops. The 'excuse' put forward was to reduce exposure to legal actions.
When one tries to cover ones ass too much, one's hands end up covered in shit.
Not all registrars did this - the nicer ones honored the word of the gaining registrar and only interfered if there were billing issues etc.
The Solution
The new ICANN rules is a compromise - it now explicitly allows the losing registrar to seek the double confirmation, but they can no longer block the move just because the customer didn't jump through enough hoops for them
It does not require the losing registrar to do so, so this is business as usual for the nice registrars.
The important point is that the gaining registrar still has to verify the transfer in the first place, as it should be. The customer confirms their identity once, and no more.
What's to stop a registrar faking authorisation? The loss of their ICANN accredidation, and hence their business.
Final point: although this is a non-story, it *is* important to make sure your admin details, especially your email address, are correct and up to date. Just as you would check your entry in the phone book, check your whois data too.
"A goldfish was his muse, eternally amused"
How would you notice?
(this is meant as a lighthearted jest).
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Almost got it right...
1. Use a DDOS on the ICANN's website so they can't respond for 5 days.
2. Ask to buy their domain
3. Wait 'till they can't answer....
4. ???
5. Profit
Fahrenheit 9/11?
:)
"Sit down, son. We don't read most of the bills that pass through here. Have you any idea what that would entail?"
Substitute "bills" for "articles" and you have slashdot. At least we're up to the US Congress standard
Kjella
Live today, because you never know what tomorrow brings
While acknowleding that this is a joke, I will point out that this doesn't affect .uk domains at all, or any other ccTLD for that matter.
"A goldfish was his muse, eternally amused"
No. The gaining registrar still has to get explicit confirmation from the domain owner.
"A goldfish was his muse, eternally amused"
"Can you imagine waking up one day and finding Slashdot full of articles praising Bush and promoting school prayer?"
Not as shocking as insightful articles, relevant posts, and links that don't time out.
but there is a reason for it.
/dev/random.
the behaviour registrars im reading about on here, which this new rule does not even address, is just as unethical as domain squatting, which the new rule does.
talk about asshats.
i mistyped a url earlier and wound up at some pricks site with a massive list of domains that looked like something that was generated in the depths of
people who legitimatly and appropriatly have claim to a domain should not be held back from profits because of squatters who have no business with, for example, yourname.com in their possession.
give it a couple weeks, and alot of those sites you really wanted might be up for grabs.
ethics and governance just do not cross paths in todays society no matter how you spin it.
You are about to give someone a piece of your mind, something which you can ill afford...
Some of the naster email viruses out there don't even need you to click on a link in order to own your machine.
Sooo, what's to stop someone from sending email to the "Administrative Contact" of the domain with such a virus, and sending out a fake confirmation email that, yes, they do indeed want to transfer the domain? To the Registrar, it will look like a real transfer request. It might even hold up in court.
I suppose if one uses a Registrar which has a lock in place, this might offer some protection. But Heaven help the Administrative Contact if he/she has the password info written down in a file on the box which has now been hijacked.
Hmmm. I wonder if this "thought experiment" even applies to Microsoft? Odds are that the Administrative Contact there is using IE with all of its holes.
Suddenly, Microsoft's consistent ignoring the value of security in their products really can come back to bite them in a very nasty way.
Not that I'm suggesting anyone do this of course. But this setup, along with the security flaws in Windows, can expose a lot of sites to a new form of domain hijacking.
"I did too, until I returned with a small reading light and a magnifying glass."
So what's a geek doing with a magnifying glass, and a small reading light? Hmmm...
Think transfer security is a problem ... there's a security problem far worse:
h readid=328696&perpage=15&pagenumber=1
... as of now, some registrars do little while others suspend domains within only a few days - so if one goes away on holiday, they could very likely come back and find their domains suspended/deleted.
...
(a post of mine reposted from ICANNWatch http://www.icannwatch.org/ - slashdot.org rejected it, but I'm used to that LOL!)
-----
Bogus "Whois Problem Reports" are increasingly going from being an annoyance to being a real security risk. Some recent incidents I've experienced due to Whois Problem Reports *merely* being filed:
* Dotster, about two weeks ago, threatened to delete a domain if I didn't respond.
* BulkRegister, just yesterday, threatened to suspend a domain if I didn't respond within 5 calendar days.
What good are Whois Problem Reports when anyone can file one and there is virtually no screening performed to ensure such reports have any validitity to them; reports filed on some of my domains claimed everything was wrong, including the expiration date - what!? Talk about pure nonsense!
As of now, if one wants to cause a registrant problems, all they need to do is file bogus reports at the Internic link below (it's so easy, it's frightening!) - heck, if someone really wanted to be deviant, they could spread a virus that sends bogus Whois Problem Reports from hijacked computers...
http://wdprs.internic.net/
In addition, some registrars, such as GoDaddy, charge a fee to the registrant for *merely* reviewing a Whois Problem Report for a particular domain, regardless of whether the report is valid - see links below for more details:
http://www.dnforum.com/showthread.php?t=67862
http://www.webhostingtalk.com/showthread.php?s=&t
There is much talk about the transfer policy changes and security, yet bogus Whois Problem Reports is a security risk many times worse.
Some ICANN policy changes are needed pronto regarding Whois Problem Reports...
1. Requiring more than just a name and email for people making complaints - they should have to provide a postal address that's verifyable and/or some other information.
2. Screening of such reports - permit registrars, if they're not already, to toss out Whois Problem Reports that they feel are invalid without involving the registrant; stop wasting their time over this nonsense.
3. A standard on how registrars handle Whois Problem Reports
* including a reasonable time for the registrant to respond, such as 30 calendar days, before any action is taken
Something needs to be done before bogus Whois Problem Reports get any further out of hand
Ron Bennett
now I'll be able to get that domain I've been waiting for!
A few months ago, some teenager requested the domains for amazon.de, ebay.de, and some other sites.
Ebay's registrar send an ACK without checking and he got the domain for a few hours... until denic changed the entries back.
now i can get my spam-domain! :)
since most of their whois information is fake, spammers won't receive (e-)mail.
all their domain are belong to me.
after one week i change the ip-number attached to the domain to 127.0.0.1 and they're owned
Privacy is terrorism.
Everyone RTFA. This is not domain hijacking. This is a rule that allows a registrar to transfer your domain to another registrar. So you don't have to worry about someone "stealing" control of your domain or replacing your website or engage in fantasies about gaining control of microsoft.com cause that's not gonna happen. Microsoft will still control the domain, but if the rule is invoked, it may be at a different registrar.
Stupid rule if you ask me. All this does is put more pressure on Registrars to respond to frivolous requests by other (unethical) registrars phishing for business.
"And then I visited Wikipedia
As someone who works in the domain-registrar industry, this just seems to be a beat-up.
.com and .net domains... the ONLY DIFFERENCE with the new policy, is that the losing registrar is now required to provide a specific yes/no template to the customer, and can only reject the domain if it was the users obvious desire is to do so. This means that domain registrars can no longer hold peoples domains to ransom, if for example, they wish to transfer to a cheaper registrar. It happens a lot, I can assure you, and it's a BIG problem.
.com.au system works better, in the losing registrar has no real say in the matter, but the gaining registrar can't issue a transfer request unless they have the domain password (AND an email confirmation)
The way it works presently, is that when a user requests a domain transfer, the gaining registrar MUST send an email to the EXISTING owner (which may or may not be the person who ordered the domain) and ask them to confirm the transfer.
If the owner approves the transfer, the gaining registrar then issues the transfer request to the registry, at which point the losing registrar has the option of simply sending a "reject" command to the registry, so that the transfer fails.
They are only supposed to do this if the owner doesn't want the transfer to proceed, but a lot of dodgy registrars make the client jump through hoops to approve the transfer, and then reject the domain. If the losing registrar does not explicitly approve or reject the domain within 5 days, the transfer goes through anyway...
The above is how it already works for
This is a GoodThing. Don't be fooled by the dodgy registrars out there! Unfortunately, a lot of registrars have responded by simply "locking" all domains - which means you first need to request the lock be removed before ordering a transfer from another registrar.
The
As a little guy(TM), how I can give my feedback to ICANN?
ICANN seems like a big machine, run by... who knows? Who decides on these rules? Didn't they learn anything from the sex.com case? (perhaps that is too long ago and they have forgotten already) If they expect a big spike in appeals (as mentioned in the article), shouldn't that be indication enough that this rule change be reconsidered?
RTFM; please, I beg you.
This is transfers between registrars not between domain ownership.
It does help you actually if you need to move domains along swiftly.
Also many of these still use an antiquainted technology called facsimile because for some reason, this is a highly secure method of doing business, oh, and a rubber stamp helps.
If someone hijacks a domain, then it will stil be fraudulent, remember no security thorugh facsimile, I mean, obscurity.
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
Policy on Transfer of Registrations between Registrars, I don't find the part that states that the transfer is approved if the domain owner (i.e. the administrative contact) does not respond in time.
I do find language that states the transfer will be approved if the Registrar of Record does not respond within 5 days. This, however, is a Good Thing, as it makes it harder for the losing registrar to prevent you from transfering your domain. Of course, they can still just deny your request and hope they get away with it.
The way I see it, this gives domain owners (a little) more control over their domains. I don't see what's wrong with that. I never understood why transfers need to be approved by the losing registrar anyway - why would they ever approve losing a customer?
Please correct me if I got my facts wrong.
It has been exploitet too just two months ago, when ebay.de was hijacked by a 19yo kid.
It seems that Tucows (the domain registrar) messed up by not responding to DENIC's inquiry.
http://www.heise.de/newsticker/meldung/50661
Here's a situation where everyone who gets screwed out of their domain should sue (ICANN plus whomever else).
> no more computerless vacations that last more than 4 days at a time
Not actually.
a) Buy several years at once with automatic extension
b) Use a goddamn calendar & reminder (Hotmail or Yahoo or both, just in case) to remind yourself your domain is about to expire
* Dotster now almost immediately swaps DNS to their servers and puts up a LAME "This domain has expired" and "search engine" type page. I didn't expect them to do something that lame.
* If you don't re-register within a grace period, they charge you a HUGE fee to renew the domain. I am not pleased with that at all. There've been times where I couldn't afford to renew a domain exactly when it was due. More suckage.
Registrars suck.
ICANN't make rules...
Yeah, free Ipod! He is innocent!
And I say this as an insider. When we get a transfer request(i.e. someone says "I own this domain, transfer it from the old registrar to you guys") we just hit the button and initiate it. We figure if the person didn't own it, the transfer won't be approved
OTOH, if we get a request saying "transfer this domain away", we make very sure the customer wants it. Frankly if the request is from another Registrar and the customer has not contacted us directly, we often simply ignore the request
Criticize this all you want, but this new system is going to turn out very badly for everyone
First, the current registrar must approve a transfer of domain without obtaining the registrant's approval. This is contrary to common sense. If the purpose is to stop registrars from unreasonably holding domain names, then the appropriate response is to require the current registrar to approve a transfer request when the registrant has approved it. If the registrant approves, and the current registrar rejects, that's an appropriate cause for complaint.
After all, isn't it more important to protect existing domains from unscrupulous transfers, than to prevent rogue registrars from accepting legitimate transfers? I may have one legitimate reason to move my domain from one registrar to another but there are a large number of scammers who would gladly capture my domain for fraud or other purposes.
It's a bit ridiculous that every registrar should be forced to implement a locking function, and every domain holder should be forced to lock every domain, all at once, in order to protect themselves from fraud.
Secondly, the "unlock" action required prior to a legitimate transfer opens a window of time in which a domain can be stolen - in programming parlance, a race condition. It's a problem with the protocol.
Just the other day I transferred several domains from Joker to GoDaddy. Joker isn't very easy to deal with, and GoDaddy is cheaper, so I decided to move the Joker ones to GoDaddy.
When I jumped through the Joker hoops to tell them that I wanted to transfer my domain name, they opened a "transfer window". I was shocked when they said that, during the transfer window, _any_ registrar could grab my domain. Not just GoDaddy. Not just me. Any user of any other registrar could have issued a transfer request for my domain name, through their registrar to Joker, and Joker would have accepted it, if the request arrived before my legitimate request from GoDaddy. Indeed, any user of GoDaddy could have done the same thing, because there's nothing in the request itself to say that it was me who instigated that request.
What happened to the good old days when a request for a transfer resulted in an email from my registrar to me, asking for my approval. If I approve, the transfer will go through. If I'm not there or indisposed, overseas or not reading my email, then the transfer will not happen.
The ICANN says that , along with other things which are valid, that a Birth Certificate is valid for identity purposes.
It is NOT in the UK - it even says on it that the certificate is not a means of identity !
I image that elsewhere the birth certificate is also not valid as an identity document.
Flood Network Solutions with notices that icann.org ownership is being transferred to someone else.
If there are enough of them, then there got to be at least one which isn't answered within the 5 day timeout.
And whoever wins, wins control of the Internet! Whoot!
Get emailing, theres no bigger competition than this!
-- The universe began. Life started on a billion worlds...
-- Except on one where stupidity was there first.
I've had only horrible experience with register.com. After they completely screwed up the 5th domain I registered with them, and took over a month to get it to work, and then screwed up their web site with buggy programming, I decided to transfer all my domains away. As expected, that took over a month, too. Just about everyone there was clueless, including whoever managed their own DNS servers for their own domain as I found errors in that, too. So from now on, I always recommend to all my friend, partners, and clients, to never use register.com, ever.
now we need to go OSS in diesel cars
For .de domains, this has been the procedure ever since I've been in the domain business. The way that most registrars have implemented it is that they will send an automatic NACK (not acknowledged) to any incoming transfer request that their customer hasn't specifically asked them to authorize. Many registrars then send a notification to their customer after the transfer has been denied, giving them the opportunity to send a LATEACK, which overrides the previous NACK, but this way the rules are reversed again. If the registrar doesn't offer this LATEACK, it's "allow and try again" if you really want the domain to be transferred. What this does achieve is that if a registrar goes out of business silently, you can still get your domains transferred from them because there won't be anybody or anything sending NACKs anymore...
... ever
@
It would require all the operators take a 5 day COMPURTERLESS vacation!
You know this is slashdot and chance of that happening is ZERO.
Not really. There must be tropical islands without internet. We just need some beautiful hookers to lure them there.
And that's going to be expensive.
They re-turned all domains on (I mean blocking so this crap won't happen to anyone)- they turned it on by default on Oct 31 for all domains, at least according to an e-mail I got some time ago.
No reason to freak out unless, perhaps you are with some registrar that doesn't offer the blocking service.
Don't panic. This can only be attributable to human error.
1) ask
2) take
3) PROFIT
And thus we go back the zero. /. can pay a beautiful hooker for themselfs, the chance of them getting cmdrtaco or timothy one is so low it might aswel be -1
Come on who on
Owners of small domains, beware: no more computerless vacations that last more than 4 days at a time!
Owners of small domains beware? The big ones should fear just as much. They never answer email as it is.
Also all those spammer networks too. Hmmm they don't answer I guess it's time to transfer their domain name...
Isn't this going to be a fun time, Most people enjoy long holidays over Christmas.
Why doesn't normal contract law apply to domains? This is much like allowing anyone to transfer ownership of your home without your explicit permission.
Oh man, if indeed: "The FOA should be sent by the Registrar of Record to the Transfer Contact as soon as operationally possible, but must be sent not later than twenty-four (24) hours after receiving the transfer request from the Registry Operator. Failure by the Registrar of Record to respond within five (5) calendar days to a notification from the Registry regarding a transfer request will result in a default "approval" of the transfer." Oh man, oh man. As a sys admin for a hosting comapny, I can tell you everyone is going to hate this. The only thing that really needs to be fixed is when registrars like Bulk Register block trasnfers to competing companies like enom. This is such a pain for so many folks. Rats, I hope this does not go through, what a mess :(
photoplankton
Hey people do you know how a domain name lock works?
If you do nto then myabe you should find out..
Story conclusion only works for those who do not lock their domain names
Don't Tread on OpenSource
Network Solutions is terrible. I admit, they do have customer support, and when I call, I rarely wait more than a minute to talk to someone. That's good.
Is there a secret phone number? I have a friend who has a problem with them (hijacked domain, actually!) and he's literally been trying to get something done for _months_. Network Solutions ignores his e-mails and faxes, and the only phone numbers we can find only play recordings telling you to submit requests by e-mail. Please, let me know what number you're calling!
Thats just plain wrong. Nothing like this should default to 'YES'.
However, I bet the first high profile case, and this is reversed..
5 days.. sure taht's ok..
---- Booth was a patriot ----
They use the new "locking" feature, but it is off by default. Log in now, and lock your account before you lose it.
I don't particularly care for all the "solutions" people listed here. The bottom line is that something as basic as preventing an undesired domain transfer, should be as "dumbed down" as possible, so even non-techies are protected.
In this day of spam filtering, what happens if the transfer notice never even reaches the domain owner, and ends up in a SPAM trash folder?
Owners of small domains, beware: no more computerless vacations that last more than 4 days at a time!"
I could see this happening to larger domains easier than smaller ones. Microsoft has already lost domains because the re-registration got "lost in the mail". Maybe the next time, the one who snags it won't be as nice to return it so promptly and without a legal battle.
That's why you pay the hookers for them. There are some people on /. with a job.
These changes will mostly effect how the .com and .net domains are transferred (and possibly some other lesser ones). It all comes down to how the registrars used to transfer domains between registrars and how they will now.
.com and .net was that an individual went to a registrar to transfer their domain to, that registrar would then initiate a transfer request for that domain (some would verify that the person asking for a transfer is the person who ownes the domain by sending the admin in the whois an email, BUT THIS WAS NOT A REQUIRED STEP). The registry then alerted the current registrar that a transfer request for the domain has been initiated. It was then the current registrars responsibility to verify that the owner was the one wanting to transfer. If there is no response from the current registrar (to either accept or reject the transfer) after 5 days, then it would automatically accept.
.net and .com.
A main difference is how they used to be transferred, which for
All the new rule does is change the verification step from the current registrar to the requesting registrar.
With other TLD's this has already been implemented through a different system for quite some time. In this system, there is an authorization code assigned to every domain name (most times the owner doesn't know it and the registrar does so the owner needs to ask the registrar for it). The only way for a registrar to even start a transfer is for the person requesting the transfer to give them the authorization code. This in effect, then verifies that the person ownes the domain because they have the private passcode. This is in most TLD's with the exception of
Dear Microsoft Employees:
As your Fearless Leader, you've all been given a two-week holiday to commence next Monday. To make sure you get the most out of this holiday, please do not take any work home or respond to e-mail messages. Those that login to check their e-mail will be terminated.
signed,
Bill
signature pending slashdot approval
"Stacy" at the Register.com LivePerson chat just told me this:
I am sorry to inform you that the domain transfer request will be approved within 5 days if you fail to respond to the confirmation email. Register.com may provide the facility of locking domain names in the near future.
Heh. Sorry.
Stiny! Get me a danish!
Do you know if Dotster will protect you? ... or I need to move to GoDaddy.
Simpy
I've found that when transferring .ORG domain names from one registrar to another the PIR gets involved, and requires an authorization code from the losing registrar, so I think we can stop chortling about the idea of hijacking icann.org or slashdot.org. We would need to obtain the authorization code, and I don't think the registrar would hand that over to just anybody.
I have to admit that this story through me into a panic, I mean a full-on tingling-up-the-spine near-freakout, since I use a registrar that's about the worst one on the planet (and I'm in the process of moving everything over to one that I actually like). But it looks like my fears were pretty much unfounded. But there's still a shroud of doubt hanging over me. It's still not clear to me what happens if I am unable to respond to an email requesting authorization on a transfer from my old registrar.
And another thing that weirds me out is that in one part of the ICANN page it says that registrar-locked status will protect the domain name from being transferred, and then in the next section they say it won't. What's the distinction they're making?
You are in error. No-one is screaming. Thank you for your cooperation.
nt
Congrats to ICANN to bring slamming(act of switching providers without customers approval) to domain name registration. Another thing to worry about, I can't wait till my domains get moved over to whatever registar that charges $25 a year without my permission.
Have you ever been to a turkish prison?
Domain names are not supposed to be trademarks or anything else, they're just like phone numbers. Thus, as long as noone is doing business illegally, anyone should be able to own any domain name they can get their hands on.
Seeing as how he hijacked the Censorware domain and all. This might get marked down as troll, but it's true, michael really did hijack the Censorware site and turn it into a personal soapbox for a while, bashing the founders of the group who he claimed were "stalking" him (apparently, taking somebody's website and then having the owners hate you for it was a surprise to michael).
Slashdot seems to take a stance against cybersquatting, yet one of their own editors famously did it for over a year. There's a reason michael is the most despised editor around here and considered the most annoying and unbalanced.
I cannot emphasise enough, do NOT use DotRegistrar!!
I was trying to send a spam complaint to one of the domains registered through them, and the e-mail kept getting bounced. According to ICAAN rules, the contact information must be correct. So I used the only method DotRegistrar has to contact them, their tech support form. For my e-mail address, I used an address with 'dotregistrar' in it (myname.dotregistrar@mydomain.com), I use this technique often to track the dissemination of my email address (e.g. myname.amazon@mydomain.com, myname.ebay@mydomain.com, myname.zdnet@mydomain.com, etc.).
Not only did I get no response from them, but within a week, I started getting a flood of spam to that exact e-mail address! The bastards sold the address that was used exclusively for a complaint (it has never been used for anything else, not even to register a domain) to spammers! Their (no) privacy policy states that they will release collected information "to third parties or to the public at large, for any purpose," but it does not indicate this includes complaints. I guess they got me, eh?
TZO.COM automatically locks domains for their customers (and unlike the other registrars, they have real human beings staffing the phones).
I suspect all registrars offer domain locking as a feature. Some may not enable it by default.
GoBigMedia automatically locked my domains. *whew*
this is a test
Several people have mentioned that this is about changing registrars, not hijacking. However, having worked at a cheap registrar, let me tell you how a hijacking can and sometimes does take place.
To start, let me explain how domain sales usually worked at this registrar. First, there was a fee to change ownership, even though it could be done by simply modifying the whois information. There was another fee to transfer to a new registrar. Since the person buying the domain name rarely wanted to use the same registrar, many sales would take place by simply transferring the domain to a new registrar. Then they would not have to pay both the name change fee and the transfer domain fee. It used to work something like this.
The new registrar supposedly verified the information before submitting the transfer request to the old registrar. However, if the information did not match, it was assumed that a domain sale was taking place. Only if there were blatent red flags did anyone stop to question a transfer.
Can you see how someone might try to use the new rule to complete a "sale" of a domain? I am sure that there are now more checks to prevent this since I have been away from that cheap registrar for a couple of years. Just to be on the safe side, I will check a few domains to make sure they are locked.
KnarflingGreat civilizations have lived and died on false theories. Don't mess up mine with a few facts.
Besides a lock by the registrar, how about an autoresponder to the official registrant's email on file saying "No, This domain, [domain], is not approved for transfer to any other party." Or some-such. Granted, lotsa spam will get answered, but wouldn't this constitute response?
-- @rjamestaylor on Ello
Sorry, ex-employees and disgruntled employees are very unbelievable without precise, verifiable data.
Talk about a protection scam. Make it easy for someone to steal from you, then offer protection if you pay. Is the mob running ICANN now?
any asshat knows this
I noticed on http://www.godaddy.com/ you can go through the transfer proccess for seemingly any domain you want without entering any information regarding the current owner. If you do this(and pay the few $$), then the real owner doesnt shootdown godaddy's request for transfer, it'll be transfered to godaddy correct?
... I think I'm missing somethin here...
At that point who would have access to the account details/ownership? The owner would need an account with godaddy in order to make changes, but if they are unaware of the transfer.. what then? Would godaddy create an account automagically and perhaps email the owner the account login/pass? If that is the case and the owner had bad contact info listed then the domain would sit stagnant for the next forever years wouldnt it?
Stealing is stealing; with a gun, or a computer.
e rpol. If the calvery won't, or can't help you; Then, well, recourse is up to you.
I've paid for the use of something for a specific period of time. If someone has taken this from me then it is theft. Solution? call the police/sherif/marshal/f.b.i./homeland-seurity/int
You really can't change the way a bad guy thinks, but you can introduce outcomes that would cause the bad guy to reconsider actions in a constructive direction.
For engineers, that's equivalent to a very small value of zero.
~Idarubicin
Spammers often register their domains without proper contact details. They can't get the notice. Some spam vigilantes could, (um... theoretically, of course...) hijack these domains to teach the spammers a lesson.
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
asking him if he would give me a billion $. If I haven't heard from him in 4 days, I'll tell the bank to assume he's OK with it and to give me the money. I like this new rule.
Jump in, if you think this is a bad idea! Here's the letter I just sent to icann@icann.org:
Good afternoon:
I stringently oppose the new ICANN Policy on Transfer of Registrations between Registrars, specifically the section 3 line:
"Failure by the Registrar of Record to respond within five (5) calendar days to a notification from the Registry regarding a transfer request will result in a default "approval" of the transfer. In the event that a Transfer Contact listed in the Whois has not confirmed their request to transfer with the Registrar of Record and the Registrar of Record has not explicitly denied the transfer request, the default action will be that the Registrar of Record must allow the transfer to proceed."
This policy is an extraordinarily bad idea, for several reasons:
1) It puts more responsibility on registrar to wade through spurious domain transfer requests, many of whom will not take the pains to actively sort legitimate from non-legitimate requests.
2) It will mean trouble for domain owners who don't closely manage their records. Domains with incorrect e-mail addresses and outdated administrative contact information are at particular risk of hijacking.
Please reconsider this decision. Domains have become far too valuable to companies to introduce such a disruptive and potentially damaging policy.
What does it mean to wake out of a dream
and be wearing someone else's shorts?
BNL, Born on a Pirate Ship (1998)
Section 3 5th paragraph: "Failure by the Registrar of Record to respond within five (5) calendar days to a notification from the Registry regarding a transfer request will result in a default "approval" of the transfer."
That's dangerous, because the acquiring registrar may also use an automated process to get confirmations. If your autoresponder sent a reply to that registrar's software, it could be misinterpreted as a confirmation of transfer.
All in all, ICANN's new policy is a very bad move.
cpghost at Cordula's Web.
I've seen many negative comments about Network Solutions and I'd like to set the record straight on a few things. I'm an employee of the company and I admit that years ago there were problems with our support and policies. Things have changed now and we provide phone support with an average of 10 seconds hold time before you speak with a person.
The policies and security measures that are in place are only there to protect our customers from unauthorized changes and transfers. Being the world's largest registrar, we get many attempts at such feats but most are thwarted due to our practices.
I challenge any of you that have accounts and have problems to leave a reply to this comment - I'll email you back and help to resolve any issues you might have.
For those of you who aren't customers, might I note that we're currently offering transfers in to Network Solutions for $9.99 a year, a rate very competitive with all other registrars, and we do indeed offer a lock to protect unauthorized transfers from taking place for no additional fee.
Hey I know, I'll make an offer on your house... and if you ignore me, I'll proceed to move all my things in and toss all your things out!
Bzzt, sorry. Doesn't work like this.
Take your tinfoil hats off, because this will not happen.
We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
Well, that doesn't make sense -- if I respond it's yes but if I don't it's yes? That won't fly.
-- @rjamestaylor on Ello
check out http://despammed.com/
It's a free e-mail forwarding service that does a GREAT job filtering SPAM. I've used it for years as my email address for anytime I have to register somewhere and know I'll get a ton of SPAM for doing so (like domain registrations, Ebay, online vendors, etc.)
This time I'll admit it.
I wanted to change a domain name (one a friend of mine legitimately owns, and had asked me to change). I started calling around... I first called names4ever. They went through the process of looking up the actual registrar, which was "In Just a Minute." I then called up IJM and they redirected me to their DNS services guy. I got ahold of the guy (name protected) on the phone and asked him to change the authorized zoneholder... he did it immediately, without asking for any kind of information.
In fact at no time during this process did I ever tell anyone my name or the name of their original client. All I ever said was the domain name (also protected, you evil blackhats).
So... it's not too hard to steal a domain anyway...
FAQ chapter 3.4. Outgoing transfer (leaving Gandi) indicates that there is no any lock. I think.
They've been very good to me.
"NOTICE... November 2004 ICANN Transfer Policy Email
;)
From November 8-10, we are sending an email to all domain customers informing you of a new domain transfer policy, enforced by ICANN (The Internet Corporation for Assigned Names and Numbers). This policy dictates that we must honor any transfer requests, even if you do not personally confirm them. To prevent unauthorized transfers, lock your domains. This service is free and takes only a minute."
I'm a happy customer
VIVA1023.com | Political Fashion.
Failure by the Registrar of Record to respond within five (5) calendar days to a notification from the Registry regarding a transfer request will result in a default "approval" of the transfer.
Umm, this says Registrar of Record not Registered Name Holder. Correct me if I'm wrong, but a Registrar of Record would be EasyDNS, Register.com, networksolutions.com, etc. A Registered Name Holder would be me. I think this has more to do with you trying to transfer your domain to a different register, and your current register not responding because they don't want you to move it.
Well despite the nay-sayers and the yea-sayers, I think if my registrar tries to confirm with me before deciding whether or not to send a response in 5 days' time, it's a good thing. 'Coz if somebody does manage something funny, I can say no.
On a good note, www.mydomain.com has the transfer-lock feature available also. The sell domains for about $8.50 or something. I've never had any problems. And I tried lock and unlock, it goes thru. Hehe, if in a month they decide to remove the "unlock" options, it would bother me, but I've never really had any reason to change away in the past.
Ah my 2 texan cents.
If you go read the ICANN Policy on Transfer of Registrations between Registrars http://www.icann.org/transfers/policy-12jul04.htm it's quite explicit regarding the circumstances in which a registrar (aka Network Solutions, Dotster, Tucows, GoDaddy, etc - not the Registrant, billing or technical contacts) could deny a move request as well as under what circumstances they could not deny such a request (Nonpayment, No response from the Registered Name Holder or Administrative Contact, etc).
I'm no rocket scientist but the policy clearly intends to prevent Registrars from hijacking the domains of their clients, as some have been wont to do, or simply refusing move requests by passively ignoring said requests.
Here is some of the verbiage of the policy that indicates its clear intention to anyone who is capable of reading above a 5th grade level.
"Registered Name Holders must be able to transfer their domain name registrations between Registrars..."
"The Administrative Contact and the Registered Name Holder, as listed in the Losing Registrar's or applicable Registry's (where available) publicly accessible WHOIS service are the only parties that have the authority to approve or deny a transfer request to the Gaining Registrar."
Failure by the Registrar of Record to respond within five (5) calendar days to a notification from the Registry regarding a transfer request will result in a default "approval" of the transfer.
In the event that a Transfer Contact listed in the Whois has not confirmed their request to transfer with the Registrar of Record and the Registrar of Record has not explicitly denied the transfer request, the default action will be that the Registrar of Record must allow the transfer to proceed.
Thus spake the SysGoddess
I dislike 1and1. When I reached the threshold of bandwidth (somehow I used 5GB in three hours?) one month, they shut down my webspace and demanded that I give them my credit card. When I asked how much I owe, they ignored me and resent the same e-mail: "Give us your credit card number and we will reactivate your account".
Many DN registrars have an option to "lock" your domain, to prevent it from being transfered to another registrar.
The new ICANN rules specifically state that such a locked domain is not subject to transfer.
I think that most people here are misinterpreting the new rules.
From what I can see, they're not to make DNs easier to steal from their owners; they're to make it easier to transfer DNs from one registrar to another.
The problem is that the new rules make it easier for one registrar to steal a DN from another (although the owner does not change).
Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana
Whois contact addresses are supposed to be public. They are not contact addresses for your registrar. If they are agressively filtered they might be considered invalid (perhaps if several attempts are made to contact them from several to test validity.) If they are tested for validity and found to be invalid (i.e., not accepting any email) then the domain might be taken from you (for publishung invalid contact info).
I use a sneakemail address on my whois record. I can easily change it to another sneakemail address (only I'm too lasy. I still get only about one spam message a day on that address. I get more spam on the sneakemail address I publish on slashdot posts and I still haven't replaced that one...)
An address published on whois is not immediately spammed. It takes several weeks until spammers scan the database and distribute updated mailing lists, so if you replace your whois address every week, or even just every month, you should be quite spam-clean (at least on these addresses). Of course you might be unlucky and your address harvested just after you publish it, but then, email addresses are cheap.
One thing that might be useful would be a protocol automatically update all whois contact addresses and tools to autopmate the process of creating new addresses, updating them, and then blocking the old ones (ideally, if you want to receive all mail that might be sent to an address, you would want the old address to be kept active and then automatically blocked after about a week (to account for mail delivery delays, plus perhaps a couple of days a possible sender might delay a draft before finally sending it to you).
BTW, widespread use of multiple email addresses, especially if combined with effective methods to automaically change and block old ones, can prove as a very big problem to spammers. They rely on very low response rate from mailing lists that have a reasonable percentage of valid addresses (I would call 5% valid reasonale here). If you throw in a factor of something like 99 out of 100 addresses being automatically invalidated by receiving spam (i.e., most addresses used by spammers becoming invalid soon after they start to receive spam) tehn it might make spam unprofitable. At leasy it would make life much harder for spammers,having to clean up their lists all the time.