Slashdot Mirror


New York's Oldest ISP Gets Domain-Jacked

Howard Roark writes "Panix, the oldest commercial Internet provider in New York, had its domain name 'panix.com' hijacked by persons unknown. The main effect on users is that mail sent to panix's customers is being routed to a bogus mail server run by the hijackers."

447 comments

  1. Panix by UnCivil+Liberty · · Score: 5, Informative

    One domain hijacked and another soon to be slashdotted, sucks to be them.

    Just in case:
    "Status as of Sat Jan 15 22:04:33 EST 2005

    Panix's main domain name, panix.com, has been hijacked by parties unknown. The ownership of panix.com was moved to a company in Australia, the actual DNS records were moved to a company in the United Kingdom, and panix.com's mail has been redirected to yet another company in Canada. Panix staff are currently working around the clock to recover our domain, but this may take until Monday, due to the time differences and difficulties in reaching responsible parties over the weekend.

    For most customers, accesses to Panix using the panix.com domain will not work or will end up at a false site."


    Their catch phrase "Your $HOME away from home" is quite cute.

    --
    Distributed proteome folding @ WorldCommunityGrid.org
    Team Slashdot - Members:#1 Run Time:#1 Points:#1 Results:#1
    1. Re:Panix by wpanderson · · Score: 4, Informative

      Looks like their MX records are back under their own control ...

      intrepid:~> dnstracer -s . panix.com
      Tracing to panix.com[a] via A.ROOT-SERVERS.NET, maximum of 3 retries
      A.ROOT-SERVERS.NET [.] (198.41.0.4)
      |\___ M.GTLD-SERVERS.NET [com] (192.55.83.30)
      | |\___ ns2.ukdnsservers.co.uk [panix.com] (207.61.90.196) Got authoritative answer
      | \___ ns1.ukdnsservers.co.uk [panix.com] (142.46.200.67) Got authoritative answer
      [snip]
      intrepid:~> host -t mx panix.com
      panix.com MX 200 mailhost-l2.panix.com
      panix.com MX 150 mailhost.panix.com
      intrepid:~> host -t any mailhost.panix.com
      mailhost.panix.com does not exist, try again
      intrepid:~> host -t any mailhost-l2.panix.com
      mailhost-l2.panix.com A 166.84.1.75
      intrepid:~> whois 166.84.1.75

      OrgName: Panix Public Access Internet
      OrgID: PPAI
      Address: 15 West 18th St.
      Address: 5th Floor
      City: New York
      StateProv: NY
      PostalCode: 10011
      Country: US

      NetRange: 166.84.0.0 - 166.84.255.255
      CIDR: 166.84.0.0/16
      NetName: ACCESS-NET-B
      NetHandle: NET-166-84-0-0-1
      Parent: NET-166-0-0-0-0
      NetType: Direct Assignment
      NameServer: NS1.ACCESS.NET
      NameServer: NS2.ACCESS.NET
      Comment:
      RegDate: 1993-11-10
      Updated: 2000-08-21

      TechHandle: PANIX5-ARIN
      TechName: Panix Network Information Center
      TechPhone: +1-212-741-4400
      TechEmail: hostmaster@panix.com

      OrgTechHandle: PANIX5-ARIN
      OrgTechName: Panix Network Information Center
      OrgTechPhone: +1-212-741-4400
      OrgTechEmail: hostmaster@panix.com

      # ARIN WHOIS database, last updated 2005-01-15 19:10
      # Enter ? for additional hints on searching ARIN's WHOIS database.

      ... or did I miss something

      --
      neuro at well dot com (when I post, it's my opinions, no-one elses)
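Added example, not part of the original thread: the check the comment above does by hand, run over the same `dnstracer` and `host` lines. It flags name servers outside an expected set and MX targets that do not resolve or fall outside the owner's netblock. The baseline name servers are placeholders (an assumption); the netblock is the CIDR from the ARIN record quoted above.

```python
import ipaddress
import re

# Lines copied from the dnstracer/host output quoted in the comment above.
OBSERVED = r"""
| |\___ ns2.ukdnsservers.co.uk [panix.com] (207.61.90.196) Got authoritative answer
| \___ ns1.ukdnsservers.co.uk [panix.com] (142.46.200.67) Got authoritative answer
panix.com MX 200 mailhost-l2.panix.com
panix.com MX 150 mailhost.panix.com
mailhost.panix.com does not exist, try again
mailhost-l2.panix.com A 166.84.1.75
"""

# Assumption: placeholder baseline name servers (the thread does not list the
# legitimate ones). The netblock is the CIDR shown in the ARIN record.
EXPECTED_NS = {"ns1.baseline.example", "ns2.baseline.example"}
OWNED_NET = ipaddress.ip_network("166.84.0.0/16")

NS_RE = re.compile(r"(\S+) \[(\S+)\] \(([\d.]+)\) Got authoritative answer")
MX_RE = re.compile(r"^(\S+) MX (\d+) (\S+)$")
A_RE = re.compile(r"^(\S+) A ([\d.]+)$")
NX_RE = re.compile(r"^(\S+) does not exist")


def parse_observation(text, domain):
    """Collect authoritative NS, MX, A and 'does not exist' answers."""
    obs = {"ns": {}, "mx": [], "a": {}, "nx": set()}
    for raw in text.splitlines():
        line = raw.strip()
        m = NS_RE.search(line)
        if m:
            if m.group(2).lower() == domain:
                obs["ns"][m.group(1).lower()] = m.group(3)
            continue
        m = MX_RE.match(line)
        if m:
            if m.group(1).lower() == domain:
                obs["mx"].append((int(m.group(2)), m.group(3).lower()))
            continue
        m = A_RE.match(line)
        if m:
            obs["a"].setdefault(m.group(1).lower(), []).append(m.group(2))
            continue
        m = NX_RE.match(line)
        if m:
            obs["nx"].add(m.group(1).lower())
    return obs


def audit(obs, expected_ns, owned_net):
    """Return (kind, subject) findings for delegation and mail routing."""
    findings = []
    # Delegation: any authoritative server we did not configure is suspect.
    for ns in sorted(set(obs["ns"]) - expected_ns):
        findings.append(("unexpected-ns", ns))
    # Mail routing: every MX target must resolve inside our own address space.
    for _pref, target in sorted(obs["mx"]):
        if target in obs["nx"]:
            findings.append(("mx-unresolvable", target))
            continue
        addrs = obs["a"].get(target)
        if not addrs:
            findings.append(("mx-not-checked", target))
        elif not all(ipaddress.ip_address(a) in owned_net for a in addrs):
            findings.append(("mx-outside-netblock", target))
    return findings


if __name__ == "__main__":
    for kind, subject in audit(parse_observation(OBSERVED, "panix.com"),
                               EXPECTED_NS, OWNED_NET):
        print(kind, subject)
```

On this data the MX target with an address passes the netblock test, while the delegation itself is still flagged because the answers come from name servers outside the baseline.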
    2. Re:Panix by multipartmixed · · Score: 2, Informative

      I'm still getting the freeparking IP for the MX from my local servers, but network-tools.com is showing the right info.

      Presumably my stuff is cached; but at least the TTL on the hijacked domain is to 7200s. Nice and short.

      --

      Do daemons dream of electric sleep()?
    3. Re:Panix by canuck57 · · Score: 2, Insightful

      but this may take until Monday, due to the time differences and difficulties in reaching responsible parties over the weekend.

      I smell a law suit a happening. But given the lack of response from this registrar their registration should be pulled if they don't have it fixed with 30 minutes notice.

      And maybe ISPs will lean on ICANN to remove the registrar. It is easy to protest. If the top ten ISPs blocked this registrar's DNS servers this would in fact make it worth their while to get their act together. If I worked for Earthlink, RR, Sprint, Simpatico, Telus, ATT and others, and had the authority to do this I would participate. As there has to be NO DNS registrar that is fraudulent. As it could have been my domain that was hijacked.

    4. Re:Panix by rs79 · · Score: 4, Interesting

      It's not like you folks weren't warned this would happen. The NSI-ICANN agreement took away any power NSI had to fix this.

      An in band solution altering DNS is probably not a solution, welcome to the modern internet and oddly, I don't see a peep out of ICANN's "Transfer Task Force".

      The proper geek way to fix this is with BGP. Why hasn't anybody had the cojones to do this yet?

      If somebody cares to contact me preferably by voice I can put the correct NS records for panix in the ORSC root zone and those of you sensible enough to not rely on other people to be in charge of the entire domain tree will be able to get to (alas) poor Panix normally.

      John Berryhill is in Delaware and is now aware of the problem. When he stopped laughing he said he'd make some calls, lawyer to lawyer. And he is in Delaware. The address in DE of the NS host to panix is a residence, FWIW. Wilmington is not a large place...

      I must say when I heard panix had been hijacked by something in Wilmington De and Canada my heart stopped till I found out it wasn't me and John.

      If you're not scared enough, JB suggests you go to any_domain.1bu.com and welcome to the Chinese global phishing site.

      --
      Need Mercedes parts ?
    5. Re:Panix by Simon+Brooke · · Score: 4, Informative

      As of 17:03 GMT, I am getting (via British Telecom's nameservers):

      Domain Name.......... panix.com
      Creation Date........ 1991-04-22
      Registration Date.... 2005-01-15
      Expiry Date.......... 2006-04-23
      Organisation Name.... vanessa Miranda
      Organisation Address. 1010 Grand Cerritos Ave
      Organisation Address.
      Organisation Address. Las Vegas
      Organisation Address. 89123
      Organisation Address. NV
      Organisation Address. UNITED STATES

      Admin Name........... na vanessa Miranda
      Admin Address........ 1010 Grand Cerritos Ave
      Admin Address........
      Admin Address........ Las Vegas
      Admin Address........ 89123
      Admin Address........ NV
      Admin Address........ UNITED STATES
      Admin Email.......... jzoh@yahoo.com
      Admin Phone.......... +44.702413697
      Admin Fax............ +44.7026413697

      Tech Name............ Domain Admin
      Tech Address......... Burnhill Business Centre
      Tech Address.........
      Tech Address......... Beckenham
      Tech Address......... BR3 3LA
      Tech Address......... Kent
      Tech Address......... GREAT BRITAIN (UK)
      Tech Email........... admin@powerhost.co.uk
      Tech Phone........... +44.2082496081
      Tech Fax............. +44.2082496076
      Name Server.......... ns1.ukdnsservers.co.uk
      Name Server.......... ns2.ukdnsservers.co.uk

      --
      I'm old enough to remember when discussions on Slashdot were well informed.
    6. Re:Panix by Antique+Geekmeister · · Score: 2, Interesting

      Because BGP is a technical solution to a human problem, that of verifying users' requests. And the BGP traffic is already a significant amount of traffic to core routers: adding another layer of manipulation and complexity to them is asking for more brokenness, and many of the top-tier providers manipulate their BGP information to raise the "distance" of what are fiscally expensive routes, or to blackhole people they don't like.

      Take a look at the routing wars surrounding the various spam blackhole lists if you're curious about this.

    7. Re:Panix by rs79 · · Score: 1

      We're not talking about the same thing. Go read the NANOG thread and pay attention to the post regarding a quick BGP change.

      --
      Need Mercedes parts ?
    8. Re:Panix by arwel · · Score: 1

      Admin Name........... na vanessa Miranda
      Admin Address........ 1010 Grand Cerritos Ave
      Admin Address........
      Admin Address........ Las Vegas
      Admin Address........ 89123
      Admin Address........ NV
      Admin Address........ UNITED STATES
      Admin Email.......... jzoh@yahoo.com
      Admin Phone.......... +44.702413697
      Admin Fax............ +44.7026413697

      Hmm, no surprise there -- a Nevada address, and an invalid UK phone number (1 digit too short for a UK mobile number, as +44-7 numbers are). That admin fax number doesn't work either, I just called it! Anyone laying any odds that that yahoo.com address would work? :)
    9. Re:Panix by wpanderson · · Score: 1

      You're not getting that via BT's nameserver, whois records come from whois servers, not DNS servers.

      --
      neuro at well dot com (when I post, it's my opinions, no-one elses)
  2. Total Hypocrisy, Michael by Jewcatur · · Score: 5, Informative
    Wow, total irony here

    Do you realize how hypocritical that Michael is posting this story when Michael himself hijacked censorware.org from the people it belonged to? I reproduce the story here (you can read the original here:

    Michael Sims, Domain Hijacking and Moral Equivalency by Jonathan Wallace jw@bway.net

    How would you feel if your webmaster maliciously took your web-site offline, then, when you demanded its return, put up a site attacking your company at your old URL? It happened to a group I was involved in, the Censorware Project, currently at http://www.censorware.net. The purpose of this essay is to put the behavior on record, and to give you some impressions and inferences about it.

    The Censorware Project was originally an informal collective of six people who collaborated online to fight censorware: Seth Finkelstein, Bennett Haselton, Jamie McCarthy, Mike Sims, Jim Tyre and myself. Several of us had never met or even spoken on the phone, yet for some time -- around two years as I recall -- we had a remarkably easy collaboration. There was no funding, no hierarchy, no titles, not even project managers. Someone would suggest a project and take the responsibility for a part of it, others would sign up for other elements, and proceeding this way we got a remarkable amount of work done, including reports on X-Stop, Cyberpatrol, Bess and other censorware products.

    Even though two of us were attorneys -- Jim and myself -- we never incorporated the group or wrote a charter or any contracts among ourselves. Mike Sims was obliging enough to register the domain, just as other members paid for press releases and the other incidental expenses which came along. Mike also served as webmaster of the censorware.org site and did substantial work for the group, including writing contributions to several of the reports and lead authorship of at least one. Seth was the source of our decrypted censorware blacklists and managed many technical tasks, but later felt he had to leave the group because of the increasing prospects of a lawsuit, particularly under the Digital Millennium Copyright Act (DMCA). After Seth left the group, the remaining five continued.

    Robert Frost said that "nothing gold can stay," and the Censorware Project was no exception. Over the summer of 2000, Mike Sims' reaction to a perceived slight from Jim Tyre was to take the site down for a week. He sent us mail at the time saying something like "The Censorware Project is now closed." I replied to him that, given that the group was a collective and we all had an interest in its work product, the domain, and the goodwill it had achieved, the decision was not his to make. Sims did not reply.

    After Seth created a partial, text, mirror, Mike put the site back up a week later without explaining, let alone apologizing for, his actions. Given his continuing failure to answer any email from me (and I think from others) and the overall signs that Sims thought the group was exclusively his, I wrote him several emails requesting that he turn the domain over to Jamie or Bennett, as I felt we could no longer trust him to administer it. We also found out during that time that important email from people trying to contact us, including members of the press, was not being answered by Sims, nor being forwarded to other members.

    I ultimately became exasperated that my name was listed as a principal on what had now become a "rogue" site I had no control over. Over about

    1. Re:Total Hypocrisy, Michael by Anonymous Coward · · Score: 4, Insightful

      > Mike Sims was obliging enough to register the domain

      In other words he owned the name from the beginning, hence could not 'hijack it'.

      I'm going for a drive in my car. Can my neighbour report the car stolen? well sure, if they're stupid.

      That's what this is.

    2. Re:Total Hypocrisy, Michael by Anonymous Coward · · Score: 0

      Wrongo. Michael only "owned" the domain because he was the one who registered it. The whole group was putting financial resources into the whole website.

      Michael had no right to steal it away, only a legal technicality allowed him to stay criminally out of trouble

    3. Re:Total Hypocrisy, Michael by Anonymous Coward · · Score: 0

      Ah, but technicalities are the soul of law. Or something like that.

      It may not have been RIGHT, it may not have been JUST, but it was LEGAL.

    4. Re:Total Hypocrisy, Michael by Anonymous Coward · · Score: 0

      No one is saying it was illegal (Please note where this is mentioned in the text). This is still hijacking and that makes Michael Sims a hypocrite for even posting this story.

    5. Re:Total Hypocrisy, Michael by barc0001 · · Score: 2, Interesting

      Oh, I see. So because someone does something that's wrong, they can never talk about it, or post stories if someone else does the same wrong thing? Cool! I bet every cop who's ever given me a speeding ticket has sped at least once, so I can ignore them from this point on!

      So, you're one of the persons Michael screwed over. What does that have to do with Panix?

    6. Re:Total Hypocrisy, Michael by Anonymous Coward · · Score: 0

      Yes. Should pedophiles be allowed to work with children? Should a rapist be allowed to work in a women's shelter?

      BTW, I'm not one of the parties involved, I am just a person who reads and posts here.

      Unless Michael can at least have the balls to own up for what he did and make right, he is nothing but a hypocrite and has NO business acting high and mighty and pretending to be on the side of the good guy.

    7. Re:Total Hypocrisy, Michael by Black+Is+Beautiful · · Score: 4, Insightful

      Note that he never said that Michael shouldn't post such things. But one must remember that a person should practice what they preach, lest they become a hypocrite.

      If michael doesn't want to be scrutinized over such things, then he shouldn't hijack domains.

      --
      www.gnaa.us
    8. Re:Total Hypocrisy, Michael by martinoforum · · Score: 5, Insightful

      It's certainly ironic, I must say. But judging by most of my reading, the sole requirement of being an editor on a Linux or Open Source related news site is to be as insufferable an asshole as possible and refuse to resign, ever, regardless.

      If it wasn't for the fact that I read Slashdot purely to be reminded of the fact that being a geek does not make you smart - something I feel it is good to remind oneself of on a regular basis - I would probably have stopped reading in horror.

      But really, it would only matter if Michael had a good job. "He hijacked their domain! And now he's a success!" they cry. A success? Jesus, by what standards!? He reads hoax stories about fish washed up by tsunamis, doesn't bother to check any facts and just posts them regardless. And that doesn't even constitute doing a bad job, by Slashdot standards. So if that's the standards they require, I can't imagine it is too hard to get qualified "journalists" to work for them, and they doubtless pay a rate commensurate to his boundless skills.

      Just get back to your Neal Stephenson books and consider him Andrew Loeb, everybody. He'll doubtless get shot in the end anyway...

    9. Re:Total Hypocrisy, Michael by Anonymous Coward · · Score: 5, Insightful

      Mike Sims was obliging enough to register the domain

      Because you didn't have any formal organization, he screwed you.

      That's the problem with relying on donated resources, they can go away at any time. Mike donated the domain name and webserver, then chose not to.

      What he did next shows that he's not an honorable person, but then we knew that from his editorializing here on /..

    10. Re:Total Hypocrisy, Michael by sexysciencegirl · · Score: 5, Interesting

      Parent's post is at +5 at 12:30amPST, 1/16/05. Who wants to bet that it
      1) will be fixed at -1
      2) becomes another post of death
      before the day is over?
      It wouldn't be the first time when slashdot editors' actions go directly against their high-horse stance against censorship and try to hide any views that they personally don't like.
      I would like to remind Michael that you only support free speech if you support your enemies' rights to say things that you don't like and hope that you prove me wrong.

    11. Re:Total Hypocrisy, Michael by Anonymous Coward · · Score: 0

      Big F'ing Deal. Some day you'll probably tell your kids not to have sex before marriage and that underage drinking is a horrible, horrible crime.

    12. Re:Total Hypocrisy, Michael by Anonymous Coward · · Score: 0

      No, I wont actually. Not sure how you made this connection to stealing a domain name.

    13. Re:Total Hypocrisy, Michael by barc0001 · · Score: 2, Insightful

      Yes. Should pedophiles be allowed to work with children? Should a rapist be allowed to work in a women's shelter?

      Of course not. But your analogy is very flawed, because that's not what Michael is doing here. Let me fix it for you:

      Should a rapist be allowed to call the cops on another? Should a pedophile be able to blow the whistle on another pedophile cruising the schoolyard?

      What do YOU think the answer to those two questions should be?

      Now, if this was a story about how Michael was registering another domain for another website he'd offered to "help", then your analogy would hold.
      And if you are truly not involved with that project, might I suggest you take that chip off your shoulder? Maybe Michael isn't the nicest guy, who knows? Maybe he had a reason to do what he did, maybe not. All I read in that essay is one person's version of the facts, and as is usually the case, it's all a screed of "We did nothing wrong, he went nuts". Such things are rarely black and white, I am sure there is a lot more to the story than one person's writeup.

    14. Re:Total Hypocrisy, Michael by Anonymous Coward · · Score: 0

      Of course not. But your analogy is very flawed, because that's not what Michael is doing here

      My analogy is fine. The point of an analogy is to take two different contexts with the same meaning and bring them together logically.

      What do YOU think the answer to those two questions should be?

      Michael is not blowing the whistle on anyone. You are mistaken on the fact that Michael is the one who discovered this story and submitted it when it is clearly not the case. Michael took a story submission and it is being used to make him look like a hero, instead of the hypocrite he really is.

      It is great if a rapist can "Sin no more" and reform himself. But in the case of Michael, he continues to harass the very people whom he stole the domain from to this day and does not apologize or make right for his wrongs.

      Maybe he had a reason to do what he did, maybe not.

      Yeah, I'm sure plenty of rapists, murders, muggers, and etc. all had good reasons to do what they did too.

    15. Re:Total Hypocrisy, Michael by barc0001 · · Score: 4, Funny

      Yeah, well I got in a pissing match with an AC troll. Guess I get what I deserve.

      Way to not get it, guy.

    16. Re:Total Hypocrisy, Michael by isometrick · · Score: 1

      Well, I hate analogies, but here's my try: Would you think highly of a rapist and/or pedophile that published public criticisms of other rapists and/or pedophiles? I think it's almost like "the pot calling the kettle black." Also, IMHO and I'm not trying to troll, Michael is a horrible editor. I don't know anything about the hijacking situation, but if Michael did do it I'd say this is still a pretty funny post. It's not necessarily WRONG of him to post the submission, but it's still quite funny.

    17. Re:Total Hypocrisy, Michael by Sri+Lumpa · · Score: 1


      "Oh, I see. So because someone does something that's wrong, they can never talk about it, or post stories if someone else does the same wrong thing?"

      Michael never apologised for his behaviour or tried to correct it so it is certainly highly hypocritical of him to say that it is wrong for others to do something when he himself is doing the same thing he is denouncing.

      It's like an adulterer throwing a stone to a libertine.

      --
      "The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers." Bill Gates,
    18. Re:Total Hypocrisy, Michael by barc0001 · · Score: 1

      At least I have a posting history you can look at to see if I am just a troll or someone worth the time of engaging in a discussion. Something I'd like you to consider.

      That is, if this is the same AC that wrote the last message. It's just so hard to tell, ya know.

    19. Re:Total Hypocrisy, Michael by Anonymous Coward · · Score: 0

      who fucking cares? Slashdot isn't the fucking govt and doesn't have to give a rat's ass about free speech if they don't want to.

    20. Re:Total Hypocrisy, Michael by Anonymous Coward · · Score: 0

      You're assuming that the editors actually read this site and its comments. Judging by the number of duplicate stories, I'd say that's not very likely.

    21. Re:Total Hypocrisy, Michael by _KiTA_ · · Score: 1, Interesting

      Here's a crazy idea. Maybe it'll be modded -1 troll because, well, he's trolling? Just a thought.

    22. Re:Total Hypocrisy, Michael by Anonymous Coward · · Score: 0

      I'm the guy who wrote the AC posts above. I sincerely apologize for being an asshole. You are completely right, and I am completely wrong. I hope one day you can forgive me and we can hold hands and take long walks on the beach.

    23. Re:Total Hypocrisy, Michael by Ithika · · Score: 1

      "Should pedophiles be allowed to work with children? Should a rapist be allowed to work in a women's shelter?"

      Ahem, I think what you mean to say is:

      - Should paedophiles be allowed to report the actions of other paedophiles in their job?
      - Should rapists be allowed be allowed to report the actions of other rapists in their job?

      "has NO business acting high and mighty and pretending to be on the side of the good guy"

      I think you mistake "reporting a story" for "acting high and mighty". Unless you are naive enough to assume that all journalists/editors are morally whiter-than-white you should really shut up.

    24. Re:Total Hypocrisy, Michael by Anonymous Coward · · Score: 0

      Of course, you can feel free to call me an "AC Troll" all you want (interesting that people berate people for being AC while they are posting from a pseudonym that is barely any less anonymous), it doesn't bother me.

      Why on Earth is this moderated down as a Troll? It is true. Unless people show their email address and/or personal web site with their /. username, they are all AC's.

    25. Re:Total Hypocrisy, Michael by gaspyy · · Score: 4, Interesting

      As always, misleading analogy.

      It's more like this
      Gullible Buyer: "Hey friend, you are more knowledgeable with cars, will you buy me one? Here's the cash, go to the local dealer, buy whatever seems good; I don't know all the tech-speak and I am sure the sales rep. will try to rip me off"
      Friend: "Sure. Count on me" ...
      Later:
      Friend: "I bought this great car, but I made the papers on my name. But don't worry, I'll let you drive it"
      Gullible Buyer: "Uhhh, thanks, I guess" ...
      Later:
      Friend: "You know, this car is mine, so fuck off!"

      Believe it or not, I've seen this happening more than once with regard to domain names. One example: The client is a newcomer and the contractor was SO helpful, they provided the internet connection, made and hosted the company website and even registered the domain name (on their name, not the client's name). The client doesn't even notice. A few years after that, the client realizes the mistake, tries to take ownership of the domain. The contractor asks for $50,000.

      Luckily, in that case the client also has a trademark on the name, so i advised them to threaten the contractor with a lawsuit and never give in. I don't know the latest status in this matter but I think the contractor will give the domain to the rightful owner.

    26. Re:Total Hypocrisy, Michael by Sardak · · Score: 1

      3) Or maybe he's just saying, "The important thing is I didn't get my comeuppance, and I never will."

    27. Re:Total Hypocrisy, Michael by julesh · · Score: 0

      The discussion regarding posts of death was interesting, thanks for pointing me to that. Unfortunately I can't see anywhere better than here to leave a comment on it.

      The person commenting seems to assume that everyone who is banned from moderating is also banned from metamoderating. This is clearly not the case, as I have a mod ban (for moderating an editor's offtopic post down) but not a metamod ban.

    28. Re:Total Hypocrisy, Michael by wcdw · · Score: 0, Offtopic

      Great, another person who didn't bother to actually READ the post.

      If I had mod points, *I* would mod the article in question down, as it has no relevance whatever to the parent.

      I _certainly_ have no love of the /. editors, being among the thousands who have submitted rejected stories only to see them posted later (sometimes much later) by others.

      However - get a life. If you hate this site that much, why read it???

      --
      If you're not living on the edge, you're just taking up space!
    29. Re:Total Hypocrisy, Michael by Anonymous Coward · · Score: 0


      He didn't hijack the domain, it was his to begin with. While he may have been childish and "taken his ball home" as it were, he took nothing of yours. You chose to work at adding value to something that wasn't yours. Chalk it up to a life lesson and move on.

    30. Re:Total Hypocrisy, Michael by Anonymous Coward · · Score: 0

      being a geek does not make you smart

      and being smart doesn't make you wise.

    31. Re:Total Hypocrisy, Michael by Anonymous Coward · · Score: 0

      Exactly, i hate stupid whiny bitchs. Anyways it was her 5th post. I dont think shes been here too long.

    32. Re:Total Hypocrisy, Michael by NanoGator · · Score: 1

      "Of course, you can feel free to call me an "AC Troll" all you want (interesting that people berate people for being AC while they are posting from a pseudonym that is barely any less anonymous), it doesn't bother me."

      Wrong. They're the only one that can use their nick due to password protection. They are not nearly as anonymous with a registered nick, nor do you have a strong point.

      --
      "Derp de derp."
    33. Re:Total Hypocrisy, Michael by stor · · Score: 1

      Why on Earth is this moderated down as a Troll? It is true. Unless people show their email address and/or personal web site with their /. username, they are all AC's.

      Wrong. With accounts you can see the person's posting history, how they've been moderated, friends, responses to their posts, journal...

      Cheers
      Stor

      --
      "Yeah well there's a lot of stuff that should be, but isn't"
    34. Re:Total Hypocrisy, Michael by Anonymous Coward · · Score: 0
      Because you didn't have any formal organization, he screwed you.

      Yes, which is exactly what he said at the end of it. Why is this modded up?

    35. Re:Total Hypocrisy, Michael by leereyno · · Score: 1

      I'm far more likely to give them condoms, buy them whiskey, and let them borrow my Japanese Spin-Fuck chair.

      --
      Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
    36. Re:Total Hypocrisy, Michael by Anonymous Coward · · Score: 0

      Since replying to the original post Michael has banned my subnet from posting on Slashdot.

      "If I am to be continuously accused of evil deeds, I might as well do them" - Michael Sims

      Do a google search on this loser and see what comes up. I hope his history follows him to every McDonalds Tech job he ever submits an application for.

    37. Re:Total Hypocrisy, Michael by msim · · Score: 1

      what really sucks is he has the same bloody name as me and when i read this (and the read of the child posts) i am cringing, i am cringing a lot

      *shudder*

      --

      Life is like a box of chocolates, you never know when your gonna get food poisoning.
    38. Re:Total Hypocrisy, Michael by Anonymous Coward · · Score: 0

      oh so delicious

  3. Obligitory by Anonymous Coward · · Score: 1, Funny

    I'd like to jack your domain, if you're servicing my backbone.

    1. Re:Obligitory by Anonymous Coward · · Score: 0

      I'd like to service your backbone, if you're routing my /16.

    2. Re:Obligitory by Anonymous Coward · · Score: 0

      I'd like to route your /16, if you're moving my DNS records.

  4. Don't Panix! by Anonymous Coward · · Score: 0

    Just a subject gag

  5. This happens quite a bit... by eviljim · · Score: 5, Informative

    It's not surprising this has happened. Many, many companies do not take administrating their domain seriously, and several registrars -- Network Solutions especially -- make it very easy to steal domains.

    I know this from experience -- many years back one morning I woke up and Excite.com, Angelfire.com, and a few other domains were mysteriously owned by me. The only thing the hijacker needed to do (it wasn't me, by the way) was send in a single email. Old Story at Wired.

    1. Re:This happens quite a bit... by John+Seminal · · Score: 3, Interesting
      It's not surprising this has happened. Many, many companies do not take administrating their domain seriously

      How do you administer domain security??? All I can think of is a tough password for the registrar. Or do all the changes by telephone only.

      --

      Rosco: "If brains were gunpowder, Enos couldn't blow his nose."

    2. Re:This happens quite a bit... by eviljim · · Score: 2, Informative

      First and foremost, choose a registrar that is secure. Under the old Network Solutions regime things were mostly done with email forms and the base method of security was verifying the "From" address an email was sent by. Yeah. That's not very secure, yet Excite was using it as opposed to at least the slightly better password or crypt-password options.

      Most registrars now use password protection and a web interface (Network Solutions does this now too). Yet like with everything else people will have stupid passwords, and some registrars allow people to have stupid passwords.

      Also, domains can be locked. This gives some security -- it prevents a transfer from going through unless you log in to your current registrar to unlock the domain first. This is a bit of added security.

      Finally, make sure your email is secure and VALID. The number of people with invalid emails in their domain profile is staggering. Without a valid email you won't be notified that a domain is attempting to be transferred. If someone gets into your email, it's also likely they can get the login details for your registrar account.

      Okay that finally wasn't too final -- here's a few more things: don't deal with resellers. Go straight to a registrar and make sure they are ICANN accredited (not selling for someone else who is). Deal with a company with a good reputation.

    3. Re:This happens quite a bit... by ErichTheWebGuy · · Score: 2, Insightful

      Well, with a name like eviljim, I'm not surprised they wound up under your control [grin]

      --
      bash: rtfm: command not found
    4. Re:This happens quite a bit... by Anonymous Coward · · Score: 0

      Ahh the telephone!!! My favorite social eng. weapon...

    5. Re:This happens quite a bit... by Aurix · · Score: 1

      Okay that finally wasn't too final -- here's a few more things: don't deal with resellers. Go straight to a registrar and make sure they are ICANN accredited (not selling for someone else who is). Deal with a company with a good reputation.


      Can anyone comment how much more protection this gives from domain transfers? If you have the domain locked, isn't that enough protection in itself?

      Cheers.
    6. Re:This happens quite a bit... by eviljim · · Score: 3, Interesting

      It can actually make a big difference... not so much for transferring (although it is possible that the reseller steals your domain), it's just another layer where something could go wrong.

      Also, resellers often have the same power you have over a domain -- they could easily change the admin contact to themselves, for example.

      Or, in a recent example, the employee of one reseller decided to delete everyone's domains. The users were forced to either pay some price over $100 to get the domain from redemption or potentially lose the domain (aside from the fact that what they paid for the domain was gone). If you care to read about that, here is a rather long thread on it.

    7. Re:This happens quite a bit... by jez9999 · · Score: 1

      Interesting. The registrar I've long used, buydomains.com, doesn't appear to be ICANN-accredited, yet I've never had a problem with them or heard anyone who has. Is there a reason why a perfectly good registrar wouldn't get ICANN-accredited?

    8. Re:This happens quite a bit... by wwahammy · · Score: 1

      I think it's significantly cheaper. Registrars have to fulfill a complex set of requirements I believe to be accredited by ICANN. This of course is more expensive.

    9. Re:This happens quite a bit... by Anonymous Coward · · Score: 0

      There was also a period when you set your NSI-hosted domain so you could do NSI domain stuff via email only when you pgp-signed your email appropriately. I was fond of that.

    10. Re:This happens quite a bit... by alonsoac · · Score: 1

      You can lock the domain, then it can't be transferred and in theory only you can unlock it. Or at least that's what we're told by Godaddy.

    11. Re:This happens quite a bit... by Antique+Geekmeister · · Score: 2, Informative

      The surprise isn't that such a theft happened. The surprise is that it took this long. Verisign's willingness and ability to verify their customers' identity has been a joke for years, as thousands of throwaway domains registered by spammers and other frauds have demonstrated.

      Verisign doesn't want to verify and fully identify their customers. It's a lot of work, it doesn't create extra business, and it would make the fraud domains too traceable and cost them a significant revenue source, and would make them accountable for damages when their lax policies allow such thefts. The benefit would be to legitimate customers such as panix.com, but Verisign has always been about generating new profit sources, not improving the security of current services.

      On top of Verisign's hijacking of all unassigned *.com addresses, this is another reason for ICANN to review Verisign's ownership of the .com top level servers and consider giving them to another, more reliable provider.

    12. Re:This happens quite a bit... by pcjunky · · Score: 1

      This happened to my domain (cyberstreet.com) back in 1999. Someone forged my return address and sent an Email to Netsol requesting the DNS change. It took several days and lots of time on the phone to netsol to fix this.

      Apparently all the thief had to do was send one email. Netsol ASSUMED (ASS out of U and ME) that I had requested this and did it without any attempt to verify this with me.

      I am alarmed to hear what happened to panix because I had thought this security issue was fixed.

    13. Re:This happens quite a bit... by eviljim · · Score: 1

      Usually becoming a reseller requires little or no investment upfront (free signup, free software).

      Becoming an ICANN accredited registrar means large fees and you also need to prove a substantial amount of working capital in order to be approved. Financial Requirements.

      And, just to be nit-picky, unless the company is ICANN accredited they are not actually a registrar (just a reseller).

  6. More details, please... by EvilStein · · Score: 4, Interesting

    *How did this happen?
    *Was it the registrar that was at fault?
    *Did they forget to renew the domain?
    *What is the registrar doing about the issue? (if anything)

    I'm kind of curious about this..

    1. Re:More details, please... by Gendalia · · Score: 5, Informative

      Panix's registrar has no record of the transfer request. Dotster's whois shows that the domain needs to be renewed by April.
      Registrant:
      Public Access Networks Corp.
      15 West 18th Street, 5th floor
      New York, NY 10011
      US

      Registrar: DOTSTER
      Domain Name: PANIX.COM
      Created on: 22-APR-91
      Expires on: 23-APR-05
      Last Updated on: 15-JAN-05

      Administrative, Technical Contact:
      Hostmaster, Panix hostmaster@panix.com
      Public Access Networks Corp.
      15 West 18th Street, 5th floor
      New York, NY 10011
      US
      212-741-4400
      212-741-5311

      Domain servers in listed order:
      NS1.ACCESS.NET
      NS2.ACCESS.NET

      End of Whois Information

    2. Re:More details, please... by Fully+Sick+Like+Ot's · · Score: 1

      Ha Ha Dotster as the losing registrar, need to authorise the transfer away with the current owner, it's a standardised email issued by ICANN with a link that needs to be accepted by the registrant. Wow hasn't anyone transferred a licence before, or do we just take what we are told for granted?

    3. Re:More details, please... by ahodgson · · Score: 1

      That is not true. If the domain is not REGISTRAR-LOCK then any other registrar can request a transfer of the domain. If the current registrar does not explicitly deny the request, the domain automatically gets transferred after 5 business days.

    4. Re:More details, please... by Alan+Cox · · Score: 1

      If the sex.com case is precedent and verisign screwed up then I imagine it's going to be expensive for them. If verisign has been compromised then the situation is going to look bad for them as they are allegedly trusted enough to handle large numbers of SSL certificates...

    5. Re:More details, please... by rs79 · · Score: 1

      "If the sex.com case is precedent"

      What he said. It took what, 5 years to get that fixed?

      --
      Need Mercedes parts ?
    6. Re:More details, please... by Fully+Sick+Like+Ot's · · Score: 1

      Hey A, Thanks for clarifying I apologise you are right, "Once you have entered into the Agreement, the transfer will take place within five (5) calendar days unless the current registrar of record denies the request." So why wouldn't the ISP in question deny the request? I still think people are blaming the wrong parties for this 'Travesty'.

      STANDARDIZED FORM OF AUTHORIZATION
      DOMAIN NAME TRANSFER - Initial Authorization for Registrar Transfer

      An English version of this message is contained below.

      ENGLISH VERSION

      Attention:

      Re: Transfer of

      [OPTIONAL text: The current registrar of record for this domain name is .]

      has received a request from [OPTIONAL text:] via [END OPTIONAL TEXT] on for us to become the new registrar of record.

      You have received this message because you are listed as the Registered Name Holder or Administrative contact for this domain name in the WHOIS database.

      Please read the following important information about transferring your domain name:

      You must agree to enter into a new Registration Agreement with us. You can review the full terms and conditions of the Agreement at

      Once you have entered into the Agreement, the transfer will take place within five (5) calendar days unless the current registrar of record denies the request.

      Once a transfer takes place, you will not be able to transfer to another registrar for 60 days, apart from a transfer back to the original registrar, in cases where both registrars so agree or where a decision in the dispute resolution process so directs.

      If you WISH TO PROCEED with the transfer, you must respond to this message via one of the following methods (note if you do not respond by , will not be transferred to us.).

      [NOTE: a registrar can choose to include one or more of the following in the message sent to the Registered Name Holder or Admin contact, and additional processes may be added with ICANN approval. The order in which options are presented is a decision for each registrar. Further, in addition to the options below, the registrar may choose to request the "Auth-Info" code from the Registered Name Holder or Administrative Contact]

      [option 1] please email us with the following message: "I confirm that I have read the Domain Name Transfer - Request for Confirmation Message. I confirm that I wish to proceed with the transfer of from ."

      [option 2] please go to our website, to confirm. [Note: website to contain text as above, with the option to confirm or deny the transfer]

      [option 3] please print out a copy of this message and send a signed copy to

      If you DO NOT WANT the transfer to proceed, then don't respond to this message.

      If you have any questions about this process, please contact .

  7. whois by kyoko21 · · Score: 0, Troll

    Found crsnic referral to whois.melbourneit.com.

    Domain Name.......... panix.com
    Creation Date........ 1991-04-22
    Registration Date.... 2005-01-15
    Expiry Date.......... 2006-04-23
    Organisation Name.... vanessa Miranda
    Organisation Address. 1010 Grand Cerritos Ave
    Organisation Address.
    Organisation Address. Las Vegas
    Organisation Address. 89123
    Organisation Address. NV
    Organisation Address. UNITED STATES

    Admin Name........... na vanessa Miranda
    Admin Address........ 1010 Grand Cerritos Ave
    Admin Address........
    Admin Address........ Las Vegas
    Admin Address........ 89123
    Admin Address........ NV
    Admin Address........ UNITED STATES
    Admin Email.......... jzoh@yahoo.com
    Admin Phone.......... +44.702413697
    Admin Fax............ +44.7026413697

    Tech Name............ Domain Admin
    Tech Address......... Burnhill Business Centre
    Tech Address.........
    Tech Address......... Beckenham
    Tech Address......... BR3 3LA
    Tech Address......... Kent
    Tech Address......... GREAT BRITAIN (UK)
    Tech Email........... admin@powerhost.co.uk
    Tech Phone........... +44.2082496081
    Tech Fax............. +44.2082496076
    Name Server.......... ns1.ukdnsservers.co.uk
    Name Server.......... ns2.ukdnsservers.co.uk

    now that you know the email address...spam away!

    1. Re:whois by Anonymous Coward · · Score: 2, Insightful

      Ah yes, Only on Slashdot will you hear the same people bemoan their inbox being filled with spam but at the same time suggesting that spamming is a legitimate way of getting back at people you don't like.

      Have you ever thought that the email addresses listed could be of innocent people that the person responsible wants to get in trouble?

      No, of course you didn't.

    2. Re:whois by Anonymous Coward · · Score: 0

      Admin Phone.......... +44.702413697
      Tech Phone........... +44.2082496081

      I phoned these numbers, the Admin number is invalid, the Tech number is valid but goes to voicemail, the message says "This is burnhill business centre...".

    3. Re:whois by BJH · · Score: 1

      now that you know the email address...spam away!

      I hope we see a retraction and apology for that smartass remark. If you'd bother to look into the situation, you'd know that the whois info most likely has nothing to do with the person/people who hijacked the domain.

    4. Re:whois by Anonymous Coward · · Score: 0

      I'm having lots of fun going to melbourneit.com and searching for the domain panix.com and then requesting a backorder on it!!

    5. Re:whois by matthew.thompson · · Score: 1

      Just to clarify, the DNS servers are not in the UK despite the domain names. ukdnsservers.co.uk is registered to a Wilmington, DE corporation

      Domain Name:
      ukdnsservers.co.uk

      Registrant:
      ActiveBytes Software LLC

      Administrative Contact's Address:
      2530 Channin Drive
      Wilmington
      DE
      19810 US

      Registrant's Agent:
      Fibranet Services Ltd [Tag = FIBRANET]

      Relevant Dates:
      Registered on: 25-Mar-2000
      Renewal Date: 25-Mar-2006
      Last updated: 11-Dec-2004

      Registration Status:
      Registered until renewal date.

      Name servers listed in order:
      ns3.ukdnsservers.co.uk 142.46.200.68
      ns4.ukdnsservers.co.uk 207.61.90.197

      WHOIS database last updated at 10:05:01 16-Jan-2005

      However powerhost.co.uk appears to be a UK company - and just down the road from me

      Domain Name:
      powerhost.co.uk

      Registrant:
      Fibranet Services Ltd

      Administrative Contact's Address:
      2a Sutherland Avenue
      Biggin Hill
      Kent
      TN16 3HE
      England

      Registrant's Agent:
      Tollon Limited t/a ukureg [Tag = UKUREG]
      URL: http://www.tollon.net

      Relevant Dates:
      Registered on: 04-Mar-1998
      Renewal Date: 04-Mar-2006
      Last updated: 04-Apr-2004

      Registration Status:
      Registered until renewal date.

      Name servers listed in order:
      ns1.powerhost.co.uk 217.69.32.5
      ns2.powerhost.co.uk 217.69.32.6

      WHOIS database last updated at 10:05:01 16-Jan-2005

      --
      Matt Thompson - Actuality - Insert product here.
    6. Re:whois by msaulters · · Score: 1

      It doesn't matter that the domain name is resolving to powerhost.co.uk. What matters is the NS listings in the registrant entry and where THOSE nameservers are located (apparently, Ottawa). Either these guys have been hacked or they purposefully added zone info for panix.com to their name servers.

      --
      These people looked deep into my soul and assigned me a number based on the order in which I joined.
    7. Re:whois by swe · · Score: 1

      Looking on google for that number reveals:

      http://www.roynet.co.uk/DeveloperHost.htm
      ---
      "TOLLON
      Stewart Hodge 0208 249 6081"
      ---

    8. Re:whois by Anonymous Coward · · Score: 0

      Ah ain't no expert, but doesn't this registration date mean that they probably forgot to renew, and someone just nabbed it?

      Domain Name.......... panix.com
      Creation Date........ 1991-04-22
      Registration Date.... 2005-01-15

    9. Re:whois by KarmaMB84 · · Score: 1

      No, it was due to expire in April but someone apparently was able to have it transferred regardless of locking and apparently without notice to either the registrar or the owner.

    10. Re:whois by Anonymous Coward · · Score: 0

      Some of us may live in Delaware near this address... just let us know what needs to be done and maybe a visit can be arranged. Just simple information-gathering, you know.

    11. Re:whois by dickens · · Score: 1

      Beware any company incorporated in Delaware. The postage stamp state's main reason for existence is its weak corporate liability laws.

  8. wspanix by Anonymous Coward · · Score: 0

    widespread panix rocks and will be on tour soon!

  9. How can this happen?? by John+Seminal · · Score: 2, Interesting
    I am writing this as a webmaster of a smaller personal website.

    How can someone take my domain, that I paid for, and hijack it? And if you register for a domain, for a period of time, say 1 year, can someone at the end of that time come and take the domain away, or do you always get the first chance to renew?

    Does security of domains have anything to do with the company that registers??

    There are so many questions...

    --

    Rosco: "If brains were gunpowder, Enos couldn't blow his nose."

    1. Re:How can this happen?? by PornMaster · · Score: 4, Informative

      Well, first thing to do is use the feature "REGISTRAR-LOCK" to make sure that for a domain transfer, not only does there need to be authorization from the listed contacts, but also you need to log in to your registrar and unlock it first.

    2. Re:How can this happen?? by Fully+Sick+Like+Ot's · · Score: 1

      Hey John, I have close to 50 domain names, with a registrar, and I have learnt definitely to know what's going on at all times, because I don't have a company managing my 'Intellectual Property' I have to rely on my own management, and even then I have learnt the hard way. But I have learnt to blame my own ignorance and learn from it rather than point fingers at other people.

      Technically it is damn near impossible to 'hijack' a domain name if the proper precautions are taken. e.g. If you lock your domain names with your current registrar, all transfer aways are refused until the domain name is unlocked with a 'domain password' or 'registry key'. Keep this safe and personal and you won't ever have a problem.

      Someone else can take your domain name if you don't renew your licence, but even then that is almost difficult, because you have a certain period after the expiry date to renew the licence, e.g. 40 days, and then ICANN introduced a RGP (Redemption Grace Period) which allows the licence to be retrieved by the 'current' owner only 30 extra days after the licence is cancelled. But speaking from experience, the registry charges a huge fee to do this, something like 70.00 USD. Moral, keep your details updated so you are notified of the renewal. (Assuming that your domain registrar is reliable)

      The ironic thing is how do I know this?? I happen to be a customer for the same registrar under apparent scrutiny, I find the fact I can call them and they give me accurate information like this a breeze, plus I have so many domains that can be managed under one account, that only I have access to because I keep my password to myself. I wonder how this hijacker who had to have instigated the transfer with the 'Registry Key/Password', managed to do this when the only people who had access to it was the owner and Dotster???

      Stay Geeky, Fully Sick

    3. Re:How can this happen?? by rwyoder · · Score: 2, Informative

      Well, first thing to do is use the feature "REGISTRAR-LOCK" to make sure that for a domain transfer, not only does there need to be authorization from the listed contacts, but also you need to log in to your registrar and unlock it first.

      I am following the NANOG mailing list, and the domains were locked.
  10. Remember.... by Anonymous Coward · · Score: 0

    When Microsoft let its registration of Hotmail.com lapse? That was about the funniest thing I read that year.

    1. Re:Remember.... by Anonymous Coward · · Score: 0

      Well, judging by the fact it's only the 16th, and if the jokes only get better, we might see something half funny by the end of the year.

  11. Re:What? by aaron240 · · Score: 1

    What are you talking about?

  12. MODS, This isn't redundant by Anonymous Coward · · Score: 0, Informative

    For God's sake, this ISP has enough problems as it is. They already have their domain hijacked, the last thing they need is the rest of their website to be unavailable because of a slashdotting.

    Also, this is the 2nd post! Since the 1st post was a troll, how in the F is this redundant?

  13. Re:Man, I remember when trendy names were cool by John+Seminal · · Score: 1
    The only real ISPs that have any serious clout are run directly by the phone companies

    There are the cable companies too. Let's not forget them.

    I knew a guy who ran an ISP of sorts. He lived in an apartment complex, ordered a cable modem, then sold access to his neighbors. It was probably against his TOS with the cable company, but nobody ever bothered him, and he got service for free.

    --

    Rosco: "If brains were gunpowder, Enos couldn't blow his nose."

  14. 404? by TheoMurpse · · Score: 1

    Heh. And now I cannot connect to censorware.org at all.

    1. Re:404? by Black+Is+Beautiful · · Score: 0, Informative

      Domain ID:D5537279-LROR
      Domain Name:CENSORWARE.ORG

      Registrant ID:0-164394-Gandi
      Registrant Name:Michael Sims
      Registrant Organization:Michael Sims

      --
      www.gnaa.us
  15. PROFIT by killa62 · · Score: 2, Funny

    1 steal domain 2 sell it back 3 ??? 4 PROFIT!!!

    1. Re:PROFIT by dextr0us · · Score: 1

      1-- use tired old joke
      2--in soviet russia
      3-- make fun of dotcoms
      4-- aybabtu
      5-- goatse
      6-- ???
      7-- profit!!

      --
      "Martha Stewart can lick my Scrotum......do i have a scrotum?" -- Sharon Osbourne
  16. Rogue registrars? by tjls · · Score: 5, Informative
    I tried to post about this about 10 hours ago, but no luck. Sigh.

    What seems to have happened is that somehow the Australian registrar "melbourneIT.com" yanked the fully paid-up registration away from Dotster (where Panix had it) without any notice whatsoever (this violates all the relevant RFCs for the Shared Registration System and the current ICANN policy *and* seems to indicate a severe bug or security problem somewhere in the registration system).

    What's particularly scary is that melbourneIT.com isn't open on the weekends, period (though oddly enough they transferred the domain first thing on Saturday, hmmmm) and won't do anything to help. There are lots of ugly details in the NANOG mailing-list archive, particularly in this message from Perry Metzger, this message from Richard Cox, and this message from me, which includes a slimy note from some customer-service flack at Verisign.

    This has clearly happened to others in the past, and highlights a serious flaw in the current registry-registrar system. We are not 100% sure how the domain was transferred between registrars with no notice to anyone (though I have some hunches I won't go into here right now) but consider this: a rogue or penetrated registrar can effectively put you out of business for the duration of the ICANN complaint and appeals process, with no notice, and there may be nothing you or anyone else can do about it short of extremely expensive legal action, even if you get law enforcement involved. Yuck.

    1. Re:Rogue registrars? by bani · · Score: 1

      raises the suspicion melbourneit was a willing party to the hijacking. it's happened before and melbourneit was involved.

      lots of spammers and domain squatters like to park domains at mit too.

      makes you wonder.

    2. Re:Rogue registrars? by ErichTheWebGuy · · Score: 4, Interesting

      What's particularly scary is that melbourneIT.com isn't open on the weekends, period ... and won't do anything to help.

      I can vouch for this. Melbourne IT is a horrible company to try to deal with. Many US registrars (including Yahoo! domains) are resellers of Melbourne IT's services. Now, if you have a problem with your domain, just try to get in touch with someone at Yahoo. The reply I got from Yahoo was: "there is no support from Yahoo for domain names purchased through Yahoo! domains."

      Then, try to get in touch with someone at Melbourne IT. "I'm sorry, only the reseller can help you with this problem, yes even though they refuse to help you, I can't help you."

      It took me two weeks to get a domain transferred out of Yahoo/Melbourne's control and into a sane registrar that gives a crap about their customers (register.com, you can actually talk to someone on the phone there, 24/7/365).

      Seems to me that they are snappy when it comes to theft of domains, yet sluggish when it comes to any form of customer service. My advice: Boycott Melbourne IT and all of its resellers until they get a clue.

      --
      bash: rtfm: command not found
    3. Re:Rogue registrars? by martinoforum · · Score: 1

      Two weeks? That sounds pretty good, it took months for me to get a dotcom transferred out of OneAndOne in the UK. After a while I took to emailing them virtually the same email every day, never getting an answer until I emailed a few other departments asking who the manager of the billing department was. Then I got a response in hours, claiming that I was "Harassing them". Ironically, at that point they actually relented and did what I'd been asking for months - releasing my domain for transfer.

      One of the reasons I wanted to transfer it was that they had attempted to charge an expired credit card, failed, pulled the plug on the hosting package and then - hilariously - took a week to get it back online. Ringing them resulted in "We're too busy, goodbye" messages and a hangup from their automated systems. Emailing them was ignored. And although you can change credit card details manually in their admin system - get this - they have to manually action the charge. It took them a week.

      So, two weeks sounds good to me.

    4. Re:Rogue registrars? by Cramer · · Score: 3, Interesting

      Since when has register.com ever been a "sane registrar"? You do know they've been dragged into court several times for fraud, predatory business practices, and yes, transferring domain registrations without authorization. Specifically, they were sending domain renewal notices (that looked almost exactly like netsol's notices) for domains that weren't their customers. And weren't expiring either.

    5. Re:Rogue registrars? by ErichTheWebGuy · · Score: 1

      I can't speak to that, I have no bad experiences to speak of with register.com at all. I can only speak to my own experience with them, which has been great. I have over 200 domains registered through them, and never had a problem at all.

      If what you say is true (and I will be looking at it), it might make me change my tune, but I don't think so. Even if they have been evil in the past, it's obvious to me that they have shaped up quite a bit.

      --
      bash: rtfm: command not found
    6. Re:Rogue registrars? by Aurix · · Score: 2, Insightful

      What's particularly scary is that melbourneIT.com isn't open on the weekends, period

      Perhaps you might like to check their site before you make such comments. They have 24/7 support.
    7. Re:Rogue registrars? by Anonymous Coward · · Score: 5, Informative

      I've worked for Melbourne IT, and can add a little here. I've got a little bit of info on the situation.

      It's currently about 9pm on Sunday night in Melbourne. People have been alerted. Things _are_ moving. People are most certainly aware of the situation and are working to get to the bottom of it.

      The tech contact address (admin@powerhost.co.uk) is that of one of Melb IT's UK resellers, Fibranet. Its presence would indicate the transfer was initiated under that reseller's account and their access to Melb IT's systems. Possibly (I'm speculating) someone may also have got access to the reseller's account other than the reseller.

      It wouldn't surprise me if whoever did this intentionally did this near midnight Saturday, Melbourne time, near the start of Melb IT's longest point of having the office closed (midday Saturday to 8am Monday, Melbourne time). During the week there are staff on 24 hours.

      I don't speak for Melb IT here, but I really think they're copping a lot of shit for something that's not their fault. I'm not claiming they're perfect, but hell - this was done when nobody was in the damned office. They're not _evil_ there (or perfect - just human) and would never initiate anything that'd bring down this much bad press.

      Someone's playing games and using Melb IT as a tool. It'll all get untangled before long and we'll find out who's really to blame for this.

    8. Re:Rogue registrars? by Magickcat · · Score: 1

      MelbourneIT originates from the hallowed halls of Melbourne University. You'd be lucky if they ever find the phone let alone pick it up. What a university is doing with their hand in domains is a question for their philosophy department.

      Oh, and we can blame Melbourne University for this cretin among others.

      --

      Si tacuisses philosophus mansisses. If you had kept quiet, you would have remained a philosopher.

    9. Re:Rogue registrars? by Anonymous Coward · · Score: 0

      Not true. I've worked there. I believe they're working up to that, as soon as staff can be hired/trained, but right now they close for about 36 hours a week, over the weekend.

      24 hours during the week, though.

    10. Re:Rogue registrars? by Aurix · · Score: 1

      but right now they close for about 36 hours a week, over the weekend.

      Appears MelbourneIT's story only gets worse...
    11. Re:Rogue registrars? by xlsior · · Score: 5, Interesting

      What seems to have happened is that somehow the Australian registrar "melbourneIT.com" yanked the fully paid-up registration away from Dotster (where Panix had it) without any notice whatsoever

      Or so they say.

      What many people here may not be aware of, is that the domain registry system had a slight overhaul recently, after ICANN mandated a change in the registrar transfer procedures.

      More specifically: while in the past a domain transfer would automatically be rejected when the account holder did not approve it, recently this changed so now a transfer request gets approved by default unless the account holder actively rejects it.

      Yes -- that means that if the owner happens to be on vacation, doesn't check his mail frequently enough, has a spamfilter that ate the transfer notice, or simply never received the message in the first place for whatever other reason, the domain transfer request will automatically be granted.

      ICANN's reasoning for this was allegedly that it would prevent a defunct hosting provider or non-working administrative account from keeping a customer's domain hostage.

      The only way to change this behaviour and reject a domain transfer by default, is to lock the domain with the registrar. Many of the registrars responded to this policy change by proactively locking all domains hosted with them with little warning (Network Solutions, for example)

      Anyway, it's quite likely that this domain in question simply didn't get locked (or was actively unlocked by the administrator because it was deemed inconvenient?). Then if anyone sent a (bogus) transfer request and the administrator either didn't see the notice or didn't respond in a timely fashion to reject it, this would happen.

      This will happen to ANY domain that is not currently locked, and whose admin contacts aren't paying close enough attention to their mailbox. If you haven't already done so: MAKE SURE YOUR DOMAINS ARE LOCKED!!!

      Yet another example of how ICANN makes the world a better place, I guess.
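
A defensive check built on the advice in this thread (lock the domain, watch who the registrar and name servers are), added here as an example and not written by any poster: it parses both WHOIS layouts quoted above and compares the result with a baseline the owner keeps. The two sample records are trimmed from the ones posted in this thread; the `Status:` line, the baseline dictionary and the referral-host heuristic are assumptions.

```python
import re

# Both layouts quoted in the thread:
#   "Registrar: DOTSTER"              (colon separated)
#   "Name Server.......... ns1...."   (dot leader)
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*(?::|\.{2,})\s*(.*)$")
REFERRAL = re.compile(r"referral to (\S+?)\.?$", re.IGNORECASE)
HOSTNAME = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.IGNORECASE)

KEYS = {
    "registrar": "registrar",
    "status": "status",
    "name server": "nameservers",
    "last updated on": "updated",
    "registration date": "updated",
    "expires on": "expires",
    "expiry date": "expires",
}
LIST_HEADER = "domain servers in listed order"
# REGISTRAR-LOCK is the name used in the thread; clientTransferProhibited is
# the EPP status that expresses the same lock.
LOCK_MARKERS = ("registrar-lock", "transferprohibited")

# Constructed sample input, trimmed from the records quoted in the thread.
BEFORE = """
Registrar: DOTSTER
Domain Name: PANIX.COM
Status: REGISTRAR-LOCK
Expires on: 23-APR-05
Last Updated on: 15-JAN-05

Domain servers in listed order:
NS1.ACCESS.NET
NS2.ACCESS.NET

End of Whois Information
"""  # the Status line is constructed; the posted record shows none

AFTER = """
Found crsnic referral to whois.melbourneit.com.

Domain Name.......... panix.com
Registration Date.... 2005-01-15
Expiry Date.......... 2006-04-23
Name Server.......... ns1.ukdnsservers.co.uk
Name Server.......... ns2.ukdnsservers.co.uk
"""

# Hypothetical baseline the domain owner records while things are healthy.
BASELINE = {"registrar": "DOTSTER",
            "nameservers": ["ns1.access.net", "ns2.access.net"],
            "require_lock": True}


def parse_whois(text):
    """Normalise a WHOIS response in either layout into one dict."""
    rec = {"registrar": None, "referral": None, "updated": None,
           "expires": None, "status": [], "nameservers": []}
    in_ns_list = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_ns_list = False          # a blank line ends a bare host list
            continue
        m = FIELD.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip()
            in_ns_list = key == LIST_HEADER
            field = KEYS.get(key)
            if field in ("status", "nameservers") and value:
                rec[field].append(value.split()[0].lower())
            elif field and value:
                rec[field] = value
            continue
        host = line.split()[0]          # tolerate "host ip" pairs
        if in_ns_list and HOSTNAME.match(host):
            rec["nameservers"].append(host.lower())
            continue
        ref = REFERRAL.search(line)
        if ref:
            rec["referral"] = ref.group(1).lower()
    rec["nameservers"] = sorted(set(rec["nameservers"]))
    return rec


def audit(rec, baseline):
    """Return one finding per way the record drifted from the baseline."""
    findings = []
    want = baseline["registrar"].lower()
    if rec["registrar"] and rec["registrar"].lower() != want:
        findings.append(f"registrar: {rec['registrar']} (expected {baseline['registrar']})")
    # Heuristic (assumption): the registrar's WHOIS host contains its name.
    if rec["referral"] and want not in rec["referral"]:
        findings.append(f"referral: answered by {rec['referral']}, not {baseline['registrar']}")
    expected = {n.lower() for n in baseline["nameservers"]}
    seen = set(rec["nameservers"])
    if seen != expected:
        findings.append(f"nameservers: unexpected={sorted(seen - expected)} "
                        f"missing={sorted(expected - seen)}")
    locked = any(mark in s for s in rec["status"] for mark in LOCK_MARKERS)
    if baseline.get("require_lock") and not locked:
        findings.append("lock: no transfer-lock status visible")
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(parse_whois(text), BASELINE) or "no drift")
```

Run on a schedule from a host whose alerts do not depend on mail for the monitored domain, since mail is the first thing a hijack of this kind redirects.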

    12. Re:Rogue registrars? by Anonymous Coward · · Score: 5, Interesting
      I've been involved in investigating this for most of today. In fact, it's not just the admin and tech contacts at Panix who were never notified; the transferred-from registrar (Dotster) was never notified.


      Even under the new ICANN rules, that's not supposed to be possible. Someone is playing games with the system.

    13. Re:Rogue registrars? by tjls · · Score: 2, Informative

      No. The registrar the domain was taken from wasn't even notified of the transfer. Something is very wrong.

    14. Re:Rogue registrars? by Frank+T.+Lofaro+Jr. · · Score: 1

      Use GoDaddy.com.

      They are cheap, efficient, and have good tech support.

      --
      Just because it CAN be done, doesn't mean it should!
    15. Re:Rogue registrars? by Anonymous Coward · · Score: 0

      Except for the fact that there was nobody in the office when it happened, which makes it look a lot less like it was a deliberate thing on their part.

      Hell, if someone _did_ do it deliberately at Melb IT's end, they've made themselves fucking obvious. A quick scan of who swiped themselves into the building and/or logged into a machine will easily show something unexpected when nobody's supposed to be there.

      About 11am on a Wednesday would be a better time to do something sneaky.

    16. Re:Rogue registrars? by Anonymous Coward · · Score: 1, Insightful

      I've seen this stuff about Melb IT being a "willing party" to hijackings a couple of times in this post now, and nobody's given a specific example. Got one? I'm honestly curious.

      What the hell do they have to gain out of this?

    17. Re:Rogue registrars? by Anonymous Coward · · Score: 1, Funny

      What's particularly scary is that melbourneIT.com isn't open on the weekends, period (though oddly enough they transferred the domain first thing on Saturday, hmmmm) and won't do anything to help.

      Q: Why is Tasmania moving closer to Australia?
      A: Because Melbourne sucks.

      "Melbourne is the arse end of the world" - Jerry Seinfeld.

    18. Re:Rogue registrars? by martin-k · · Score: 1

      That's why I transferred all my domain registrations to Schlund Technologies. Nothing special about them, except that they are in Germany (where I am, too) and if required, I can get within a day a preliminary injunction against them if they tried to give me the run-around.

    19. Re:Rogue registrars? by bani · · Score: 2, Interesting

      they only shaped up when federal law enforcement forced them to. they didn't change voluntarily.

    20. Re:Rogue registrars? by bani · · Score: 1

      this isn't the first time melbourneit has been involved in domain hijacking. their procedures must be very lax for this to repeatedly occur though.

    21. Re:Rogue registrars? by cpghost · · Score: 1

      While this can happen to every gTLD domain, some (if not most) ccTLD domains are safe, if they are managed by a single operator. The problem here is that ICANN invented an incredibly stupid inter-registrar procedure for registrars that compete on a single registry. So the only way to solve this problem is to revert back to the previous rule (deny transfer unless explicitly approved by admin contact).

      The reason behind ICANN's change of policy was, of course, to tackle the situation when a registrar goes out of business (or stays irresponsive for whatever reason), a transfer without their involvement would still be possible. Or when the ISP hosting the admin contact emails goes down or closes that account. Anyway: a solution to this problem would be that the newly acquiring registrar requests physical paperwork (a signed fax or something similar) from the domain owner or its admin contact prior to domain transfer.

      A registrar should NEVER be allowed to assume that the transfer has been approved without the admin contact jumping through some (safety) hoops. At least, it should NEVER EVER assume that not replying to a transfer notice constitutes approvement. This also includes replies sent by C/R systems, which MUST NOT be construed as an automatic approval.

      It's IMHO incredibly stupid from ICANN not to have thought about this more seriously before putting the whole inter-registrar system in jeopardy.

      --
      cpghost at Cordula's Web.
    22. Re:Rogue registrars? by Dynamoo · · Score: 1

      MelbourneIT are very often used by spammers and feed the registrar clearly fake details. If you're lucky, Melbourne might reply to a complaint about this in a couple of weeks, else they'll ignore it. Sure, every registrar has this problem.. it's just that Melbourne don't seem to care.

      --
      Never email donotemail@WeAreSpammers.com
    23. Re:Rogue registrars? by Anonymous Coward · · Score: 0

      No 1.
      What the hell were you doing buying a domain name from Yahoo in the first place? There is no excuse for crappy customer service, but the bottom line is... you get what you pay for. You can't purchase a service through one company and expect another company to take over the reins when things get shitty and you want to terminate your contract with the original company. Get a freakin' clue.

      No 2.
      The new ICANN transfer policy means that Melbourne IT has no say in what domain names are transferred in, if the request is initiated by a reseller. You honestly think someone sits there, looking at each and every domain name that rolls in to see if it's a 'popular' one or not? Domain names mean nothing to the system - they are all equal. Additionally, if Panix had their finger on the pulse they wouldn't be in this position. They had 5 days to decline the transfer, and they didn't. There should have been a transfer validation email from the losing registrar too. Effectively, they would have had to decline the transfer from both the losing and gaining registrars. They had two chances to decline the transfer, and they didn't. They have to take some kind of responsibility in this, non?

      No 3.
      The transfer process itself is handled by the registry. That's Verisign, kids. VERISIGN. Saying that Melbourne IT are 'snappy' when it comes to theft of domains means dick all, the transfer took as long as it did due to the registry approving the entire process. End of story. A domain name can transfer on a Sunday night, despite the physical offices of Melbourne IT not being open. That's the beauty of cyberspace, is it not?

      No. 4.
      Melbourne IT was open Saturday morning. They are open 5.5 days a week, according to their website. Cha-ching!

    24. Re:Rogue registrars? by McDutchie · · Score: 1
      Use GoDaddy.com.

      They are cheap, efficient, and have good tech support.

      Unfortunately, they also appear to be spammers or at least spam-supporters, in spite of their claims to the contrary.

    25. Re:Rogue registrars? by dbIII · · Score: 1
      melbourneIT.com isn't open on the weekends, period
      This is the sort of lack of responsibility that people forecast when MelbourneIT were set up to take the "au" domain away from the registrar of the time.

      They are a very odd but increasingly common beast - the government owned independent corporation with a monopoly - so naturally they are not open on weekends, don't care what their customers think and busy planning some disastrous financial adventure with the help of a confidence trickster in China (always seems to happen when an Australian government body gets "corporatized"). If for some reason a question about this is asked in parliament, the government will shrug and say it is out of their control, the only thing they can do is take the profits. This is of course the same government that attempted censorship on one hand while owning the "cx" domain on the other.

    26. Re:Rogue registrars? by Fully+Sick+Like+Ot's · · Score: 0

      Ha Ha, So what you're telling me is you buy moldy bread from a grocery store, get sick and then tell everyone to stop going to the store and stop going to the baker who made it fresh? Sounds like you had a bad experience with Yahoo? I have used about 1/2 a dozen registrars around the world, and choose Melbourne IT for their service, and reliability. I don't even live in Australia, I live in the UK. I email all the time with queries and get responses usually within 72 hours. I have learnt to know enough about the industry to ask the right questions. Being ignorant in any area of your business is not a good thing. Time for a buttered scone and a pot of tea. Cheerio Lads Totally over being Fully Sick.

    27. Re:Rogue registrars? by Anonymous Coward · · Score: 0

      Melbourne IT still act as though they have a monopoly over .com.au domains -- they have terrible customer service, crap pricing and very bad security.

      Only last week I needed to get a .co.nz domain re-delegated (the registrar was Domainz, which is Melbourne IT's New Zealand arm). I rang Melbourne IT and explained that the key I had no longer seemed to be valid, and asked how I could recover the key. I gave them the registry key, and they confirmed the key was incorrect. After a brief moment on hold I was told the registry key had been reset to the one I had given them, and I could now go ahead and re-delegate the domain. No faxes showing that I had the authority to access the domain, just a quick 5-10min phone call.

      Before the change of registry ~2.5yrs ago we held about 450 domains under our Melbourne IT reseller account. Within two months of the new registry we had chosen a new registrar and started moving all domains over to them. My experience with all .au registrars has been positive, with the single exception of Melbourne IT. Boycott them? We have been for 2yrs now, and I suspect many others are.

    28. Re:Rogue registrars? by Anonymous Coward · · Score: 1, Insightful

      as has go daddy... enom, nsi...

      name me ONE larger registrar who *hasn't* been involved in a domain hijack? go on... i dare you...

    29. Re:Rogue registrars? by Fully+Sick+Like+Ot's · · Score: 1

      Dude, you are probably the smartest person on here, thanks for a) knowing and b} enlightening some of the other shot and then point slashdotters!!!

    30. Re:Rogue registrars? by Anonymous Coward · · Score: 0

      What's particularly scary is that melbourneIT.com isn't open on the weekends, period (though oddly enough they transferred the domain first thing on Saturday, hmmmm)

      Oh come on now. How many times has your IT guy had to come in on the weekend to 'upgrade the servers' while everyone was away? Doing the transfer on saturday sounds like normal behavior to me. You are being paranoid.

    31. Re:Rogue registrars? by Anonymous Coward · · Score: 0

      Get a grip... It will be a cold day in hell when any of the other registrars are half as big as Melbourne IT. Ever tried dealing with Enetica? They have the single most pathetic customer service in the history of the industry. The only registrar within pissing distance is TPP. And even then they have a long way to go...

      You think transferring your 450 domains is hurting MIT? You think boycotting MIT actually hurts their business? You and your backyard resellers need to get your head out the sand! Do you have any idea how many resellers have returned to MIT after going elsewhere and experiencing other registrar's service levels. Hand. Off. Cock. Please.

    32. Re:Rogue registrars? by 42forty-two42 · · Score: 1

      So, why can't the original owners just hijack it back?

    33. Re:Rogue registrars? by jafiwam · · Score: 1

      Yeah? Well Mr. Anonymous... why not use your real name?

      If you "worked there" you could probably answer these questions then:

      1) If Melb IT was closed, then how did the domain get transferred?

      2) If it was an automated tool, then the tool is flawed. Explain why they did not fix their tool and why they are not helping to fix their tool faster.

      Garbage companies like yours deserve to be chased off the net with extreme prejudice.

      You are either a liar or a fool.

      Melb IT was MOST DEFINITELY a huge portion of the problem. And still ARE a huge portion of the problem. If their shit worked while they were away, it's their fault. If the shit worked because someone was there doing it, it's their fault. Pretty simple to understand.

      It sorta makes me wonder why there have not been more calls for vigilante justice here in the comments. I for one might like to play a game of "my bandwidth is bigger than your bandwidth" for a while this weekend.

    34. Re:Rogue registrars? by Anonymous Coward · · Score: 2, Insightful

      I'm anonymous because I choose to be. Fuck - you're talking about "vigilante justice" at the drop of a hat without knowing half the facts about a situation, and you're wondering why I want to stay anonymous?

      As for your points, as has been mentioned in one or two of the more rational posts here, transfers are conducted by the top-level registry. That's Verisign, for .com domains, if you didn't know. VERISIGN.

      Under the new transfer rules, brought to us recently by the ever-lovable ICANN, transfers go ahead FIVE DAYS after they are requested unless the domain is LOCKED BY THE CURRENT REGISTRAR, or the admin contact for the domain EXPLICITLY REJECTS IT.

      Melbourne IT has no control over what's transferred in. If Verisign says "hey, you manage this domain now", even on a Sunday morning - they get it. Five days after the admin contact has failed to reject it.

      A registrar can't touch a domain until Verisign assigns control to them. They don't have special powers to magically shuffle the things around. Melbourne IT gets calls all the time from people wanting their domains transferred in with a magic transfer button, but if the current registrar has a lock on it, there's nothing that can be done.

    35. Re:Rogue registrars? by Cylix · · Score: 1

      I'm actually surprised he responded on slashdot and even responded further.

      Other than PR, they are under no obligation to informally provide information and I'm sure a formal explanation will be available at a later date.

      So it happened on Saturday and someone is awake to deal with it on sunday.

      Someone knew what they were doing when they planned a short term hijack. It's probably just address harvesting and overall I suspect it's been a bit of a success.

      --
      "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
    36. Re:Rogue registrars? by Anonymous Coward · · Score: 0

      They've also got one of the toughest anti-spam domain policies around. If spam is reported using a domain of yours, they'll pull it and charge you hundreds of dollars to get it working again.

    37. Re:Rogue registrars? by dickens · · Score: 1

      So how did you do it ? I have a hosting client with their domain on yahoo/melbourneit and I haven't the faintest idea how to get it loose from them.

    38. Re:Rogue registrars? by Antique+Geekmeister · · Score: 1

      A company that has no 24x7 service should not be a domain registrar for other domains, period. They have no business being in that business without an after hours contact or at least on-call support service. Blocking their DNS at the routers until they can shape up sounds like the way to correct the issue next time.

    39. Re:Rogue registrars? by angusmci · · Score: 1

      What's amusing is that the 'description' meta tag on MelbourneIT's homepage describes them as "The world's leading domain name registrar". In whose fantasy universe, may I ask?

    40. Re:Rogue registrars? by rs79 · · Score: 1

      "This is the sort of lack of responsibility that people forecast when MelbourneIT were set up to take the "au" domain away from the registrar of the time."

      Yes, because he wasn't "responsible" enough.

      We have always been at war with Oceana.

      --
      Need Mercedes parts ?
    41. Re:Rogue registrars? by Dun+Malg · · Score: 1
      The only way to change this behaviour and reject a domain transfer by default, is to lock the domain with the registrar. Many of the registrars responded to this policy change by proactively locking all domains hosted with them with little warning (Network Solutions, for example)

      Anyway, it's quite likely that this domain in question simply didn't get locked (or was actively unlocked by the administrator because it was deemed inconvenient?).

      FWIW, domain locking is available with Dotster, but you have to specifically request it. I'd bet that nobody even thought to do it.

      --
      If a job's not worth doing, it's not worth doing right.
    42. Re:Rogue registrars? by tjls · · Score: 3, Informative

      Unfortunately, you've just posted the same tired bundle of false assertions. Neither the transferred-from registrar (that's Dotster) nor Panix were actually notified prior to the transfer. In fact, if you actually read the relevant standards (in particular, the description of the TRANSFER message in RFC2832) you'd find that a change of registrar works like this:

      1) The transferred-to registrar sends a TRANSFER message to VeriSign. VeriSign or the transferred-to registrar (the specification is extremely unclear) then uses an unspecified out-of-band method to contact the transferred-from registrar.

      2) The transferred-from registrar sends an identical TRANSFER message to VeriSign, except that it has either Approved:yes or Approved:no in it. This is what actually causes the change to occur.

      3) Since the recent ICANN change in policy, if no Approved: TRANSFER message is received in 5 days, the transfer occurs automatically.

      This points out some very, very odd things about this particular transfer. First, Dotster has no record of any TRANSFER request in their log file. Second, they have no record of sending any approval message -- in fact, their database still shows that Panix is their customer; they can't even try to grab the domain back without deleting the record, which would complicate the ongoing investigation. Yet VeriSign say that the domain was transferred with approval. With approval from whom, exactly? I have some strong hunches about how it might be possible to do this but I can't really go into them here and now.

    43. Re:Rogue registrars? by WoodstockJeff · · Score: 1
      Unfortunately, they also appear to be spammers

      Hmmm... I'm a GODADDY customer, and the only messages I receive from them are notices of things like the ICANN screwball decision, and domains about to expire, with 90, 60, 30, and 10 day advance notice.

      Of course, I remembered to uncheck the little box when I set up my account that authorizes "third-party offers", and, when I log it, it says I "missed out on $328 in savings on special offers", but I'm not being spammed by GODADDY.

    44. Re:Rogue registrars? by WoodstockJeff · · Score: 1
      Blocking their DNS at the routers until they can shape up sounds like the way to correct the issue next time.

      I take it you're not familiar with how a registrar handles things like this, are you? A registrar does not necessarily handle any DNS traffic. They just make entries into the master database as to who does handle the DNS for a given domain. If they're providing web hosting or DNS services as part of their package, then yes, there would be DNS traffic to/from that registrar, but normally not.

      But, I think what you're wanting would be handled by not accepting any database updates from them, which would require stripping them of their ICANN accreditation first.

    45. Re:Rogue registrars? by Gendalia · · Score: 1

      Law enforcement said not to, as it would erase any trace of what happened.

    46. Re:Rogue registrars? by ErichTheWebGuy · · Score: 1

      I had to get the original owner of the domain to send them a fax with a copy of his ID card, and a few other forms. After 2 weeks, I had the registry key and transferred it with a quickness. Luckily, I had the cooperation of the guy that I bought the name from, and he was all for it. Had it not been for that, I don't think I would ever have wrestled it from them.

      --
      bash: rtfm: command not found
    47. Re:Rogue registrars? by ErichTheWebGuy · · Score: 1

      What the hell were you doing buying a domain name from Yahoo in the first place?

      Maybe you should get the facts before you flame someone next time. I bought the domain from a private party, who originally had bought the domain name via Yahoo domains. Knowing that Yahoo has never given a shit about their paying customers, I resolved to get it the hell out of there as quickly as possible.

      --
      bash: rtfm: command not found
    48. Re:Rogue registrars? by Nikker · · Score: 1

      Listen to yourself you work for them? Walk their dogs or something? If a company holds onto a service for you that you have paid for and they give it to someone else, what ever the problem they tell the domain fuck off and let it ride till monday?

      That is just sick and no matter how 'human' they are they should pack up and start the company under a different name because I will never deal with them or anyone affiliated with them.

      --
      A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
    49. Re:Rogue registrars? by Antique+Geekmeister · · Score: 1

      I bet they *do* host DNS for a bunch of other people, too. But the main point was to cut off a lot of DNS access to *their own* domain, since they're obviously not competent to run one.

      That would be vigilante extortion at its finest: for an example of how well this can work, look at what finally got agis.net to kick cyberpromo.com off of their network. It wasn't the multiple settled-out-of-court lawsuits against cyberpromo, it wasn't the threats at NANOG to blackhole agis.net, it was the attacks on agis.net's routers that finally got them to cut the "spamming allowed" contract with cyberpromo.net.

    50. Re:Rogue registrars? by Anonymous Coward · · Score: 0

      I'm very familiar with the transfer process. Thank you for your information. Have you ever thought this has happened due to the reseller agreement between registrars and Verisign? Resellers have the ability to act as registrars, bypassing, in this case, Melbourne IT. This would, therefore, render MIT as an innocent bystander in this mess. Irrespective of such agreement, Dotster aren't forthcoming with their information. Despite any kind of false or fraudulent transfer, Dotster had to be notified of the domain name being transferred away. Even if they weren't, it's taken their cron job at least 5 days to run before realising the name has been transferred away. Give me a break!

    51. Re:Rogue registrars? by Anonymous Coward · · Score: 0

      Yeah, I doubt any purposeful wrongdoing was done on MelbourneIT's part.

      HOWEVER, their lax procedures, and the simple fact that they HAVE NO STAFF ON WEEKENDS makes them a party to this. That alone should be enough to revoke their registrar status. You can't provide the kind of service needed to be a registrar if nobody is there to handle calls more than 25% of the time (assuming they take off holidays too).

      Registrars have to be vigilant. They're responsible for safe-guarding a service that people are paying them for that many companies stake their businesses on. Domain hijacking is obviously a BIG business, and it seems like, to me anyways, that there are people at ICANN and Verisign who are getting a cut, otherwise this couldn't have happened.

      Whether or not that is the case is irrelevant. It just points out the webbed nature of the system, and every point on the web has to be safe-guarded against corruption from the other points. Obviously, Dotster and Panix can't be at fault, because they never received TRANSFER notices, which are Verisign's responsibility. However, the MelbourneIT staff telling the Panix admin to shove off and wait until Monday is unacceptable. They deserve to be shut down, as that attitude allows them to be a willing accomplice to these crimes, whether they would admit to it or not.

      They're essentially allowing a 48-hour window that says "LOOK HERE hijackers! Abuse our lax procedures!".

  17. BIG discounts in the OFFing? by Anonymous Coward · · Score: 0



    You think?

    Looks like they sent the "by the way, your domain name address change is pending and will go through in 5 days so don't delete this" to dev/null.

  18. Dead. horse. by missing000 · · Score: 1

    beat. to. death.

    1. Re:Dead. horse. by Anonymous Coward · · Score: 0

      Still deserves to be mentioned, especially on a story like this. The irony is so rotten that it's not even funny.

    2. Re:Dead. horse. by NanoGator · · Score: 1

      "Dead. horse. beat. to. death."

      Agreed. Now, let's discuss who the best Starship Captain is.

      --
      "Derp de derp."
  19. How does this happen exactly? by cuban321 · · Score: 1

    I blame it partially on the registrar for not verifying the identity of the person attempting to transfer the domain.

    Granted an ISP should have known to use REGISTRAR-LOCK, but what about Joe Shmoe with his domain to host family pictures?

    1. Re:How does this happen exactly? by gronofer · · Score: 1

      Not every registrar allows setting REGISTRAR-LOCK arbitrarily. E.g. gandi.fr, the registrar of gnu.org, does not.

    2. Re:How does this happen exactly? by Laebshade · · Score: 1
      Granted an ISP should have known to use REGISTRAR-LOCK, but what about Joe Shmoe with his domain to host family pictures?
      I know now. I just went and locked my domain. I had no idea this could be done.
    3. Re:How does this happen exactly? by thornist · · Score: 1

      According to emails in NANOG, Panix believed the domains were tagged REGISTRAR-LOCK.

  20. It's not just Censorware by bonch · · Score: 5, Interesting

    People do not like him as an editor here. Michael constantly editorializes by sticking his opinions into the article submission instead of in a comment like the rest of us have to. He often modbombs threads and blacklists people who post in them from moderating. Even if you don't like Taco's endless dupes or typos, at least he lets the submission speak for itself (iPod launch comment excluded). Michael does very unprofessional things like the infamous all-caps attack toward Intel in the 64-bit chip article last year.

    No, this is not just a hobby site where those kinds of things fly. This is a highly-visited news site, considered a major source of tech news for geeks, and a corporate-owned entity of OSTG who employs Malda and company. There's an amount of responsibility you ethically must adopt when your site gets so popular that its name alone becomes a verb due to the server-killing power of its readerbase.

    Michael also does things like edit the words of people's submissions, like adding quotation marks around the word "revealed" in this story (now in my sig). Regardless of what you think of the story, that's just plain misleading and twisting the words and intent of the submitter, making it appear they meant something other than what they did. If it was an anonymous submitter, that would be different, but now Michael has stuffed a message into the submitter's mouth that was not there. At least show a little respect for the people who are providing your content.

    1. Re:It's not just Censorware by Anonymous Coward · · Score: 0

      Wow, for once I agree with Bonch.

    2. Re:It's not just Censorware by Doc+Ruby · · Score: 3, Funny

      I like him.

      --
      make install -not war

    3. Re:It's not just Censorware by Anonymous Coward · · Score: 0

      Flamebait? Nope.

    4. Re:It's not just Censorware by Anonymous Coward · · Score: 0

      but he's better than Timothy.

    5. Re:It's not just Censorware by mesach · · Score: 1

      considered a major source of tech news for geeks

      Since the obligatory You must be new here doesn't apply to someone with a 5 digit UN, then I must say that.

      It must have been a long time since you have been here. This place has gone downhill, I get my cutting edge news somewhere else, and come here just for the comments. I realize that my UN is rather high to be on this horse, but I didn't see the need to be spreading my info around to every tom, dick, and jane site when I first encountered this one.

      --
      moo.
    6. Re:It's not just Censorware by zulux · · Score: 1


      I like him

      I like 'em too! He done made ma' Karma real good!

      --

      Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

    7. Re:It's not just Censorware by Anonymous Coward · · Score: 0

      If it was an anonymous submitter, that would be different...

      Huh? Am i missing something here? Mod me down all the way you want but no one has the right to 'twist the intent' just because i'm posting AC.

    8. Re:It's not just Censorware by Anonymous Coward · · Score: 0

      Jane_the_Great is a bitch anyway, so who cares?

    9. Re:It's not just Censorware by nazsco · · Score: 1

      This is /. remember?
      the juice of the news here are DAMN BIASED OPINIONS

    10. Re:It's not just Censorware by JollyFinn · · Score: 1

      Yes. Your name sounds like you might be female slashdotter.
      Of course if you are not female that doesn't really prevent the next applying to you if you happen to be gay. Are you sure that you are not suffering some kind of stockholm syndrome?
      Yes. You should love him just as much as you love Microsoft.

      --
      Emacs is good operating system, but it has one flaw: Its text editor could be better.
    11. Re:It's not just Censorware by Doc+Ruby · · Score: 1

      Huh? You're a fool. I'm not even sure if you're a Finn. You're certainly not too jolly.

      --
      make install -not war

    12. Re:It's not just Censorware by JollyFinn · · Score: 1

      Of course I'm Jolly. I'm very spiritual person ;)

      Main Entry: 1jolly
      Pronunciation: 'jä-lE
      Function: adjective
      Inflected Form(s): jollier; -est
      Etymology: Middle English joli, from Old French
      1 a (1) : full of high spirits : JOYOUS (2) : given to conviviality : JOVIAL b : expressing, suggesting, or inspiring gaiety : CHEERFUL

      --
      Emacs is good operating system, but it has one flaw: Its text editor could be better.
    13. Re:It's not just Censorware by Matt+Perry · · Score: 2, Informative
      This is a highly-visited news site, considered a major source of tech news for geeks, and a corporate-owned entity of OSTG who employs Malda and company. There's an amount of responsibility you ethically must adopt when your site gets so popular that its name alone becomes a verb due to the server-killing power of its readerbase.
      Yet how many slashdot readers have written (not emailed) OSTG to let them know how they feel? Personally, the lack of attention to checking links in stories, dupe posting, Michael's comments, etc, are what keep me from subscribing. I let them know that. Write them and let them know how you feel:
      OSTG
      46939 Bayside Parkway
      Fremont, CA 94538
      USA
      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    14. Re:It's not just Censorware by Doc+Ruby · · Score: 1

      Fools are jolly, natch. And now some clues to your earlier, sillier post drop: nspiring gaiety

      --
      make install -not war

  21. How This Can Happen by ErichTheWebGuy · · Score: 5, Informative

    See this story on Netcraft, which details the recent policy change by ICANN.

    In short, if someone initiates a transfer request, you then have 5 calendar days to respond, or else the transfer happens unopposed. You can prevent this by activating the REGISTRAR-LOCK feature on your domain name. The procedure varies by registrar, but it's usually called "domain lock" or something similar. All registrars have to at least give you the option of requesting this feature.

    Some registrars (godaddy, I know for sure, does) activate this lock by default; some require you to activate it explicitly. Check with the support dept. at your registrar for further details.

    --
    bash: rtfm: command not found
    1. Re:How This Can Happen by 87C751 · · Score: 1
      FYI, for Dotster, you need to "add a service" to activate what they call "TransferLock". For those of you with more than one or two domains, here's the bulk modification dance:
      1. From Account Management page, select 'Advanced Domain Search'
      2. Leave all fields blank
      3. 'Select All'
      4. 'Manage Domains'
      5. 'Order Services for Domains'
      6. 'TransferLock' is next to last in the Other Services list. Click 'Add All'
      7. Continue through the purchase dance
      It's free, but I don't know why it isn't the default. BTW, anyone else wonder why Dotster has made bulk management a little less intuitive lately? The "Advanced Domain List" view used to be the default. (and don't get me started on their automagically registering .info domains last week)
      --
      Mail? Put "slashdot" in the subject to pass the spam filters.
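A way to check the lock described above from WHOIS output, and to notice the kind of registrar and name-server change this story is about. This is an added example, not code from the thread or from any registrar; the domain, registrar names and WHOIS records are constructed, and `clientTransferProhibited` / `serverTransferProhibited` are the EPP status codes (RFC 5731) that correspond to the REGISTRAR-LOCK status named in the comment.

```python
import re

# Statuses that make the registry refuse an inter-registrar transfer request.
# REGISTRAR-LOCK is the name used in the comment above; the other two are
# the EPP status codes from RFC 5731.
TRANSFER_LOCKS = {"registrar-lock", "clienttransferprohibited",
                  "servertransferprohibited"}

# "Key: value" lines; the key may contain only letters and spaces.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\S.*?)\s*$")


def parse_whois(text):
    """Extract registrar, name servers and status codes from WHOIS text."""
    rec = {"registrar": None, "name_servers": set(), "statuses": set()}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key in ("registrar", "sponsoring registrar"):
            rec["registrar"] = value
        elif key == "name server":
            rec["name_servers"].add(value.lower().rstrip("."))
        elif key in ("status", "domain status"):
            # EPP-style lines carry a URL after the code; keep the code only.
            rec["statuses"].add(value.split()[0].lower())
    return rec


def is_transfer_locked(rec):
    """True if any status on the record blocks a transfer request."""
    return bool(rec["statuses"] & TRANSFER_LOCKS)


def compare(baseline, current):
    """Return alert codes for differences between two parsed snapshots."""
    alerts = []
    if baseline["registrar"] != current["registrar"]:
        alerts.append("REGISTRAR_CHANGED")
    if baseline["name_servers"] != current["name_servers"]:
        alerts.append("NAME_SERVERS_CHANGED")
    if is_transfer_locked(baseline) and not is_transfer_locked(current):
        alerts.append("LOCK_REMOVED")
    elif not is_transfer_locked(current):
        alerts.append("NOT_LOCKED")
    return alerts


# Constructed WHOIS snapshots (not real records).
BEFORE = """
   Domain Name: EXAMPLE.COM
   Registrar: CONSTRUCTED REGISTRAR A, INC.
   Name Server: NS1.EXAMPLE.NET
   Name Server: NS2.EXAMPLE.NET
   Status: ACTIVE
"""
AFTER = """
   Domain Name: EXAMPLE.COM
   Registrar: CONSTRUCTED REGISTRAR B, LTD.
   Name Server: NS1.EXAMPLE.ORG
   Name Server: NS2.EXAMPLE.ORG
   Status: ACTIVE
"""
LOCKED_LEGACY = BEFORE.replace("Status: ACTIVE", "Status: REGISTRAR-LOCK")
LOCKED_EPP = BEFORE.replace(
    "Status: ACTIVE",
    "Domain Status: clientTransferProhibited "
    "https://icann.org/epp#clientTransferProhibited")

if __name__ == "__main__":
    print("unlocked domain after transfer:",
          compare(parse_whois(BEFORE), parse_whois(AFTER)))
    print("lock dropped:",
          compare(parse_whois(LOCKED_LEGACY), parse_whois(BEFORE)))
    print("locked, unchanged:",
          compare(parse_whois(LOCKED_EPP), parse_whois(LOCKED_EPP)))
```

Run on a schedule against saved output of your usual WHOIS client, any alert other than an empty list is worth a look within the 5-day response window the parent comment mentions.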
  22. it's worse than that... by bani · · Score: 4, Informative

    ...melbourneit, the registrar responsible for the mess, basically told panix to take a flying leap. verisign wasn't any help either.

    what a sad state of affairs when it's trivial to hijack a domain, but it takes an act of god to return it to its rightful owner. apparently, even law enforcement can't get verisign or melbourneit to do squat:

    Date: Sun, 16 Jan 2005 07:04:46 +0000
    From: Thor Lancelot Simon
    To: nanog@merit.edu
    Subject: Re: panix.com hijacked (VeriSign refuses to help)

    Alexis Rosen tried to send this to NANOG earlier this evening but it
    looks like it never made it. Apologies if it's a duplicate; we're
    both reduced to reading the list via the web interface since the
    legitimate addresses for panix.com have now timed out of most folks'
    nameservers and been replaced with the hijacker's records.

    Note that we contacted VeriSign both directly and through intermediaries
    well known to their ops staff, in both cases explaining that we suspect
    a security compromise (technical or human) of the registration systems
    either at MelbourneIT or at VeriSign itself (we have reasons to suspect
    this that I won't go into here right now). We noted that after calling
    every publicly available number for MelbourneIT and leaving polite
    messages, the only response we received was a rather rude brush-off from
    MelbourneIT's corporate counsel, who was evidently directed to call us
    by their CEO.

    We are also told that law enforcement separately contacted VeriSign on
    our behalf, to no avail.

    Below please find VeriSign's response to our plea for help. We're rather
    at a loss as to what to do now; MelbourneIT clearly are beyond reach,
    VeriSign won't help, and Dotster just claim they still own the domain and
    that as far as they can tell nothing's wrong. Panix may not survive this
    if the formal complaint and appeal procedure are the only way forward.

    > Date: Sun, 16 Jan 2005 00:21:33 -0500
    > To: , NOC Supervisor
    > Subject: Re: FW: [alexis@panix.com: Brief summary of panix.com hijacking incident] (KMM2294267V49480L0KM)
    > From: VeriSign Customer Service
    > X-Mailer: KANA Response 7.0.1.127
    >
    > Dear Alexis,
    >
    > Thank you for contacting VeriSign Customer Service.
    >
    > Unfortunately there is little that VeriSign, Inc. can do to rectify this
    > situation. If necessary, Dotster (or Melbourne) is more than welcome to
    > contact us to obtain the specific details as to when the notices were
    > sent and other historical information about the transfer itself.
    >
    > Dotster can file a Request for Enforcement if Melbourne IT contends that
    > the request was legitimate and we will review the dispute and respond
    > accordingly. Dotster can also contact Melbourne directly and if they
    > come to an agreement that the transfer was fraudulent they can file a
    > Request for Reinstatement and the domain would be reinstated to its
    > original Registrar. Dotster could submit a normal transfer request to
    > Melbourne IT for the domain name and hope that Melbourne IT agrees to
    > transfer the name back to them outside of a dispute having been filed.
    > In order to expedite processing the transfer or submitting a Request for
    > Reinstatement however Dotster will need to contact Melbourne IT
    > directly. If Dotster is unable to get in touch with anyone at Melbourne
    > IT we can assist them directly if necessary.
    >
    > Best Regards,
    >
    > Melissa Blythe
    > Customer Service
    > VeriSign, Inc.
    > www.verisign.com
    > info@verisign-grs.com

    1. Re:it's worse than that... by Aurix · · Score: 2, Informative

      As an Aussie, I don't think I'll ever deal with Melbourne IT after hearing this. Their ridiculously high prices are meant to include top support... Seems they're letting everyone down.

      Anyone know if they could stand to lose their registrar license? I mean, you can't just pass fraudulent transfers like that....

    2. Re:it's worse than that... by bentcd · · Score: 1

      Top support to _their paying customers_ I expect, not top support to foreign companies trying to inconvenience same customers ...

      --
      sigs are hazardous to your health
    3. Re:it's worse than that... by Aurix · · Score: 1

      Yeah, but surely ICANN should/would be interested if MelbourneIT are not interested in at least attempting to resolve the conflict? Given that they transferred the domain in the first place...

    4. Re:it's worse than that... by NanoGator · · Score: 1

      "Alexis Rosen tried to send this to NANOG earlier this evening but it looks like it never made it"

      Damn, that startled me!

      --
      "Derp de derp."
    5. Re:it's worse than that... by Fully+Sick+Like+Ot's · · Score: 3, Interesting

      Hi Aurix, You make some valid points, but the blame should definately not be put all onto Melbourne IT. I had to lock many of my domain names because of a new transfer policy inforced by ICANN on the 12th of November 2004, which stated pretty much, that once a transfer was initiated, no one was able to stop the transfer. Registrars like Melbourne IT and Dotsters are just pawns for bigger and smaller enemies, aka hijackers and governing bodies. I have all my domain names with Melbourne IT, and was notified by email that the transfer policy was going to be in place, and procedures to ensure my domain names were locked. I am concerned one of the oldest ISP's in America "PANICS" didn't have there domain name locked (only unlocked with a domain name password). I would also question how this hijacker got the 'victims' password to transfer the licence to another registrar? I definately think people should research facts before they blurt out how horrific the whole scenario is. Any one heard of bureaucratic red tape, I am guessing once Melbourne get's past it they will act accordingly to resolve the issue. Regards, Fully Seriously Sick!

    6. Re:it's worse than that... by Aurix · · Score: 1

      Yeah, but Melbourne IT could do themselves a huge favour and release some details and help Panix out. It's called Goodwill.

    7. Re:it's worse than that... by Anonymous Coward · · Score: 0

      Goodwill or not, if the transfer requests were authorised (not, specifically, declined), there is no reason for Melbourne IT to do anything.

      The blame rests with Dotster. Dotster can contact Melbourne IT and ask for the domain name returned to their control. Have Dotster done so? I think not. Now, wouldn't it be Goodwill on Dotster's behalf to act in the interests of their customer, considering they let the transfer process proceed? Oh wait, according to them, THE DOMAIN NAME IS STILL UNDER THEIR MANAGEMENT AND THERE IS NO PROBLEM. Wake up, people!

    8. Re:it's worse than that... by SilverspurG · · Score: 3, Funny

      It's called Goodwill.

      Does that still exist? Everything is about the law these days.

      --
      fast as fast can be. you'll never catch me.
    9. Re:it's worse than that... by Fully+Sick+Like+Ot's · · Score: 1

      Ha Ha definately if we lived in a perfect world Auril, where Customer Service, mean't 'customer service' but how many companies that you know that put the customer 'first', geez we would make no money....LOL Have you ever worked for a company that could just do what you wanted, look at every company you have ever dealt with, terms and conditions, policies, procedures. They have to be followed or things go wrong.... For example a domain being hijacked, it would never happen if people followed procedure....locking a domain name...registrars have very little to do with a transfer, blaming either DOTSTER or MELBOURNE IT is just a joke. basically some Preostoric ISP company, turned out to not manage their systems/domains properly, never locked their domain name, probably have spam filters on high, missed the email to reject the transfer and (trumpet blowing) look what happens, so they get on the phone, find their is a procedure to follow, spill some milk, cry some more, spill some more milk, then are not happy with the results, so do a post. geez these stories are all the same and very tiring. The moral is people need to take responsibility for their actions, (or lack of). Although I agree with you 100% that Melbourne IT should be 24/7 I mentioned that when I got a hosting account, and I got a reply back to say that they are in the process of becoming 24/7. I have personally never had a company even bother to notify a client of changes in the future, so what can I say they have my vote. Hopefully once the true story comes out we can see how it happened. I am certainly confident of the result coz I am seen it all before.

    10. Re:it's worse than that... by Anonymous Coward · · Score: 5, Insightful

      I'm just a paralegal, so this isn't legal advice. But I've worked on these cases enough to know what that letter is telling you. First, you need to hire a lawyer to handle this. Second, the letter is telling you the precise steps to take. Follow them like you would command line instructions and you will get the best results.

      Only the new registrar can help. That is your target. Get Dotster to send the Request for Enforcement. Call up and get to know someone at Dotster (and Melbourne) and call and call and call. Be friendly and do all they ask, step by step. Give them all the info you can find about the new person claiming ownership. Look up in Betterwhois and find out who is the new owner. I'm betting dollars to doughnuts, you will find it isn't a real address. Try to contact the new owner by the address, email, phone listed. If you get no response, tell Dotster. Point that out. Find out if the new place is spamming, porn, whatever. That is almost certainly what is happening to your customers. Make clear to the new registrar that they got the domain through lying, trickery, however they got it. Details and proof.

      This is a standard hustle, and usually names change as well as registrars. They generally use more than one hop because it is harder to get it back, harder to trace. Verizon is the worst, in my experience, and they won't help you, but if you can get Dotster and Melbourne on this, they will have to. Make a note of who didn't help you and make future decisions about who you want as your registrar.

      You should be able to get it back, but it may take time.

      Again, the key to it all is get a lawyer. They know exactly how this dance goes. A lawyer who does UDRP. That is what you ask for. It's called domain name hijacking.

    11. Re:it's worse than that... by Anonymous Coward · · Score: 0

      should definately not be put
      I definately think

      "definitely".

      didn't have there domain name locked

      "their".

      Melbourne get's past it

      "gets".

    12. Re:it's worse than that... by Anonymous Coward · · Score: 0

      definately if we lived

      "definitely".

      mean't 'customer service'

      "meant".

      some Preostoric ISP company

      "prehistoric".

      find their is a procedure to follow

      "there". (Actually, "that there" is better.)

      I am seen it all before

      "I have seen".

    13. Re:it's worse than that... by Anonymous Coward · · Score: 0
      Google search for MelbourneIT

      Top result

      Contacts:

      WorldWide Offices
      Australian Office: Melbourne
      Street Address: Level 2, 120 King Street, Melbourne Victoria 3000, Australia
      Customer Support: Australian Callers 1300 654 677; International or Mobile Phone Callers +61 3 8624 2300
      Fax - Australian/Int'l: +61 3 9620 2388
      Hours of Operation: 8:30 AM - 1:00 AM Monday - Friday; 8:30 AM - 12:30 PM Saturday
      U.S. Office: San Francisco (Sales & Marketing)
      Street Address: Melbourne IT, 2200 Powell Street, Sixth Floor, Suite 690, Emeryville CA 94608
      Spanish Office: Madrid (Sales & Marketing)
      Street Address: Jorge Juan 8, 28001 Madrid, Spain
      Hours of Operation: 9am to 2pm, 4pm to 7pm
      Contact Information: Telephone +34 91 426 1951; Fax +34 91 435 8264


      [whois.internic.net]

      Whois Server Version 1.3

      Domain names in the .com and .net domains can now be registered
      with many different competing registrars. Go to http://www.internic.net
      for detailed information.

      Server Name: MELBOURNEIT.COM.AU
      Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
      Whois Server: whois.melbourneit.com
      Referral URL: http://www.melbourneit.com

      jwhois melbourneit.com.au -h whois.melbourneit.com
      [whois.melbourneit.com]

      (Response timed out)

      More BS:

      To notify Melbourne IT of your complaint or dispute send an email to policy@melbourneit.com.au

      Melbourne IT will acknowledge your email within 5 working days of its receipt, and will use all reasonable efforts to provide you with a response to your complaint or dispute within 30 days.

      If your matter is more appropriately dealt with by another organisation, we will advise you of any alternative options for resolving your complaint or dispute.

      For the curious, their AUP

      Please everyone do a 'ping -f whois.melbourneit.com' &; ping -f www.melbourneit.com.au
    14. Re:it's worse than that... by Anonymous Coward · · Score: 0

      This has nothing to do with the UDRP...

    15. Re:it's worse than that... by HiThere · · Score: 1

      ICANN? help??

      That concept contradicts everything I've ever heard about them.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    16. Re:it's worse than that... by Anonymous Coward · · Score: 0

      Dotster are a pile of crooks anyway, they have hijacked so many domains its not even funny.

      Perhaps it's time for alternative action..

    17. Re:it's worse than that... by MysteriousPreacher · · Score: 1

      That post is probably the most interesting thing you'll do in your life and you're not even getting credit for it AC.

      --
      -- Using the preview button since 2005
  23. Re:What did you expect from Australia? by martinoforum · · Score: 1

    You mean, aside from slashdot editors? Kidding, kidding.

    Seriously though, MelbourneIT is a pretty big company in this part of the world. I'm in New Zealand, and they're one of the most important of a small bunch of companies able to offer .co.nz domains - which they do, like all the others, at a price approximately equivalent to five times that of a dotcom on the international market. Considering a .co.uk costs around a fifth of that price with most registrars, that makes New Zealand domains worth approximately 25x that of a co.uk.

    Go figure. Maybe that's why I'm a dotcom, eh?

  24. Flamebait? by Anonymous Coward · · Score: 0

    Why is this flamebait? For telling the truth??

  25. You tawkin' ta ME? by Doc+Ruby · · Score: 2, Interesting

    Panix is an old haunt of lots of very savvy New York geeks, particularly security and OS hackers with lots of money and techniques. I'd hate to piss them off, especially with an attitude that merely a planet-width and a foreign law license protects me from my obligation not to screw them.

    --
    make install -not war

  26. how do posts like this get modded up? by Anonymous Coward · · Score: 0

    You project that someone else will persecute simply so you can rail against it? And then people think this is somehow laudable?

    I don't get it. Why not wait and find out what happens?

    Just bizarre. Slashdot is one of the most unusual communities I've ever seen. Complain about anything, or in this case nothing, and you're an instant hero.

    1. Re:how do posts like this get modded up? by Anonymous Coward · · Score: 0, Redundant

      how do posts like this get modded up?

      Because some of us actually know what goes on here behind the scenes and want to fight back?

      Why not wait and find out what happens?

      Wait and find out? This happened some years ago and the facts have been solidly established that Michael Sims took the domain away.

      Complain about anything, or in this case nothing, and you're an instant hero.

      Yeah, post some evil facts about someone's injustices and those scumsuckers will make sure they go through hell for it.

    2. Re:how do posts like this get modded up? by Anonymous Coward · · Score: 1, Interesting

      The grandparent post has already been modded down at least twice (and modded up again twice) in the period from roughly 12:45 AM - 1:00 AM.

      Furthermore, the parent post has been modded down (and then back up to +4) in the same time-period.

      Perhaps these were all independent people modding things down, but something leads me to believe that there are some valid points here

    3. Re:how do posts like this get modded up? by Anonymous Coward · · Score: 0

      he's talking about you ranting about the moderation that hasn't actually happened. Not about michael.

    4. Re:how do posts like this get modded up? by Anonymous Coward · · Score: 0

      There's also enough people on /. who metamod every downmod "unfair".

  27. use Godaddy.com by Spy+Handler · · Score: 1

    they're real good about protecting their customers from hijackers. They were one of the first ones to lock down outside domain transfers when that whole domain expiration thing happened a few months ago.

  28. MelbourneIT Criminals by Doc+Ruby · · Score: 4, Insightful

    As this post points out, having hijacked panix.com, MelbourneIT could be logging all userID/password logins to shell.panix.com. So Panix customers should all login to the "temporary" replacement, shell.panix.net, and change their passwords ASAP. Then fly to Melbourne with baseball bats.

    --
    make install -not war

    1. Re:MelbourneIT Criminals by martinoforum · · Score: 1

      That's probably a bit extreme to accuse MelbourneIT of this, they're not a small company.

      Bastards perhaps, but not quite on the deliberate hijacking/password logging scale. They're the primary "stabilising registrar" for New Zealand's top level domain for a start! Sure, there's only four million people here... but still...

      The thread you are linking to is a little less sensational than you're being. There is a suggestion that the malicious attackers could be doing this, but not MelbourneIT. The main suggestion there is that MelbourneIT don't seem to realise the gravity of the situation and are sitting around down at the beach enjoying their summer. I can kind of understand, it's bloody hot over here at the moment and I'm having a bitch of a time concentrating on a magazine feature I'm supposed to be finished with by Tuesday.

      I'm sure they'll get it eventually, but it's not really an excuse for not having a good 24/7 contact for expensive emergencies like this.

    2. Re:MelbourneIT Criminals by Doc+Ruby · · Score: 2, Interesting

      Actually, the circumstantial evidence of the timing doesn't weigh as heavily as the original message, from Thor, in that merit.edu thread, in which he refers to other reasons to be "suspicious". Combine that with the corroboration in this Slashdot thread of exactly this kind of malfeasance by MelbourneIT in the past, and they're looking pretty culpable. Especially in the light of their corporate response: the CEO tells their counsel to tell Panix to get lost, rather than telling a tech to look into the problem.

      MelbourneIT's size and importance are totally irrelevant to their possible guilt. If anything, big, important corporations hide behind their straight appearance to commit the most grievous acts. I'm sure MelbourneIT will get this, especially if they're violating any laws anywhere with this kind of "incompetence", and Panix suffers any losses - likely. Then they'll find out that a gang of jetlagged New Yorkers with baseball bats is the easy way, compared to the lawyers who speak so politely.

      --
      make install -not war

    3. Re:MelbourneIT Criminals by martinoforum · · Score: 1

      I don't know about that "They must be guilty - they called the lawyer!" business. From the posting I read it looked like they got a call back from the lawyer because the lawyer would be the one in the position to make the decision to call a tech. The suggestion here is more that MIT misunderstood the gravity of the situation rather than deliberately acted with malice. I know in the US (and UK - I'm English) things are a touch more fast-paced, but there's a couple of things that are a touch different over this side of the planet - at least in New Zealand. Firstly, a lot of companies are not open on the weekends. Even the ones that are typically run in a fairly "headless" manner - you might get some guys in the call centre, but you can bet the management have their phones turned off. Why? Well, one of the interesting features of this country is that people are quite horrifyingly overworked, at least compared to the UK. It's quite possible to get a job over here that pays below the British minimum wage that will attempt to get you to work above fifty hours - and we're not talking about a crap job here either, this could be a fairly interesting position at a mid-sized company. As a result of this, when the company finally lets people go home they tend to turn the damn phone off in the hope that nobody is going to call them.

      I don't know if this is the case with MIT, but I wouldn't go assuming that they're a front for Al Qaeda/working for Michael Sims/Same-thing-we-do-every-night-Pinky just yet. It's a pretty safe bet they're all just drunk and have yet to figure out what the hell is going on. As for past incidents of a similar nature, you'd better believe there's companies that don't close their procedural loopholes in a hurry. Maybe the responsible parties have just managed to use the same exploit as last time via the same parties because, as mentioned above, everybody is too overworked in other areas to care? Domain registration is not exactly a high-margin business for many.

    4. Re:MelbourneIT Criminals by Anonymous Coward · · Score: 0

      You really need to use a cricket bat in Melbourne.

    5. Re:MelbourneIT Criminals by Anonymous Coward · · Score: 0

      One would hope most people would notice the "Wrong ssh key fingerprint" type error...

    6. Re:MelbourneIT Criminals by dbIII · · Score: 1
      That's probably a bit extreme to accuse MelbourneIT of this, they're not a small company.
      No, they are a government run monopoly for the ".au" domain that is busy trying to get back the cash that was wasted on a big chunk of ".com" while the tech boom was crashing but still paying the top price of the market.

      Government run companies are strange things, rules are more important than the reasons for them.

    7. Re:MelbourneIT Criminals by Strepsil · · Score: 1

      I think you're a bit out of date. Melbourne IT does not have a monopoly in .au by a long shot (.au is managed by auDA, and has many registrars), and it's been a publicly listed company for ages.

    8. Re:MelbourneIT Criminals by Anonymous Coward · · Score: 0

      "Corroboration"? In this thread? I've seen one poster make an accusation at Melbourne IT SEVERAL TIMES (repeat it until it's true?), but haven't seen any link to any cases where Melbourne IT has clearly done something "evil".

      Another thing that's eluding me - what the hell does Melbourne IT have to gain from this? Where's the motive? What could convince a registrar to deliberately pull a stunt like this?

      Show me a way that Melbourne IT can make enough money doing this to make it worth throwing away their entire business, risking ICANN taking away their accreditation, and starting up again with just a few stolen domain names - then I'll start thinking about their possible guilt.

      There's no reason for it - at all.

    9. Re:MelbourneIT Criminals by Doc+Ruby · · Score: 1

      Maybe that's why MelbourneIT is getting away with it. In NYC, the land of baseball, nobody tries to pull this crap anymore - they've already been weeded out with our network debugging tool.

      --
      make install -not war

    10. Re:MelbourneIT Criminals by Doc+Ruby · · Score: 1

      Alas, that's where Panix's own bad architecture is guilty of creating a vulnerability. shell.panix.com, their "login gateway" to their network, is a DNS round-robin of several machines, each with their own IP#, but sharing the same FQDN. Since the IP# is part of the ssh key, more often than not the login to the "same" server (by DNS) first warns that the keys are not the same (different actual hosts). So Panix has trained users that logins look insecure, but are secure. It's an interesting "social misengineering" flaw: apparent insecurity when the system is secure makes later actual insecurity hard to detect.

      However, this compromise is not really very serious, in this specific case. ssh login attempts to panix.com yesterday merely refused connections on port 22, before a password could be sent interactively; invoking ssh with the password on the commandline could possibly send the password to a server which refused the connection, or (more practically) inetd or the OS could log the connection attempt's packets, though it refused the connection. But such passwords are sent in the clear, before encryption is negotiated; every router along the way could log those packets, and I believe that the ssh client might leave the commandline intact in memory, in the ps list for example. Also, most Panix users use POP email, which sends their account login password in the clear every minute or so to check mail - an incredibly stupid protocol. So anyone sniffing mail.panix.com packets traversing the Internet any time in the past 15 years or so could get account passwords.

      My Slashdot post is clearly not the venue in which to warn Panix users to secure their accounts. It is more of a demonstration to Slashdotters just what MelbourneIT has achieved by cracking DNS, outside of the Panix system. These dependencies are major security bottlenecks that most geeks can learn from in our own practices.

      --
      make install -not war

    11. Re:MelbourneIT Criminals by Doc+Ruby · · Score: 1

      I don't know the actual reason - maybe they're just stupid, greedy and obnoxious, fed by the nonaccountability of both a big multinational corporation and ICANN. But here's a way they could make money (though apparently not [yet] in this case): the new "owner" of Panix.com tried to pay Panix say $50K to sell the domain name, but Panix refused, so MelbourneIT cracked it off for $10K. Since Panix.com now points to a "parked" domain squatter page, that's probably not the case here. But you asked for a way, and that's an obvious one. And the repercussions aren't clear: they're almost certainly not going to lose "their entire business". Plus, many hijacks like this probably succeed, because the original owner doesn't have the expertise or other resources to pursue justice, especially globally and within the untested ICANN/WTO system. Thinking about possible guilt yet?

      --
      make install -not war

    12. Re:MelbourneIT Criminals by Antique+Geekmeister · · Score: 1

      You noticed that part! The sales of the panix.com mailing addresses alone can pay the thieves' bills for pulling this scam, and is a lot tougher to prove and convict anyone for than the wire fraud you are mentioning.

    13. Re:MelbourneIT Criminals by Doc+Ruby · · Score: 1

      Actually, as I noted in another post, Panix POP accounts send account login/passwords in the clear across the Internet steadily, so just a packet sniffer would suffice, with even less evidence.

      --
      make install -not war

    14. Re:MelbourneIT Criminals by tjls · · Score: 2, Informative
      For what it's worth:

      1) IP addresses are not "part of ssh keys" -- and I can say this with some authority, as the author of one of the first open-source SSH implementations. (Please don't use it here-now-today, it's painfully obsolete!)

      2) SSH clients can store multiple valid keys per DNS name (or, for that matter, per IP address) and multiple physical hosts can have the same SSH private key (the latter, in fact, is probably how Panix should configure its shell servers. Since they provide the same service with the same authentication requirements, using the same SSH key is almost certainly right).

      3) A lot of SSH clients suck, about both these things. To this day, some can't cope gracefully with either condition at all though it's a matter of about 10 lines of code in each case to do so. Even OpenSSH can't deal with the somewhat less common situation of a host having two different keys on two different IP addresses. It's a sad fact that no matter what you do users seem to blindly click through the client's warning messages -- which, I think, disincents developers to get which message appear when exactly right.

    15. Re:MelbourneIT Criminals by Ben+Hutchings · · Score: 1
      Since the IP# is part of the ssh key, more often than not the login to the "same" server (by DNS) first warns that the keys are not the same (different actual hosts).

      ssh keys do not contain IP addresses. They could avoid this by using the same host key on all the machines.
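The two comments above say that a host key is bound to a name or address only in the client's known_hosts store, that a store can hold several keys per name, and that several hosts can share one key. The added example below (a simplified model of a client's lookup, not OpenSSH's code and not from the thread) shows the warning a single stored key produces behind a DNS round-robin and how multiple entries or per-IP entries remove it while still flagging an unexpected key. The host name, the 192.0.2.x addresses and the key blobs are constructed; wildcard patterns and `@cert-authority` / `@revoked` lines are skipped.

```python
import base64
import hashlib
import hmac


def fingerprint(blob_b64):
    """SHA256 fingerprint of a base64 key blob, in the form ssh-keygen -l prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host(host, salt):
    """Build a hashed known_hosts host field: |1|salt|HMAC-SHA1(salt, host)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                             base64.b64encode(mac).decode())


def host_matches(pattern, host):
    """Match one host field entry, either plain text or hashed."""
    if pattern.startswith("|1|"):
        parts = pattern.split("|")
        if len(parts) != 4:
            return False
        mac = hmac.new(base64.b64decode(parts[2]), host.encode(),
                       hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(parts[3]))
    return pattern.lower() == host.lower()


def load_known_hosts(text):
    """Parse known_hosts text into (host_patterns, key_type, key_blob) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#@":   # comments and marker lines skipped
            continue
        fields = line.split()
        if len(fields) >= 3:
            entries.append((fields[0].split(","), fields[1], fields[2]))
    return entries


def check_host_key(entries, host, key_type, key_blob):
    """Return 'match', 'mismatch' (host known, key differs) or 'unknown'."""
    host_known = False
    for patterns, ktype, blob in entries:
        if ktype != key_type:
            continue
        if any(host_matches(p, host) for p in patterns):
            if blob == key_blob:
                return "match"
            host_known = True
    return "mismatch" if host_known else "unknown"


# Constructed data: three hosts behind one round-robin name. The blobs are
# placeholders, not real SSH public keys.
NAME, KTYPE = "shell.example.net", "ssh-ed25519"
KEYS = {ip: base64.b64encode("constructed host key {}".format(i).encode()).decode()
        for i, ip in enumerate(("192.0.2.11", "192.0.2.12", "192.0.2.13"))}
ROGUE = base64.b64encode(b"constructed key of an unexpected host").decode()

SINGLE = "{} {} {}\n".format(NAME, KTYPE, KEYS["192.0.2.11"])
MULTI = "".join("{} {} {}\n".format(NAME, KTYPE, k) for k in KEYS.values())
BY_IP = "".join("{} {} {}\n".format(ip, KTYPE, k) for ip, k in KEYS.items())

if __name__ == "__main__":
    for label, store in (("single key", SINGLE), ("one line per key", MULTI)):
        entries = load_known_hosts(store)
        verdicts = [check_host_key(entries, NAME, KTYPE, k) for k in KEYS.values()]
        print(label, verdicts, "rogue:", check_host_key(entries, NAME, KTYPE, ROGUE))
    by_ip = load_known_hosts(BY_IP)
    print("per-IP", [check_host_key(by_ip, ip, KTYPE, k) for ip, k in KEYS.items()])
    print("rogue key", fingerprint(ROGUE))
```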

    16. Re:MelbourneIT Criminals by Doc+Ruby · · Score: 1

      By "contain" I mean "infodynamically": as you more accurately describe, their different host ID info generates different host keys, which they could reduce to one, I believe. They're pretty savvy over at Panix; I wonder why they don't do that?

      --
      make install -not war

    17. Re:MelbourneIT Criminals by Anonymous Coward · · Score: 0

      No, not really. $10,000 might seem like a lot to you, but for a company the size of Melbourne IT, it's nothing. That's not enough to pay one front-line tech for a year, let alone get the CEO rich. The amount of hijacks required to pay even _half_ their staff would be immense and incredibly noticeable.

      Besides, the only hijackings that'd be worth _anything_ would be high-profile ones. If, assuming you're right and many hijackings occur which target people without the resources to obtain justice, then how much can their domains possibly be worth?

      They're already turning over a steady profit (according to a report, $A1.68M after tax for half-year ending June 2004) by acting as a domain name registrar and hosting services provider. Where's the business sense in jeopardising that for a couple of thousand?

    18. Re:MelbourneIT Criminals by Doc+Ruby · · Score: 1

      So far, they're getting away with it - no cost. We'll see how it goes. BTW, $1.5M:y profit isn't so great - $10K payment for a couple of DNS hackers and a note from the lawyer are a small cost, if that's the upshot of this. Or it's a miscalculation, and someone will get fired. Meanwhile, Panix, NYC's oldest ISP, might very well not survive if all their customers leave for someplace "more reliable", even if there is no such place (except maybe a bigger, cloutier ISP, *like MelbourneIT*).

      --
      make install -not war

    19. Re:MelbourneIT Criminals by Royster · · Score: 1

      I am a Panix customer and I am not "trained that logins look insecure". In my ssh-hosts, I have a record, by IP, for each of Panix's shell hosts. I do *not* have a record labelled shell.panix.com. I ssh shell.panix.com and ssh finds the right key. No warnings unless something actually changes. No insecurities.

      --
      I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
    20. Re:MelbourneIT Criminals by Doc+Ruby · · Score: 1

      Some do, some don't: I have seen Panix users login with ssh and ignore the host key warning. I have more often seen Panix users repeatedly attempt login, get the warning, and drop the session, then attempt again, until DNS roundrobin offers them the host whose IP# they've cached with the host key they accept.

      BTW, what do you do about the POP login/password tuple sent in the clear?

      --
      make install -not war

    21. Re:MelbourneIT Criminals by Royster · · Score: 1

      I use encrypted IMAP, not POP or fetchmail over an ssh tunnel depending on where I'm reading mail. There is also a Panix webmail interface with SSL. Even with POP, there is an encrypted alternative which I had successfully used before converting.

      --
      I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
  29. pent-up anger by Trepidity · · Score: 4, Insightful

    Michael has irritated a lot of people over the years, so when an opportunity comes up to complain, there's a lot of people who do, and a lot more people who smile and say "finally!"

    (Whether this is a good or bad phenomenon is left as an exercise to the reader.)

    1. Re:pent-up anger by SilverspurG · · Score: 1, Interesting

      Michael has irritated a lot of people over the years

      You're not doing anything worthwhile unless someone gets PO'd.

      Quote from somewhere. I like it.

      --
      fast as fast can be. you'll never catch me.
  30. Local Action by Doc+Ruby · · Score: 3, Funny

    Anyone in Melbourne with a baseball bat, who wants free drinks the next time they visit New York, want to go "knocking" on MelbourneIT's door?

    --
    make install -not war

    1. Re:Local Action by stebe · · Score: 0

      I believe you would have a better turn out if you solicit Australians with cricket paddles, rather than Australians with baseball bats.

    2. Re:Local Action by Doc+Ruby · · Score: 1

      Probably, but I want the Panix "fingerprint" on MelbourneIT to hash out to a NYC origin. Cricket batter proxies welcome, though.

      --
      make install -not war

    3. Re:Local Action by zurtle · · Score: 1
      They don't play baseball in Melbourne. Try a tennis racquet or a cricket bat.

      IMHO, cricket bats are better... they have edges.

      --
      Couldn't stand the weather
  31. $rbtl by marafa · · Score: 1

    I would vote but I'm not a metamoderator

    --
    _ In Egypt Networks: Network Solutions with a Twist
  32. Already contacted people by ZenJabba1 · · Score: 2, Interesting

    I know some people in MelbourneIT, and have already spoken to them. They are looking into the issue

    --
    `find / -name "*your_base*" -exec chown us:us {} \;`
    1. Re:Already contacted people by Anonymous Coward · · Score: 0

      Dave Null is looking into the issue, eh?

    2. Re:Already contacted people by bani · · Score: 1

      looking into the issue and being completely ineffective? panix.com is still hijacked, nothing has changed.

    3. Re:Already contacted people by dbIII · · Score: 1
      looking into the issue and being completely ineffective?
      Conclusive proof that it's MelbourneIT! It's a corporatized government body, and you know what that means - twice the paperwork to fill out, run by geriatric timeservers that never completed twelve years of education with a board made up of political party hacks that never managed to get elected.
    4. Re:Already contacted people by phayes · · Score: 3, Funny

      Your sig forks a process per file, how inefficient...
      Try using:
      `find / -name "*your_base*" -print | xargs chown us:us`

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    5. Re:Already contacted people by fishdan · · Score: 1

      Hilarious! Can't argue with logic like that

      --
      Nothing great was ever achieved without enthusiasm
    6. Re:Already contacted people by fcw · · Score: 1
      Your sig forks a process per file, how inefficient...
      Try using:
      `find / -name "*your_base*" -print | xargs chown us:us`

      Unfortunately, this suggestion is less robust than the original version; it breaks when the file names contain symbols that the shell thinks are special.

      If you have support for the options that separate args with null, you can do:

      find / -name "*your_base*" -print0 | xargs -0 chown us:us

      Otherwise, the original version is better, despite being less efficient.
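
The splitting behaviour fcw describes above, as an added example that is not part of the original thread. The function names and file names are constructed for the demo, a counting stub stands in for `chown us:us`, and the `-exec ... {} +` form goes beyond what the thread mentions.

```shell
#!/bin/sh
# Added example: how each pipeline from the thread splits file names.
# All file names below are constructed for the demo; nothing is chown'ed.

# Stand-in for "chown us:us": prints how many arguments one invocation got.
COUNT='printf "%s\n" "$#"'

# Build a scratch directory holding three constructed file names.
make_fixture() {
    dir=$(mktemp -d) || return 1
    : > "$dir/plain_your_base"
    : > "$dir/all your_base here"                 # two spaces
    : > "$dir/$(printf 'your_base\nsecond')"      # embedded newline
    printf '%s\n' "$dir"
}

# find -print | xargs: xargs splits its input on blanks and newlines,
# so one file name can turn into several arguments.
count_print_xargs() {
    find "$1" -name '*your_base*' -print | xargs sh -c "$COUNT" sh
}

# find -print0 | xargs -0: names are NUL-delimited, one argument per file.
count_print0_xargs() {
    find "$1" -name '*your_base*' -print0 | xargs -0 sh -c "$COUNT" sh
}

# find -exec ... \; : one process per file, each given exactly one name.
count_exec_each() {
    find "$1" -name '*your_base*' -exec sh -c "$COUNT" sh {} \;
}

# find -exec ... {} + : POSIX batching, no pipe and no re-parsing of names.
count_exec_batch() {
    find "$1" -name '*your_base*' -exec sh -c "$COUNT" sh {} +
}

demo() {
    d=$(make_fixture) || return 1
    echo "files created        : 3"
    echo "-print | xargs       : $(count_print_xargs "$d") arguments"
    echo "-print0 | xargs -0   : $(count_print0_xargs "$d") arguments"
    echo "-exec ... \\;         : $(count_exec_each "$d" | wc -l | tr -d ' ') invocations"
    echo "-exec ... {} +       : $(count_exec_batch "$d") arguments"
    rm -rf "$d"
}

demo
```

With the plain `-print | xargs` form, the extra arguments are path fragments that the real command would act on as if they were separate files.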

    7. Re:Already contacted people by Anonymous Coward · · Score: 0

      Except that Melbourne IT isn't owned by the government. But yes, other than that, can't argue with the logic.

    8. Re:Already contacted people by Anonymous Coward · · Score: 0

      Lol! I never encountered the problem but now that you mention it I see your point. Now I need to work up a sed script to quote the shell metacharacters for my ancient servers that do not have null support. Thanks for the correction fcw!

  33. frontier justice by Anonymous Coward · · Score: 2, Insightful

    I have to post this as an AC but ....

    This is an issue like spam. Frankly, and I doubt Alexis Rosen et al. will go this route, but what should happen now is gunshot wounds to the head. My guess is this is a scam to clean out the paypal accounts of panix customers and/or steal domains that are hosted by panix.

  34. In summation: Michael owned a site and kept it. by Anonymous Coward · · Score: 0

    This has nothing to do with hijacking.

    1. Re:In summation: Michael owned a site and kept it. by martinoforum · · Score: 1

      In a technical sense, you're obviously quite right. In terms of the actual effect of his actions it's pretty indistinguishable though, and if anything worse because the people hurt by the incident have no legal recourse. Unlike poor old Panix, who will hopefully survive long enough to get their domain back and working again. I wish them luck.

      But hey, who cares about Mike and his morals? It's mostly interesting to watch the moderating fury at work, I've been watching this thread since it started and there's been a frantic burst of down-modding and up-modding on anything that's even slightly critical.

  35. Re:If they forgot to renew the domain by BJH · · Score: 2, Insightful

    Nice post - don't bother looking into the facts yourself, just start spouting wild speculation and slander.

    If you'd actually got off your fat ass and done some research, you'd know that the domain did NOT expire, and in fact the registrar still thinks it's registered with them (when it obviously isn't).

  36. Re:If they forgot to renew the domain by camcloud1 · · Score: 1

    Thanks for the flame but allow me to retort. When the article was originally posted and I made my reply it wasn't apparent what exactly had transpired. You can see from the other posters that this was the case. The new details weren't posted until I had made my post. Now I know it wasn't a case of simple domain expiration. Your point is valid, just a little harsh.

  37. Panix.com server looks like a spammers paradise by Chatmag · · Score: 3, Interesting

    Checking the IP that panix.com is on shows several thousand domains, and all seem to have odd names.

    That Las Vegas address used for panix.com is also similar to some used by spammers registering domains, and using a Nevada address in the whois.

    Maybe a check of some of the blocklists will show the panix.com IP listed already. 142.46.200.72

    You could try this link and see if the server is still up. (hint, slashdot effect)

    --
    Pete Carr Owner Chatmag.com
    1. Re:Panix.com server looks like a spammers paradise by arashi+no+garou · · Score: 1

      Apparently it is back in their control, or else the hijacker has been kind enough/sneaky enough to mirror panix.net on panix.com. It is 7:30am EST Sunday morning as I type this, and panix.com seems to be back to normal.

      However, I wouldn't trust it just yet. This could be a scheme by the hijackers to steal some info from panix customers.

    2. Re:Panix.com server looks like a spammers paradise by Vengeance · · Score: 1

      Well, at 8:15 EST Sunday morning for me, panix.com is showing as an 'under construction' parked domain.

      I've got it on 15 second auto-refresh, though... Just so I can keep an eye on the status.

      --
      It was a joke! When you give me that look it was a joke.
    3. Re:Panix.com server looks like a spammers paradise by Anonymous Coward · · Score: 0

      Checking the IP that panix.net is on shows only panix.com. Does this mean that the thief is merely mirroring panix.net to give the impression of a return to normality?

    4. Re:Panix.com server looks like a spammers paradise by Antique+Geekmeister · · Score: 1

      Don't do that! Damn it, slashdotting the DNS servers overloads them in a way that interferes with their recovery from the poisoned addresses. It can actually block the DNS zone transfers or lookups and keep the locally cached address. If you must set a check on it, reduce your frequency to something reasonable, like 15 minutes instead of 15 seconds to avoid local or upstream DNS caches from preserving old data.

  38. Someone please explain this to me by __aailob1448 · · Score: 1

    Why is panix offering 128Kbps ISDN for $50 a month? Who actually uses this?

    1. Re:Someone please explain this to me by vranash · · Score: 1

      Maybe people far enough out of town that they can't get broadband? ISDN is known for its long range, and a 128kb connection is probably a tad cheaper than a full or partial T1 to get :)

    2. Re:Someone please explain this to me by PerlDudeXL · · Score: 1

      I stuck to ISDN for a long time before switching over to DSL. And I still use ISDN for my phone.

      I know that some (IT) companies here provide ISDN dial-in for their employees to access the company's intranet.

    3. Re:Someone please explain this to me by vvenka1 · · Score: 1

      Sadly enough, I pay $120 for a lousy 128Kbps DSL line in India.

    4. Re:Someone please explain this to me by sulli · · Score: 1

      As others have noted, ISDN is useful if you can't get DSL. It's also a good backup to a T1.

      --

      sulli
      RTFJ.
    5. Re:Someone please explain this to me by spikedvodka · · Score: 1

      T1 line: $1500/month
      ISDN line: $50/month
      Router with auto-switchover: $4000
      Having corporate internet connection when the T1 line dies: Priceless

      there are some things in life money can't buy... for everything else there's $CC_Company

      --
      I will not give in to the terrorists. I will not become fearful.
  39. Password Recovery by msaulters · · Score: 4, Informative

    FAILED
    The Melbourne IT Registry Key for Domain Name panix.com was not able to be retrieved. This could be due to the Domain Name being managed by a Melbourne IT Reseller. Please contact your Reseller for assistance. If this fails, please go to our help center.

    www.panix.com is coming up with a freeparking.co.uk web page. This means that SOMEONE is handling DNS for the domain. That is the one piece of useful information in the current whois record. ns1.ukdnsservers.co.uk
    OK, looks like ukdnsservers.co.uk belongs to:
    Domain Name:
    ukdnsservers.co.uk

    Registrant:
    ActiveBytes Software LLC

    Administrative Contact's Address:
    2530 Channin Drive
    Wilmington
    DE
    19810 US

    Registrant's Agent:
    Fibranet Services Ltd [Tag = FIBRANET]

    Relevant Dates:
    Registered on: 25-Mar-2000
    Renewal Date: 25-Mar-2006
    Last updated: 11-Dec-2004

    Registration Status:
    Registered until renewal date.

    Name servers listed in order:
    ns3.ukdnsservers.co.uk 142.46.200.68
    ns4.ukdnsservers.co.uk 207.61.90.197

    This is a company on US soil. If the authorities have been contacted, the FBI should be breaking down these guys' doors right about now, cause they're involved in what could be considered an act of international terrorism, and I'm not being sarcastic. Either ActiveBytes Software, or one of their representatives has knowingly set up DNS records for panix.com, or they have been hacked.

    Unfortunately, it appears that even though their offices may be in Delaware, their DNS is a little farther north:

    traceroute 142.46.200.67
    (Most of traceroute omitted to pass bullshit lameness filter)
    23 145 ms 75 ms 74 ms AL-7304-GigE2.telecomottawa.net [142.46.200.1]
    24 82 ms 85 ms 88 ms 142.46.200.67

    Trace complete.

    traceroute 207.61.90.197
    (Most of traceroute omitted to pass bullshit lameness filter)
    18 65 ms 75 ms 64 ms core1-ottawa23-pos2-2.in.bellnexxia.net [64.230.234.90]
    19 221 ms 204 ms 217 ms ottcorr01-pos5-0-0.in.bellnexxia.net [206.108.99.146]
    20 Request timed out.
    21 244 ms 183 ms 225 ms ns4.ukdnsservers.co.uk [207.61.90.197]

    Trace complete.

    Maybe someone at telecomottawa.net could be contacted to track these people down or help out in some small way. Here's their Customer Care Page. They have a toll-free number! Let's see if enough of us call it, or perhaps if enough of Panix's unhappy customers call it, maybe TelecomOttawa will help out (wouldn't it suck if someone were to steal the telecomottawa.net domain name from them in a similar fashion?) Anyway, the TF# is 1-888-424-7771 (X3?)

    Man, this really pisses me off that someone was able to do this, and that these guys aren't having any luck getting the problem fixed.

    --
    These people looked deep into my soul and assigned me a number based on the order in which I joined.
    1. Re:Password Recovery by ErichTheWebGuy · · Score: 1

      Again, I refer to my earlier post about Melbourne IT being a crappy company to try to deal with. This is the exact problem I had. My domain was being "managed" by Yahoo domains (a Melbourne IT reseller), yet they refused to offer me any kind of support at all, whether via phone, email, or anything. Visiting Melbourne's "help" center only offered lip service and run-around.

      I repeat my advice which was offered above: Boycott Melbourne IT and all of its resellers until they get their shit together!

      --
      bash: rtfm: command not found
    2. Re:Password Recovery by Legion303 · · Score: 5, Insightful

      "cause they're involved in what could be considered an act of international terrorism, and I'm not being sarcastic."

      Maybe not, but you're sure diluting the living fuck out of the word "terrorism."

    3. Re:Password Recovery by HeghmoH · · Score: 2, Informative

      You can blame various governments for that, they've been doing it for a long, long time.

      --
      Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
    4. Re:Password Recovery by dbIII · · Score: 3, Insightful
      they're involved in what could be considered an act of international terrorism
      Terrorists kill people - let's keep some perspective here.
    5. Re:Password Recovery by legojenn · · Score: 1

      hmm Telecom Ottawa is a subsidiary of Hydro Ottawa, our city-owned electric company. If the internet company acts as quickly as the hydro company, then maybe Panix will get a response by next year.

      --
      I make a reasonable middle-class wage by going to work and not spamming blogs with scams.
    6. Re:Password Recovery by Anonymous Coward · · Score: 0

      Terrorists cause terror, which may or may not involve killing people, many groups issue warnings about attacks so the authorities have time to get people out of the area. Ever wondered where the prefix terror comes from in terrorist? It sure isn't from the word kill.

    7. Re:Password Recovery by Anonymous Coward · · Score: 0

      No, terrorists cause terror. You don't necessarily need to kill anyone to do that.

    8. Re:Password Recovery by Fnkmaster · · Score: 1

      Can't we just call them "international criminals" and all be happy about it? Somebody is committing a flagrantly criminal act, either for personal gain, retribution against a competitor or former employer, or maybe just some 3733+ hacker cred, depending on who the ultimate perpetrator turns out to be.

      If your goal is to inflict mass terror on a population, hijacking popular domain names seems to be a pretty poor way of accomplishing it. If you just want to waste people's time, cost a business lots of money, and generally be a vandal, then it seems like a reasonable thing to do.

    9. Re:Password Recovery by Grey_14 · · Score: 1

      No, Terrorists use terror to achieve political gains, usually this terror is caused by killing people, but maiming people, threatening people, or disrupting important services is a start on that, though I don't think this should be considered terrorist, just saying is all...

    10. Re:Password Recovery by Anonymous Coward · · Score: 0

      How's that? I'd certainly be terrified if my business were in jeopardy due to some hijacker.

    11. Re:Password Recovery by moonbender · · Score: 1

      How's that? I'd certainly be terrified if my business were in jeopardy due to some hijacker.

      And I'd certainly be terrified if I saw Britney Spears live. That doesn't make it terrorism. Many people are terrified by dentists - or mice! - that doesn't make either terrorists.

      --
      Switch back to Slashdot's D1 system.
    12. Re:Password Recovery by 6800 · · Score: 1

      Actually it is a brilliant terrorist plot! Just get all the slashdotters to fly to .au with baseball bats.... and a few .au'rs with cricket paddles and sit back with a no mea culpa smile :-).

    13. Re:Password Recovery by zurtle · · Score: 1
      Terrorists don't necessarily kill people. Terrorists terrorise people.

      You've been watching too much TV.

      --
      Couldn't stand the weather
    14. Re:Password Recovery by Anonymous Coward · · Score: 0

      where does this bizarre idea that a cricket bat is called a cricket paddle come from?
      I've seen a few people say cricket paddle in the course of this discussion.

      It's a BAT.

    15. Re:Password Recovery by Antique+Geekmeister · · Score: 1

      The FBI computer crime group is one of the biggest jokes in modern law enforcement. Companies actually refer computer crime to the FBI in order to never be bothered about it again, and pretend to have done something useful.

    16. Re:Password Recovery by jonadab · · Score: 1

      > Terrorists kill people

      Not necessarily. Well, usually, because that's pretty effective. But the
      key thing that terrorists do is terrorize, i.e., scare people out of their
      minds. There *are* other effective ways to do that besides killing.
      Arranging strategic power outages will do the trick nicely, for example.
      Some of the wilder Y2K propaganda also qualified; I know people who were
      more scared then than they were the day after 9/11. You don't have to
      actually kill anyone to make people fear for their lives.

      > let's keep some perspective here.

      Agreed. Domain hijacking is definitely criminal, but PANIX isn't major
      enough for it to qualify as international terrorism. (OTOH, if they were
      to hijack, say, CNN.com and post some alarming fake news, that could
      qualify as terrorism.)

      --
      Cut that out, or I will ship you to Norilsk in a box.
    17. Re:Password Recovery by rjreb · · Score: 1

      Consider his sig.

      --
      Pork is not a verb
    18. Re:Password Recovery by Wolvie+MkM · · Score: 1

      I work for Telecom and we've been on it for quite some time thank you. Have faith people...

      --
      I Like Pie...
  40. on a related item... by David427 · · Score: 1

    Does anyone know where, or how, one can discover the provider for any given email address? For example, if I have an email account "@consultant.com," it turns out that I log into www.mail.com to sign-up for and use that suffix/account. Is it possible to figure out where/who issues any given address or type of address? Thanks! David

    1. Re:on a related item... by mabinogi · · Score: 1

      Look at the MX record for it.

      if you've got nslookup then simply run
      nslookup
      > set query=mx
      > consultant.com

      And that will give you the name of the mail server(s) handling mail for that domain.

      If you don't have nslookup (since it's deprecated), then there's a dig command that will do the same, but I don't know the syntax.

      Also "whois consultant.com" is probably useful too...

      --
      Advanced users are users too!
    2. Re:on a related item... by Anonymous Coward · · Score: 0
      www.dnsstuff.com allows you to do whois and NSLookup, as the previous poster described, to find the MX record. Go to dnsstuff.com and do a NSLOOKUP of ANY or MX, and you'll get what you need. (the IP of the mail handling server). It won't give you the location (postal address or anything), but often you can traceroute (using DNSSTUFF!) to get a rough location (city) of where the mail server is.

      still, you might be located in Phoenix, checking your mail in Washington. Just because the mail server is in Washington, that tells nothing about where the user is.

    3. Re:on a related item... by vandy1 · · Score: 1

      I use the host bundled with bind9:

      host -t MX consultant.com [optional query resolver]

      man host will help you out... Cheers.

    4. Re:on a related item... by David427 · · Score: 1

      Hey Mabinogi, thanks, nslookup appears to work like a champ. But having a little trouble discerning the results it's giving me. For the email suffix "@consultant.com" I found that one can visit "www.mail.com" and login for mail there (it isn't free, of course, to setup an account with them necessarily, but worth looking into) However, I haven't discovered where one goes for "@wdlenterprises.com" nslookup gives:

      -----
      wdlenterprises.com MX 5 inbound.net.registeredsite.com
      wdlenterprises.com NS dns1.hostpro.net
      wdlenterprises.com NS dns2.hostpro.net
      wdlenterprises.com NS dns3.hostpro.net
      inbound.net.registeredsite.com A 216.122.69.129
      dns1.hostpro.net A 64.226.28.37
      dns2.hostpro.net A 69.0.145.37
      -------

      What do you make of it? Where/how does "joe"@wdlenterprises.com retrieve mail? Thanks for the insight! David

  41. Oz Time atm by Magickcat · · Score: 1

    It's 9pm on a Sunday night for melbourneIT at the moment. At worst, they'll be open in twelve hours time from now.

    --

    Si tacuisses philosophus mansisses. If you had kept quiet, you would have remained a philosopher.

    1. Re:Oz Time atm by Anonymous Coward · · Score: 1, Funny

      Yeah, that will give them about a 36 hour response time. Nice.

    2. Re:Oz Time atm by Magickcat · · Score: 1

      You're obviously an optimist.

      --

      Si tacuisses philosophus mansisses. If you had kept quiet, you would have remained a philosopher.

  42. Re:If they forgot to renew the domain by Anonymous Coward · · Score: 0

    Thanks for the flame but allow me to retort. When the article was originally posted and I made my reply it wasn't apparent what exactly had transpired. You can see from the other posters that this was the case. The new details weren't posted until I had made my post. Now I know it wasn't a case of simple domain expiration. Your point is valid, just a little harsh.

    So now that your original post is (Score: 1, Informative), you still think it's OK to post speculation first, then verify later?

  43. Melb IT certainly is to blame by Anonymous Coward · · Score: 0

    look at the NANOG discussion. After everyone and their brother tried to get in touch with melbourne IT to let them know there was a problem, Melbourne IT's response was to have its corporate legal counsel call Panix and tell them they wouldn't do anything to help until Monday even if the Oz police themselves called and asked them to. "copping a lot of shit for something that's not their fault" ha ha ha.

    1. Re:Melb IT certainly is to blame by Anonymous Coward · · Score: 0

      I don't have all the facts, I'll admit that - and I don't know who spoke to whom at Melb IT and elsewhere ... but I _do_ know that Melb IT would never be a willing participant in something like this.

      Someone's fucking Melb IT over here, just like everyone else is getting fucked. There's been a security breakdown somewhere. From a legal perspective, I can understand them wanting to be very fucking cautious about handling this.

      As an aside - I _know_ people are working on getting to the bottom of this issue at Melb IT's end right at this moment.

  44. possible implications.. by ctime · · Score: 1

    Cyber police?

  45. Found the owner of their name server IP by msaulters · · Score: 1

    First name server is ns1.ukdnsservers.co.uk, IP 142.46.200.67

    Connecting to whois.arin.net...

    Telecom Ottawa Inc. HOT-TELECOMOTTAWA-9 (NET-142-46-199-0-1) 142.46.199.0 - 142.46.202.255
    Koallo Inc. TOL-142-46-200-64-95 (NET-142-46-200-64-1) 142.46.200.64 - 142.46.200.95
    # ARIN WHOIS database, last updated 2005-01-15 19:10

    So, IPs 64-95 belong to Koallo, Inc. A little Googling turns up the following:
    http://www.whois.sc/bellsquarry.info

    Which lists the Registrant as one Ann Street, 5 Calder Road, Bellsquarry, Livingston, GB. ann.street@btinternet.com

    Fake? Probably. But I'd be sending some buddies with baseball bats over to check it out, anyway, and also to 2530 Cannin Drive, Wilmington, Delaware.

    --
    These people looked deep into my soul and assigned me a number based on the order in which I joined.
    1. Re:Found the owner of their name server IP by msaulters · · Score: 1

      Wow, I don't know about this now... Googling for bellsquarry and ann street gives some fascinating results, but definitely nothing to indicate that Ann Street is anything more than an innocent bystander.

      --
      These people looked deep into my soul and assigned me a number based on the order in which I joined.
    2. Re:Found the owner of their name server IP by rs79 · · Score: 1

      "Which lists the Registrant as one Ann Street, 5 Calder Road, Bellsquarry, Livingston, GB. ann.street@btinternet.com

      Fake? Probably. But I'd be sending some buddies with baseball bats over to check it out, anyway, and also to 2530 Cannin Drive, Wilmington, Delaware."


      Worse, I sent an IP/domain attorney over there and should hear back soon, complete with cellphone cam pics. If nobody's home (it's a residence) not much will happen though.

      --
      Need Mercedes parts ?
  46. Re:Man, I remember when trendy names were cool by Anonymous Coward · · Score: 0
    This is New York we're talking about. The city is a hellhole anyway, what's a little more screwed up services going to do?
    Well I guess now we know that John Rocker posts to Slashdot.
  47. Re:Michael Sims A.K.A. #1 Domain Hijacker by Anonymous Coward · · Score: 0

    > Sent: Friday, October 06, 2000 4:24 PM

    Don't you think it's time to move on?

  48. Re:If they forgot to renew the domain by BJH · · Score: 2, Insightful

    Sorry for the thermite reply, but suggesting the oldest ISP on the East Coast can't find their own asses with a flashlight and a map is a bit insulting.

    In any case, I apologise for overreacting.

  49. Re:Panix & FREE Mini Macs by Anonymous Coward · · Score: 0
  50. Not Hypocricy, but Irony by TFGeditor · · Score: 2, Insightful

    This is a superb example of "irony," oft-misapplied on Slashdot, not hypocricy.

    --
    Ignorance is curable, stupid is forever.
    1. Re:Not Hypocricy, but Irony by Anonymous Coward · · Score: 0

      I'd like to correct your ignorance of the proper spelling of HYPOCRISY. Or are you just stupid?

    2. Re:Not Hypocricy, but Irony by TFGeditor · · Score: 1

      tsk, tsk, mind your manners, boy.

      --
      Ignorance is curable, stupid is forever.
    3. Re:Not Hypocricy, but Irony by Anonymous Coward · · Score: 0

      First off, there's no irony involved. Second, you misspelled hypocrisy.

    4. Re:Not Hypocricy, but Irony by TFGeditor · · Score: 1

      My, how the children prattle.

      --
      Ignorance is curable, stupid is forever.
  51. What is your opinion on Melbourne IT? by MavEtJu · · Score: 0, Troll
    Funny, got this email from them last week:

    Melbourne IT invites you to complete our market research survey.

    As a valued customer, your feedback and opinions about Melbourne IT is important to help us improve the service that we offer you. Your responses will help us further develop our products and services that meet your needs and expectations.

    The survey will take less than 10 minutes and you will remain anonymous.

    Go here to get started:
    http://www.melbourneit.com.au/survey.php?type=brandhealth

    Thank you. Your assistance is greatly appreciated.

    If you have any further queries about Melbourne IT or would like to know more about the services we offer, please call us on 1300 654 677.

    We wish you a safe and prosperous 2005.

    Yours sincerely,
    Melbourne IT


    How about: You suck?
    --
    bash$ :(){ :|:&};:
  52. Re:Panix & FREE Mini Macs by Orgazmus · · Score: 1

    And get you a free Mac at the same time?
    st3v@hotmail.com?

    --
    The system had the verbosity of HTML combined with all the readability of compiled assembly viewed as bitmap images
  53. Not negative enough by Anonymous Coward · · Score: 0

    "The Bush-Cheney White House. You will never find a more wretched hive of scum and villainy. www.whatreallyhappened.com"

    I think that is excessively positive for a group that has borrowed so much the U.S. has more debt than ever before.

  54. the FBI has already been notified... by bani · · Score: 1

    ... no idea how seriously they are taking the matter though.

    i'd love to see someone arrested from this...

  55. Melbourne IT, eh? by pwhysall · · Score: 4, Informative

    Funnily enough, they're the registrar for the scam site http://american-redcross.org/.

    Coincidence? You decide.

    --
    Peter
    1. Re:Melbourne IT, eh? by Anonymous Coward · · Score: 0

      Coincidence? No.
      My money is on that domain name being registered via a reseller.
      A registrar has no control over domain names registered via reseller accounts. You think someone sits there, watching all the registrations coming through, to make sure they are legit? Here's a thought... how about YOU email Melbourne IT and let them know how much of a super sleuth you are, Nancy Drew. Let them know there is a bogus registration out there. *gasp*

    2. Re:Melbourne IT, eh? by david614 · · Score: 1

      Is this really a scam site? I found it pretty much indistinguishable from the genuine article. D

      --
      ELITISM: It's always lonely at the top. Uninvited company is rarely welcome.
    3. Re:Melbourne IT, eh? by rudedog · · Score: 1

      I'm guessing that any site that asks for your PIN number in their credit card information form is probably a scam site...

    4. Re:Melbourne IT, eh? by anttik · · Score: 2, Informative

      True.

      Compare the original and the fake. Fake is missing the navigation bar. Fake's VeriSign verifying thingie leads to validating www.redcross.org instead of american-redcross.org. Notable thing is also that they load images from www.redcross.org to save bandwidth.

    5. Re:Melbourne IT, eh? by destiny71 · · Score: 1

      Why is this site still up?

      Does no one in authority care to do anything about it?

      It's no wonder phishing scams are so popular, and make so much money. No one does anything to stop them.

  56. DCMA by Anonymous Coward · · Score: 1, Interesting

    Where is the DCMA when you need it?

    1. Re:DCMA by Anonymous Coward · · Score: 1, Informative

      Err...if you mean the DMCA it is here:

      http://en.wikipedia.org/wiki/DMCA

  57. In their defense... by Mustang+Matt · · Score: 1

    I don't disagree with any of your points but one thing I did like about them is that I could email them and say, "This customer is having issues with their domain record control, could you please call them." and the customer would get a call back.

    Try doing that with Verisign or netsol. ha!

    I haven't tried this in many years so I'm not sure if it's still possible to pull it off.

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
  58. Re:JW's account of Michael Sims' destruction of ce by SilverspurG · · Score: 0, Offtopic

    LISTSERV.AOL.COM

    All involved parties just lost all credibility.

    --
    fast as fast can be. you'll never catch me.
  59. They are really old by EssenceLumin · · Score: 2, Funny
    Near the bottom of the page it says -

    We started in 1989, before the advent of the Internet.

    Who knew?

  60. that's true by Trepidity · · Score: 3, Insightful

    But the inverse isn't necessarily true.

  61. Very oddly moderated, anyway. by Anonymous Coward · · Score: 0

    As of 8:30 AM 2005-01-16, the moderation stands at: "40% Informative, 10% Offtopic, 10% Troll". So, what is the remaining 40%?

    1. Re:Very oddly moderated, anyway. by Anonymous Coward · · Score: 0

      Probably some interesting, funny and underrated/overrated mods.

  62. Hey... by Cytlid · · Score: 1

    ...I thought the ISP I worked for was *one* of the oldest (not the oldest but one of them.) Then I remembered, our place was started in 1991. They had us beat by two years! Ours was only a BBS then...

    On the topic, seeing as I live in NY ... do the domain hijackers as well? Anyone wanna go on a butt-kicking expedition? Actually looks like the hijackers live in Las Vegas, if they didn't fake the whois info.

    --
    FLR
  63. you use ISDN for your phone? by Trepidity · · Score: 1

    POTS not good enough?

  64. panix rules by Anonymous Coward · · Score: 5, Insightful
    note how alexis keeps his cool in this message:
    Hi, all.

    I hate to pop my head up after years of lurking, only when things are going bad, but probably better that than remaining silent.

    First of all, I'm going to be bounced from this list once its cache of my DNS times out, which will probably be in about 2-3 hours, so if you have anything to say that you'd like me to see, please copy me. We're temporarily accepting mail at panix.net in addition to panix.com, so use alexis (at) panix.net.

    A few points to respond to:

    First, Eric, thanks for contacting Bruce and Eric on my behalf. While nothing has happened so far, I hope that it will soon, and in any case I appreciate your efforts to help a total stranger.

    Someone asked if we had registrar-lock set. It's not clear to me what happened. Our understanding is that we had locks on all of our domains. However, when we looked, locks were off on panix.net and panix.org, which we own but don't normally use. It's not clear how that happened; dotster has yet to contact us with any information about, well, anything at all. They did answer a call this morning; they're apparently in the middle of an ice storm. All I was able to learn from them is that according to the person I talked to, they had no records of any transfer requests on our domain from today back through last October.

    Someone suggested invoking a dispute procedure. We'll do that, as soon as we can get someone to actually accept the dispute, but if it goes through that process to completion, many people will suffer, and Panix itself will be tremendously damaged. How long do you think even our customers will stay loyal? (Forever, for many of them, but that doesn't mean they won't be forced to start using a different service.)

    While it's true that MelbourneIT won't do anything before (their) Monday morning, I don't want to paint them as bad guys in this drama. I don't know how they're organized and I don't know how difficult it is for them logistically. Of course I want them to move faster. Much faster. But I'll take what I can get.

    And speaking of MIT, I don't intend to send them "nastygrams" - nor NSI either. Neither of them owes me anything (at least directly) and being heavyhanded would not be a good way to get what I want (restoral of the panix.com domain to dotster) even if I thought they deserved it. I expect that there will be criminal prosecutions arising out of this, but the time for that sort of thing is later, when things are back to normal, and we've fixed any systemic vulnerabilities that can be fixed before they're used to wreak mass havoc. And it's anyone's guess who the target of those prosecutions will be, but I doubt MIT or NSI will be among them.

    Lastly, someone expressed surprise that I'd call MIT's lawyer directly. I didn't. I spent *hours* trying to find working contact info for MIT and Dotster. I didn't find useful 24-hour NOC-type info anywhere. (Someone obviously has this info; I expect it's restricted to a list of registrars.) I reached Dotster's customer support when they opened for business Saturday morning; the guy was polite, and did what he could, but I saw no evidence whatsoever of the promised attempt to assist me after he got off the phone. MIT apparently has no weekend support at all; I finally located their CEO's cellphone in an investor-relations web page. I called him, and he had his lawyer call me back. That was his choice. FWIW, she's not "just" a lawyer; she's apparently the person who has to make decisions about reverting control of the domain. So she at least needs to be aware of our position. My impression is that she didn't fully grasp the gravity of the situation, and so treated us like she'd treat any other annoying customer who managed to track her down on her day off. This is somewhat understandable (though infuriating) which is why I'd hoped to talk to someone on their tech side first. No luck there, but if any of this reaches them, maybe that will start things going.

    Thanks again to everyone who has tried to help us today.

    /a
  65. As ford will tell you by Jimboscott · · Score: 1

    The Hitchhiker's Guide to the Galaxy : Don't Panix :)

  66. Main effect = bad by nurb432 · · Score: 2, Insightful

    Pretty bad when your mail doesn't come to you..

    Especially if you are a business taking orders.. or have the potential for confidential or personal info being in your emails..

    Good thing we all encrypt our mail.. right?

    --
    ---- Booth was a patriot ----
    1. Re:Main effect = bad by Anonymous Coward · · Score: 0

      The part that's qualified by "A well regulated militia being necessary for..." What in the world makes you think that phrase, when read IN ITS ENTIRETY gives the unorganized masses the right to own guns?

      Oh, and I bet that those statistics where countries with strict gun control laws have FAR less gun deaths and crime are damn lies, too, eh? Or, I suppose you think that Australia and Britain are tyrannical places that are miserable to live in. Heh.

    2. Re:Main effect = bad by Mycroft_VIII · · Score: 1

      Ignoring that you are probably a troll and the whole thing is off topic. But the only part you got right in your interpretation is the word unorganized. Even that's not quite a bingo.
      Seems the person you're responding to might know more about it than you do. The founding fathers SPECIFICALLY said they meant all male adults not senile or insane, when they said militia.
      They meant trained in using their guns and able to work together when they said regulated.
      Regulated back then was a referent to mechanical terminology as in 'a well regulated machine'. Just like gay once meant happy and carefree, but has come to be more used in conjunction with the homosexual community today.
      Also the statistics don't say what you seem to think they say.
      Comparing say Japan's various crime rates to Nigeria's to the U.S.'s fails to figure in cultural differences. However once you compare similar locales within the US with differing legislation on guns you find an interesting tendency, criminals don't like an armed populace and people generally don't tend to go on shooting sprees just because guns are easier to own (just like most road rage involves the middle finger and a few words, not ramming the idiot who just cut you off only to slow down for no reason).

      Mycroft

      --
      https://signup.leagueoflegends.com/?ref=4c3ed6600b6ea
  67. Multiple registrars? by LProyect · · Score: 1

    What I don't understand is how both Melbourne IT and Verisign seem to be involved in domain registration. Unless I'm missing something, you register with Verisign and that's that. I am a Panix customer and have my own website registered through Verisign. Another question. I am surprised that Panix did not mention anything about changing passwords. If my mail is being routed to some mail server in Canada, can anybody read it even if they don't have my password? Finally, on the question of Panix going out of business. That would be a real shame. I have been using them since 1998 and am *very happy* with their service. Unlike some of the giants, you always get tech support in under a minute. And they know what they are doing.

    1. Re:Multiple registrars? by nasta · · Score: 1

      They do not need any passwords if they accept all mail to the domain panix.com... it all can go down to one (big) file and you can read it with less/more/grep or any other tool of your choice without any password whatsoever... -- Who needs sigs?

    2. Re:Multiple registrars? by KarmaMB84 · · Score: 1

      No, they don't need the password at all. As far as the illegitimate hijackers are concerned, they can just get everyone's mail in one big pile to search for passwords, credit card numbers, paypal account information, online bank account numbers etc.

    3. Re:Multiple registrars? by Anonymous Coward · · Score: 0

      I am surprised that Panix did not mention anything about changing passwords.

      I am sure the RCMP have knocked some doors down and are looking at Koalla's computers very closely. NSA, FBI and others are looking at this carefully and hopefully swiftly.

      Why? This has the potential of being the biggest computer security breach in history. Say this is coordinated. Say the panix.com users passwords were trapped and email was intercepted. All the sloppy password habits will come back to haunt.

      Say passwords were trapped, and sent out through a series of botted computers. Now most security types know most users are lazy. There are likely passwords and IDs in that compromised information to get into city governments, business and perhaps even the US federal government.

      This could get worse before it gets better. If you are a panix.com user, it would not be a bad idea to change your passwords frequently.

  68. Is *your* company's DNS registered with VeriSign? by philgross · · Score: 3, Insightful

    Verisign has spent big $$$ to advertise its brand as the choice for heavyweight corporate customers. It boggles my mind that they're letting a high-visibility ISP twist in the wind. Talk about brand devaluation.

    Any slashdot reader in corporate IT should be writing a memo on this and sending it to the CIO/CTO and Legal teams. What will *your* company's registrar do if someone jacks your domain on a weekend? If you're paying the bucks for Verisign, the answer seems to be nada, or maybe they'll write you an infuriating not-our-problem e-mail.

    I think the marketing/sales task for Verisign's competitors just got a notch easier too. Nothing like a good horror story...

  69. very insightful by r5t8i6y3 · · Score: 4, Interesting

    Date: Sun, 16 Jan 2005 10:07:04 +0000
    From: Eric Brunner-Williams in Portland Maine
    To: nanog@merit.edu
    Cc: brunner@nic-naa.net, alexis@panix.net
    Subject: Re: panix.com hijacked (VeriSign refuses to help)

    Oki all,

    It's dawn in Maine, the caffeine delivery system has only just started, but I'll comment on the overnight.

    You're welcome alexis@panix.net. If you'll send me the cell phone number for the MIT management I will call wearing my registrar hat and inform whoever I end up speaking with that Bruce needs to call me urgently, on Registrar Constituency business.

    Next, put a call into the Washington Post. They lost the use of the name "washpost.com" which all their internal email used, due to expiry, so their internal mail went "dark" for several hours. This was haha funny during the primary season (Feb 6). If they don't get it try the NYTimes. Put the problem on record. There is an elephant in the room.

    The elephant is that the existing regime is organized around protecting the IPR lobby from boogiemen of their own invention. They invented the theory that trademark.tld (and trademark.co.cctld) existence dilutes the value of trademark, hence names-are-marks, bringing many happy dollars (10^^6 buys) into the registrar/registry system ($29-or-less/$6, resp., per gtld and some cctlds), and retarding new "gTLD" introductions, as each costs the IPR interests an additional $35 million annually.

    To solve their division of spoils problem, is "united.com" UAL or is it UA?, we had DRPs, which is now a UDRP, and more DRPs for lots of cctlds.

    These [U]DRPs take many,many,many,many units of 24x7. They were invented for the happy IPR campers, who care about _title_, not _function_. If the net went dark that would be fine with them too, so long as the right owners owned the right names.

    Restated, there is no applicable (as in "useful for a 24x7 no downtime claimant") law in the ICANN jurisdiction.

    And it is your own damn fault. Cooking up the DRPs took years of work by the concerned interests, and they were more concerned with enduring legal title than momentary loss of possession. During those years, interest in the DNSO side of ICANN by network operators went from some to zero, and at the Montevideo meeting the ISP and Business constituencies were so small they met in a small room and only half the seats were taken. After that point they were effectively merged. IMHO, Marilyn Cade and Phillipe Shepard are the ISP/B Constituency, and they can't hear you (for all 24x7 operational values of "you").

    In case it isn't obvious, the "your own damn fault" refers to a much larger class of "you" than Alexis Rosen.

    [Oh, the same happy campers are why :43 is broken. They want perfect data at no cost and w/o restriction. Registrars don't want slamming, today's owie, and registrants don't want spam (which some ISPs do), so the whole :43 issue is a trainwreck of non-operational interests overriding operational interests. Registrars would be happy to pump :43 data to operators, if we could manage the abuse, instead we get knuckleheads who insist that spam would be solved forever if ...]

    There is a fundamental choice of jurisdictions question. Is ICANN the correct venue for adjudication, or is there another venue? This is what recourse to the "ask a real person" mechanism assumes, that talking to a human being is the better choice.

    Bill made this comment:

    > Since folks have been working on this for hours, and
    > according to posts on NANOG, both MelbourneIT and
    > Verisign refuse to do anything for days or weeks,
    > would it be a good time to take drastic action?
    >
    > Think of what we'd do about a larger ISP, or the
    > Well, or really any serious financial target.
    >
    > Think of the damage from harvesting logins and
    > mail passwords of panix users.

    You (collectively) are

    1. Re:very insightful by rs79 · · Score: 3, Informative

      "And it is your own damn fault. Cooking up the DRPs took years of work by the concerned interests, and they were more concerned with enduring legal title than momentary loss of possession. During those years, interest in the DNSO side of ICANN by network operators went from some to zero, and at the Montevideo meeting the ISP and Business constituencies were so small they met in a small room and only half the seats were taken. After that point they were effectively merged. IMHO, Marilyn Cade and Phillipe Shepard are the ISP/B Constituency, and they can't hear you (for all 24x7 operational values of "you")."

      It's *our* fault? Nice try, Eric. I should fly halfway around the world 4X a year at 5 grand a pop to stay in the ICANN 4 or 5 star host-hotel so I get my 15 minutes of being ignored at the microphone? BTDT for a couple of years. Even if you think you scored a minor victory ICANN will, and has, quietly changed the bylaws to circumvent that. Oh, but don't worry, as a membership organization, as dictated by the USG we can all vote on this. Oh that's right, that bit never happened even though ICANN's initial purpose was to only define the organization, get members then pass it off to the duly elected board. We still have the current IBM/Magaziner appointed board and the "members" don't exist.

      Lesse here, on one side we have the Intellectual Property wonks who ARE funded to fly to every meeting and are paid full time to lobby ICANN. Those buggers are everywhere, do not operate in the open and are anything but transparent. They work for companies with 3 letter names.

      On the other side we have "us" and "our funding" (hahahahah). We lose. Thanks for playing; tragedy of the commons.

      Interest in the DNSO and ICANN has waned because people are tired of beating their head against a brick wall till it's a bloody pulp; you can't begin to fight the behind the scenes back channel closed shenanigans the IP folks play, you don't even find out what they are till years later (cf the secret, thou shall not disclose meeting that IBM arranged with ICANN and NSI that Farber and Cerf attended that set this all in motion). They and they alone, as correctly pointed out, are and have always been the boogeymen behind virtually all troubles in the DNS today and have been since long before ICANN was a glint in Joe's eye.

      To paraphrase Mark Twain, "It's a good thing we don't get all the ICANN we pay for"

      Look what happened to Aurbach. ICANN sees openness as a fault and routes around it.

      --
      Need Mercedes parts ?
    2. Re:very insightful by Anonymous Coward · · Score: 0

      This is Eric. I think I know who you are, but that's not important.

      Yes, the system sucks. However, the network operators are letting it happen. That part is their collective fault.

      They acted in their own interests in the SiteFinder event, and prevailed. This isn't a global failure of dns-based mail policy, but it is everygeek's ISP, so it may be in their own interests as well.

      Thanks for taking a piss from on high on me however!

    3. Re:very insightful by Anonymous Coward · · Score: 0

      This guy sounds like he has been smoking too much peyote...

      "many,many,many,many units of 24x7"
      "(for all 24x7 operational values of "you")"
      "You (collectively) are another venue."

      It's a shame to see what too much involvement in the DNS does to people. Although this is the first case of utter raving incoherency I've seen in a Registrar, the more common effect is simply degeneracy into incompetence. We saw that with Network Solutions, we saw it with Melbourne IT... need I mention ICANN ???

  70. preventable by john_uy · · Score: 2, Insightful
    if we use dnssec. i read an article just this week about the integrity of the dns. initially, i thought that why would you need this type of implementation - here comes the reason. we can see it happen more. by using dnssec, in theory it should be able to "legitimize" dns requests and verify their authenticity before changes are being made to dns records. in this case, 3rd party will not be able to change the records because they will not have the private key from panix, for example.


    this technology is new but this type of scenarios should speed things up in making it a requirement for dns deployments.

    --
    Live your life each day as if it was your last.
    1. Re:preventable by tjls · · Score: 2, Informative

      It's not clear that DNSSEC actually would stop this particular kind of attack -- which is one reason why it's so nasty (the attack, not DNSSEC!).

    2. Re:preventable by WoodstockJeff · · Score: 1

      DNSSEC has nothing to do with this. DNSSEC allows you to verify the source of changes to a domain server's entries, but does not address the problem of a domain's DNS servers being changed at the root server level.

  71. A note from the hijackers by webteeth · · Score: 0

    "Who's panicking now, Biotch"

  72. Hello, NY Times? by wytcld · · Score: 4, Interesting

    Panix at least used to have a lot of users with jobs like "NY Times reporter" and "Wall Street technology analyst." This story needs to be amplified to the point where there's a total restructuring of the domain registration system, one which removes Network Solutions entirely from the business. Can we assume that Panix users will be doing their part to play this up in the mainstream media capital of America?

    --
    "with their freedom lost all virtue lose" - Milton
    1. Re:Hello, NY Times? by fishbowl · · Score: 1

      > Panix at least used to have a lot of users with
      >jobs like "NY Times reporter" and "Wall Street
      >technology analyst."

      But not, "Secretary of State", or "Director of ICANN", unfortunately.

      --
      -fb Everything not expressly forbidden is now mandatory.
  73. Parent should be modded funny by vp_development · · Score: 0

    Dude, that was nice.

  74. Check Jewcatur Previous Post Moderation Now... by Anonymous Coward · · Score: 0

    And the slashdot moderators bitchslap him. This post is one of the many modded 100% insightful, with an overall score of one.

    1. Re:Check Jewcatur Previous Post Moderation Now... by Anonymous Coward · · Score: 0

      So a Mercatur fanboy gets bitchslapped. Big fucking deal. It was a slap well deserved. Now crawl back to your hole.

  75. whois.melbourneit.com by pureone · · Score: 2, Informative

    whois south-parsonalbanking.com

    Whois Server Version 1.3

    Domain names in the .com and .net domains can now be registered
    with many different competing registrars. Go to http://www.internic.net
    for detailed information.

    Domain Name: SOUTH-PARSONALBANKING.COM
    Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
    Whois Server: whois.melbourneit.com
    Referral URL: http://www.melbourneit.com
    Name Server: YNS1.YAHOO.COM
    Name Server: YNS2.YAHOO.COM
    Status: ACTIVE
    Updated Date: 15-jan-2005
    Creation Date: 15-jan-2005
    Expiration Date: 15-jan-2006

    >>> Last update of whois database: Sun, 16 Jan 2005 07:38:23 EST

    Domain Name.......... south-parsonalbanking.com
    Creation Date........ 2005-01-15
    Registration Date.... 2005-01-15
    Expiry Date.......... 2006-01-15
    Organisation Name.... Douglas Hurcomb
    Organisation Address. 1516 Hidden Valley Ln
    Organisation Address.
    Organisation Address. Rochester
    Organisation Address. 48306
    Organisation Address. MI
    Organisation Address. UNITED STATES

    Admin Name........... Douglas Hurcomb
    Admin Address........ 1516 Hidden Valley Ln
    Admin Address........
    Admin Address........ Rochester
    Admin Address........ 48306
    Admin Address........ MI
    Admin Address........ UNITED STATES
    Admin Email.......... douglashurcomb@yahoo.com
    Admin Phone.......... +1.2486568102
    Admin Fax............

    Tech Name............ YahooDomains TechContact
    Tech Address......... 701 First Ave.
    Tech Address.........
    Tech Address......... Sunnyvale
    Tech Address.........

    --
    120 chars is not bloody enough for a real sig!!! you bastards even count spaces!!!
  76. Panix.com WAS locked, moved anyway by Burdell · · Score: 3, Informative

    Panix thought that they had all of their domains in registrar-lock status. When they checked panix.net and panix.org after panix.com got swiped, they were no longer locked.

    However, this has nothing to do with them being locked or not. The registrar Panix uses is Dotster, and they show no record of panix.com being transferred. In other words, Verisign (who is in charge of all .com registrations) allowed a domain to be transferred to a different registrar without following the published procedures. Even if a domain is not locked, there is a notification and waiting period that was ignored. Somehow MelbourneIT and Verisign short-circuited the system (quite possibly an inside job at both).

    IIRC the .net control is up for renewal soon and other companies may bid to take it away from Verisign; let's hope that happens (my main domains are all .net).

    1. Re:Panix.com WAS locked, moved anyway by Anonymous Coward · · Score: 0

      All your domains are for network infrastructure related companies? If no, stop abusing the .net domain. You are as bad as Verisign.
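
Added example, not part of any comment in this thread: comment 76 describes the registrar of record and the lock status changing without the owner's registrar having any record of it, which is a reason to watch the registry whois answer yourself. This Python sketch parses registry whois output in the format quoted in comment 75 (and also accepts modern EPP status names) and compares it with a pinned baseline. The domain, registrar names, name servers and both sample records are constructed for illustration.

```python
"""Compare registry-style whois answers and report hijack indicators."""

# Statuses that block an inter-registrar transfer: the legacy name used in
# this thread ("registrar-lock") and its EPP equivalent.
LOCK_STATUSES = {"REGISTRAR-LOCK", "CLIENTTRANSFERPROHIBITED"}
# EPP status shown while a transfer request waits out its notice period.
PENDING_STATUSES = {"PENDINGTRANSFER"}


def parse_registry_whois(text):
    """Extract registrar, name servers, statuses and update date."""
    record = {"registrar": None, "name_servers": set(),
              "statuses": set(), "updated": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(">>>"):
            # End of the registry section; what follows is legal notice text
            # or the registrar's own record, which must not override it.
            break
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep or not value:
            continue
        if key == "registrar":
            record["registrar"] = value.upper()
        elif key == "name server":
            record["name_servers"].add(value.lower().rstrip("."))
        elif key in ("status", "domain status"):
            # Modern output appends a URL after the status token.
            record["statuses"].add(value.split()[0].upper())
        elif key == "updated date":
            record["updated"] = value
    return record


def drift_findings(baseline, observed):
    """Return (severity, message) tuples for every deviation from baseline."""
    findings = []
    if observed["registrar"] != baseline["registrar"]:
        findings.append(("CRITICAL", "registrar changed: %s -> %s"
                         % (baseline["registrar"], observed["registrar"])))
    added = observed["name_servers"] - baseline["name_servers"]
    removed = baseline["name_servers"] - observed["name_servers"]
    if added or removed:
        findings.append(("CRITICAL", "name servers changed: +%s -%s"
                         % (sorted(added), sorted(removed))))
    if observed["statuses"] & PENDING_STATUSES:
        findings.append(("CRITICAL", "transfer request pending"))
    if not observed["statuses"] & LOCK_STATUSES:
        findings.append(("WARNING", "no transfer lock: statuses are %s"
                         % sorted(observed["statuses"])))
    if observed["updated"] != baseline["updated"]:
        findings.append(("INFO", "record updated: %s -> %s"
                         % (baseline["updated"], observed["updated"])))
    return findings


# Constructed sample: the record as pinned when the domain was known good.
BASELINE_WHOIS = """\
   Domain Name: EXAMPLE.COM
   Registrar: EXAMPLE REGISTRAR ONE, INC.
   Whois Server: whois.registrar-one.example
   Name Server: NS1.EXAMPLE.NET
   Name Server: NS2.EXAMPLE.NET
   Status: REGISTRAR-LOCK
   Updated Date: 10-oct-2004

>>> Last update of whois database: Sat, 15 Jan 2005 07:00:00 EST <<<
"""

# Constructed sample: the same domain after an unauthorised transfer.
OBSERVED_WHOIS = """\
   Domain Name: EXAMPLE.COM
   Registrar: OTHER REGISTRAR PTY LTD
   Whois Server: whois.other-registrar.example
   Name Server: NS1.UNKNOWN-DNS.EXAMPLE
   Name Server: NS2.UNKNOWN-DNS.EXAMPLE
   Status: ACTIVE
   Updated Date: 15-jan-2005

>>> Last update of whois database: Sun, 16 Jan 2005 07:38:23 EST <<<
Registrar: TEXT AFTER THE REGISTRY SECTION IS IGNORED
"""

if __name__ == "__main__":
    baseline = parse_registry_whois(BASELINE_WHOIS)
    observed = parse_registry_whois(OBSERVED_WHOIS)
    for severity, message in drift_findings(baseline, observed):
        print("%-8s %s" % (severity, message))
```

A check like this only detects the change after the registry has published it; it does not prevent the transfer.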

  77. My god, you're right... by Anonymous Coward · · Score: 0

    It's an exact copy of the redcross.org site, complete with VeriSign Secure Site logo (which, when clicked, verifies redcross.org and not american-redcross.org). It's registered through Yahoo domains to Elizabeth Cantrell of Alabama (probably false) and hosted by Yahoo. It was just created yesterday. Why doesn't yahoo lay the smack down on this scam immediately?

    1. Re:My god, you're right... by Anonymous Coward · · Score: 0

      It's pretty amusing how Slashdot reveals that michael is abusing you. It shows -1 in your list of posts... yet, it's not actually moderated here and has a score 0.

  78. Re:Is *your* company's DNS registered with VeriSig by Anonymous Coward · · Score: 0

    Remember, Panix was using Dotster as their registrar and not Network Solutions.

    Where Network Solutions gets involved is that they are still responsible for the root servers (I think) and could change which registrar owns the name.

    All I know is that this multiple registrars for the domains is just making things worse even though it caused registration rates to drop.

  79. Re:Is *your* company's DNS registered with VeriSig by Daedala · · Score: 1

    Anyone who believes Verisign is trustworthy isn't paying attention. I personally admire their competence almost as much as I admire their integrity....

    --
    What I say does not represent the views of my employers, my friends, my cats, or myself.
  80. Red Cross scam site by Anonymous Coward · · Score: 0
    I suspect the scammer used Yahoo! to host his scam site because Yahoo! already has a legitimate Red Cross donation service up on their system.


    MelbourneIT just happens to be the back end registrar.

  81. panix and the media by Anonymous Coward · · Score: 0

    a quick google news search shows:

    "Allan Sloan is Newsweek's Wall Street editor. His e-mail address is sloan@panix.com"

    let's hope the press picks up on this and puts some pressure on the companies responsible. Maybe we'll see some much needed change in the registrar system.

  82. .net domain usage by Anonymous Coward · · Score: 1, Insightful

    .net is not just for internet infrastructure companies. It is also for a company's own network infrastructure.

    Besides when has .net .com & .org been used correctly in the past umpteen years?

  83. I'm a panix user and victim by 6502_C64 · · Score: 0

    and I lurk slashdot. Panix has been my main e-mail address for the last 14 years. I have found the panix staff to be very competent and the panix community very knowledgeable. As a victim, who and where can I register my complaint. I simply want my ISP back online. thank you

  84. Hey, my domain was stolen the other week too by maugt · · Score: 5, Insightful

    This does happen a lot more than you think. I started a blog to document it at Orangelimey.blogs.com

    NSI is currently claiming that the transfer was legitimate - somehow the hijacker got into the administrative contact's email and compromised the accounts - how we still don't know. However, the person that ended up with the domain seems to be willing to give it back.

    Really, the whole domain security thing is ridiculous. For a domain (which is considered property under a ruling from the appeals court in the sex.com case) to be transferred with such lax legal proceedings is pathetic. Can I steal your car or your house by simply faking email and guessing passwords? Of course not.

    Maybe panix can make enough of a stink about this to get someone to stand up and take notice - although who can do this I don't know. ICANN is toothless and only cares about trademark disputes.

    Someone told me as a result of this that 40,000 domains were hijacked in the last year. I don't know where this data comes from, but really, obviously something is wrong.

    Feel sorry for panix, I used them when I lived in NYC

    1. Re:Hey, my domain was stolen the other week too by HiThere · · Score: 2, Insightful

      I'm not sure that ICANN is toothless at all. I suspect their interests just lie elsewhere.

      Whatever happened to the election of the ICANN board? Trust them? For anything? After that?

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    2. Re:Hey, my domain was stolen the other week too by rs79 · · Score: 1

      Can I steal your car or your house by simply faking email and guessing passwords? Of course not

      No, but you can walk up to a car dealership and have a key made and steal a car. It's the analog version of hacking a password.

      --
      Need Mercedes parts ?
    3. Re:Hey, my domain was stolen the other week too by capilot · · Score: 1

      NSI is currently claiming that the transfer was legitimate - somehow the hijacker got into the administrative contact's email and compromised the accounts

      I've heard it described thusly: NSI couldn't secure a lava pool against snowmen.

      Think of races.com, sex.com and who knows how many others. As long as NSI feels no pain when they fuck up and give a domain away, the situation will continue.

      From what I've heard, only a fool would register with NSI.

  85. Ever had your Domain Hijacked? by Anonymous Coward · · Score: 0

    I experienced this once, me and some friends formed a group to do web work.

    Well the guy in charge of our hosting forgot to renew the site. The site got taken by some name camper and they wanted something like $300 to get the domain back we were not willing to pay.

    The temporary site they set up was hilarious, had job postings for secretaries and had hot pictures of them. The company was out of the Bahamas or some place which is funny as I often go to the Caribbean! Anyway, it was nice to see some domain lurker schwag a domain and host a domain that was interesting, bunch of cute women looking for temp work, sure beats the way other domain lurkers schwag a site.

  86. Readable version by Anonymous Coward · · Score: 0
  87. ICANN: a slow moving parody of itself. by rs79 · · Score: 2, Insightful

    Exsqueeze me? One of the biggest registrars that a lot of people have had trouble with is CLOSED for the weekend?

    I run a bunch of (free) mailing lists and DNS for a variety of stupid things like cars, tropical fish, dns etc. I'm open 24/7 and get calls at 4:30 am, not happily, but I do fix stuff. That MIT as a multimillion dollar organization thinks it's ok to take the weekend off critical internet infrastructure should be enough to get their precious ICANN accreditation yanked. But given how much money MIT pays ICANN this will never happen.

    Expect fully a press release from ICANN saying how responsive MIT was in this situation.

    Welcome to the modern internet.

    --
    Need Mercedes parts ?
  88. Panix mail accessible! by howardcohen · · Score: 3, Informative

    I *am* getting my panix.com mail by going to mail.panix.NET, and using their web-based mail client.

    By way of background, I've been a Panix user for more than a decade. They are classy, intelligent people, which sets them apart from most folks in their line of work.

  89. Gee...first LJ, now Panix... by Anonymous Coward · · Score: 0

    First LiveJournal falls over due to Internap and then Panix was domainjacked?

    What else is going to happen internet-wise this weekend?
    (I know, I know, I really should not ask that question, it begs something to happen.)

  90. This is irresponsible by wotevah · · Score: 1

    In an environment like email where 90% of traffic is noise (spam), it is very likely that such emails would get lost, and I am sure ICANN are aware of this. Not to mention that this opens the possibility of bombing (i.e. send 100 transfer requests, you only need one to go unanswered). This ruling is idiotic and makes no sense. A domain is a lease, if it's paid up then it doesn't matter that you ignore somebody else wanting it. It's still yours.

  91. WHAT ARE THE PANIX.COM NS RECORDS SUPPOSED TO BE by rs79 · · Score: 1

    (Yes I'm shouting. I don't even have a caps lock key)

    If the opportunity presents itself to repair this it would be good to know what they are.

    --
    Need Mercedes parts ?
  92. Re:Deal with the Devil by Anonymous Coward · · Score: 0

    No, Panix isn't known for that.

    Next.

  93. Re:Deal with the Devil by tjls · · Score: 5, Informative
    Nice try, troll.

    To answer your "questions", no and no.

    Panix has been deeply involved in efforts to promote and protect Internet security since, I'd wager, long before you even had access to the Internet at all. I should know -- within two months of my first coming to work at Panix in 1993 the majority of my work was shifted from normal system administration to security.

    The very first NY Times article (possibly the first national newspaper article at all) on the subject of Internet security featured Panix' heroic efforts to publicize and mitigate a series of network sniffer attacks that had been previously kept under wraps, and compromised the security of thousands of Internet users (at a time when the total population of the Internet was only a few tens or perhaps hundreds of thousands). Panix played a key role in the emergence of full-disclosure security lists by refusing to sit still while vendors and CERT (don't get me wrong. CERT is good. They just weren't then) conspired to cover up known vulnerabilities for years at a time. And so forth.

    To this day, security remains a major focus at Panix. It has to -- they're the oldest, most prominent, and one of the largest (if not the largest) shell ISPs still out there, and their users won't tolerate system outages caused by security failures, or security failures that compromise those users' own security. In general, if you find Unix timesharing systems the size of Panix, they're at universities; and look at those folks' security records. Panix, on the other hand, is worlds better.

    To respond to your other happy fun mudslinging, Panix has not and does not tolerate "online crimes" by its users, whether your invented "user" Kevin Mitnick or anyone else. Never did, doesn't now; security is important to Panix; it is essential to their business; and so is the health of the Internet itself.

    Depending how you count, Panix is the second or third oldest consumer ISP in the world. Panix has been around long enough to remember the times when if they had a security incident, a significant fraction of the Internet shuddered (e.g. when we were offline for two days for security reasons in 1994, traffic on Usenet as a whole fell considerably). It would be hard to find any business on the Internet more fundamentally concerned that its own security problems not impact others than Panix has been, and is.

    Which, of course, is quite a different attitude than that exemplified by some other businesses mentioned in this thread.

  94. Federal wiretap laws? by Deimios · · Score: 1

    The main effect on users is that mail sent to panix's customers is being routed to a bogus mail server run by the hijackers."

    IANAL, But doesn't this violate federal wiretap laws somehow? Intercepting communications intended for another party? Shouldn't the FBI be involved?

    1. Re:Federal wiretap laws? by Anonymous Coward · · Score: 0

      Oh, I so hope you are right. And I hope Panix follows up on it that way.

    2. Re:Federal wiretap laws? by Anonymous Coward · · Score: 0

      From further up the story,

      Panix's main domain name, panix.com, has been hijacked by parties unknown. The ownership of panix.com was moved to a company in Australia, the actual DNS records were moved to a company in the United Kingdom, and panix.com's mail has been redirected to yet another company in Canada.

      US laws do not apply in Australia. US wiretap laws do not apply in the UK. And US wiretap laws do not apply in Canada.

      RTFA, and realise that there is a world outside your borders you stupid yank.

    3. Re:Federal wiretap laws? by Anonymous Coward · · Score: 0

      And at least the registrar has an office in the US, and a US addy was used on the domain registration. So US law applies to some of the people who hijacked the domain.

  95. Take it back? by wandazulu · · Score: 1

    As it was unlawfully taken away from Panix, can't they take the same or similar steps and simply take their domain back? Presumably the jerks who did this in the first place aren't exactly in a position to cry foul.

    As an aside, if not Panix, then why not IBM or ebay or Amazon? Is it a case of "nobody's tried this yet" or do the "big names" have something that everybody else doesn't? I would think microsoft.com is presumably just as vulnerable to domain theft as joespixoftoilets.com. Also, while if the folks who did this to Panix were Aussies, and if they tried it with IBM or Microsoft, those companies would have lawyers literally pounding on the door of the offending registrar within minutes, who's to say the person can't do it at some ISP in Russia or some other country where the likelihood of having any legal weight is practically nil?

    1. Re:Take it back? by dbIII · · Score: 1
      if they tried it with IBM or Microsoft, those companies would have lawyers literally pounding on the door of the offending registrar within minutes
      Which would do just as much good on a Sunday in Australia with MelbourneIT as Panix achieved. These are the guys who wouldn't even reply to emails from ICANN for two weeks when they had control of ".com.au", which is probably one of the main reasons they don't control it anymore.

      How much integrity do you think a registrar for ".cx" has anyway?

      can't do it at some ISP in Russia or some other country where the likelihood of having any legal weight is practically nil
      Since MelbourneIT is some sort of odd quasi-government privatised organisation it would also be difficult to take legal action against it from overseas, kick up enough fuss and annoy the locals and you will find the local laws changing to oppose you.
  96. Update by Anonymous Coward · · Score: 0

    Update: As of this morning, all web and mail traffic going to the hijacked panix.com domain goes in to a network black hole (A .0 address, to be exact). The listed email servers for panix.com do not respond to port 25 connections.

    This means that email sent to name@panix.com will be queued by the sender's host for a period of three to five days, and will not be delivered to a malicious entity.

    MelbourneIT, Verisign, ICANN, and anyone else responsible for this fiasco needs to quickly get their stuff together so this sender-queued mail does not bounce.

  97. no, it's a good thing by frovingslosh · · Score: 2, Insightful
    what a sad state of affairs when it's trivial to hijack a domain, but it takes an act of god to return it to its rightful owner. apparently, even law enforcement can't get verisign or melbourneit to do squat

    I think it's good that the response was what it was. After the lawsuits service providers like verisign will have learned an important lesson. Had they just put things back and said "oops" the chance to teach them the importance of not letting this happen in the first place might have been lost.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  98. Umm wrong.... by Anonymous Coward · · Score: 0

    An address ending in .0 can be valid, it just depends on the netmask associated with the address.

  99. UPDATE by rs79 · · Score: 2, Informative

    Berryhill went to the house in Wilmington. The address is bogus.

    Or rather the address is real but the guy we're looking for doesn't live there any more and the people there get all "sorts of weird things".

    This apparently is not the first time this happened.

    The lawyer in question has moved to PA.

    John's going home to check state corporate registration records to try to find him.

    --
    Need Mercedes parts ?
  100. The most important thing by Anonymous Coward · · Score: 0

    Don't panix! (-1, Not Funny.)

  101. Panix Customer base... by Anonymous Coward · · Score: 0

    No matter how quickly this is resolved, I believe Panix will lose a noticeable percentage of their customers.

    In the case of a few people I know, they will keep their account until their [pre]paid time runs out, which could be up to almost a year.

    So, the true extent of this domainjacking may not be known for many months unless Panix issues partial refunds to people cancelling their accounts.

    And even then, I know some won't cancel for a couple of months at least to make sure they have caught everybody and updated their email addresses everywhere.

  102. Re:Deal with the Devil by mslinux · · Score: 1

    Honest mistake. I confused one of Mitnick's passwords with the panix domain name. I looked it up... it was escape.com, not panix.com.

    My mistake.

  103. This just in!!! by Anonymous Coward · · Score: 5, Informative

    (Posted by Ed Ravin [staff]) Sun, Jan 16 2005 -- 5:41 PM
    ----------------
    Recovery is underway from the panix.com domain hijack.

    The root name servers now have the correct information, as does the WHOIS registry. Portions of the Internet will still not be able to see panix.com until their name servers expire the false data. More info soon.

    -- Ed

  104. Useful advice for protection please? by fishbowl · · Score: 1

    There is someone out there who seems to really want my domain, really bad, but evidently not badly enough to warm me up by, say, buying me a beachfront house in Kauai and a nice Gulfstream as an ante to open negotiations :-)

    Now, I would never, ever, do anything stupid like forget to renew the registration (and I believe that anyone this careless *SHOULD* lose his registration.)

    But aside from keeping it renewed, what should I be doing to protect my domain name?

    I get calls once in a while, and I make it very clear to the callers that I am not interested in surrendering my domain to anyone, and that I do not even want to hear their offer (because I *know* it's not going to start with the house in Kauai and the Gulfstream, and that's not my price, that's the incentive to get me interested in talking about negotiating. I want my lawyers to be comfortable while we begin the negotiation process.)

    I usually piss off the solicitors pretty bad by basically telling them they don't have anything to offer me to get my interest, and that since they've insulted me by calling without being prepared to meet my terms, then they are harassing me. They never get it.

    But what stops them from simply *taking* my name?

    --
    -fb Everything not expressly forbidden is now mandatory.
  105. Re:WHAT ARE THE PANIX.COM NS RECORDS SUPPOSED TO B by benedict · · Score: 1

    ns1.access.net 198.7.0.1
    ns2.access.net 198.7.0.2

    Note that access.net DNS was _not_ hijacked. Just panix.com.

    BTW, it's morning in Melbourne, and the root DNS is now fixed.

    --
    Ben "You have your mind on computers, it seems."
  106. Slashdot's Apparent Policy on Censorware.org by schmaltz · · Score: 1

    Slashdot's search engine turns up no articles for 'censorware.org' after the point in time that Michael Sims hijacked the domain, a grand total of 26 articles overall. That's if you search under 'Stories'. If you search 'Censorware.org' under 'Comments', it turns up exactly 18 comments. Interesting, considering that I've witnessed many, many threads about 'censorware.org' across dozens of articles Michael approved.

    It seems as though Slashdot has anti-"Censorware.org" censorware built into their version of slashcode.

    I fully expect this comment to disappear, at least from the search engine, if not the database.

    --
    Big Daddy, Johnny, Burp, Aunt Zelda, Scott, Slurp, Big Momma ... where's Siggy?
    1. Re:Slashdot's Apparent Policy on Censorware.org by Anonymous Coward · · Score: 0

      I thought slashdot only searched the subject of comments

  107. We could help them out, possibly... by Okian+Warrior · · Score: 1
    Someone should E-mail some honeypot information to them right now (meaning: the hijacked site). Something with username/password and money potential.

    This can be simple, like sending an E-mail confirmation of someone's (honeypot) E-mail address, and seeing if it gets spam at a later date. Then log all attempts to access the account.

    For a more interesting example, if someone can quickly set up a reasonably official looking honeypot online banking site, then send an E-mail pretending to be the parent of a college student letting him know that his "allowance account" for the upcoming semester is online, with username and password and balance.

    This could help out enormously in tracking down the culprits at a later date.

  108. Re:WHAT ARE THE PANIX.COM NS RECORDS SUPPOSED TO B by rs79 · · Score: 1

    The root dns was never broken. The NS records for panix.com were wrong in the .com zone. The root DNS tells you where to find the pointers to the .com tld servers.

    But I'm glad it's fixed.

    --
    Need Mercedes parts ?
  109. MINDVOX was the oldest ISP in NYC, not Panix by Anonymous Coward · · Score: 0

    The now defunct Mindvox was the first ISP in NYC. There was a bitter rivalry between the Panix and Mindvox people back in the early 1990's. Considering that Mindvox is now defunct it's easy to try and say that it was Panix... but it really wasn't. Of course, Panix was always run by much more competent people that weren't shooting up heroin half the time.

    1. Re:MINDVOX was the oldest ISP in NYC, not Panix by KXGBD3C0 · · Score: 1

      This last sounds incredibly apocryphal, but was true.

    2. Re:MINDVOX was the oldest ISP in NYC, not Panix by I+judge+you · · Score: 1

      Not to be a total ass, but there is a difference between "first" and "oldest." MINDVOX *was* the first ISP in NYC. Panix *is* the oldest ISP in NYC. Oldest means of greatest age.

  110. Sure Bonch, whatever you say. by Anonymous Coward · · Score: 0

    More love for Slashdot, eh old troll?

    Your advocacy of anything is a good sign the thing is pure bullshit. Let's go back in time and look at some of the M$ love fest, apologizing and Slashdot insulting from Bonch:

    1. Blames the user for MyDoom, which distributed itself through Kazaa.
    2. Begging for free software goodies to be ported to M$'s junk.
    3. "Slashdot discussion--the Internet king of groupthink and propaganda." More insults, you wonder why he reads Slashdot other than to cause trouble.
    4. Here he is bitching over being blacklisted for his behavior. Of course, he was on the infamous troll post.
    5. "Slashdot is a bunch of kooks complaining about stuff." His way of excusing the use of M$ garbage in voting machines that were both impossible to verify and easy to manipulate.

    All of the above was found by looking at two pages of google results for bonch slashdot. More than half of the results were like those.

    Well, that's enough fun for me for now. Thanks for playing, Bonch. I hope your account is deleted soon. Until then, I think I'll save this post and put it wherever you show up.

  111. Fallen for the propaganda by dbIII · · Score: 1
    There *are* other effective ways to do that besides killing. Arranging strategic power outages will do the trick nicely
    How many people were terrified by the power outages on the east coast of the USA a while back? Terrorists kill people. Terrorism is not new - it wasn't even new when it started WWI. These days if you call someone a terrorist they are an outcast unprotected by any rights at all, so it is convenient to widen the definition to avoid that annoying due process.

    Don't fall for the propaganda. I've heard September 11 being used as an excuse to crack down on noisy parties. Let's keep it real, call these guys domain stealers or confidence trickers or whatever, and stop stirring people up.

    1. Re:Fallen for the propaganda by jonadab · · Score: 1

      > How many people were terrified by the power outages on the east coast of
      > the USA a while back?

      Those were clearly accidental. Try making sure everyone knows it was done
      deliberately and letting them think it can be repeated at will. Additionally,
      those were in the summertime. The power outages we had after the ice storm
      here last week have people visibly shaken, and that's without a raving
      lunatic claiming credit and threatening to do it again.

      > Terrorists kill people.

      Murderers kill people. Terrorists terrorize. Often they do it by killing
      people, in which case they are also murderers, but just killing people is
      not in itself terrorism.

      > Terrorism is not new

      I'm quite aware of that.

      > it wasn't even new when it started WWI.

      Assassination started WWI. That's not terrorism.

      > These days if you call someone a terrorist they are an outcast unprotected
      > by any rights at all, so it is convenient to widen the definition to avoid
      > that annoying due process.

      Your conspiracy theories don't change anything: a terrorist has always been
      someone who employs terror as a weapon. Additionally, your logic doesn't
      even hold up internally; if it were convenient to label people as terrorists
      in order to get rid of due process, and if killing people were the primary
      defining factor in terrorism, then why do we still bother with murder trials?

      --
      Cut that out, or I will ship you to Norilsk in a box.
  112. The proper "business" way to fix this... by Anonymous Coward · · Score: 0

    The proper geek way to fix this is with BGP. Why hasn't anybody had the cojones to do this yet?


    But... the proper "business" way to fix this is for Panix to sue the holy fawk out of all the domain registrar organizations both directly and indirectly involved in this domain-jacking episode for being negligent in failing to authenticate who actually had permission to move/manipulate the established domain.

    Attack the registrars themselves with armies of lawyers to put the fear into them in order to force them to be abso-fawking-lutely positive that any serious domain changes are concretely proven to be legitimate before allowing those changes to be applied to the global DNS system.

    Litigation, not technology, will be the ultimate fix for these kinds of problems.

  113. don't bet on it... by alizard · · Score: 1
    Some registrars (godaddy, I know for sure does) activate this lock by default,

    If you're with godaddy and haven't locked yours, go check now. I just locked mine at godaddy.

    They may lock new accounts by default... mine's a couple or three years old. I'm just saying don't count on your domain being locked unless you have locked it yourself.

    1. Re:don't bet on it... by ErichTheWebGuy · · Score: 1

      I got mine about, er, about 18 months or so ago and it was locked when I got it, and has been since. Nevertheless, that's good advice. I check the details/status of my domain like monthly or thereabouts, just because it's a prudent measure that only takes a sec.

      --
      bash: rtfm: command not found
    2. Re:don't bet on it... by alizard · · Score: 1

      thanks, I just set a monthly calendar reminder to do that myself.
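
The periodic status check discussed in the comment thread above, as an added example (not code from any poster, registrar or Panix): it compares a WHOIS-style record against a stored baseline and flags a changed registrar, changed name servers, or a missing transfer lock. The name-server baseline is the pair comment 105 gives as correct for panix.com; the baseline registrar name is a placeholder, both WHOIS records are constructed, and `parse_whois`, `audit` and `BASELINE` are names invented for this example.

```python
# Added example: baseline-drift check for a domain's registration record.

# Real EPP status codes that block an inter-registrar transfer ("the lock").
TRANSFER_LOCKS = {"clienttransferprohibited", "servertransferprohibited"}

# What the record is supposed to look like. Name servers are the ones the
# thread gives as correct; the registrar name is a placeholder (assumption).
BASELINE = {
    "registrar": "Example Registrar A (placeholder)",
    "name_servers": {"ns1.access.net", "ns2.access.net"},
}

# Constructed WHOIS-style records, not real registry output.
WHOIS_GOOD = """\
Domain Name: PANIX.COM
Registrar: Example Registrar A (placeholder)
Name Server: NS1.ACCESS.NET
Name Server: NS2.ACCESS.NET.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
"""

WHOIS_MOVED = """\
Domain Name: PANIX.COM
Registrar: Melbourne IT
Name Server: NS1.UKDNSSERVERS.CO.UK
Name Server: NS2.UKDNSSERVERS.CO.UK
Domain Status: ok
"""


def parse_whois(text):
    """Collect registrar, name servers and status codes from 'Key: value' lines."""
    record = {"registrar": None, "name_servers": set(), "statuses": set()}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep or not value:
            continue
        if key == "registrar":
            record["registrar"] = value
        elif key == "name server":
            # Host names are case-insensitive and may carry a trailing dot.
            record["name_servers"].add(value.lower().rstrip("."))
        elif key in ("domain status", "status"):
            # A status line may be followed by a URL; keep only the code.
            record["statuses"].add(value.split()[0].lower())
    return record


def audit(text, baseline=BASELINE):
    """Return a list of (code, detail) findings; an empty list means no drift."""
    rec = parse_whois(text)
    findings = []
    registrar = rec["registrar"]
    if registrar is None or registrar.lower() != baseline["registrar"].lower():
        findings.append(("registrar", "registrar is now %r" % registrar))
    added = rec["name_servers"] - baseline["name_servers"]
    missing = baseline["name_servers"] - rec["name_servers"]
    if added or missing:
        detail = "unexpected=%s missing=%s" % (sorted(added), sorted(missing))
        findings.append(("name_servers", detail))
    if not rec["statuses"] & TRANSFER_LOCKS:
        findings.append(("transfer_lock", "no transfer-prohibited status present"))
    return findings


if __name__ == "__main__":
    for label, text in (("good", WHOIS_GOOD), ("moved", WHOIS_MOVED)):
        print(label, audit(text) or "no drift")
```

An empty or unparseable record produces all three findings, so a lookup that silently fails is reported rather than treated as healthy.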

  114. Legal != right by leereyno · · Score: 1

    Are you one of these people who don't know the difference between right and wrong? Who make excuses like "I did nothing illegal" when caught doing something WRONG?

    Taking time to point out that something patently wrong is technically legal in order to defend or justify it is well....disturbing. It shows a clear lack of any sort of a moral compass, and that is a character flaw that is all too common in today's world.

    Don't feel too bad, at least you're in famous (if not good) company. Bill Clinton, SCO executives, Enron Execs, etc. etc.

    Lee

    --
    Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
  115. oops ! by chrisranjana.com · · Score: 1

    Hmm that's not good news !

    --
    Chris ,
    Php Programmers.
  116. But what comes next? by Royster · · Score: 1

    I have been a Panix customer for almost 10 years. I manage a number of domains with that address as a contact address. The hijackers could have requested the transfer keys to all of my registered domains. My domains could disappear tomorrow and without the contacts Alexis has, I might never get them back.

    --
    I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
  117. Re:WHAT ARE THE PANIX.COM NS RECORDS SUPPOSED TO B by benedict · · Score: 1

    Yeah, I mis-spoke. Sorry. I plead stress due to working all weekend.

    --
    Ben "You have your mind on computers, it seems."
  118. Mods: The truth about bonch/rd_syringe/OverlyCrGuy by Anonymous Coward · · Score: 0

    Moderators: Please note that "bonch" is a known fanatical sycophant whose obnoxious offtopic rants are legend here on Slashdot. It doesn't matter what the topic is, he'll find a way to scrape in some pointless Microsoft shilling. While nobody expects us to love Microsoft in any way, his particularly tepid style of calling anyone he replies to "troll" or "liar" because he happens to disagree with whatever they're saying is well documented and should not be rewarded. If anything, bonch is the type of person that should not be part of the open source/free software community. He is an anathema to all that is good about free software.

    I'm posting this so that you (the moderator) have some context to consider bonch and not mod him up whenever he posts his filler preformatted rants about installing Windows or whatever that unfortunately get him karma every single time and allow him to continue posting his trademark toxic crap (read on) day in and day out. You may consider this a troll - I consider it community service. And I ain't kidding.

    If you're a /. subscriber, I invite you to look through some of his posting history. I guarantee that you'll be hard pressed to find someone that is more "out there" than bonch. You'll also probably notice he's got quite an AC following. Don't just read his posts, make sure you go through the replies.

    For example, in this recent post bonch not only calls the OP a troll but attempts to "tell it like it is" while making some vague argument about "MS". Yes, if you're confused, you're not alone. The reply (modded +0) proceeds to simply destroy his bogus argument. You will notice he did not reply. This is what some people call "drive-by advocacy". A sort of I'll just leave you with my thoughts here and move on to the next flamebait kind of deal. In fact, he almost never replies because he knows that his fanatical arguments simply do not hold up to any sort of discussion. It's not that he's chosen the wrong cause - he's just going at it in a completely wrong way.

    More? Just read through this post and the subsequent replies. I guess this stands on its own.

    More? Bad spelling in astounding conspiracy theories, more offtopic FUD and uninformed "I'm right, look at me" rants, promptly proven wrong. Worse even, bonch wants to be Bill Gates, apparently (that first one is a winner). I mean, really. You think?

    FUD, FUD, FUD, FUD, offtopic FUD, and more FUD. This guy is like the Monty Python SPAM skit, but with FUD and more FUD instead of canned meat. Amazed yet? Don't forget that KDE and Gnome make you dumb, and it's all a Slashdot conspiracy. How low do you want to go? Maybe as low as this?

    The infamous Fax Manifest? Nuclear fireballs? It goes on and on and on and on and on and on and on (troll?). Like the energizer bunny. Or take these two, which stretch the definition of weird.

    It's up to you. We can get rid of this guy and make Slashdot a better place. I don't know about you, but I'd rather take the trolls and crapflooders over people like "bonch" any day. And I sure as hell don't want to be categorized along with him. This is not how you advocate free software, period.

  119. Lights out is not as scary as blood on the streets by dbIII · · Score: 1
    Assassination started WWI. That's not terrorism.
    When done by a bunch of Serbian anarchists, assassinations and bombings really cannot be called anything else but terrorism.
    Murderers kill people.
    and bombers bomb, but they still fit the definition.
    Your conspiracy theories
    I suggest you direct that accusation at the person who thought misappropriating domain names was an act of terrorism.
    Additionally, your logic doesn't even hold up internally; if it were convenient to label people as terrorists in order to get rid of due process,
    Read some history (or watch the recent documentary): the French, who the Americans strangely accuse of being soft on terrorism, killed a lot of suspects during and after questioning without any sort of trial in Algeria. It appeared that was completely effective in getting rid of the major terrorist group of the time, but it pissed everyone off, other groups started and ultimately France lost Algeria.
  120. There's a phrase which has never applied more by Anonymous Coward · · Score: 0

    "Never ascribe to malice that which is adequately explained by incompetence."