Slashdot Mirror


New York's Oldest ISP Gets Domain-Jacked

Howard Roark writes "Panix, the oldest commercial Internet provider in New York, had its domain name 'panix.com' hijacked by persons unknown. The main effect on users is that mail sent to panix's customers is being routed to a bogus mail server run by the hijackers."

36 of 447 comments

  1. Panix by UnCivil+Liberty · · Score: 5, Informative

    One domain hijacked and another soon to be slashdotted, sucks to be them.

    Just in case:
    "Status as of Sat Jan 15 22:04:33 EST 2005

    Panix's main domain name, panix.com, has been hijacked by parties unknown. The ownership of panix.com was moved to a company in Australia, the actual DNS records were moved to a company in the United Kingdom, and panix.com's mail has been redirected to yet another company in Canada. Panix staff are currently working around the clock to recover our domain, but this may take until Monday, due to the time differences and difficulties in reaching responsible parties over the weekend.

    For most customers, accesses to Panix using the panix.com domain will not work or will end up at a false site."


    Their catch phrase "Your $HOME away from home" is quite cute.

    --
    Distributed proteome folding @ WorldCommunityGrid.org
    Team Slashdot - Members:#1 Run Time:#1 Points:#1 Results:#1
    1. Re:Panix by wpanderson · · Score: 4, Informative

      Looks like their MX records are back under their own control ...

      intrepid:~> dnstracer -s . panix.com
      Tracing to panix.com[a] via A.ROOT-SERVERS.NET, maximum of 3 retries
      A.ROOT-SERVERS.NET [.] (198.41.0.4)
      |\___ M.GTLD-SERVERS.NET [com] (192.55.83.30)
      | |\___ ns2.ukdnsservers.co.uk [panix.com] (207.61.90.196) Got authoritative answer
      | \___ ns1.ukdnsservers.co.uk [panix.com] (142.46.200.67) Got authoritative answer
      [snip]
      intrepid:~> host -t mx panix.com
      panix.com MX 200 mailhost-l2.panix.com
      panix.com MX 150 mailhost.panix.com
      intrepid:~> host -t any mailhost.panix.com
      mailhost.panix.com does not exist, try again
      intrepid:~> host -t any mailhost-l2.panix.com
      mailhost-l2.panix.com A 166.84.1.75
      intrepid:~> whois 166.84.1.75

      OrgName: Panix Public Access Internet
      OrgID: PPAI
      Address: 15 West 18th St.
      Address: 5th Floor
      City: New York
      StateProv: NY
      PostalCode: 10011
      Country: US

      NetRange: 166.84.0.0 - 166.84.255.255
      CIDR: 166.84.0.0/16
      NetName: ACCESS-NET-B
      NetHandle: NET-166-84-0-0-1
      Parent: NET-166-0-0-0-0
      NetType: Direct Assignment
      NameServer: NS1.ACCESS.NET
      NameServer: NS2.ACCESS.NET
      Comment:
      RegDate: 1993-11-10
      Updated: 2000-08-21

      TechHandle: PANIX5-ARIN
      TechName: Panix Network Information Center
      TechPhone: +1-212-741-4400
      TechEmail: hostmaster@panix.com

      OrgTechHandle: PANIX5-ARIN
      OrgTechName: Panix Network Information Center
      OrgTechPhone: +1-212-741-4400
      OrgTechEmail: hostmaster@panix.com

      # ARIN WHOIS database, last updated 2005-01-15 19:10
      # Enter ? for additional hints on searching ARIN's WHOIS database.

      ... or did I miss something

      --
      neuro at well dot com (when I post, it's my opinions, no-one elses)
    2. Re:Panix by multipartmixed · · Score: 2, Informative

      I'm still getting the freeparking IP for the MX from my local servers, but network-tools.com is showing the right info.

      Presumably my stuff is cached; but at least the TTL on the hijacked domain is to 7200s. Nice and short.

      --

      Do daemons dream of electric sleep()?
    3. Re:Panix by Simon+Brooke · · Score: 4, Informative

      As of 17:03 GMT, I am getting (via British Telecom's nameservers):

      Domain Name.......... panix.com
      Creation Date........ 1991-04-22
      Registration Date.... 2005-01-15
      Expiry Date.......... 2006-04-23
      Organisation Name.... vanessa Miranda
      Organisation Address. 1010 Grand Cerritos Ave
      Organisation Address.
      Organisation Address. Las Vegas
      Organisation Address. 89123
      Organisation Address. NV
      Organisation Address. UNITED STATES

      Admin Name........... na vanessa Miranda
      Admin Address........ 1010 Grand Cerritos Ave
      Admin Address........
      Admin Address........ Las Vegas
      Admin Address........ 89123
      Admin Address........ NV
      Admin Address........ UNITED STATES
      Admin Email.......... jzoh@yahoo.com
      Admin Phone.......... +44.702413697
      Admin Fax............ +44.7026413697

      Tech Name............ Domain Admin
      Tech Address......... Burnhill Business Centre
      Tech Address.........
      Tech Address......... Beckenham
      Tech Address......... BR3 3LA
      Tech Address......... Kent
      Tech Address......... GREAT BRITAIN (UK)
      Tech Email........... admin@powerhost.co.uk
      Tech Phone........... +44.2082496081
      Tech Fax............. +44.2082496076
      Name Server.......... ns1.ukdnsservers.co.uk
      Name Server.......... ns2.ukdnsservers.co.uk

      --
      I'm old enough to remember when discussions on Slashdot were well informed.
  2. Total Hypocrisy, Michael by Jewcatur · · Score: 5, Informative
    Wow, total irony here

    Do you realize how hypocritical that Michael is posting this story when Michael himself hijacked censorware.org from the people it belonged to? I reproduce the story here (you can read the original here:

    Michael Sims, Domain Hijacking and Moral Equivalency by Jonathan Wallace jw@bway.net

    How would you feel if your webmaster maliciously took your web-site offline, then, when you demanded its return, put up a site attacking your company at your old URL? It happened to a group I was involved in, the Censorware Project, currently at http://www.censorware.net. The purpose of this essay is to put the behavior on record, and to give you some impressions and inferences about it.

    The Censorware Project was originally an informal collective of six people who collaborated online to fight censorware: Seth Finkelstein, Bennett Haselton, Jamie McCarthy, Mike Sims, Jim Tyre and myself. Several of us had never met or even spoken on the phone, yet for some time -- around two years as I recall -- we had a remarkably easy collaboration. There was no funding, no hierarchy, no titles, not even project managers. Someone would suggest a project and take the responsibility for a part of it, others would sign up for other elements, and proceeding this way we got a remarkable amount of work done, including reports on X-Stop, Cyberpatrol, Bess and other censorware products.

    Even though two of us were attorneys -- Jim and myself -- we never incorporated the group or wrote a charter or any contracts among ourselves. Mike Sims was obliging enough to register the domain, just as other members paid for press releases and the other incidental expenses which came along. Mike also served as webmaster of the censorware.org site and did substantial work for the group, including writing contributions to several of the reports and lead authorship of at least one. Seth was the source of our decrypted censorware blacklists and managed many technical tasks, but later felt he had to leave the group because of the increasing prospects of a lawsuit, particularly under the Digital Millennium Copyright Act (DMCA). After Seth left the group, the remaining five continued.

    Robert Frost said that "nothing gold can stay," and the Censorware Project was no exception. Over the summer of 2000, Mike Sims' reaction to a perceived slight from Jim Tyre was to take the site down for a week. He sent us mail at the time saying something like "The Censorware Project is now closed." I replied to him that, given that the group was a collective and we all had an interest in its work product, the domain, and the goodwill it had achieved, the decision was not his to make. Sims did not reply.

    After Seth created a partial, text, mirror, Mike put the site back up a week later without explaining, let alone apologizing for, his actions. Given his continuing failure to answer any email from me (and I think from others) and the overall signs that Sims thought the group was exclusively his, I wrote him several emails requesting that he turn the domain over to Jamie or Bennett, as I felt we could no longer trust him to administer it. We also found out during that time that important email from people trying to contact us, including members of the press, was not being answered by Sims, nor being forwarded to other members.

    I ultimately became exasperated that my name was listed as a principal on what had now become a "rogue" site I had no control over. Over about

  3. This happens quite a bit... by eviljim · · Score: 5, Informative

    It's not surprising this has happened. Many, many companies do not take administrating their domain seriously, and several registrars -- Network Solutions especially -- make it very easy to steal domains.

    I know this from experience -- many years back one morning I woke up and Excite.com, Angelfire.com, and a few other domains were mysteriously owned by me. The only thing the hijacker needed to do (it wasn't me, by the way) was send in a single email. Old Story at Wired.

    1. Re:This happens quite a bit... by eviljim · · Score: 2, Informative

      First and foremost, choose a registrar that is secure. Under the old Network Solutions regime things were mostly done with email forms and the base method of security was verifying the "From" address an email was sent by. Yeah. That's not very secure, yet Excite was using it as opposed to at least the slightly better password or crypt-password options.

      Most registrars now use password protection and a web interface (Network Solutions does this now too). Yet like with everything else people will have stupid passwords, and some registrars allow people to have stupid passwords.

      Also, domains can be locked. This gives some security -- it prevents a transfer from going through unless you login to your current registrar to unlock the domain first. This is a bit of added security.

      Finally, make sure your email is secure and VALID. The number of people with invalid emails in their domain profile is staggering. Without a valid email you won't be notified that a domain is attempting to be transferred. If someone gets into your email, it's also likely they can get the login details for your registrar account.

      Okay that finally wasn't too final -- here's a few more things: don't deal with resellers. Go straight to a registrar and make sure they are ICANN accredited (not selling for someone else who is). Deal with a company with a good reputation.

    2. Re:This happens quite a bit... by Antique+Geekmeister · · Score: 2, Informative

      The surprise isn't that such a theft happened. The surprise is that it took this long. Verisign's willingness and ability to verify their customers' identity has been a joke for years, as thousands of throwaway domains registered by spammers and other frauds have demonstrated.

      Verisign doesn't want to verify and fully identify their customers. It's a lot of work, it doesn't create extra business, and it would make the fraud domains too traceable and cost them a significant revenue source, and would make them accountable for damages when their lax policies allow such thefts. The benefit would be to legitimate customers such as panix.com, but Verisign has always been about generating new profit sources, not improving the security of current services.

      On top of Verisign's hijacking of all unassigned *.com addresses, this is another reason for ICANN to review Verisign's ownership of the .com top level servers and consider giving them to another, more reliable provider.

  4. Re:How can this happen?? by PornMaster · · Score: 4, Informative

    Well, first thing to do is use the feature "REGISTRAR-LOCK" to make sure that for a domain transfer, not only does there need to be authorization from the listed contacts, but also you need to log in to your registrar and unlock it first.

  5. MODS, This isn't redundant by Anonymous Coward · · Score: 0, Informative

    For God's sake, this ISP has enough problems as it is. They already have their domain hijacked, the last thing they need is the rest of their website to be unavailable because of a slashdotting.

    Also, this is the 2nd post! Since the 1st post was a troll, how in the F is this redundant?

  6. Re:404? by Black+Is+Beautiful · · Score: 0, Informative

    Domain ID:D5537279-LROR
    Domain Name:CENSORWARE.ORG

    Registrant ID:0-164394-Gandi
    Registrant Name:Michael Sims
    Registrant Organization:Michael Sims

    --
    www.gnaa.us
  7. Rogue registrars? by tjls · · Score: 5, Informative
    I tried to post about this about 10 hours ago, but no luck. Sigh.

    What seems to have happened is that somehow the Australian registrar "melbourneIT.com" yanked the fully paid-up registration away from Dotster (where Panix had it) without any notice whatsoever (this violates all the relevant RFCs for the Shared Registration System and the current ICANN policy *and* seems to indicate a severe bug or security problem somewhere in the registration system).

    What's particularly scary is that melbourneIT.com isn't open on the weekends, period (though oddly enough they transferred the domain first thing on Saturday, hmmmm) and won't do anything to help. There are lots of ugly details in the NANOG mailing-list archive, particularly in this message from Perry Metzger, this message from Richard Cox, and this message from me, which includes a slimy note from some customer-service flack at Verisign.

    This has clearly happened to others in the past, and highlights a serious flaw in the current registry-registrar system. We are not 100% sure how the domain was transferred between registrars with no notice to anyone (though I have some hunches I won't go into here right now) but consider this: a rogue or penetrated registrar can effectively put you out of business for the duration of the ICANN complaint and appeals process, with no notice, and there may be nothing you or anyone else can do about it short of extremely expensive legal action, even if you get law enforcement involved. Yuck.

    1. Re:Rogue registrars? by Anonymous Coward · · Score: 5, Informative

      I've worked for Melbourne IT, and can add a little here. I've got a little bit of info on the situation.

      It's currently about 9pm on Sunday night in Melbourne. People have been alerted. Things _are_ moving. People are most certainly aware of the situation and are working to get to the bottom of it.

      The tech contact address (admin@powerhost.co.uk) is that of one of Melb IT's UK resellers, Fibranet. Its presence would indicate the transfer was initiated under that reseller's account and their access to Melb IT's systems. Possibly (I'm speculating) someone may also have got access to the reseller's account other than the reseller.

      It wouldn't surprise me if whoever did this intentionally did this near midnight Saturday, Melbourne time, near the start of Melb IT's longest point of having the office closed (midday Saturday to 8am Monday, Melbourne time). During the week there are staff on 24 hours.

      I don't speak for Melb IT here, but I really think they're copping a lot of shit for something that's not their fault. I'm not claiming they're perfect, but hell - this was done when nobody was in the damned office. They're not _evil_ there (or perfect - just human) and would never initiate anything that'd bring down this much bad press.

      Someone's playing games and using Melb IT as a tool. It'll all get untangled before long and we'll find out who's really to blame for this.

    2. Re:Rogue registrars? by tjls · · Score: 2, Informative

      No. The registrar the domain was taken from wasn't even notified of the transfer. Something is very wrong.

    3. Re:Rogue registrars? by tjls · · Score: 3, Informative

      Unfortunately, you've just posted the same tired bundle of false assertions. Neither the transferred-from registrar (that's Dotster) nor Panix were actually notified prior to the transfer. In fact, if you actually read the relevant standards (in particular, the description of the TRANSFER message in RFC2832) you'd find that a change of registrar works like this:

      1) The transferred-to registrar sends a TRANSFER message to VeriSign. VeriSign or the transferred-to registrar (the specification is extremely unclear) then uses an unspecified out-of-band method to contact the transferred-from registrar.

      2) The transferred-from registrar sends an identical TRANSFER message to VeriSign, except that it has either Approved:yes or Approved:no in it. This is what actually causes the change to occur.

      3) Since the recent ICANN change in policy, if no Approved: TRANSFER message is received in 5 days, the transfer occurs automatically.

      This points out some very, very odd things about this particular transfer. First, Dotster has no record of any TRANSFER request in their log file. Second, they have no record of sending any approval message -- in fact, their database still shows that Panix is their customer; they can't even try to grab the domain back without deleting the record, which would complicate the ongoing investigation. Yet VeriSign say that the domain was transferred with approval. With approval from whom, exactly?

      I have some strong hunches about how it might be possible to do this but I can't really go into them here and now.

  8. How This Can Happen by ErichTheWebGuy · · Score: 5, Informative

    See this story on Netcraft, which details the recent policy change by ICANN.

    In short, if someone initiates a transfer request, you then have 5 calendar days to respond, or else the transfer happens unopposed. You can prevent this by activating the REGISTRAR-LOCK feature on your domain name. The procedure varies by registrar, but it's usually called "domain lock" or something similar. All registrars have to at least give you the option of requesting this feature.

    Some registrars (godaddy, I know for sure does) activate this lock by default; some require you to activate it explicitly. Check with the support dept. at your registrar for further details.

    --
    bash: rtfm: command not found
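
The transfer rules described in this comment and in the RFC2832 summary earlier in the thread can be checked after the fact by reconciling the registry's transfer events with the losing registrar's own log. The code below is an added example, not part of any post and not registry or registrar code; the record shapes, field names, timestamps and the example.net / example.org entries are constructed for illustration.

```python
"""Added example: reconcile registry transfer events with a losing registrar's log."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# The 5-calendar-day window after which an unanswered request goes through.
AUTO_APPROVE_AFTER = timedelta(days=5)


@dataclass
class RegistryTransfer:
    """What the registry says happened (hypothetical record shape)."""
    domain: str
    gaining: str
    losing: str
    requested_at: datetime
    completed_at: datetime
    basis: str  # "approved" (losing registrar said yes) or "auto" (timeout)


@dataclass
class LosingRegistrarLog:
    """What the losing registrar has on file (hypothetical record shape)."""
    requests_seen: dict = field(default_factory=dict)   # domain -> arrival time
    responses_sent: dict = field(default_factory=dict)  # domain -> "yes" / "no"
    locked: set = field(default_factory=set)            # domains under lock


def audit_transfer(t, log):
    """Return the ways one completed transfer contradicts the losing side's log."""
    findings = []
    if t.domain in log.locked:
        findings.append("domain was locked at the losing registrar")
    if t.domain not in log.requests_seen:
        findings.append("losing registrar has no record of the TRANSFER request")
    answer = log.responses_sent.get(t.domain)
    if t.basis == "approved" and answer != "yes":
        findings.append("registry reports approval, losing registrar sent "
                        + (answer or "nothing"))
    if t.basis == "auto":
        if answer == "no":
            findings.append("transfer completed despite Approved:no")
        if t.completed_at - t.requested_at < AUTO_APPROVE_AFTER:
            findings.append("auto-approved before the 5-day window elapsed")
    return findings


def reconcile(transfers, log):
    """Audit every registry event; map domain -> list of findings."""
    return {t.domain: audit_transfer(t, log) for t in transfers}


# Constructed events. The panix.com entry mirrors what the thread reports
# (registry says "approved", Dotster has nothing on file); times are invented.
REGISTRY_EVENTS = [
    RegistryTransfer("panix.com", "MELBOURNE IT", "DOTSTER",
                     datetime(2005, 1, 15, 0, 0), datetime(2005, 1, 15, 0, 10),
                     "approved"),
    RegistryTransfer("example.net", "REGISTRAR-A", "DOTSTER",
                     datetime(2005, 1, 3, 9, 0), datetime(2005, 1, 8, 9, 0),
                     "auto"),
    RegistryTransfer("example.org", "REGISTRAR-A", "DOTSTER",
                     datetime(2005, 1, 3, 9, 0), datetime(2005, 1, 5, 9, 0),
                     "auto"),
]
LOSING_LOG = LosingRegistrarLog(
    requests_seen={"example.net": datetime(2005, 1, 3, 9, 5),
                   "example.org": datetime(2005, 1, 3, 9, 5)},
    responses_sent={},
    locked={"panix.com"},
)

if __name__ == "__main__":
    for domain, findings in reconcile(REGISTRY_EVENTS, LOSING_LOG).items():
        print(domain, "OK" if not findings else findings)
```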
  9. it's worse than that... by bani · · Score: 4, Informative

    ...melbourneit, the registrar responsible for the mess, basically told panix to take a flying leap. verisign wasn't any help either.

    what a sad state of affairs when it's trivial to hijack a domain, but it takes an act of god to return it to its rightful owner. apparently, even law enforcement can't get verisign or melbourneit to do squat:

    Date: Sun, 16 Jan 2005 07:04:46 +0000
    From: Thor Lancelot Simon
    To: nanog@merit.edu
    Subject: Re: panix.com hijacked (VeriSign refuses to help)

    Alexis Rosen tried to send this to NANOG earlier this evening but it
    looks like it never made it. Apologies if it's a duplicate; we're
    both reduced to reading the list via the web interface since the
    legitimate addresses for panix.com have now timed out of most folks'
    nameservers and been replaced with the hijacker's records.

    Note that we contacted VeriSign both directly and through intermediaries
    well known to their ops staff, in both cases explaining that we suspect
    a security compromise (technical or human) of the registration systems
    either at MelbourneIT or at VeriSign itself (we have reasons to suspect
    this that I won't go into here right now). We noted that after calling
    every publicly available number for MelbourneIT and leaving polite
    messages, the only response we received was a rather rude brush-off from
    MelbourneIT's corporate counsel, who was evidently directed to call us
    by their CEO.

    We are also told that law enforcement separately contacted VeriSign on
    our behalf, to no avail.

    Below please find VeriSign's response to our plea for help. We're rather
    at a loss as to what to do now; MelbourneIT clearly are beyond reach,
    VeriSign won't help, and Dotster just claim they still own the domain and
    that as far as they can tell nothing's wrong. Panix may not survive this
    if the formal complaint and appeal procedure are the only way forward.

    > Date: Sun, 16 Jan 2005 00:21:33 -0500
    > To: , NOC Supervisor
    > Subject: Re: FW: [alexis@panix.com: Brief summary of panix.com hijacking incident] (KMM2294267V49480L0KM)
    > From: VeriSign Customer Service
    > X-Mailer: KANA Response 7.0.1.127
    >
    > Dear Alexis,
    >
    > Thank you for contacting VeriSign Customer Service.
    >
    > Unfortunately there is little that VeriSign, Inc. can do to rectify this
    > situation. If necessary, Dotster (or Melbourne) is more than welcome to
    > contact us to obtain the specific details as to when the notices were
    > sent and other historical information about the transfer itself.
    >
    > Dotster can file a Request for Enforcement if Melbourne IT contends that
    > the request was legitimate and we will review the dispute and respond
    > accordingly. Dotster can also contact Melbourne directly and if they
    > come to an agreement that the transfer was fraudulent they can file a
    > Request for Reinstatement and the domain would be reinstated to its
    > original Registrar. Dotster could submit a normal transfer request to
    > Melbourne IT for the domain name and hope that Melbourne IT agrees to
    > transfer the name back to them outside of a dispute having been filed.
    > In order to expedite processing the transfer or submitting a Request for
    > Reinstatement however Dotster will need to contact Melbourne IT
    > directly. If Dotster is unable to get in touch with anyone at Melbourne
    > IT we can assist them directly if necessary.
    >
    > Best Regards,
    >
    > Melissa Blythe
    > Customer Service
    > VeriSign, Inc.
    > www.verisign.com
    > info@verisign-grs.com

    1. Re:it's worse than that... by Aurix · · Score: 2, Informative

      As an Aussie, I don't think I'll ever deal with Melbourne IT after hearing this. Their ridiculously high prices are meant to include top support... Seems they're letting everyone down.

      Anyone know if they could stand to lose their registrar license? I mean, you can't just pass fraudulent transfers like that....

  10. Re:More details, please... by Gendalia · · Score: 5, Informative

    Panix's registrar has no record of the transfer request. Dotster's whois shows that the domain needs to be renewed by April.
    Registrant:
    Public Access Networks Corp.
    15 West 18th Street, 5th floor
    New York, NY 10011
    US

    Registrar: DOTSTER
    Domain Name: PANIX.COM
    Created on: 22-APR-91
    Expires on: 23-APR-05
    Last Updated on: 15-JAN-05

    Administrative, Technical Contact:
    Hostmaster, Panix hostmaster@panix.com
    Public Access Networks Corp.
    15 West 18th Street, 5th floor
    New York, NY 10011
    US
    212-741-4400
    212-741-5311

    Domain servers in listed order:
    NS1.ACCESS.NET
    NS2.ACCESS.NET

    End of Whois Information
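
The whois records quoted in this thread differ from the legitimate one in a few machine-checkable fields (registrar, name servers, registration date, lock status). The code below is an added example, not part of any post: it parses both record layouts seen on this page and compares them with a baseline the owner keeps out of band. The baseline's `expect_lock` and `verified_on` values, the `REGISTRAR-LOCK` status string and the two registry-layout samples are assumptions constructed for illustration.

```python
"""Added example: flag registrar / name-server drift in whois output."""
import re
from datetime import date

# Known-good values the domain owner keeps out of band. Registrar and name
# servers are those in the Dotster record quoted in this thread; "expect_lock"
# and "verified_on" are assumptions made for this example.
BASELINE = {
    "domain": "panix.com",
    "registrar": "DOTSTER",
    "name_servers": {"ns1.access.net", "ns2.access.net"},
    "expect_lock": True,
    "verified_on": date(2005, 1, 1),
}

# Accepts "Key: value" (registry layout) and "Key........ value" (the dotted
# registrar layout posted earlier in the thread).
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*(?:\.+|:)\s*(.*)$")

# Excerpt of the dotted record quoted in the thread.
RESELLER_RECORD = """\
Domain Name.......... panix.com
Creation Date........ 1991-04-22
Registration Date.... 2005-01-15
Expiry Date.......... 2006-04-23
Name Server.......... ns1.ukdnsservers.co.uk
Name Server.......... ns2.ukdnsservers.co.uk
"""

# Constructed samples in the registry layout (not real whois output).
REGISTRY_RECORD_HIJACKED = """\
   Domain Name: PANIX.COM
   Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
   Name Server: NS1.UKDNSSERVERS.CO.UK
   Name Server: NS2.UKDNSSERVERS.CO.UK
   Status: ACTIVE
"""
REGISTRY_RECORD_GOOD = """\
   Domain Name: PANIX.COM
   Registrar: DOTSTER
   Name Server: NS1.ACCESS.NET
   Name Server: NS2.ACCESS.NET
   Status: REGISTRAR-LOCK
"""


def parse_whois(text):
    """Return {lower-cased key: [values]} for every non-empty key/value line."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2).strip():
            fields.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return fields


def check_drift(baseline, fields):
    """Compare one parsed record with the baseline; return a list of findings."""
    domain = fields.get("domain name", [""])[0].lower()
    if domain != baseline["domain"]:
        return ["record is for %r, expected %r" % (domain, baseline["domain"])]
    findings = []
    registrar = fields.get("registrar", [])
    if registrar and baseline["registrar"].lower() not in registrar[0].lower():
        findings.append("registrar changed: " + registrar[0])
    seen_ns = {v.lower().rstrip(".") for v in fields.get("name server", [])}
    if seen_ns and seen_ns != baseline["name_servers"]:
        findings.append("name servers changed: now %s (expected %s)" % (
            ", ".join(sorted(seen_ns)), ", ".join(sorted(baseline["name_servers"]))))
    statuses = {s.upper() for s in fields.get("status", [])}
    if baseline["expect_lock"] and statuses and "REGISTRAR-LOCK" not in statuses:
        findings.append("lock missing: status is " + ", ".join(sorted(statuses)))
    for raw in fields.get("registration date", []):
        try:
            registered = date.fromisoformat(raw)
        except ValueError:
            continue  # not an ISO date; ignore rather than guess the format
        if registered > baseline["verified_on"]:
            findings.append("registration date %s is later than last verification" % raw)
    return findings


if __name__ == "__main__":
    for name, record in [("reseller", RESELLER_RECORD),
                         ("registry/hijacked", REGISTRY_RECORD_HIJACKED),
                         ("registry/good", REGISTRY_RECORD_GOOD)]:
        print(name, check_drift(BASELINE, parse_whois(record)) or "no drift")
```

Fields a record does not carry are skipped rather than reported, so the dotted record (which has no registrar or status line) is judged only on its name servers and registration date.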

  11. Password Recovery by msaulters · · Score: 4, Informative

    FAILED
    The Melbourne IT Registry Key for Domain Name panix.com was not able to be retrieved. This could be due to the Domain Name being managed by a Melbourne IT Reseller. Please contact your Reseller for assistance. If this fails, please go to our help center.

    www.panix.com is coming up with a freeparking.co.uk web page. This means that SOMEONE is handling DNS for the domain. That is the one piece of useful information in the current whois record. ns1.ukdnsservers.co.uk
    OK, looks like ukdnsservers.co.uk belongs to:
    Domain Name:
    ukdnsservers.co.uk

    Registrant:
    ActiveBytes Software LLC

    Administrative Contact's Address:
    2530 Channin Drive
    Wilmington
    DE
    19810 US

    Registrant's Agent:
    Fibranet Services Ltd [Tag = FIBRANET]

    Relevant Dates:
    Registered on: 25-Mar-2000
    Renewal Date: 25-Mar-2006
    Last updated: 11-Dec-2004

    Registration Status:
    Registered until renewal date.

    Name servers listed in order:
    ns3.ukdnsservers.co.uk 142.46.200.68
    ns4.ukdnsservers.co.uk 207.61.90.197

    This is a company on US soil. If the authorities have been contacted, the FBI should be breaking down these guys' doors right about now, cause they're involved in what could be considered an act of international terrorism, and I'm not being sarcastic. Either ActiveBytes Software, or one of their representatives has knowingly set up DNS records for panix.com, or they have been hacked.

    Unfortunately, it appears that even though their offices may be in Delaware, their DNS is a little farther north:

    traceroute 142.46.200.67
    (Most of traceroute omitted to pass bullshit lameness filter)
    23 145 ms 75 ms 74 ms AL-7304-GigE2.telecomottawa.net [142.46.200.1]
    24 82 ms 85 ms 88 ms 142.46.200.67

    Trace complete.

    traceroute 207.61.90.197
    (Most of traceroute omitted to pass bullshit lameness filter)
    18 65 ms 75 ms 64 ms core1-ottawa23-pos2-2.in.bellnexxia.net [64.230.234.90]
    19 221 ms 204 ms 217 ms ottcorr01-pos5-0-0.in.bellnexxia.net [206.108.99.146]
    20 Request timed out.
    21 244 ms 183 ms 225 ms ns4.ukdnsservers.co.uk [207.61.90.197]

    Trace complete.

    Maybe someone at telecomottawa.net could be contacted to track these people down or help out in some small way. Here's their Customer Care Page. They have a toll-free number! Let's see if enough of us call it, or perhaps if enough of Panix's unhappy customers call it, maybe TelecomOttawa will help out (wouldn't it suck if someone were to steal the telecomottawa.net domain name from them in a similar fashion?) Anyway, the TF# is 1-888-424-7771 (X3?)

    Man, this really pisses me off that someone was able to do this, and that these guys aren't having any luck getting the problem fixed.

    --
    These people looked deep into my soul and assigned me a number based on the order in which I joined.
    1. Re:Password Recovery by HeghmoH · · Score: 2, Informative

      You can blame various governments for that, they've been doing it for a long, long time.

      --
      Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
  12. Melbourne IT, eh? by pwhysall · · Score: 4, Informative

    Funnily enough, they're the registrar for the scam site http://american-redcross.org/.

    Coincidence? You decide.

    --
    Peter
    1. Re:Melbourne IT, eh? by anttik · · Score: 2, Informative

      True.

      Compare the original and the fake. Fake is missing the navigation bar. Fake's VeriSign verifying thingie leads to validating www.redcross.org instead of american-redcross.org. Notable thing is also that they load images from www.redcross.org to save bandwidth.

  13. Re:How can this happen?? by rwyoder · · Score: 2, Informative

    Well, first thing to do is use the feature "REGISTRAR-LOCK" to make sure that for a domain transfer, not only does there need to be authorization from the listed contacts, but also you need to log in to your registrar and unlock it first.

    I am following the NANOG mailing list, and the domains were locked.
  14. whois.melbourneit.com by pureone · · Score: 2, Informative

    whois south-parsonalbanking.com

    Whois Server Version 1.3

    Domain names in the .com and .net domains can now be registered
    with many different competing registrars. Go to http://www.internic.net
    for detailed information.

    Domain Name: SOUTH-PARSONALBANKING.COM
    Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
    Whois Server: whois.melbourneit.com
    Referral URL: http://www.melbourneit.com
    Name Server: YNS1.YAHOO.COM
    Name Server: YNS2.YAHOO.COM
    Status: ACTIVE
    Updated Date: 15-jan-2005
    Creation Date: 15-jan-2005
    Expiration Date: 15-jan-2006

    >>> Last update of whois database: Sun, 16 Jan 2005 07:38:23 EST

    Domain Name.......... south-parsonalbanking.com
    Creation Date........ 2005-01-15
    Registration Date.... 2005-01-15
    Expiry Date.......... 2006-01-15
    Organisation Name.... Douglas Hurcomb
    Organisation Address. 1516 Hidden Valley Ln
    Organisation Address.
    Organisation Address. Rochester
    Organisation Address. 48306
    Organisation Address. MI
    Organisation Address. UNITED STATES

    Admin Name........... Douglas Hurcomb
    Admin Address........ 1516 Hidden Valley Ln
    Admin Address........
    Admin Address........ Rochester
    Admin Address........ 48306
    Admin Address........ MI
    Admin Address........ UNITED STATES
    Admin Email.......... douglashurcomb@yahoo.com
    Admin Phone.......... +1.2486568102
    Admin Fax............

    Tech Name............ YahooDomains TechContact
    Tech Address......... 701 First Ave.
    Tech Address.........
    Tech Address......... Sunnyvale
    Tech Address.........

    --
    120 chars is not bloody enough for a real sig!!! you bastards even count spaces!!!
  15. Panix.com WAS locked, moved anyway by Burdell · · Score: 3, Informative

    Panix thought that they had all of their domains in registrar-lock status. When they checked panix.net and panix.org after panix.com got swiped, they were no longer locked.

    However, this has nothing to do with them being locked or not. The registrar Panix uses is Dotster, and they show no record of panix.com being transferred. In other words, Verisign (who is in charge of all .com registrations) allowed a domain to be transferred to a different registrar without following the published procedures. Even if a domain is not locked, there is a notification and waiting period that was ignored. Somehow MelbourneIT and Verisign short-circuited the system (quite possibly an inside job at both).

    IIRC the .net control is up for renewal soon and other companies may bid to take it away from Verisign; let's hope that happens (my main domains are all .net).

  16. Panix mail accessible! by howardcohen · · Score: 3, Informative

    I *am* getting my panix.com mail by going to mail.panix.NET, and using their web-based mail client.

    By way of background, I've been a Panix user for more than a decade. They are classy, intelligent people, which sets them apart from most folks in their line of work.

  17. Re:very insightful by rs79 · · Score: 3, Informative

    "And it is your own damn fault. Cooking up the DRPs took years of work by the concerned interests, and they were more concerned with enduring legal title than momentary loss of possession. During those years, interest in the DNSO side of ICANN by network operators went from some to zero, and at the Montevideo meeting the ISP and Business constituencies were so small they met in a small room and only half the seats were taken. After that point they were effectively merged. IMHO, Marilyn Cade and Phillipe Shepard are the ISP/B Constituency, and they can't hear you (for all 24x7 operational values of "you")."

    It's *our* fault? Nice try, Eric. I should fly halfway around the world 4X a year at 5 grand a pop to stay in the ICANN 4 or 5 star host-hotel so I get my 15 minutes of being ignored at the microphone? BTDT for a couple of years. Even if you think you scored a minor victory ICANN will, and has, quietly changed the bylaws to circumvent that. Oh, but don't worry, as a membership organization, as dictated by the USG we can all vote on this. Oh that's right, that bit never happened even though ICANN's initial purpose was to only define the organization, get members then pass it off to the duly elected board. We still have the current IBM/Magaziner appointed board and the "members" don't exist.

    Lesse here, on one side we have the Intellectual Property wonks who ARE funded to fly to every meeting and are paid full time to lobby ICANN. Those buggers are everywhere, do not operate in the open and are anything but transparent. They work for companies with 3 letter names.

    On the other side we have "us" and "our funding" (hahahahah). We lose. Thanks for playing; tragedy of the commons.

    Interest in the DNSO and ICANN has waned because people are tired of beating their head against a brick wall till it's a bloody pulp; you can't begin to fight the behind the scenes back channel closed shenanigans the IP folks play, you don't even find out what they are till years later (cf the secret, thou shall not disclose meeting that IBM arranged with ICANN and NSI that Farber and Cerf attended that set this all in motion). They and they alone, as correctly pointed out, are and have always been the boogeymen behind virtually all troubles in the DNS today and have been since long before ICANN was a glint in Joe's eye.

    To paraphrase Mark Twain, "It's a good thing we don't get all the ICANN we pay for"

    Look what happened to Aurbach. ICANN sees openness as a fault and routes around it.

    --
    Need Mercedes parts ?
  18. Re:MelbourneIT Criminals by tjls · · Score: 2, Informative
    For what it's worth:

    1) IP addresses are not "part of ssh keys" -- and I can say this with some authority, as the author of one of the first open-source SSH implementations. (Please don't use it here-now-today, it's painfully obsolete!)

    2) SSH clients can store multiple valid keys per DNS name (or, for that matter, per IP address) and multiple physical hosts can have the same SSH private key (the latter, in fact, is probably how Panix should configure its shell servers. Since they provide the same service with the same authentication requirements, using the same SSH key is almost certainly right).

    3) A lot of SSH clients suck, about both these things. To this day, some can't cope gracefully with either condition at all though it's a matter of about 10 lines of code in each case to do so. Even OpenSSH can't deal with the somewhat less common situation of a host having two different keys on two different IP addresses. It's a sad fact that no matter what you do users seem to blindly click through the client's warning messages -- which, I think, disincents developers to get which messages appear when exactly right.
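
Added example, not part of the comment above and not taken from any SSH implementation: a Python host-key lookup for the two conditions in point 2, one name with several valid keys and several hosts sharing one key. The host names, addresses and key blobs are constructed sample data; hashed names and wildcard host patterns are not handled.

```python
from collections import defaultdict

# Constructed known_hosts text: one name with two keys, two names sharing a key.
KNOWN_HOSTS = """\
# constructed sample entries
shell.example.net,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEYONE
shell.example.net,192.0.2.11 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEYTWO
shell2.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEYONE
@revoked * ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEYBAD
"""

def load_known_hosts(text):
    """Return (keys_by_name, revoked) parsed from plain-text known_hosts lines."""
    keys_by_name, revoked = defaultdict(set), set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = None
        if fields[0].startswith("@"):          # @revoked / @cert-authority
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue                           # malformed line, ignore
        names, keytype, blob = fields[0], fields[1], fields[2]
        if marker == "@revoked":
            revoked.add((keytype, blob))       # treated as revoked for every host
        elif marker is None:
            # A set per name: a second line for the same name adds a key
            # instead of replacing the first one.
            for name in names.split(","):
                keys_by_name[name.lower()].add((keytype, blob))
    return keys_by_name, revoked

def check_host_key(db, name, keytype, blob):
    """Classify a presented key as 'match', 'mismatch', 'unknown' or 'revoked'."""
    keys_by_name, revoked = db
    presented = (keytype, blob)
    if presented in revoked:
        return "revoked"
    known = keys_by_name.get(name.lower())
    if not known:
        return "unknown"                       # first contact: nothing to compare
    # 'mismatch' is the result a redirected name or address produces: the name
    # is known, but the server answering for it holds none of the stored keys.
    return "match" if presented in known else "mismatch"
```

Keeping "unknown" and "mismatch" as separate results lets a client ask for confirmation on first contact but refuse outright when a known name presents a key it has never stored.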

  19. Re:preventable by tjls · · Score: 2, Informative

    It's not clear that DNSSEC actually would stop this particular kind of attack -- which is one reason why it's so nasty (the attack, not DNSSEC!).

  20. Re:Deal with the Devil by tjls · · Score: 5, Informative
    Nice try, troll.

    To answer your "questions", no and no.

    Panix has been deeply involved in efforts to promote and protect Internet security since, I'd wager, long before you even had access to the Internet at all. I should know -- within two months of my first coming to work at Panix in 1993 the majority of my work was shifted from normal system administration to security.

    The very first NY Times article (possibly the first national newspaper article at all) on the subject of Internet security featured Panix' heroic efforts to publicize and mitigate a series of network sniffer attacks that had been previously kept under wraps, and compromised the security of thousands of Internet users (at a time when the total population of the Internet was only a few tens or perhaps hundreds of thousands). Panix played a key role in the emergence of full-disclosure security lists by refusing to sit still while vendors and CERT (don't get me wrong. CERT is good. They just weren't then) conspired to cover up known vulnerabilities for years at a time. And so forth.

    To this day, security remains a major focus at Panix. It has to -- they're the oldest, most prominent, and one of the largest (if not the largest) shell ISPs still out there, and their users won't tolerate system outages caused by security failures, or security failures that compromise those users' own security. In general, if you find Unix timesharing systems the size of Panix, they're at universities; and look at those folks' security records. Panix, on the other hand, is worlds better.

    To respond to your other happy fun mudslinging, Panix has not and does not tolerate "online crimes" by its users, whether your invented "user" Kevin Mitnick or anyone else. Never did, doesn't now; security is important to Panix; it is essential to their business; and so is the health of the Internet itself.

    Depending how you count, Panix is the second or third oldest consumer ISP in the world. Panix has been around long enough to remember the times when if they had a security incident, a significant fraction of the Internet shuddered (e.g. when we were offline for two days for security reasons in 1994, traffic on Usenet as a whole fell considerably). It would be hard to find any business on the Internet more fundamentally concerned that its own security problems not impact others than Panix has been, and is.

    Which, of course, is quite a different attitude than that exemplified by some other businesses mentioned in this thread.

  21. Re:DCMA by Anonymous Coward · · Score: 1, Informative

    Err...if you mean the DMCA it is here:

    http://en.wikipedia.org/wiki/DMCA

  22. Re:It's not just Censorware by Matt+Perry · · Score: 2, Informative
    This is a highly-visited news site, considered a major source of tech news for geeks, and a corporate-owned entity of OSTG who employs Malda and company. There's an amount of responsibility you ethically must adopt when your site gets so popular that its name alone becomes a verb due to the server-killing power of its readerbase.
    Yet how many slashdot readers have written (not emailed) OSTG to let them know how they feel? Personally, the lack of attention to checking links in stories, dupe posting, Michael's comments, etc, are what keep me from subscribing. I let them know that. Write them and let them know how you feel:
    OSTG
    46939 Bayside Parkway
    Fremont, CA 94538
    USA
    --
    Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
  23. UPDATE by rs79 · · Score: 2, Informative

    Berryhill went to the house in Wilmington. The address is bogus.

    Or rather the address is real but the guy we're looking for doesn't live there any more and the people there get all "sorts of weird things".

    This apparently is not the first time this happened.

    The lawyer in question has moved to PA.

    John's going home to check state corporate registration records to try to find him.

    --
    Need Mercedes parts ?
  24. This just in!!! by Anonymous Coward · · Score: 5, Informative

    (Posted by Ed Ravin [staff]) Sun, Jan 16 2005 -- 5:41 PM
    ----------------
    Recovery is underway from the panix.com domain hijack.

    The root name servers now have the correct information, as does the WHOIS registry. Portions of the Internet will still not be able to see panix.com until their name servers expire the false data. More info soon.

    -- Ed