Slashdot Mirror


New York's Oldest ISP Gets Domain-Jacked

Howard Roark writes "Panix, the oldest commercial Internet provider in New York, had its domain name 'panix.com' hijacked by persons unknown. The main effect on users is that mail sent to panix's customers is being routed to a bogus mail server run by the hijackers."

19 of 447 comments

  1. Panix by UnCivil+Liberty · · Score: 5, Informative

    One domain hijacked and another soon to be slashdotted, sucks to be them.

    Just in case:
    "Status as of Sat Jan 15 22:04:33 EST 2005

    Panix's main domain name, panix.com, has been hijacked by parties unknown. The ownership of panix.com was moved to a company in Australia, the actual DNS records were moved to a company in the United Kingdom, and panix.com's mail has been redirected to yet another company in Canada. Panix staff are currently working around the clock to recover our domain, but this may take until Monday, due to the time differences and difficulties in reaching responsible parties over the weekend.

    For most customers, accesses to Panix using the panix.com domain will not work or will end up at a false site."


    Their catch phrase "Your $HOME away from home" is quite cute.

    --
    Distributed proteome folding @ WorldCommunityGrid.org
    Team Slashdot - Members:#1 Run Time:#1 Points:#1 Results:#1
  2. Total Hypocrisy, Michael by Jewcatur · · Score: 5, Informative
    Wow, total irony here

    Do you realize how hypocritical that Michael is posting this story when Michael himself hijacked censorware.org from the people it belonged to? I reproduce the story here (you can read the original here:

    Michael Sims, Domain Hijacking and Moral Equivalency by Jonathan Wallace jw@bway.net

    How would you feel if your webmaster maliciously took your web-site offline, then, when you demanded its return, put up a site attacking your company at your old URL? It happened to a group I was involved in, the Censorware Project, currently at http://www.censorware.net. The purpose of this essay is to put the behavior on record, and to give you some impressions and inferences about it.

    The Censorware Project was originally an informal collective of six people who collaborated online to fight censorware: Seth Finkelstein, Bennett Haselton, Jamie McCarthy, Mike Sims, Jim Tyre and myself. Several of us had never met or even spoken on the phone, yet for some time -- around two years as I recall -- we had a remarkably easy collaboration. There was no funding, no hierarchy, no titles, not even project managers. Someone would suggest a project and take the responsibility for a part of it, others would sign up for other elements, and proceeding this way we got a remarkable amount of work done, including reports on X-Stop, Cyberpatrol, Bess and other censorware products.

    Even though two of us were attorneys -- Jim and myself -- we never incorporated the group or wrote a charter or any contracts among ourselves. Mike Sims was obliging enough to register the domain, just as other members paid for press releases and the other incidental expenses which came along. Mike also served as webmaster of the censorware.org site and did substantial work for the group, including writing contributions to several of the reports and lead authorship of at least one. Seth was the source of our decrypted censorware blacklists and managed many technical tasks, but later felt he had to leave the group because of the increasing prospects of a lawsuit, particularly under the Digital Millennium Copyright Act (DMCA). After Seth left the group, the remaining five continued.

    Robert Frost said that "nothing gold can stay," and the Censorware Project was no exception. Over the summer of 2000, Mike Sims' reaction to a perceived slight from Jim Tyre was to take the site down for a week. He sent us mail at the time saying something like "The Censorware Project is now closed." I replied to him that, given that the group was a collective and we all had an interest in its work product, the domain, and the goodwill it had achieved, the decision was not his to make. Sims did not reply.

    After Seth created a partial, text, mirror, Mike put the site back up a week later without explaining, let alone apologizing for, his actions. Given his continuing failure to answer any email from me (and I think from others) and the overall signs that Sims thought the group was exclusively his, I wrote him several emails requesting that he turn the domain over to Jamie or Bennett, as I felt we could no longer trust him to administer it. We also found out during that time that important email from people trying to contact us, including members of the press, was not being answered by Sims, nor being forwarded to other members.

    I ultimately became exasperated that my name was listed as a principal on what had now become a "rogue" site I had no control over. Over about

    1. Re:Total Hypocrisy, Michael by martinoforum · · Score: 5, Insightful

      It's certainly ironic, I must say. But judging by most of my reading, the sole requirement of being an editor on a Linux or Open Source related news site is to be as insufferable an asshole as possible and refuse to resign, ever, regardless.

      If it wasn't for the fact that I read Slashdot purely to be reminded of the fact that being a geek does not make you smart - something I feel it is good to remind oneself of on a regular basis - I would probably have stopped reading in horror.

      But really, it would only matter if Michael had a good job. "He hijacked their domain! And now he's a success!" they cry. A success? Jesus, by what standards!? He reads hoax stories about fish washed up by tsunamis, doesn't bother to check any facts and just posts them regardless. And that doesn't even constitute doing a bad job, by Slashdot standards. So if that's the standards they require, I can't imagine it is too hard to get qualified "journalists" to work for them, and they doubtless pay a rate commensurate to his boundless skills.

      Just get back to your Neal Stephenson books and consider him Andrew Loeb, everybody. He'll doubtless get shot in the end anyway...

    2. Re:Total Hypocrisy, Michael by Anonymous Coward · · Score: 5, Insightful

      Mike Sims was obliging enough to register the domain

      Because you didn't have any formal organization, he screwed you.

      That's the problem with relying on donated resources, they can go away at any time. Mike donated the domain name and webserver, then chose not to.

      What he did next shows that he's not an honorable person, but then we knew that from his editorializing here on /..

    3. Re:Total Hypocrisy, Michael by sexysciencegirl · · Score: 5, Interesting

      Parent's post is at +5 at 12:30am PST, 1/16/05. Who wants to bet that it
      1) will be fixed at -1
      2) becomes another post of death
      before the day is over?
      It wouldn't be the first time when slashdot editors' actions go directly against their high-horse stance against censorship and try to hide any views that they personally don't like.
      I would like to remind Michael that you only support free speech if you support your enemies' rights to say things that you don't like and hope that you prove me wrong.

  3. This happens quite a bit... by eviljim · · Score: 5, Informative

    It's not surprising this has happened. Many, many companies do not take administrating their domain seriously, and several registrars -- Network Solutions especially -- make it very easy to steal domains.

    I know this from experience -- many years back one morning I woke up and Excite.com, Angelfire.com, and a few other domains were mysteriously owned by me. The only thing the hijacker needed to do (it wasn't me, by the way) was send in a single email. Old Story at Wired.

  4. Rogue registrars? by tjls · · Score: 5, Informative
    I tried to post about this about 10 hours ago, but no luck. Sigh.

    What seems to have happened is that somehow the Australian registrar "melbourneIT.com" yanked the fully paid-up registration away from Dotster (where Panix had it) without any notice whatsoever (this violates all the relevant RFCs for the Shared Registration System and the current ICANN policy *and* seems to indicate a severe bug or security problem somewhere in the registration system).

    What's particularly scary is that melbourneIT.com isn't open on the weekends, period (though oddly enough they transferred the domain first thing on Saturday, hmmmm) and won't do anything to help. There are lots of ugly details in the NANOG mailing-list archive, particularly in this message from Perry Metzger, this message from Richard Cox, and this message from me, which includes a slimy note from some customer-service flack at Verisign.

    This has clearly happened to others in the past, and highlights a serious flaw in the current registry-registrar system. We are not 100% sure how the domain was transferred between registrars with no notice to anyone (though I have some hunches I won't go into here right now) but consider this: a rogue or penetrated registrar can effectively put you out of business for the duration of the ICANN complaint and appeals process, with no notice, and there may be nothing you or anyone else can do about it short of extremely expensive legal action, even if you get law enforcement involved. Yuck.

    1. Re:Rogue registrars? by Anonymous Coward · · Score: 5, Informative

      I've worked for Melbourne IT, and can add a little here. I've got a little bit of info on the situation.

      It's currently about 9pm on Sunday night in Melbourne. People have been alerted. Things _are_ moving. People are most certainly aware of the situation and are working to get to the bottom of it.

      The tech contact address (admin@powerhost.co.uk) is that of one of Melb IT's UK resellers, Fibranet. Its presence would indicate the transfer was initiated under that reseller's account and their access to Melb IT's systems. Possibly (I'm speculating) someone may also have got access to the reseller's account other than the reseller.

      It wouldn't surprise me if whoever did this intentionally did this near midnight Saturday, Melbourne time, near the start of Melb IT's longest point of having the office closed (midday Saturday to 8am Monday, Melbourne time). During the week there are staff on 24 hours.

      I don't speak for Melb IT here, but I really think they're copping a lot of shit for something that's not their fault. I'm not claiming they're perfect, but hell - this was done when nobody was in the damned office. They're not _evil_ there (or perfect - just human) and would never initiate anything that'd bring down this much bad press.

      Someone's playing games and using Melb IT as a tool. It'll all get untangled before long and we'll find out who's really to blame for this.

    2. Re:Rogue registrars? by xlsior · · Score: 5, Interesting

      What seems to have happened is that somehow the Australian registrar "melbourneIT.com" yanked the fully paid-up registration away from Dotster (where Panix had it) without any notice whatsoever

      Or so they say.

      What many people here may not be aware of, is that the domain registry system had a slight overhaul recently, after ICANN mandated a change in the registrar transfer procedures.

      More specifically: while in the past a domain transfer would automatically be rejected when the account holder did not approve it, recently this changed so now a transfer request get approved by default unless the account holder actively rejects it.

      Yes -- that means that if the owner happens to be on vacation, doesn't check his mail frequently enough, has a spamfilter that ate the transfer notice, or simply never received the message in the first place for whatever other reason, the domain transfer request will automatically be granted.

      ICANN's reasoning for this was allegedly that it would prevent a defunct hosting provider or non-working administrative account from keeping a customer's domain hostage.

      The only way to change this behaviour and reject a domain transfer by default, is to lock the domain with the registrar. Many of the registrars responded to this policy change by proactively locking all domains hosted with them with little warning (Network Solutions, for example).

      Anyway, it's quite likely that this domain in question simply didn't get locked (or was actively unlocked by the administrator because it was deemed inconvenient?). Then if anyone sent a (bogus) transfer request and the administrator either didn't see the notice or didn't respond in a timely fashion to reject it, this would happen.

      This will happen to ANY domain that is not currently locked, and whose admin contacts aren't paying close enough attention to their mailbox. If you haven't already done so: MAKE SURE YOUR DOMAINS ARE LOCKED!!!

      Yet another example of how ICANN makes the world a better place, I guess.

    3. Re:Rogue registrars? by Anonymous Coward · · Score: 5, Interesting
      I've been involved in investigating this for most of today. In fact, it's not just the admin and tech contacts at Panix who were never notified; the transferred-from registrar (Dotster) was never notified.
      Even under the new ICANN rules, that's not supposed to be possible. Someone is playing games with the system.

  5. It's not just Censorware by bonch · · Score: 5, Interesting

    People do not like him as an editor here. Michael constantly editorializes by sticking his opinions into the article submission instead of in a comment like the rest of us have to. He often modbombs threads and blacklists people who post in them from moderating. Even if you don't like Taco's endless dupes or typos, at least he lets the submission speak for itself (iPod launch comment excluded). Michael does very unprofessional things like the infamous all-caps attack toward Intel in the 64-bit chip article last year.

    No, this is not just a hobby site where those kinds of things fly. This is a highly-visited news site, considered a major source of tech news for geeks, and a corporate-owned entity of OSTG who employs Malda and company. There's an amount of responsibility you ethically must adopt when your site gets so popular that its name alone becomes a verb due to the server-killing power of its readerbase.

    Michael also does things like edit the words of people's submissions, like adding quotation marks around the word "revealed" in this story (now in my sig). Regardless of what you think of the story, that's just plain misleading and twisting the words and intent of the submitter, making it appear they meant something other than what they did. If it was an anonymous submitter, that would be different, but now Michael has stuffed a message into the submitter's mouth that was not there. At least show a little respect for the people who are providing your content.

  6. How This Can Happen by ErichTheWebGuy · · Score: 5, Informative

    See this story on Netcraft, which details the recent policy change by ICANN.

    In short, if someone initiates a transfer request, you then have 5 calendar days to respond, or else the transfer happens unopposed. You can prevent this by activating the REGISTRAR-LOCK feature on your domain name. The procedure varies by registrar, but it's usually called "domain lock" or something similar. All registrars have to at least give you the option of requesting this feature.

    Some registrars (godaddy, I know for sure does) activate this lock by default, Some require you to activate it explicitly. Check with the support dept. at your registrar for further details.

    --
    bash: rtfm: command not found
  7. Re:More details, please... by Gendalia · · Score: 5, Informative

    Panix's registrar has no record of the transfer request. Dotster's whois shows that the domain needs to be renewed by April.
    Registrant:
    Public Access Networks Corp.
    15 West 18th Street, 5th floor
    New York, NY 10011
    US

    Registrar: DOTSTER
    Domain Name: PANIX.COM
    Created on: 22-APR-91
    Expires on: 23-APR-05
    Last Updated on: 15-JAN-05

    Administrative, Technical Contact:
    Hostmaster, Panix hostmaster@panix.com
    Public Access Networks Corp.
    15 West 18th Street, 5th floor
    New York, NY 10011
    US
    212-741-4400
    212-741-5311

    Domain servers in listed order:
    NS1.ACCESS.NET
    NS2.ACCESS.NET

    End of Whois Information
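
The two posts above describe the ICANN change (a transfer request succeeds unless the owner rejects it within the window, and only a registrar lock blocks it by default), and the whois record just quoted shows the fields a domain owner can watch. The following monitoring script is an added example, not code from the thread, from Panix, or from Dotster: it parses a whois record in the key/value layout quoted above and compares it with the owner's baseline, flagging a changed registrar, a missing transfer lock, changed name servers, or an approaching expiry. The sample records, the domain and registrar names, and the "Status:" line are constructed for the example (the status values REGISTRAR-LOCK and clientTransferProhibited are the lock indicators whois servers report; the quoted Dotster record has no status line at all, which this script treats as "unlocked").

```python
"""Baseline check of a domain's whois record (hypothetical monitoring script).

Parses the key/value whois layout quoted in the thread and compares it with
what the domain owner expects.  All sample data below is constructed.
"""
from datetime import date, datetime

# Constructed record in the same layout as the Dotster record quoted above,
# with a Status line added so the lock check has something to find.
LOCKED_RECORD = """\
Registrar: EXAMPLE-REGISTRAR
Domain Name: EXAMPLE.COM
Created on: 22-APR-91
Expires on: 23-APR-05
Last Updated on: 15-JAN-05
Status: REGISTRAR-LOCK

Domain servers in listed order:
NS1.EXAMPLE.NET
NS2.EXAMPLE.NET

End of Whois Information
"""

# Constructed record for the same domain after an unauthorised transfer:
# different registrar, no lock, and name servers pointing elsewhere.
HIJACKED_RECORD = """\
Registrar: OTHER-REGISTRAR
Domain Name: EXAMPLE.COM
Created on: 22-APR-91
Expires on: 23-APR-05
Last Updated on: 15-JAN-05

Domain servers in listed order:
NS1.ELSEWHERE.EXAMPLE
NS2.ELSEWHERE.EXAMPLE

End of Whois Information
"""

# Status values that mean "transfer requests are refused by default".
LOCK_STATUSES = {"REGISTRAR-LOCK", "CLIENTTRANSFERPROHIBITED"}

# Fixed "today" so the expiry arithmetic is reproducible (constructed).
SAMPLE_TODAY = date(2005, 1, 16)


def parse_whois(text):
    """Return registrar, expiry date, status set and name servers from a record."""
    rec = {"registrar": None, "expires": None, "statuses": set(), "nameservers": []}
    in_ns = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_ns = False          # a blank line ends the name-server block
            continue
        if in_ns:
            rec["nameservers"].append(line.upper())
            continue
        if line.lower().startswith("domain servers in listed order"):
            in_ns = True
            continue
        if ":" not in line:
            continue               # e.g. "End of Whois Information"
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "registrar":
            rec["registrar"] = value.upper()
        elif key == "expires on":
            try:
                rec["expires"] = datetime.strptime(value, "%d-%b-%y").date()
            except ValueError:
                pass               # unknown date layout: leave expiry unknown
        elif key in ("status", "domain status"):
            # modern records append an EPP URL after the status token
            rec["statuses"].add(value.split()[0].upper())
    return rec


def check_record(rec, expected_registrar, expected_ns, today, warn_days=60):
    """Compare a parsed record with the owner's baseline; return a list of alerts."""
    alerts = []
    if rec["registrar"] != expected_registrar.upper():
        alerts.append(f"registrar changed: expected {expected_registrar.upper()}, saw {rec['registrar']}")
    if not (rec["statuses"] & LOCK_STATUSES):
        alerts.append("no transfer lock: a transfer request would go through unless rejected in time")
    if sorted(rec["nameservers"]) != sorted(n.upper() for n in expected_ns):
        alerts.append(f"name servers changed: {rec['nameservers']}")
    if rec["expires"] is not None and (rec["expires"] - today).days < warn_days:
        alerts.append(f"domain expires in {(rec['expires'] - today).days} days")
    return alerts


def run_demo():
    """Check both constructed records against the same baseline."""
    baseline = ("EXAMPLE-REGISTRAR", ["ns1.example.net", "ns2.example.net"])
    return {
        "locked": check_record(parse_whois(LOCKED_RECORD), *baseline, SAMPLE_TODAY),
        "hijacked": check_record(parse_whois(HIJACKED_RECORD), *baseline, SAMPLE_TODAY),
    }


if __name__ == "__main__":
    for name, alerts in run_demo().items():
        print(name, "->", alerts or ["no alerts"])
```

Run from cron against a real whois lookup and the alert list becomes the early warning that the posts above say the admin contact's mailbox alone cannot be relied on for: a registrar or name-server change shows up in whois before customers notice misrouted mail, and a missing lock is visible before any transfer request arrives.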

  8. Re:Password Recovery by Legion303 · · Score: 5, Insightful

    "cause they're involved in what could be considered an act of international terrorism, and I'm not being sarcastic."

    Maybe not, but you're sure diluting the living fuck out of the word "terrorism."

  9. panix rules by Anonymous Coward · · Score: 5, Insightful
    note how alexis keeps his cool in this message:
    Hi, all.

    I hate to pop my head up after years of lurking, only when things are going bad, but probably better that than remaining silent.

    First of all, I'm going to be bounced from this list once its cache of my DNS times out, which will probably be in about 2-3 hours, so if you have anything to say that you'd like me to see, please copy me. We're temporarily accepting mail at panix.net in addition to panix.com, so use alexis (at) panix.net.

    A few points to respond to:

    First, Eric, thanks for contacting Bruce and Eric on my behalf. While nothing has happened so far, I hope that it will soon, and in any case I appreciate your efforts to help a total stranger.

    Someone asked if we had registrar-lock set. It's not clear to me what happened. Our understanding is that we had locks on all of our domains. However, when we looked, locks were off on panix.net and panix.org, which we own but don't normally use. It's not clear how that happened; dotster has yet to contact us with any information about, well, anything at all. They did answer a call this morning; they're apparently in the middle of an ice storm. All I was able to learn from them is that according to the person I talked to, they had no records of any transfer requests on our domain from today back through last October.

    Someone suggested invoking a dispute procedure. We'll do that, as soon as we can get someone to actually accept the dispute, but if it goes through that process to completion, many people will suffer, and Panix itself will be tremendously damaged. How long do you think even our customers will stay loyal? (Forever, for many of them, but that doesn't mean they won't be forced to start using a different service.)

    While it's true that MelbourneIT won't do anything before (their) Monday morning, I don't want to paint them as bad guys in this drama. I don't know how they're organized and I don't know how difficult it is for them logistically. Of course I want them to move faster. Much faster. But I'll take what I can get.

    And speaking of MIT, I don't intend to send them "nastygrams" - nor NSI either. Neither of them owes me anything (at least directly) and being heavyhanded would not be a good way to get what I want (restoral of the panix.com domain to dotster) even if I thought they deserved it. I expect that there will be criminal prosecutions arising out of this, but the time for that sort of thing is later, when things are back to normal, and we've fixed any systemic vulnerabilities that can be fixed before they're used to wreak mass havoc. And it's anyone's guess who the target of those prosecutions will be, but I doubt MIT or NSI will be among them.

    Lastly, someone expressed surprise that I'd call MIT's lawyer directly. I didn't. I spent *hours* trying to find working contact info for MIT and Dotster. I didn't find useful 24-hour NOC-type info anywhere. (Someone obviously has this info; I expect it's restricted to a list of registrars.) I reached Dotster's customer support when they opened for business Saturday morning; the guy was polite, and did what he could, but I saw no evidence whatsoever of the promised attempt to assist me after he got off the phone. MIT apparently has no weekend support at all; I finally located their CEO's cellphone in an investor-relations web page. I called him, and he had his lawyer call me back. That was his choice. FWIW, she's not "just" a lawyer; she's apparently the person who has to make decisions about reverting control of the domain. So she at least needs to be aware of our position. My impression is that she didn't fully grasp the gravity of the situation, and so treated us like she'd treat any other annoying customer who managed to track her down on her day off. This is somewhat understandable (though infuriating) which is why I'd hoped to talk to someone on their tech side first. No luck there, but if any of this reaches them, maybe that will start things going.

    Thanks again to everyone who has tried to help us today.

    /a
  10. Re:it's worse than that... by Anonymous Coward · · Score: 5, Insightful

    I'm just a paralegal, so this isn't legal advice. But I've worked on these cases enough to know what that letter is telling you. First, you need to hire a lawyer to handle this. Second, the letter is telling you the precise steps to take. Follow them like you would command line instructions and you will get the best results.

    Only the new registrar can help. That is your target. Get Dotster to send the Request for Enforcement. Call up and get to know someone at Dotster (and Melbourne) and call and call and call. Be friendly and do all they ask, step by step. Give them all the info you can find about the new person claiming ownership. Look up in Betterwhois and find out who is the new owner. I'm betting dollars to doughnuts, you will find it isn't a real address. Try to contact the new owner by the address, email, phone listed. If you get no response, tell Dotster. Point that out. Find out if the new place is spamming, porn, whatever. That is almost certainly what is happening to your customers. Make clear to the new registrar that they got the domain through lying, trickery, however they got it. Details and proof.

    This is a standard hustle, and usually names change as well as registrars. They generally use more than one hop because it is harder to get it back, harder to trace. Verizon is the worst, in my experience, and they won't help you, but if you can get Dotster and Melbourne on this, they will have to. Make a note of who didn't help you and make future decisions about who you want as your registrar.

    You should be able to get it back, but it may take time.

    Again, the key to it all is get a lawyer. They know exactly how this dance goes. A lawyer who does UDRP. That is what you ask for. It's called domain name hijacking.

  11. Hey, my domain was stolen the other week too by maugt · · Score: 5, Insightful

    This does happen a lot more than you think. I started a blog to document it at Orangelimey.blogs.com

    NSI is currently claiming that the transfer was legitimate - somehow the hijacker got into the administrative contact's email and compromised the accounts - how we still don't know. However, the person that ended up with the domain seems to be willing to give it back.

    Really, the whole domain security thing is ridiculous. For a domain (which is considered property under a ruling from the appeals court in the sex.com case) to be transferred with such lax legal proceedings is pathetic. Can I steal your car or your house by simply faking email and guessing passwords? Of course not.

    Maybe panix can make enough of a stink about this to get someone to stand up and take notice - although who can do this I don't know. ICANN is toothless and only cares about trademark disputes.

    Someone told me as a result of this that 40,000 domains were hijacked in the last year. I don't know where this data comes from, but really, obviously something is wrong.

    Feel sorry for panix, I used them when I lived in NYC

  12. Re:Deal with the Devil by tjls · · Score: 5, Informative
    Nice try, troll.

    To answer your "questions", no and no.

    Panix has been deeply involved in efforts to promote and protect Internet security since, I'd wager, long before you even had access to the Internet at all. I should know -- within two months of my first coming to work at Panix in 1993 the majority of my work was shifted from normal system administration to security.

    The very first NY Times article (possibly the first national newspaper article at all) on the subject of Internet security featured Panix' heroic efforts to publicize and mitigate a series of network sniffer attacks that had been previously kept under wraps, and compromised the security of thousands of Internet users (at a time when the total population of the Internet was only a few tens or perhaps hundreds of thousands). Panix played a key role in the emergence of full-disclosure security lists by refusing to sit still while vendors and CERT (don't get me wrong. CERT is good. They just weren't then) conspired to cover up known vulnerabilities for years at a time. And so forth.

    To this day, security remains a major focus at Panix. It has to -- they're the oldest, most prominent, and one of the largest (if not the largest) shell ISPs still out there, and their users won't tolerate system outages caused by security failures, or security failures that compromise those users' own security. In general, if you find Unix timesharing systems the size of Panix, they're at universities; and look at those folks' security records. Panix, on the other hand, is worlds better.

    To respond to your other happy fun mudslinging, Panix has not and does not tolerate "online crimes" by its users, whether your invented "user" Kevin Mitnick or anyone else. Never did, doesn't now; security is important to Panix; it is essential to their business; and so is the health of the Internet itself.

    Depending how you count, Panix is the second or third oldest consumer ISP in the world. Panix has been around long enough to remember the times when if they had a security incident, a significant fraction of the Internet shuddered (e.g. when we were offline for two days for security reasons in 1994, traffic on Usenet as a whole fell considerably). It would be hard to find any business on the Internet more fundamentally concerned that its own security problems not impact others than Panix has been, and is.

    Which, of course, is quite a different attitude than that exemplified by some other businesses mentioned in this thread.

  13. This just in!!! by Anonymous Coward · · Score: 5, Informative

    (Posted by Ed Ravin [staff]) Sun, Jan 16 2005 -- 5:41 PM
    ----------------
    Recovery is underway from the panix.com domain hijack.

    The root name servers now have the correct information, as does the WHOIS registry. Portions of the Internet will still not be able to see panix.com until their name servers expire the false data. More info soon.

    -- Ed