MelbourneIT Lapse Permitted Panix Hijack
McSpew writes "Netcraft reports MelbourneIT's CTO, Bruce Tonkin, has admitted the Panix domain hijacking occurred because of a loophole in MIT's domain transfer process. He doesn't go into detail about what that loophole was, or how it was closed. As a Panix user, I'd like more detail, and I'd like to know what can be done to stop this sort of nonsense happening to other domains."
Unless it runs on MacOS or will be available in a smaller form factor of varying stylish colors, I fail to see how this is postworthy on Slashdot.
Be stupid, hack a server and get caught. At least the internet is that much safer. I don't blame those panix users, they must have panix.
just don't panix!
I'd like to know what can be done to stop this sort of nonsense happening to other domains
You'll never stop this sort of stuff, there is always someone smarter and more determined to find loopholes than the overworked, caffeine-addicted guy paid to write the code.
...the perpetrators of the hijacking remain at large? If I were a Panix user, I'd be panixing right now too.
Melbourne IT, which sells its domains through Yahoo and many other hosting firms, defended its claim of 24/7 customer service for resellers and technical contacts (although not retail customers), but said it will evaluate whether it can improve.
Translation: We won't commit to doing a damn thing, and frankly we're only interested in the people who pay us to fuck up. Nonetheless, we're attempting to put it nicely, so be grateful.
Si tacuisses philosophus mansisses. If you had kept quiet, you would have remained a philosopher.
Someone screwed up.
The loophole that led to this error has been closed.
And they fired the guy.
It's the battle of the minds, and everyone's unarmed.
They also have all the integrity to be expected of the major ".cx" registrar.
For quite some time, on the NS redelegation page of the MelbIT web site, you could enter in either a hostname, or an IP address, or both, to choose your new nameservers. Great for those of us having to move IP ranges or whatnot.
The problem is, the web form did nothing at all with the IP addresses you put in. It completely ignored them. You had to call up Melbourne IT and speak to somebody to get the mess sorted out. That one caused me a day of pain.
Other times, the staff members have stated facts that clearly went against all of their procedures on the web page for redelegation and/or key retrieval. "Sorry, no, even though that's what the web page says, it REALLY means the opposite"
She'll be right mate - no one at MelbourneIT would lose their job even if they transferred google by mistake on a weekend and did nothing about it until 9am Monday.
If your registrar doesn't support locking, find another one that does. GoDaddy, EV1servers, etc do.
"Loophole" really means somebody at MelbourneIT didn't perform end-to-end tests of their registration server; that, or was only looking for primary adherence to the spec, and didn't check if their implementation could be fucked with.
Big Daddy, Johnny, Burp, Aunt Zelda, Scott, Slurp, Big Momma
In a word - Fosters.
A feeling of having made the same mistake before: Deja Foobar
I'm confused. They were the receiving registrar of the transfer. However, it was the other registrar, that the domain was transferred from, that seems to me more at fault. Most registrars allow customers to "lock" a domain, which means that it cannot be transferred without the customer notifying the current registrar. Panix says they locked the domain. If that is so, then it should not have been transferable without their permission, no matter what loopholes were in Melbourne's system.
Not entirely offtopic... also, we've had a slew of crappy moderations lately, so whoever down-modded the parent thread will doubtlessly down-mod me as well (hence anon).
Translation: We are committed to solutions which enhance your whole internet experience and lifestyle. Please see our website if you have any questions concerning customer service.
404 - Page not found
Given that it's down to the registry (not the registrar) to actually commit any transfer request, and there are several stages of validation on this, isn't it down to them to NOTICE if something didn't go right?
... right?
If I'm reading the linked description of the transfer process right, in part 2 (allegedly where it fell over) the "gaining registrar is not permitted by the policy to initiate a transfer without approval from the registrant".
Not permitted BY THE POLICY? That's an awful lot of trust to put into each and every registrar never making a mistake or having a design flaw in their systems. Surely they should just bounce every transfer request that doesn't follow some sort of authorization procedure.
Why are the registrars responsible for this step, and not the central registry itself? There's an awful lot of trust involved here, and this could happen with any registrar that happened to have a bug in their systems. I bet there's a way to exploit this from many registrars other than Melbourne IT that just haven't been found yet.
Here is a basic explanation of what happened from what I have read.
ICANN recently changed the rules for domain name transfers so that rather than requiring confirmation for domain name transfers, they are transferred automatically if the owner does not object within a set period of time (a few weeks IIRC). This is meant to "streamline the domain transfer process". In this regard, I believe that ICANN is partially to blame for this hijacking. These policy changes need to be reviewed. You can, of course, lock your domain against this occurring, but it is a simple error to neglect to do this.
Melbourne IT is also more or less to blame for this hijacking (depending on who you believe). It has been confirmed that one of their resellers allowed someone to create an account with a stolen credit card number, and initiate the domain transfer process. Panix claims that Melbourne IT failed to send the notification of transfer to them or their registrar. They also state that they had asked that their domain be locked against transfers, but this did not occur. If this is the case, then this is a serious issue with Melbourne IT.
Melbourne IT has also been accused of being unavailable for contact over the weekend, despite promising 24/7 service. The only way that Panix managed to contact them was via the CEO's mobile number.
If these accusations are true, then this shows serious problems within Melbourne IT.
Someone used a stolen credit card number to create an account, then initiated the domain transfer process. That sounds like a hijack to me.
I still have a variety of domain names handled by them and their web-based domain management interface has no option to enable REGISTRAR-LOCK, and frankly I don't have 50 mins to spend in their phone queue.
"We normally respond to requests within 48 hours" .... says the email auto-responder....
Evidently ICANN made a policy change in November 2004 that was intended to make it easier to transfer domains between registrars, but it turns out to also make it easier to hijack domains. Apparently multiple domains have been hijacked from Dotster.com, (the registrar for panix.com), so I would guess that they have some holes in their procedure for confirming transfers with their customers.
How do you prevent this? Well, when reading the various articles about this, (I know, I'm new here), I ran across the phrase 'locking your domain'. I had never heard of this before, but I checked with my registrar, and sure enough they now have settings for 'normal' and 'high' transfer security. Basically they will not allow any domains that have 'high transfer security' set on to be transferred. Period. Whether they can get in contact with me or not. If I want the domain transferred, I have to log in and reset transfer security to normal, and then a transfer can go ahead. Otherwise it stays with me until it expires. Unfortunately the default setting was normal, but once I knew about it, it only took 30 seconds to set my domains to 'high'.
In theory anyway; panix.com says that their domain was set to 'locked' with dotster, so your mileage may vary. Maybe tucows or someone can randomly test transfer attempts of 'locked' domains and certify registrars that appropriately deny the transfers?
So, check your domains now, set them to locked, or high security, or whatever your registrar calls it. If they don't have such a setting, hey, it ought to be easy to transfer your domain to one that does!
And as you tread the halls of sanity, You feel so glad to be, Unable to go beyond. I have a message, From another time..
Clearly, MIT has its priorities.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
Registrations are year-to-year, so:
Registrar: DOTSTER
Domain Name: PANIX.COM
Created on: 22-APR-91
Expires on: 23-APR-06
Last Updated on: 16-JAN-05
It could only lapse in April - and it sure as hell didn't lapse in April of 2004 and stay working for this long!
"with their freedom lost all virtue lose" - Milton
If by "read the first time this article..." you mean "I didn't read the article and I am speaking out of my ass," then you are under the correct impression.
I see the words MelbourneIT and I'm not surprised. Have had to transfer domains from them legitimately for clients and/or change hosting information and out of all registrars I've ever dealt with they are one of the most unresponsive in the industry. Verisign/Network Solutions is better. Don't do there.
But..you didn't check your facts. MelbourneIT had the domain transferred to them, even though Panix's registrar, Dotster, was not notified. A transfer lock was also in place for the domain.
I have no idea how you came to the conclusion that this is Panix's fault, or that the domain expired. Even with this incredible lack of evidence, you proceed to go out on a rant against Panix.
Check your facts before posting.
The good, the CEO admitted it so something will likely happen to prevent it in the future.
The bad, panix.com users were compromised and without service.
The ugly hopefully (as far as we know) does not happen. Such hijackings can lead to compromised passwords and accesses to other systems.
Be careful out there...
Who do I use inside Australia besides Melbourne IT?
My only recent interaction with them resulted in a yelling match.
Is this the same Bruce Tonkin from Round Lake, Illinois (U.S.A) who was president of T.N.T. Software, and wrote My Word!, or is this just a coincidence? Not that there couldn't be more than one. I was just wondering.
My other car is a 1984 Nark Avenger.
That's because some registries allow you to specify IPs, and others don't.
I probably should have added code to the form to not display the IP boxes if the domain space was known not to support it, but I could never get a clear answer as to which ones did and didn't.
Always a good time had by all.
Uh, except you, I guess.
September 2011: Looking for Cocoa/iOS work in Boston area Cocoa Programmer Quincy, MA
Fosters outside Australia is usually a license to use the name sold to another brewery, hence not always the horrible uriney crap you get under that name in Australia. Rumour has it it may also be relabelled Crown Lager in some markets.
But I do get where you're coming from, everyone overseas seems to think we drink it (thanks to the advertising) but reality is people only drink Fosters here when there's no other choice, like at the Grand Prix.
When you trust a bunch of Australians with the management of your domain name..
Terrorists *scare* people - killing is just that scary that they do it. Impressively, hijacking an NYC domain name, even one called "Panix", isn't that scary. Maybe there's hope for us after all.
--
make install -not war
Melbourne IT's service has always been lousy. Maybe they'll get their act together one day.
When faced with a situation where the only beer is fosters I would just not drink that day.
Speaking of which...
Symantec: Software company best known for the Norton family of products.
Semantics: The study of meanings in a language.
The recommendation in the linked discussion is that by using both registrar-lock and auth_info the system provides a reasonable compromise between security and the incentive for registrars to make the domain transfer process as difficult as possible.
Now, I agree that there is certainly a worry that losing registrars could make sending a domain name very difficult if they initiated a transfer. However, a system which provides registrar-lock which many registrars initiate by default and require user action to remove is just as abusable. So long as the registrar may put on registrar-lock by default they may incorporate any difficulty they want into the process of removing registrar lock. In fact this is even worse than just requiring the losing registrar to initiate a transfer. After all many domain holders like myself until today have no idea that registrar lock even exists and may attempt to do the transfer before we know we have to undo the registrar lock, adding additional difficulty on top of any difficulty for removing registrar-lock.
As it is we get the worst of both worlds. Since registrar-lock is not always turned on many domain names are left vulnerable but those registrars who want to make it difficult to leave have just as much incentive to turn on registrar-lock by default and make it hard to turn off as they would to initiate a transfer. At this point it would be strictly better to go to a loser-initiated system.
I think a good fix would be to require that registrar-lock be off by default. Those domains that wanted it could turn it on easily, after all the registrar has every incentive to make this as easy to do as possible. This is also a good match for the threat/benefit model. Big name domains are most liable to be attacked, but they have departments that can deal with a difficult transfer process, while private users can leave registrar-lock off knowing that they are unlikely to be targeted and being more likely to change registrars anyway.
If you liked this thought maybe you would find my blog nice too:
no mod points today ...
One simple rule for its versus it's
Tip from the wise:
Fosters starts to taste exponentially better after the seventh jug. That said ugly women start to look better after the fourth so read into that what you will.
The only time when one should actually drink Fosters is when the only other beer available is Tooheys. QED.
~
~
~
-- INSERT --
Panix, the oldest commercial Internet provider in New York, [...] We started in 1989, before the advent of the Internet, and we're still going strong.
Aside from the obvious chicken-and-egg problem of claiming to have been an ISP before the "I" was even invented - 1989 may pre-date the web but it's a long way short of pre-dating the Internet.
If you're on panix.com and you haven't changed your password yet I highly suggest you do. E-mail might be a good idea to change too if panix lets you.
Basically, since they owned the domain, they also owned all the servers on it, including the E-mail server. It wouldn't be too hard for them to write a dummy E-mail server that captures every login attempt to it as well as the password sent. From that they got your E-mail address (SPAM!) and your password for it (SPY!).
From what this dotster.com business practice sounds like, it screams spammer, spyware and scammer all in one fun box.
In Soviet Russia, Trojan exploits YOU!
http://shit.slashdot.org/article.pl?sid=05/01/19/017229
So you are the fucker that's responsible? How hard is it to find out what is valid for a goddamn .com.au domain!
Read those RFCs again. If the domain was locked, Verislime was responsible, as the domain registry, for denying any and all transfer requests, period, no question. Dotster never even got so much as a notification of the fraudulent request; it had no opportunity to object.
Isn't it better to, as a rule-of-thumb as far as security goes, enforce a general default-deny policy as opposed to a default-allow policy? IMHO, this is evidence that the whole system needs an overhaul, from ICANN all the way down, with at least some attention paid to security.
bash: rtfm: command not found
So when you say ....
I have a bit of a hard time thinking the core of the organisation retains its *sheltered* workshop origins. Of course MelbourneIT is not exactly a *squeaky clean organisation* as they make out to be. Those with long enough memories remember the share allocation irregularities that resulted in the Domain Games story by the ABC 4 Corners investigation.
Those interested can read from the ABC 4 Corners investigation and some other snippets from the Auditor General's report.
For the non-Australians, an investigative story by 4 Corners is equivalent to, say, a UK BBC Horizon or US PBS or CBS 60 Minutes expose. As a *publicly listed company* it is not something you look forward to. I may be wrong, maybe it is just plain incompetence.
peterrenshaw ~ Another Scrappy Startup
... [here] on the transfer process.
I have sent them my comment as follows:
I'm old enough to remember when discussions on Slashdot were well informed.
So if that troll of a woman turns down your drunken advances, you've got three more Foster's before getting over the rejection! Hic!
Stuck down a hole! In the middle of the night! With an owl!
From the article: "I finally located their CEO's cellphone in an investor-relations web page."
That would be why the CEO was involved, so his involvement illustrates nothing about the company's laziness or otherwise
As a Panix subscriber (and submitter of this topic), I have seen informal update posts made to internal (Panix-only) newsgroups by Panix staff during and since the crisis.
Not only did Panix get MelbourneIT's CEO's cellphone number from a web page, but when they contacted him, he was most unhelpful and even directed MelbourneIT's corporate counsel to contact Panix and set them straight.
If this is the kind of leadership MelbourneIT shows in times of crisis, I pity anyone who has to depend on them--whether by their own choice or through someone else's--to do the right thing in a pinch.
I'm posting late and as AC, so this'll never see daylight, but I know what they need to do.
Panix - a NY company - needs to go complain to NY Attorney General Eliot Spitzer. I've heard a number of different things that indicate that
a) Spitzer has a big law behind him giving him crazy stupid amounts of authority
b) He is willing to beat up big companies with this law
c) He's generally a "good guy" (pro individual, anti corporate abuse)
I dunno what'll happen in NY if they ever buy off the NY AG, it's such a powerful position. The eastern seaboard will probably blow up. 'Till then Panix should get Spitzer to crack some heads for 'em.
$.02
Failure by the Registrar of Record to respond within five (5) calendar days to a notification from the Registry regarding a transfer request will result in a default "approval" of the transfer.
In the event that a Transfer Contact listed in the Whois has not confirmed their request to transfer with the Registrar of Record and the Registrar of Record has not explicitly denied the transfer request, the default action will be that the Registrar of Record must allow the transfer to proceed.
It's not that domain owners have 5 days to respond to a transfer request. It's the Registrar where the domain is *currently* registered that has to respond within 5 days to approve or deny the transfer.
This policy was put in place because some Registrars were not being very forthcoming in transfers. In essence, this makes the originating Registrar in a domain transfer not be able to block a transfer by simply ignoring the request.
Registrars are still required to get explicit permission from the domain owners for a transfer. Read the entire policy at the provided link.
Mayhaps Lord Elric can stop this nonsense, and suck a few souls in the process.
www.icann.org/transfers/policy-12jul04.htm
Instances when the requested change of Registrar may not be denied include, but are not limited to:
* Nonpayment for a pending or future registration period
* No response from the Registered Name Holder or Administrative Contact.
* Domain name in Registrar Lock Status, unless the Registered Name Holder is provided with the reasonable opportunity and ability to unlock the domain name prior to the Transfer Request.
* Domain name registration period time constraints, other than during the first 60 days of initial registration or during the first 60 days after a registrar transfer.
* General payment defaults between Registrar and business partners / affiliates in cases where the Registered Name Holder for the domain in question has paid for the registration.
The bottom line to all of this is to provide accurate information with your domain registrations, and, lock the domain so that if your Registrar gets a notice that another Registrar wants to transfer your domain, it can't be transferred, even if you are not contactable (say, on a cruise or something).
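To make the rules quoted in these last two comments concrete (the five-day default approval, and lock status or the 60-day window as grounds for refusal), here is an added Python model of the decision a registry would take on a pending transfer. It is not code from ICANN, Melbourne IT, Dotster or any registry; the class and function names, the dates and the `silence_means` switch (which also lets you compare the default-deny alternative argued for elsewhere in the thread) are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed model of the transfer rules quoted above (hypothetical names;
# the registry's real EPP status codes and messages are not reproduced).
RESPONSE_WINDOW_DAYS = 5    # losing registrar's window to approve or deny
POST_CHANGE_HOLD_DAYS = 60  # no transfer in the first 60 days after create/transfer


@dataclass
class DomainRecord:
    name: str
    created: date
    last_transfer: Optional[date]
    locked_at_registry: bool  # the lock the registry itself enforces


@dataclass
class TransferRequest:
    submitted: date
    registrant_authorized: bool  # asserted by the gaining registrar, not verified here
    losing_registrar_reply: Optional[str]  # "approve", "deny" or None (silence)


def evaluate_transfer(rec, req, today, silence_means="approve"):
    """Return (decision, reason) for a pending inter-registrar transfer.

    silence_means="approve" is the default-approval rule quoted above;
    "deny" is the default-deny alternative argued for in the thread."""
    if rec.locked_at_registry:
        return "denied", "registrar lock status set at the registry"
    hold_start = rec.last_transfer or rec.created
    if req.submitted < hold_start + timedelta(days=POST_CHANGE_HOLD_DAYS):
        return "denied", "inside the 60-day hold after creation or transfer"
    if not req.registrant_authorized:
        return "denied", "gaining registrar did not assert registrant approval"
    if req.losing_registrar_reply == "deny":
        return "denied", "losing registrar explicitly denied"
    if req.losing_registrar_reply == "approve":
        return "approved", "losing registrar explicitly approved"
    deadline = req.submitted + timedelta(days=RESPONSE_WINDOW_DAYS)
    if today <= deadline:
        return "pending", f"awaiting losing registrar until {deadline}"
    if silence_means == "approve":
        return "approved", "no response within 5 days: default approval"
    return "denied", "no response within 5 days: default denial"


def scenario(locked_at_registry, days_elapsed, silence_means="approve"):
    """Constructed case: a long-registered domain, the gaining registrar
    asserts approval, and the losing registrar never replies (as Panix
    reported); evaluated days_elapsed days after submission."""
    rec = DomainRecord("example.test", date(1991, 4, 22), None, locked_at_registry)
    submitted = date(2005, 1, 14)  # constructed date
    req = TransferRequest(submitted, True, None)
    return evaluate_transfer(rec, req, submitted + timedelta(days=days_elapsed),
                             silence_means)


if __name__ == "__main__":
    print("unlocked, day 2 :", scenario(False, 2))
    print("unlocked, day 6 :", scenario(False, 6))
    print("unlocked, day 6, default-deny:", scenario(False, 6, "deny"))
    print("locked, day 6   :", scenario(True, 6))
```

The second and fourth cases show why the lock matters: once the losing registrar is silent, the only thing standing between a request built on a forged authorization and default approval is a lock that is actually set where the decision is made.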
So what actually happens if you transfer someone's domain without asking? And you follow the right procedures? My domain sends an email and the losing company sends an email? There is no response and the domain is transferred. Can the old owner fuss until they get it back, press legal action? Since they did get the chance to deny and accept it.
Perhaps you meant the University of Woolamaloo.