MelbourneIT Lapse Permitted Panix Hijack

McSpew writes "Netcraft reports MelbourneIT's CTO, Bruce Tonkin, has admitted the Panix domain hijacking occurred because of a loophole in MIT's domain transfer process. He doesn't go into detail about what that loophole was, or how it was closed. As a Panix user, I'd like more detail, and I'd like to know what can be done to stop this sort of nonsense happening to other domains."

Overworked

[tuxter]

I'd like to know what can be done to stop this sort of nonsense happening to other domains

You'll never stop this sort of stuff, there is always someone smarter and more determined to find loopholes than the overworked, caffeine addicted guy paid to write the code.

Re:Overworked

[dgatwood]

This is, sadly, standard policy for all the registrars. Idiotic, yes, but normal. The problem is that in their (NetSol's) boneheaded minds, the owner of the domain is the COMPANY to which the domain is registered, not the person.

Word to the wise: NEVER put a company name in when registering for a domain unless you are intentionally registering a domain on behalf of an existing company. It will only bite you in the ass later.

Been there, done that. Fortunately, in my case, I had just created the domain and was obsessively checking the registrar's whois. Thus, I caught the problem before they had a chance to upload the data to NetSol's main whois. Since I was able to fax the phony letterhead so quickly, we were able to resolve the problem before NetSol saw the bogus data, so at least I didn't get have to pay for a domain transfer when I realized that I had incorrectly filled out the registrar's forms (which never said anything about this policy).

That said, the policy is totally broken and should be fixed. You should have the choice of registering it to a company OR an individual. The current system allows you to register it to BOTH, and changing EITHER requires paying for a transfer. Talk about a system designed to screw people over and hit them up for extra fees....

Translation of corporate speak

[Magickcat]

Melbourne IT, which sells its domains through Yahoo and many other hosting firms, defended its claim of 24/7 customer service for resellers and technical contacts (although not retail customers), but said it will evaluate whether it can improve.

Translation: We won't commit to doing a damn thing, and frankly we're only interested in the people who pay us to fuck up. Nonethless, we're attempting to put it nicely, so be grateful.

The weekend rule

[dbIII]

I should point out that this is in Australia, where government bodies and those decended from them (like MelbourneIT) do not operate on weekends even if their survival depends upon it. In a recent terrorism trial the suspect could not contact anyone on a weekend to report a bomb plot - in 2002. One of the recent election promises was that the intelligence agencies would be contactable on weekends - although the phone number didn't make it into the most recent set of phone books after the entry lapsed.

She'll be right mate - no one at MelbourneIT would lose their job even if they transferred google by mistake on a weekend and did nothing about it until 9am Monday.

Re:The weekend rule

Speaking to an employee at Melbourne IT, I heard that THE CEO of the company was aware of the problem on the WEEKEND, and their response was that the company in question needed to provide sufficient proof that they were in fact the company they claimed to be (also initiated ON THE WEEKEND).

Melbourne IT were working within the policy of ICANN, whereby it is now acceptable for a domain to be transferred without the explicit approval of the original owner. This policy was recently changed - it originally only allowed domains to be transferred in ownership with an explicit APPROVAL from the original company. The policy is now such that if the original company does not respond to the request within 5 days, the company asking for transfer will by default have rights to the domain. Everyone who owns a domain effectively must monitor their whois e-mail address at least every 5 days in order to ensure they keep their domain.

This was NOT a case of Australian government being lazy. This idea of a "weekend rule" is stupid, and certainly did not apply here. This is illustrated by the fact that the company's CEO was involved ON THE WEEKEND.

Melbourne IT are very much a corporate entity now. They have share holders, and have a large emphasis internally on sales (much to the dismay of the employee I know). This so called "weekend rule" could be applied to many many other corporates as well (the one I work for being one of them!), since normal "BUSINESS hours" are Monday to Friday 9 til 5 (or whatever your variation is). You will notice that Melbourne IT's hours of operations are rather extensive for an Australian "government" organisation. The notion that this situation was bred from some type of government "weekend rule" is ridiculous.

If google was transferred erroneously on a weekend, you can be sure that it would be dealt with very quickly by whoever needs to deal with it, while of course working in the realms of the policies that govern their processes. The policy is at fault here, not the company governed by them.

Re:The weekend rule

This is illustrated by the fact that the company's CEO was involved ON THE WEEKEND.

From the article: "I finally located their CEO's cellphone in an investor-relations web page."

That would be why the CEO was involved, so his involvement illustrates nothing about the company's laziness or otherwise

Melbourne IT were working within the policy of ICANN, whereby it is now acceptable for a domain to be transferred without the explicit approval of the original owner.

Again, from the article: "No notification was received by either our registrar, Dotster, or us,"

The five day rule isn't what happened here, contact wasn't made. This is confirmed by "Melbourne IT today acknowledged that it failed to properly confirm a transfer request for Panix.com". I don't believe that this is a case of the Australian government being lazy either. I don't see they have much to do with it. But Melbourne IT fucked up, and they fucked up badly.

It doesn't look like their fault to me

[harlows_monkeys]

I'm confused. They were the receiving registrar of the transfer. However, it was the other registrar, that the domain was transfered from, that seems to me more at fault. Most registrars allow customers to "lock" a domain, which means that it cannot be transferred without the customer notifying the current registrar. Panix says they locked the domain. If that is so, then it should not have been transferable without their permission, no matter what loopholes were in Melbourne's system.

Re:It doesn't look like their fault to me

[chip+rosenthal]

Do you have a reference to where Panix said they locked the domain? I've been wondering whether or not that was done. I posted a blog entry on this topic earlier this evening.

Re:What Happened

They also state that they had asked that their domain be locked against transfers, but this did not occur. If this is the case, then this is a serious issue with Melbourne IT.

The real question here is whether Panix's registrar failed to lock the domain for transfers, or whether Melbourne IT somehow transferred it anyway after it was locked.

If it was not locked, then a lot of the blame can be shifted off Melbourne IT's shoulders. If it was locked, then there are some real issues with the domain transfer process.

Re:"Loophole" - Corporate killspeak for fuckup

What about the systems at the central registry that allowed something so far out of compliance to actually succeed? That's more worrying to me.

Re:What Happened

If it was locked, I'd blame Dotster (the original registrar) because there should've been no way, at all, for Melbourne to even start transfering it.

Re:But..

But..you didn't check your facts. MelbourneIT had the domain transfered to them, even though Panix's registrar, Dotster, was not notified. A transfer lock was also in place for the domain.

I have no idea how you came to the conclusion that this is Panix fault, or the domain expired. Even with this incredible lack of evidence, you proceed to go out on a rant against Panix.

Check your facts before posting.

Using Lock makes this a bad comprimise!

[logicnazi]

The recomendation in the linked discussion is that by using both restrar-lock and auth_info the system provides a reasonable comprimise between security and the incentive for registrars to make the domain transfer process as difficult as possible.

Now, I agree that there is certainly a worry that losing registrars could make sending a domain name very difficult if they initiated a transfer. However, a system which provides registrar-lock which many registrars initiate by default and require user action to remove is just as abuseable. So long as the registrar may put on registrar-lock by default they may incorporate any difficulty they want into the process of removing registrar lock. In fact this is even worse than just requiring the losing registrar to initiate a transfer. After all many domain holders like myself until today have no idea that registrar lock even exists and may attempt to do the transfer before we know we have to undo the registrar lock, adding additional difficulty on top of any difficulty for removing registrar-lock.

As it is we get the worst of both worlds. Since registrar-lock is not always turned on many domain names are left vulnerable but those registrars who want to make it difficult to leave have just as much incentive to turn on registrar-lock by default and make it hard to turn off as they would to initiate a transfer. At this point it would be strictly better to go to a loser-initiated system.

I think a good fix would be to require that registrar-lock be off by default. Those domains that wanted it could turn it on easily, after all the registrar has every incentive to make this as easy to do as possible. This is also a good match for the threat/benefit model. Big name domains are must liable to be attacked, but they have departments that can deal with a difficult transfer process, while private users can leave registrar-lock off knowing that they are unlikely to be targeted and being more likely to change registrars anyway.

Re:oldest ISP in NY ?

[shark72]

"Aside from the obvious chicken-and-egg problem of claiming to have been an ISP before the "I" was even invented - 1989 may pre-date the web but it's a long way short of pre-dating the Internet."

"Advent" is commonly used to describe when something catches on and takes hold. "before the advent of the Internet" has a subtle yet distinctly different meaning than "before the Internet was invented" and that's why I think they chose to write it the way they did.

You're 100% correct, of course, that had they tried to claim that they were around before the Internet was invented, then it would be laughable.

Re:Not very surprised

[gtoomey]

Robert Elz of Melbourne University had "ownership" right to com.au au for many years. He did all administration for free.

He passed the rights to Melbourne IT, again for free, knowing they were worth a fortune. Melbourne IT went to be become a $100 million company.

Re:oldest ISP in NY ?

[pommiekiwifruit]

They probably mean the public internet, hence the p in panix. IIRC there was a political decision made at some point which let the public get access to the internet (not just universities). This makes the world.std.com the first to provide public (dialup) internet service in 1990. Before then, the public had to make do with BBSs.

Re:What Happened

[TheFifthHorseMan]

what I would like to know, is has anyone actually attempted to track the perps - seems weird that they would pick panix out of the blue at random, and why send part to Australia, have it done through Australia, send part to UK, and mail systems to Canada ?