Slashdot Mirror
MelbourneIT Lapse Permitted Panix Hijack
McSpew writes "Netcraft reports MelbourneIT's CTO, Bruce Tonkin, has admitted the Panix domain hijacking occurred because of a loophole in MIT's domain transfer process. He doesn't go into detail about what that loophole was, or how it was closed. As a Panix user, I'd like more detail, and I'd like to know what can be done to stop this sort of nonsense happening to other domains."
They also have all the integrity to be expected of the major ".cx" registrar.
I have had my share of problems with Melbourne IT.
My father registered a domain name with them under the company name " Brothers Inc." But on the form mispelled Brothers as Borthers. On top of that, no such company ever existed.
When it came time to transfer the domain name to me, Melbourne IT wouldnt have a bar of it. They wanted proof of my association with this "fictional" company before i could take contral of the domain. When i pointed out that no such company existed, they argued and insisted that i produce a permission of transfer on the company letterhead of "******* Borthers" before they would allow me to move the domain.... even though they acknowledged that no such company exists.
So what did i do? I created a fake letterhead, signed it and faxed it. They then gave me full control of the domain the same day!
I refuse to have a sig... dammit!
Given that it's down to the registry (not the registrar) to actually commit any transfer request, and there are several stages of validation on this, isn't it down to them to NOTICE if something didn't go right?
... right?
If I'm reading the linked description of the transfer process right, in part 2 (allegedly where it fell over) the "gaining registrar is not permitted by the policy to initiate a transfer without approval from the registrant".
Not permitted BY THE POLICY? That's an awful lot of trust to put into each and every registrar never making a mistake or having a design flaw in their systems. Surely they should just bounce every transfer request that doesn't follow some sort of authorization procedure
Why are the registrars responsible for this step, and not the central registry itself? There's an awful lot of trust involved here, and this could happen with any registrar that happened to have a bug in their systems. I bet there's a way to exploit this from many registrars other than Melbourne IT that just haven't been found yet.
'All' and I mean ALL domestic and international field sites controlled or operated by the 'intelligence agencies' have 24/7 contact phone numbers. Generally during normal 9-5 weekday working hours you will get a secretary, after that you will get the guard house. Yes, there are direct phone lines inside the compounds, but these are not typically published.
The thing is, you have to know who you want to speak to, and what section they work in. If you are just some tinfoil off the street, you don't get through.
As have I - I used to use VIANetworks in Atlanta for client hosting, and as part of their new "No Soupport for you!" policy, they got into some silly reciprocal relationship with MIT. For a client's domain (when I opened the account I was still being stupid and lazy and letting the ISP register the domain for me - never again) VIANetworks said Melbourne IT was the registrar, MIT said Network Solutions was the registrar, and Network Solutions said VIANetworks was the registrar (no kidding).
Calling them wasn't an option - any attempts at e-mail produced at least a 72-hour lag - sometimes more. And meanwhile, the site in question was unreachable for over a month. I even went so far as to apologize for the election here, in case that had anything to do with it.
I tell this maudlin tale of woe in order to get to the punchline - finally, after several different go-rounds with them, faxing this and that (all of which they admitted that they misplaced - I felt great about having my client fax his signature and then hearing that), I finally simply badgered them into giving me the registry key. They had no proof of who I was, took my word for the fact that I had sent them the information I sent them, and gave me access to the DNS settings simply because I barked loud and long enough. I wrote mad e-mails and it worked (score: squeaky wheels 1, rightful domain owners, 0). I don't call that a policy "loophole" - it struck me as simple bonehead security.
I'm quite surprised that this doesn't happen more often with them - maybe it does, and most of the people who pester this kind of response out of them are just doing it for whatever practical, non-malicious reasons.
The problem was that MelbourneIT transferred the domain *without* any approval from the domain *owner*. In that case, it doesn't matter what the original registrar does...
But if the domain is locked, then that is not supposed to be possible. To transfer a domain from registrar X to registrar Y, registrar Y basically has to ask registrar X to do it. For a domain that has been locked, X is supposed to say "no" and refuse the transfer.
So, what has been described so far is very puzzling. I can't see how it could be MelbourneIT's fault...but they are accepting blame, so something very strange apparently happened.
Bollocks. Advent means, and always has meant, the very beginning. Check any dictionary. 'Advent', for Christians, is the month before Christ was born - not the month when Christianity 'caught on'. You can't just just go around redefining words because you've made an arse of yourself in public.
I'm old enough to remember when discussions on Slashdot were well informed.
Aside from the obvious chicken-and-egg problem of claiming to have been an ISP before the "I" was even invented - 1989 may pre-date the web but it's a long way short of pre-dating the Internet.
Disclaimer: I am a Panix user, and I have always been very satisfied of their service.
A Panix old-timer once explained that the first connection between Panix and the outside world was a UUCP link. So they did predate the Internet in a way, since that connection was not TCP/IP.
This being said, they probably meant before the Internet was mainstream...
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)