Slashdot Mirror

← Back to Stories (view on slashdot.org)

MelbourneIT Lapse Permitted Panix Hijack

Posted by timothy on from the malice-finds-a-way-in dept.

McSpew writes "Netcraft reports MelbourneIT's CTO, Bruce Tonkin, has admitted the Panix domain hijacking occurred because of a loophole in MIT's domain transfer process. He doesn't go into detail about what that loophole was, or how it was closed. As a Panix user, I'd like more detail, and I'd like to know what can be done to stop this sort of nonsense happening to other domains."

8 of 200 comments (clear)

  1. Not very surprised by dbIII · · Score: 4, Interesting
    I'm not surprised - not long ago they had the monopoly for the "com.au" domain and very very slow to respond about anything - even ignoring emails form ICANN for a couple of weeks at the start of September 2000. If one person goes on holidays your business in not supposed to stop working for the duration. They used to be a money making sideline for a government run university, and it shows.

    They also have all the integrity to be expected of the major ".cx" registrar.

  2. Re:Overworked by ajd1474 · · Score: 5, Interesting

    I have had my share of problems with Melbourne IT.

    My father registered a domain name with them under the company name " Brothers Inc." But on the form mispelled Brothers as Borthers. On top of that, no such company ever existed.

    When it came time to transfer the domain name to me, Melbourne IT wouldnt have a bar of it. They wanted proof of my association with this "fictional" company before i could take contral of the domain. When i pointed out that no such company existed, they argued and insisted that i produce a permission of transfer on the company letterhead of "******* Borthers" before they would allow me to move the domain.... even though they acknowledged that no such company exists.

    So what did i do? I created a fake letterhead, signed it and faxed it. They then gave me full control of the domain the same day!

    --
    I refuse to have a sig... dammit!
  3. This could happen again ... by Anonymous Coward · · Score: 2, Interesting

    Given that it's down to the registry (not the registrar) to actually commit any transfer request, and there are several stages of validation on this, isn't it down to them to NOTICE if something didn't go right?

    If I'm reading the linked description of the transfer process right, in part 2 (allegedly where it fell over) the "gaining registrar is not permitted by the policy to initiate a transfer without approval from the registrant".

    Not permitted BY THE POLICY? That's an awful lot of trust to put into each and every registrar never making a mistake or having a design flaw in their systems. Surely they should just bounce every transfer request that doesn't follow some sort of authorization procedure ... right?

    Why are the registrars responsible for this step, and not the central registry itself? There's an awful lot of trust involved here, and this could happen with any registrar that happened to have a bug in their systems. I bet there's a way to exploit this from many registrars other than Melbourne IT that just haven't been found yet.

  4. Re:The weekend rule by digitalchinky · · Score: 3, Interesting

    'All' and I mean ALL domestic and international field sites controlled or operated by the 'intelligence agencies' have 24/7 contact phone numbers. Generally during normal 9-5 weekday working hours you will get a secretary, after that you will get the guard house. Yes, there are direct phone lines inside the compounds, but these are not typically published.

    The thing is, you have to know who you want to speak to, and what section they work in. If you are just some tinfoil off the street, you don't get through.

  5. Re:It doesn't look like their fault to me by BJH · · Score: 3, Interesting

    The problem was that MelbourneIT transferred the domain *without* any approval from the domain *owner*. In that case, it doesn't matter what the original registrar does...

  6. Re:It doesn't look like their fault to me by harlows_monkeys · · Score: 2, Interesting
    The problem was that MelbourneIT transferred the domain *without* any approval from the domain *owner*

    But if the domain is locked, then that is not supposed to be possible. To transfer a domain from registrar X to registrar Y, registrar Y basically has to ask registrar X to do it. For a domain that has been locked, X is supposed to say "no" and refuse the transfer.

    So, what has been described so far is very puzzling. I can't see how it could be MelbourneIT's fault...but they are accepting blame, so something very strange apparently happened.

  7. Re:oldest ISP in NY ? by Simon+Brooke · · Score: 2, Interesting
    "Advent" is commonly used to describe when something catches on and takes hold. "before the advent of the Internet" has a subtle yet distinctly different meaning than "before the Internet was invented" and that's why I think they chose to write it the way they did.

    Bollocks. Advent means, and always has meant, the very beginning. Check any dictionary. 'Advent', for Christians, is the month before Christ was born - not the month when Christianity 'caught on'. You can't just just go around redefining words because you've made an arse of yourself in public.

    --
    I'm old enough to remember when discussions on Slashdot were well informed.
  8. Re:oldest ISP in NY ? by Noryungi · · Score: 2, Interesting

    Aside from the obvious chicken-and-egg problem of claiming to have been an ISP before the "I" was even invented - 1989 may pre-date the web but it's a long way short of pre-dating the Internet.

    Disclaimer: I am a Panix user, and I have always been very satisfied of their service.

    A Panix old-timer once explained that the first connection between Panix and the outside world was a UUCP link. So they did predate the Internet in a way, since that connection was not TCP/IP.

    This being said, they probably meant before the Internet was mainstream...

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)