MelbourneIT Lapse Permitted Panix Hijack

McSpew writes "Netcraft reports MelbourneIT's CTO, Bruce Tonkin, has admitted the Panix domain hijacking occurred because of a loophole in MIT's domain transfer process. He doesn't go into detail about what that loophole was, or how it was closed. As a Panix user, I'd like more detail, and I'd like to know what can be done to stop this sort of nonsense happening to other domains."

Overworked

[tuxter]

I'd like to know what can be done to stop this sort of nonsense happening to other domains

You'll never stop this sort of stuff, there is always someone smarter and more determined to find loopholes than the overworked, caffeine addicted guy paid to write the code.

Re:Overworked

[nzkbuk]

You'll never stop this sort of stuff, there is always someone smarter and more determined to find loopholes than the overworked, caffeine addicted guy paid to write the code.

You're joking right ? If my experiance in the IT sector is anything to go by the guy who wrote the code while most probably overworked and caffeine addicted, is almost certainly NOT paid to write this code.

More than likely he's paid to do something else and has had to put this together in an afternoon between other projects.

Re:Overworked

[ajd1474]

I have had my share of problems with Melbourne IT.

My father registered a domain name with them under the company name " Brothers Inc." But on the form mispelled Brothers as Borthers. On top of that, no such company ever existed.

When it came time to transfer the domain name to me, Melbourne IT wouldnt have a bar of it. They wanted proof of my association with this "fictional" company before i could take contral of the domain. When i pointed out that no such company existed, they argued and insisted that i produce a permission of transfer on the company letterhead of "******* Borthers" before they would allow me to move the domain.... even though they acknowledged that no such company exists.

So what did i do? I created a fake letterhead, signed it and faxed it. They then gave me full control of the domain the same day!

Re:Overworked

[dgatwood]

This is, sadly, standard policy for all the registrars. Idiotic, yes, but normal. The problem is that in their (NetSol's) boneheaded minds, the owner of the domain is the COMPANY to which the domain is registered, not the person.

Word to the wise: NEVER put a company name in when registering for a domain unless you are intentionally registering a domain on behalf of an existing company. It will only bite you in the ass later.

Been there, done that. Fortunately, in my case, I had just created the domain and was obsessively checking the registrar's whois. Thus, I caught the problem before they had a chance to upload the data to NetSol's main whois. Since I was able to fax the phony letterhead so quickly, we were able to resolve the problem before NetSol saw the bogus data, so at least I didn't get have to pay for a domain transfer when I realized that I had incorrectly filled out the registrar's forms (which never said anything about this policy).

That said, the policy is totally broken and should be fixed. You should have the choice of registering it to a company OR an individual. The current system allows you to register it to BOTH, and changing EITHER requires paying for a transfer. Talk about a system designed to screw people over and hit them up for extra fees....

Translation of corporate speak

[Magickcat]

Melbourne IT, which sells its domains through Yahoo and many other hosting firms, defended its claim of 24/7 customer service for resellers and technical contacts (although not retail customers), but said it will evaluate whether it can improve.

Translation: We won't commit to doing a damn thing, and frankly we're only interested in the people who pay us to fuck up. Nonethless, we're attempting to put it nicely, so be grateful.

The is simple

[crunk]

There was an error in the checking process prior to initiating the transfer

Someone screwed up.

The loophole that led to this error has been closed.

And they fired the guy.

Re:The is simple

[SteeldrivingJon]

The guy who put the CEO's cellphone on the web has been sacked.

The CEO is not to be disturbed when he's cooking up Vegemite on the barbie.

Not very surprised

[dbIII]

I'm not surprised - not long ago they had the monopoly for the "com.au" domain and very very slow to respond about anything - even ignoring emails form ICANN for a couple of weeks at the start of September 2000. If one person goes on holidays your business in not supposed to stop working for the duration. They used to be a money making sideline for a government run university, and it shows.

They also have all the integrity to be expected of the major ".cx" registrar.

Melbourne IT have a history of fucking with this.

For quite some time, on the NS redelegatiom page of the MelbIT web site, you could enter in either a hostname, or an IP address, or both, to chose your new nameservers. Great for those of us having to move IP ranges or whatnot.

The problem is, the web form did nothing at all with the IP addresses you put in. It completely ignored them. You had to call up Melbourne IT and speak to somebody to get the mess sorted out. That one caused me a day of pain.

Other times, the staff members have stated facts that clearly went against all of their procedures on the web page for redelegation and/or key retreival. "Sorry, no, even though thats what the web page says, it REALLY means the opposite"

The weekend rule

[dbIII]

I should point out that this is in Australia, where government bodies and those decended from them (like MelbourneIT) do not operate on weekends even if their survival depends upon it. In a recent terrorism trial the suspect could not contact anyone on a weekend to report a bomb plot - in 2002. One of the recent election promises was that the intelligence agencies would be contactable on weekends - although the phone number didn't make it into the most recent set of phone books after the entry lapsed.

She'll be right mate - no one at MelbourneIT would lose their job even if they transferred google by mistake on a weekend and did nothing about it until 9am Monday.

Re:The weekend rule

Speaking to an employee at Melbourne IT, I heard that THE CEO of the company was aware of the problem on the WEEKEND, and their response was that the company in question needed to provide sufficient proof that they were in fact the company they claimed to be (also initiated ON THE WEEKEND).

Melbourne IT were working within the policy of ICANN, whereby it is now acceptable for a domain to be transferred without the explicit approval of the original owner. This policy was recently changed - it originally only allowed domains to be transferred in ownership with an explicit APPROVAL from the original company. The policy is now such that if the original company does not respond to the request within 5 days, the company asking for transfer will by default have rights to the domain. Everyone who owns a domain effectively must monitor their whois e-mail address at least every 5 days in order to ensure they keep their domain.

This was NOT a case of Australian government being lazy. This idea of a "weekend rule" is stupid, and certainly did not apply here. This is illustrated by the fact that the company's CEO was involved ON THE WEEKEND.

Melbourne IT are very much a corporate entity now. They have share holders, and have a large emphasis internally on sales (much to the dismay of the employee I know). This so called "weekend rule" could be applied to many many other corporates as well (the one I work for being one of them!), since normal "BUSINESS hours" are Monday to Friday 9 til 5 (or whatever your variation is). You will notice that Melbourne IT's hours of operations are rather extensive for an Australian "government" organisation. The notion that this situation was bred from some type of government "weekend rule" is ridiculous.

If google was transferred erroneously on a weekend, you can be sure that it would be dealt with very quickly by whoever needs to deal with it, while of course working in the realms of the policies that govern their processes. The policy is at fault here, not the company governed by them.

Re:The weekend rule

[philovivero]

In a recent terrorism trial the suspect could not contact anyone on a weekend to report a bomb plot - in 2002.

Those Aussie terrorist suspects are a lot more polite than the Muslim and American ones. If all terrorist suspects would call in bomb plots, the authorities' jobs would be a lot easier.

"Yes officer, if you cut the red wire directly after the green one, you should have the bomb defused and be home by tea time."

Lock your domain

If your registrar doesn't support locking, find another one that does. GoDaddy, EV1servers, etc do.

Translation of Translation of corporate speak

[ackthpt]

Melbourne IT, which sells its domains through Yahoo and many other hosting firms, defended its claim of 24/7 customer service for resellers and technical contacts (although not retail customers), but said it will evaluate whether it can improve.

Translation: We won't commit to doing a damn thing, and frankly we're only interested in the people who pay us to fuck up. Nonethless, we're attempting to put it nicely, so be grateful.

Translation: We are committed to solutions which enhance your whole internet experience and lifestyle. Please see our website if you have any questions concerning customer service.

404 - Page not found

What Happened

[Marlor]

Here is a basic explanation of what happened from what I have read.

ICANN recently changed the rules for domain name transfers so that rather than requiring confirmation for domain name transfers, they are transferred automatically if the owner does not object within a set period of time (a few weeks IIRC). This is meant to "streamline the domain transfer process". In this regard, I believe that ICANN is partially to blame for this hijacking. These policy changes need to be reviewed. You can, of course, lock your domain against this occurring, but it is a simple error to neglect to do this.

Melbourne IT is also more or less to blame for this hijacking (depending on who you believe). It has been confirmed that one of their resellers allowed someone to create an account with a stolen credit card number, and initiate the domain transfer process. Panix claims that Melbourne IT failed to send the notification of transfer to them or their registrar. They also state that they had asked that their domain be locked against transfers, but this did not occur. If this is the case, then this is a serious issue with Melbourne IT.

Mebourne IT has also been accused of being unavailable for contact over the weekend, despite promising 24/7 service. The only way that Panix managed to contact them was via the CEO's mobile number.

If these accusations are true, then this shows serious problems within Melbourne IT.

Re:What Happened

They also state that they had asked that their domain be locked against transfers, but this did not occur. If this is the case, then this is a serious issue with Melbourne IT.

The real question here is whether Panix's registrar failed to lock the domain for transfers, or whether Melbourne IT somehow transferred it anyway after it was locked.

If it was not locked, then a lot of the blame can be shifted off Melbourne IT's shoulders. If it was locked, then there are some real issues with the domain transfer process.

To prevent this from happening to your domains

[Somegeek]

Evidently ICANN made a policy change in November 2004 that was intended to make it easier to transfer domains between registrars, but it turns out to also make it easier to hijack domains. Apparently multiple domains have been hijacked from Dotster.com, (the registrar for panix.com), so I would guess that they have some holes in their procedure for confirming transfers with their customers.

How do you prevent this? Well, when reading the various articles about this, (I know, I'm new here), I ran across the phrase 'locking your domain'. I had never heard of this before, but I checked with my registrar, and sure enough they now have settings for 'normal' and 'high' transfer security. Basically they will not allow any domains that have 'high transfer security' set on to be transferred. Period. Whether they can get in contact with me or not. If I want the domain transferred, I have to log in and reset transfer security to normal, and then a transfer can go ahead. Otherwise it stays with me until it expires. Unfortunately the default setting was normal, but once I knew about it, it only took 30 seconds to set my domains to 'high'.

In theory anyway; panix.com says that their domain was set to 'locked' with dotster, so your mileage may vary. Maybe tucows or someone can randomly test transfer attempts of 'locked' domains and certify registrars that appropriately deny the transfers?

So, check your domains now, set them to locked, or high security, or whatever your registrar calls it. If they don't have such a setting, hey, it ought to be easy to transfer your domain to one that does!

Clearly, MIT has it's priorities.

[Saeed+al-Sahaf]

Panix CEO Alex Rosen said. "I didn't find useful 24-hour NOC-type info anywhere. MIT apparently has no weekend support at all; I finally located their CEO's cellphone in an investor-relations web page."

Clearly, MIT has it's priorities.

Re:Clearly, MIT has it's priorities.

[SteeldrivingJon]

I expect that is the loophole they have fixed. The CEO's contact info is probably completely gone, now.