Slashdot Mirror


User: tjls

tjls's activity in the archive.

Comments · 6

  1. Re:Deal with the Devil on New York's Oldest ISP Gets Domain-Jacked · Score: 5, Informative
    Nice try, troll.

    To answer your "questions", no and no.

    Panix has been deeply involved in efforts to promote and protect Internet security since, I'd wager, long before you even had access to the Internet at all. I should know -- within two months of my first coming to work at Panix in 1993 the majority of my work was shifted from normal system administration to security.

    The very first NY Times article (possibly the first national newspaper article at all) on the subject of Internet security featured Panix' heroic efforts to publicize and mitigate a series of network sniffer attacks that had been previously kept under wraps, and compromised the security of thousands of Internet users (at a time when the total population of the Internet was only a few tens or perhaps hundreds of thousands). Panix played a key role in the emergence of full-disclosure security lists by refusing to sit still while vendors and CERT (don't get me wrong. CERT is good. They just weren't then) conspired to cover up known vulnerabilities for years at a time. And so forth.

    To this day, security remains a major focus at Panix. It has to -- they're the oldest, most prominent, and one of the largest (if not the largest) shell ISPs still out there, and their users won't tolerate system outages caused by security failures, or security failures that compromise those users' own security. In general, if you find Unix timesharing systems the size of Panix, they're at universities; and look at those folks' security records. Panix, on the other hand, is worlds better.

    To respond to your other happy fun mudslinging, Panix has not and does not tolerate "online crimes" by its users, whether your invented "user" Kevin Mitnick or anyone else. Never did, doesn't now; security is important to Panix; it is essential to their business; and so is the health of the Internet itself.

    Depending how you count, Panix is the second or third oldest consumer ISP in the world. Panix has been around long enough to remember the times when if they had a security incident, a significant fraction of the Internet shuddered (e.g. when we were offline for two days for security reasons in 1994, traffic on Usenet as a whole fell considerably). It would be hard to find any business on the Internet more fundamentally concerned that its own security problems not impact others than Panix has been, and is.

    Which, of course, is quite a different attitude than that exemplified by some other businesses mentioned in this thread.

  2. Re:preventable on New York's Oldest ISP Gets Domain-Jacked · Score: 2, Informative

    It's not clear that DNSSEC actually would stop this particular kind of attack -- which is one reason why it's so nasty (the attack, not DNSSEC!).

  3. Re:MelbourneIT Criminals on New York's Oldest ISP Gets Domain-Jacked · Score: 2, Informative
    For what it's worth:

    1) IP addresses are not "part of ssh keys" -- and I can say this with some authority, as the author of one of the first open-source SSH implementations. (Please don't use it here-now-today, it's painfully obsolete!)

    2) SSH clients can store multiple valid keys per DNS name (or, for that matter, per IP address) and multiple physical hosts can have the same SSH private key (the latter, in fact, is probably how Panix should configure its shell servers. Since they provide the same service with the same authentication requirements, using the same SSH key is almost certainly right).

    3) A lot of SSH clients suck, about both these things. To this day, some can't cope gracefully with either condition at all, though it's a matter of about 10 lines of code in each case to do so. Even OpenSSH can't deal with the somewhat less common situation of a host having two different keys on two different IP addresses. It's a sad fact that no matter what you do users seem to blindly click through the client's warning messages -- which, I think, disincents developers to get which message appears when exactly right.

  4. Re:Rogue registrars? on New York's Oldest ISP Gets Domain-Jacked · Score: 3, Informative

    Unfortunately, you've just posted the same tired bundle of false assertions. Neither the transferred-from registrar (that's Dotster) nor Panix were actually notified prior to the transfer.

    In fact, if you actually read the relevant standards (in particular, the description of the TRANSFER message in RFC2832), you'd find that a change of registrar works like this:

    1) The transferred-to registrar sends a TRANSFER message to VeriSign. VeriSign or the transferred-to registrar (the specification is extremely unclear) then uses an unspecified out-of-band method to contact the transferred-from registrar.

    2) The transferred-from registrar sends an identical TRANSFER message to VeriSign, except that it has either Approved:yes or Approved:no in it. This is what actually causes the change to occur.

    3) Since the recent ICANN change in policy, if no Approved: TRANSFER message is received in 5 days, the transfer occurs automatically.

    This points out some very, very odd things about this particular transfer. First, Dotster has no record of any TRANSFER request in their log file. Second, they have no record of sending any approval message -- in fact, their database still shows that Panix is their customer; they can't even try to grab the domain back without deleting the record, which would complicate the ongoing investigation. Yet VeriSign say that the domain was transferred with approval. With approval from whom, exactly?

    I have some strong hunches about how it might be possible to do this but I can't really go into them here and now.

  5. Re:Rogue registrars? on New York's Oldest ISP Gets Domain-Jacked · Score: 2, Informative

    No. The registrar the domain was taken from wasn't even notified of the transfer. Something is very wrong.

  6. Rogue registrars? on New York's Oldest ISP Gets Domain-Jacked · Score: 5, Informative
    I tried to post about this about 10 hours ago, but no luck. Sigh.

    What seems to have happened is that somehow the Australian registrar "melbourneIT.com" yanked the fully paid-up registration away from Dotster (where Panix had it) without any notice whatsoever (this violates all the relevant RFCs for the Shared Registration System and the current ICANN policy *and* seems to indicate a severe bug or security problem somewhere in the registration system).

    What's particularly scary is that melbourneIT.com isn't open on the weekends, period (though oddly enough they transferred the domain first thing on Saturday, hmmmm) and won't do anything to help. There are lots of ugly details in the NANOG mailing-list archive, particularly in this message from Perry Metzger, this message from Richard Cox, and this message from me, which includes a slimy note from some customer-service flack at Verisign.

    This has clearly happened to others in the past, and highlights a serious flaw in the current registry-registrar system. We are not 100% sure how the domain was transferred between registrars with no notice to anyone (though I have some hunches I won't go into here right now) but consider this: a rogue or penetrated registrar can effectively put you out of business for the duration of the ICANN complaint and appeals process, with no notice, and there may be nothing you or anyone else can do about it short of extremely expensive legal action, even if you get law enforcement involved. Yuck.
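
A sketch of the host-key lookup that comment 3 describes: several valid keys accepted per name, one key shared by several hosts, and per-address records kept so that a name with a different key on each of two addresses still verifies. This is an added example, not tjls's code or any SSH client's; the host names, addresses and placeholder key strings are constructed, and hashed or @-marked known_hosts entries are skipped.

```python
from collections import defaultdict

# Constructed sample in the OpenSSH known_hosts layout: "names keytype key".
# The key strings are short placeholders, not real public keys.
KNOWN_HOSTS = """\
# two shell servers behind one name, sharing one host key
shell.example.net,192.0.2.10,192.0.2.11 ssh-ed25519 KEY-SHARED
# key rollover: a second valid key for the same name
shell.example.net ssh-ed25519 KEY-NEXT
# one name, two addresses, a different key on each address
mail.example.net,192.0.2.20 ssh-ed25519 KEY-MAIL-A
mail.example.net,192.0.2.21 ssh-ed25519 KEY-MAIL-B
"""

def load(text):
    """Map each name or address to the set of (keytype, key) pairs listed for it."""
    table = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments, and @marker / hashed entries (not handled here).
        if not line or line[0] in "#@|":
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        names, keytype, key = fields[:3]
        for name in names.split(","):
            table[name.lower()].add((keytype, key))
    return table

def check(table, name, addr, keytype, key):
    """Return 'ok', 'unknown' or 'mismatch' for the key a server offered."""
    offered = (keytype, key)
    by_name = table.get(name.lower(), set())
    by_addr = table.get(addr, set())
    if not by_name and not by_addr:
        return "unknown"  # first contact: nothing recorded to compare with
    # Any key recorded for the name is acceptable (rollover, shared keys).
    name_ok = not by_name or offered in by_name
    # The address vetoes only when it has records and none of them match.
    addr_ok = not by_addr or offered in by_addr
    return "ok" if name_ok and addr_ok else "mismatch"
```

Only the `mismatch` result should produce the loud changed-key warning; `unknown` is the ordinary first-contact prompt.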