MelbourneIT Lapse Permitted Panix Hijack

Posted by timothy
from the malice-finds-a-way-in dept.
McSpew writes "Netcraft reports MelbourneIT's CTO, Bruce Tonkin, has admitted the Panix domain hijacking occurred because of a loophole in MIT's domain transfer process. He doesn't go into detail about what that loophole was, or how it was closed. As a Panix user, I'd like more detail, and I'd like to know what can be done to stop this sort of nonsense happening to other domains."
  • Overworked (Score:5, Insightful)

    by tuxter (809927) on Tuesday January 18, 2005 @09:05PM (#11404062) Journal
    I'd like to know what can be done to stop this sort of nonsense happening to other domains

    You'll never stop this sort of stuff, there is always someone smarter and more determined to find loopholes than the overworked, caffeine addicted guy paid to write the code.
    • by nzkbuk (773506) on Tuesday January 18, 2005 @09:13PM (#11404136)
      You'll never stop this sort of stuff, there is always someone smarter and more determined to find loopholes than the overworked, caffeine addicted guy paid to write the code.

      You're joking, right? If my experience in the IT sector is anything to go by, the guy who wrote the code, while most probably overworked and caffeine addicted, is almost certainly NOT paid to write this code.

      More than likely he's paid to do something else and has had to put this together in an afternoon between other projects.

      • in an afternoon between other projects.
        I'd say right after fixing the CEO's home PC because his son installed the latest ActiveX game on it, and right before the 3 hour Monday meeting that 0h-so-raises productivity.
    • Re:Overworked (Score:5, Interesting)

      by ajd1474 (558490) on Tuesday January 18, 2005 @09:25PM (#11404211)
      I have had my share of problems with Melbourne IT.

      My father registered a domain name with them under the company name " Brothers Inc." But on the form misspelled Brothers as Borthers. On top of that, no such company ever existed.

      When it came time to transfer the domain name to me, Melbourne IT wouldn't have a bar of it. They wanted proof of my association with this "fictional" company before I could take control of the domain. When I pointed out that no such company existed, they argued and insisted that I produce a permission of transfer on the company letterhead of "******* Borthers" before they would allow me to move the domain.... even though they acknowledged that no such company exists.

      So what did I do? I created a fake letterhead, signed it and faxed it. They then gave me full control of the domain the same day!
      • Re:Overworked (Score:5, Insightful)

        by dgatwood (11270) on Tuesday January 18, 2005 @09:44PM (#11404322) Journal
        This is, sadly, standard policy for all the registrars. Idiotic, yes, but normal. The problem is that in their (NetSol's) boneheaded minds, the owner of the domain is the COMPANY to which the domain is registered, not the person.

        Word to the wise: NEVER put a company name in when registering for a domain unless you are intentionally registering a domain on behalf of an existing company. It will only bite you in the ass later.

        Been there, done that. Fortunately, in my case, I had just created the domain and was obsessively checking the registrar's whois. Thus, I caught the problem before they had a chance to upload the data to NetSol's main whois. Since I was able to fax the phony letterhead so quickly, we were able to resolve the problem before NetSol saw the bogus data, so at least I didn't have to pay for a domain transfer when I realized that I had incorrectly filled out the registrar's forms (which never said anything about this policy).

        That said, the policy is totally broken and should be fixed. You should have the choice of registering it to a company OR an individual. The current system allows you to register it to BOTH, and changing EITHER requires paying for a transfer. Talk about a system designed to screw people over and hit them up for extra fees....

        • This is, sadly, standard policy for all the registrars. Idiotic, yes, but normal. The problem is that in their (NetSol's) boneheaded minds, the owner of the domain is the COMPANY to which the domain is registered, not the person.

          Factually incorrect. The owner of the domain is the registrant. It's whatever you tell them when you register it.

          It's been that way since 1986.

        • Also can cause problems the other way.

          If you aren't careful, the person doing the registering (and who goes in as the admin contact) at a company can end up as the registrant.

          It seems that it can become impossible to even renew the domain without the authority of that individual - and if they've left the company...
          • It seems that it can become impossible to even renew the domain without the authority of that individual - and if they've left the company...

            Huh? I have a bunch of domains that other people use but they're in my name. Community service (not court ordered!) stuff. Every now and then they come up for renewal so I tell them to go renew them and they take it in turns going to NetSol's website and paying for it with a credit card.

            Which registrar only lets the registrant renew it? I'd like to avoid that one.
    • Re:Overworked (Score:2, Informative)

      by adeydas (837049)
      The problem and how it was plugged is given here [merit.edu]. As there is no general rule for stopping crackers from gaining access through all loopholes, there is no way to completely protect a domain.
      • Sure there is. Close the loopholes. One thing people miss a lot is when you leave a back door or a loophole, it's the people inside the company that leak the information. Thus, nothing is safe. Security through obscurity is bogus because if anybody knows, there is the potential for everybody to know.
  • by Magickcat (768797) * on Tuesday January 18, 2005 @09:09PM (#11404105)
    Melbourne IT, which sells its domains through Yahoo and many other hosting firms, defended its claim of 24/7 customer service for resellers and technical contacts (although not retail customers), but said it will evaluate whether it can improve.

    Translation: We won't commit to doing a damn thing, and frankly we're only interested in the people who pay us to fuck up. Nonetheless, we're attempting to put it nicely, so be grateful.
  • by crunk (844923) on Tuesday January 18, 2005 @09:10PM (#11404108)
    There was an error in the checking process prior to initiating the transfer

    Someone screwed up.

    The loophole that led to this error has been closed.

    And they fired the guy.

  • Not very surprised (Score:5, Interesting)

    by dbIII (701233) on Tuesday January 18, 2005 @09:11PM (#11404116)
    I'm not surprised - not long ago they had the monopoly for the "com.au" domain and were very very slow to respond about anything - even ignoring emails from ICANN for a couple of weeks at the start of September 2000. If one person goes on holidays your business is not supposed to stop working for the duration. They used to be a money making sideline for a government run university, and it shows.

    They also have all the integrity to be expected of the major ".cx" registrar.

    • Quite right. What in Cthulhu's name was a university organisation doing with ".com.au" domains anyhow? It seemed like a case of nepotism.
      • You might want to read up on the history of .au and .oz. Google Robert "shoeless" Elz.

        Why was IANA at the university of southern california? Same reason. That's where it started.

    • They also have all the integrity to be expected of the major ".cx" registrar.

      I expect that within the year they'll change their name to GoatseIT.
    • even ignoring emails from ICANN for a couple of weeks at the start of September 2000

      At least they got something right.
    • by gtoomey (528943)
      Robert Elz [networksorcery.com] of Melbourne University had "ownership" right to com.au au for many years. He did all administration for free.

      He passed the rights to Melbourne IT, again for free, knowing they were worth a fortune. Melbourne IT went on to become a $100 million company.

  • by Anonymous Coward on Tuesday January 18, 2005 @09:16PM (#11404156)
    For quite some time, on the NS redelegation page of the MelbIT web site, you could enter in either a hostname, or an IP address, or both, to choose your new nameservers. Great for those of us having to move IP ranges or whatnot.

    The problem is, the web form did nothing at all with the IP addresses you put in. It completely ignored them. You had to call up Melbourne IT and speak to somebody to get the mess sorted out. That one caused me a day of pain.

    Other times, the staff members have stated facts that clearly went against all of their procedures on the web page for redelegation and/or key retrieval. "Sorry, no, even though that's what the web page says, it REALLY means the opposite"

  • The weekend rule (Score:5, Insightful)

    by dbIII (701233) on Tuesday January 18, 2005 @09:23PM (#11404198)
    I should point out that this is in Australia, where government bodies and those descended from them (like MelbourneIT) do not operate on weekends even if their survival depends upon it. In a recent terrorism trial the suspect could not contact anyone on a weekend to report a bomb plot - in 2002. One of the recent election promises was that the intelligence agencies would be contactable on weekends - although the phone number didn't make it into the most recent set of phone books after the entry lapsed.

    She'll be right mate - no one at MelbourneIT would lose their job even if they transferred google by mistake on a weekend and did nothing about it until 9am Monday.

    • by Anonymous Coward on Tuesday January 18, 2005 @10:01PM (#11404431)
      Speaking to an employee at Melbourne IT, I heard that THE CEO of the company was aware of the problem on the WEEKEND, and their response was that the company in question needed to provide sufficient proof that they were in fact the company they claimed to be (also initiated ON THE WEEKEND).

      Melbourne IT were working within the policy of ICANN, whereby it is now acceptable for a domain to be transferred without the explicit approval of the original owner. This policy was recently changed - it originally only allowed domains to be transferred in ownership with an explicit APPROVAL from the original company. The policy is now such that if the original company does not respond to the request within 5 days, the company asking for transfer will by default have rights to the domain. Everyone who owns a domain effectively must monitor their whois e-mail address at least every 5 days in order to ensure they keep their domain.

      This was NOT a case of Australian government being lazy. This idea of a "weekend rule" is stupid, and certainly did not apply here. This is illustrated by the fact that the company's CEO was involved ON THE WEEKEND.

      Melbourne IT are very much a corporate entity now. They have share holders, and have a large emphasis internally on sales (much to the dismay of the employee I know). This so called "weekend rule" could be applied to many many other corporates as well (the one I work for being one of them!), since normal "BUSINESS hours" are Monday to Friday 9 til 5 (or whatever your variation is). You will notice that Melbourne IT's hours of operations [melbourneit.com.au] are rather extensive for an Australian "government" organisation. The notion that this situation was bred from some type of government "weekend rule" is ridiculous.

      If google was transferred erroneously on a weekend, you can be sure that it would be dealt with very quickly by whoever needs to deal with it, while of course working in the realms of the policies that govern their processes. The policy is at fault here, not the company governed by them.
      • Melbourne IT's hours of operations are rather extensive

        I can no longer believe that, and I think this incident demonstrates that the 24/7 claim is false advertising.

        Everyone who owns a domain effectively must monitor their whois e-mail address at least every 5 days in order to ensure they keep their domain.

        Remember that MelbourneIT is the group that wouldn't even answer emails from ICANN to the ".com.au" whois address for a couple of weeks in 2000 - perhaps that's one of the reasons they no longer have it.

        • They were working on the problem either Saturday or Sunday morning. I believe it was Sunday as someone from Melbourne was posting to the previous story in regard to the problem. I don't know if they were working on it any earlier though.

          I'm quite certain someone got through... I just don't believe we are getting all of the details.
          • They were working on the problem either Saturday or Sunday morning
            At 11:56AM Sunday Morning Melbourne time an email was sent to the SAGE-AU mailing list on this issue desperately asking for a MelbourneIT contact. Since people were still trying to get in touch at that point I would say the earliest would be Sunday afternoon - and far more likely Monday morning normal working hours - since it is a management issue and not a technical one.
      • by Anonymous Coward
        This is illustrated by the fact that the company's CEO was involved ON THE WEEKEND.

        From the article: "I finally located their CEO's cellphone in an investor-relations web page."

        That would be why the CEO was involved, so his involvement illustrates nothing about the company's laziness or otherwise

        Melbourne IT were working within the policy of ICANN, whereby it is now acceptable for a domain to be transferred without the explicit approval of the original owner.

        Again, from the article: "No notificati

        • From the article: "I finally located their CEO's cellphone in an investor-relations web page."
          That would be why the CEO was involved, so his involvement illustrates nothing about the company's laziness or otherwise

          As a Panix subscriber (and submitter of this topic), I have seen informal update posts made to internal (Panix-only) newsgroups by Panix staff during and since the crisis.

          Not only did Panix get MelbourneIT's CEO's cellphone number from a web page, but when they contacted him, he was most unhel

        • '... With universities forced increasingly to find creative new ways of fundraising, Melbourne Uni took an unprecedented step. It set up a new company, Melbourne IT, to run the .com.au names operation and, in December 1999, floated the body on the stock market. The stock rocketed far above the listing price. ... [ABC 4 Corners, Domain Games, 05/06/2000, Stephen McDonell]

        So when you say ....

        • ... Melbourne IT are very much a corporate entity now. They have share holders, and have a large emphasis interna
      • The policy is now such that if the original company does not respond to the request within 5 days, the company asking for transfer will by default have rights to the domain. Everyone who owns a domain effectively must monitor their whois e-mail address at least every 5 days in order to ensure they keep their domain.

        That's just dumb. I could see having such a policy if domains were free, but they aren't.

        You should be notified by post and have a little longer than that to respond. You could be optionally
        • If I'm not mistaken, domain owners may set a registrar-lock to prevent the snatching of domains via the 5 day rule. However, in this case, MelbourneIT ignored all of it, did not attempt contact with either the holding registrar or the owner and simply gave someone a taken domain.
      • Melbourne IT were working within the policy of ICANN, whereby it is now acceptable for a domain to be transferred without the explicit approval of the original owner. This policy was recently changed - it originally only allowed domains to be transferred in ownership with an explicit APPROVAL from the original company. The policy is now such that if the original company does not respond to the request within 5 days, the company asking for transfer will by default have rights to the domain. Everyone who owns
    • by philovivero (321158) on Tuesday January 18, 2005 @10:05PM (#11404462) Homepage Journal
      In a recent terrorism trial the suspect could not contact anyone on a weekend to report a bomb plot - in 2002.

      Those Aussie terrorist suspects are a lot more polite than the Muslim and American ones. If all terrorist suspects would call in bomb plots, the authorities' jobs would be a lot easier.

      "Yes officer, if you cut the red wire directly after the green one, you should have the bomb defused and be home by tea time."

      • Re:The weekend rule (Score:3, Informative)

        by dbIII (701233)

        Those Aussie terrorist suspects are a lot more polite than the Muslim and American ones

        The guy appeared to have got mixed up with some very scary people in terrorist groups and tried several times to get help in return for telling everything he knew after he was asked to identify sites in Australia to place bombs. Eventually he got through to someone and gave them information, but it wasn't taken seriously. A couple of years later some results had to be shown, so someone went back through the files and pu

        • Terrorists *scare* people - killing is just that scary that they do it. Impressively, hijacking an NYC domain name, even one called "Panix", isn't that scary. Maybe there's hope for us after all.
    • Re:The weekend rule (Score:4, Interesting)

      by digitalchinky (650880) <dtchky@gmail.com> on Tuesday January 18, 2005 @10:08PM (#11404477)
      'All' and I mean ALL domestic and international field sites controlled or operated by the 'intelligence agencies' have 24/7 contact phone numbers. Generally during normal 9-5 weekday working hours you will get a secretary, after that you will get the guard house. Yes, there are direct phone lines inside the compounds, but these are not typically published.

      The thing is, you have to know who you want to speak to, and what section they work in. If you are just some tinfoil off the street, you don't get through.
  • Lock your domain (Score:4, Informative)

    by Anonymous Coward on Tuesday January 18, 2005 @09:23PM (#11404200)
    If your registrar doesn't support locking, find another one that does. GoDaddy, EV1servers, etc do.
  • by schmaltz (70977) on Tuesday January 18, 2005 @09:25PM (#11404210)
    "Loophole" really means somebody at MelbourneIT didn't perform end-to-end tests of their registration server; that, or was only looking for primary adherence to the spec, and didn't check if their implementation could be fucked with.
  • by ackthpt (218170) *
    He doesn't go into detail about what that loophole was, or how it was closed. As a Panix user, I'd like more detail, and I'd like to know what can be done to stop this sort of nonsense happening to other domains."

    In a word - Fosters.

    • There are not one, but two beer companies in Australia!

      Carlton and United Breweries (55%): Victorian Bitter, Fosters Lite Ice, Carlton Cold, Crown Lager, Mildara wine.

      Lion Nathan (42%): Tooheys, Castlemaine XXXX, Swan, S.A.B.

  • by harlows_monkeys (106428) on Tuesday January 18, 2005 @09:28PM (#11404239) Homepage
    I'm confused. They were the receiving registrar of the transfer. However, it was the other registrar, that the domain was transferred from, that seems to me more at fault. Most registrars allow customers to "lock" a domain, which means that it cannot be transferred without the customer notifying the current registrar. Panix says they locked the domain. If that is so, then it should not have been transferable without their permission, no matter what loopholes were in Melbourne's system.
  • by Anonymous Coward
    Given that it's down to the registry (not the registrar) to actually commit any transfer request, and there are several stages of validation on this, isn't it down to them to NOTICE if something didn't go right?

    If I'm reading the linked description of the transfer process right, in part 2 (allegedly where it fell over) the "gaining registrar is not permitted by the policy to initiate a transfer without approval from the registrant".

    Not permitted BY THE POLICY? That's an awful lot of trust to put into each
    • Why are the registrars responsible for this step, and not the central registry itself? There's an awful lot of trust involved here, and this could happen with any registrar that happened to have a bug in their systems. I bet there's a way to exploit this from many registrars other than Melbourne IT that just haven't been found yet.

      Because then Verisign would be liable when this sort of thing happened, and they don't want to be.
      • Because then someone at Verisign would have to be awake during US business hours to handle the transfer, rather than Bangalore business hours to handle the tech support call. I'm only half kidding. Sometimes it's a lot cheaper in a corporate sense to clean up after the accidents rather than to keep from spilling the milk.
  • What Happened (Score:5, Informative)

    by Marlor (643698) on Tuesday January 18, 2005 @09:34PM (#11404272)
    Here is a basic explanation of what happened from what I have read.

    ICANN recently changed the rules for domain name transfers so that rather than requiring confirmation for domain name transfers, they are transferred automatically if the owner does not object within a set period of time (a few weeks IIRC). This is meant to "streamline the domain transfer process". In this regard, I believe that ICANN is partially to blame for this hijacking. These policy changes need to be reviewed. You can, of course, lock your domain against this occurring, but it is a simple error to neglect to do this.

    Melbourne IT is also more or less to blame for this hijacking (depending on who you believe). It has been confirmed that one of their resellers allowed someone to create an account with a stolen credit card number, and initiate the domain transfer process. Panix claims that Melbourne IT failed to send the notification of transfer to them or their registrar. They also state that they had asked that their domain be locked against transfers, but this did not occur. If this is the case, then this is a serious issue with Melbourne IT.

    Melbourne IT has also been accused of being unavailable for contact over the weekend, despite promising 24/7 service. The only way that Panix managed to contact them was via the CEO's mobile number.

    If these accusations are true, then this shows serious problems within Melbourne IT.
    • Re:What Happened (Score:4, Insightful)

      by Anonymous Coward on Tuesday January 18, 2005 @09:39PM (#11404294)
      They also state that they had asked that their domain be locked against transfers, but this did not occur. If this is the case, then this is a serious issue with Melbourne IT.

      The real question here is whether Panix's registrar failed to lock the domain for transfers, or whether Melbourne IT somehow transferred it anyway after it was locked.

      If it was not locked, then a lot of the blame can be shifted off Melbourne IT's shoulders. If it was locked, then there are some real issues with the domain transfer process.
      • Re:What Happened (Score:2, Insightful)

        by Anonymous Coward
        If it was locked, I'd blame Dotster (the original registrar) because there should've been no way, at all, for Melbourne to even start transfering it.
        • Read those RFC's again. If the domain was locked, Verislime was responsible, as the domain registry, for denying any and all transfer requests, period, no question. Dotster never even got so much as a notification of the fraudulent request; it had no opportunity to object.
      • What I would like to know is, has anyone actually attempted to track the perps - seems weird that they would pick panix out of the blue at random, and why send part to Australia, have it done through Australia, send part to UK, and mail systems to Canada ?
    • If you look hard enough you'll find that about 2 weeks ago the transfer process was changed so that the losing registrar no longer has to ACK the transfer. This was apparently at the impetus of an intellectual property lobbyist within ICANN who has never owned or managed a domain, ever.

      I dare you to create a meaningful sentence with the words "IANA" and "lobbyist" in it.

  • by Somegeek (624100) on Tuesday January 18, 2005 @09:55PM (#11404394)
    Evidently ICANN made a policy change in November 2004 that was intended to make it easier to transfer domains between registrars, but it turns out to also make it easier to hijack domains. Apparently multiple domains have been hijacked from Dotster.com, (the registrar for panix.com), so I would guess that they have some holes in their procedure for confirming transfers with their customers.

    How do you prevent this? Well, when reading the various articles about this, (I know, I'm new here), I ran across the phrase 'locking your domain'. I had never heard of this before, but I checked with my registrar, and sure enough they now have settings for 'normal' and 'high' transfer security. Basically they will not allow any domains that have 'high transfer security' set on to be transferred. Period. Whether they can get in contact with me or not. If I want the domain transferred, I have to log in and reset transfer security to normal, and then a transfer can go ahead. Otherwise it stays with me until it expires. Unfortunately the default setting was normal, but once I knew about it, it only took 30 seconds to set my domains to 'high'.

    In theory anyway; panix.com says that their domain was set to 'locked' with dotster, so your mileage may vary. Maybe tucows or someone can randomly test transfer attempts of 'locked' domains and certify registrars that appropriately deny the transfers?

    So, check your domains now, set them to locked, or high security, or whatever your registrar calls it. If they don't have such a setting, hey, it ought to be easy to transfer your domain to one that does!
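One way to run the check this comment recommends across several domains, as an added example that is not part of the original thread: it reads WHOIS text and reports whether a transfer lock is set. The `.example` domains and sample records are constructed; `clientTransferProhibited`, `serverTransferProhibited` and `pendingTransfer` are the standard EPP status names, and `REGISTRAR-LOCK` is the older label for the registrar-lock the thread mentions.

```python
import re

# Statuses that make the registry refuse an inter-registrar transfer.
TRANSFER_LOCKS = {
    "clienttransferprohibited",   # lock set by the registrar (EPP name)
    "servertransferprohibited",   # lock set by the registry (EPP name)
    "registrar-lock",             # older WHOIS label for the registrar lock
}
# A transfer is already in flight: the approval window is running.
PENDING = "pendingtransfer"

# Matches "Domain Status: <token> [url]" and the older "Status: <token>".
STATUS_RE = re.compile(
    r"^[ \t]*(?:Domain )?Status:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE
)


def statuses(whois_text):
    """Return the set of lower-cased status tokens found in a WHOIS record."""
    return {m.group(1).lower() for m in STATUS_RE.finditer(whois_text)}


def audit(whois_text):
    """Classify one WHOIS record by its transfer exposure."""
    found = statuses(whois_text)
    if not found:
        # Rate-limited or unparsable output must never be read as "locked".
        return "UNKNOWN"
    if PENDING in found:
        return "PENDING_TRANSFER"
    if found & TRANSFER_LOCKS:
        return "LOCKED"
    return "UNLOCKED"


def needs_attention(records):
    """Return (domain, verdict) pairs for every domain that is not locked."""
    results = ((domain, audit(text)) for domain, text in records.items())
    return sorted((d, v) for d, v in results if v != "LOCKED")


# Constructed sample WHOIS output, one record per domain.
SAMPLES = {
    "locked.example": (
        "Domain Name: LOCKED.EXAMPLE\n"
        "Domain Status: clientTransferProhibited "
        "https://icann.org/epp#clientTransferProhibited\n"
        "Domain Status: clientUpdateProhibited "
        "https://icann.org/epp#clientUpdateProhibited\n"
    ),
    "legacy.example": (
        "   Domain Name: LEGACY.EXAMPLE\n"
        "   Status: REGISTRAR-LOCK\n"
    ),
    "open.example": (
        "Domain Name: OPEN.EXAMPLE\n"
        "Domain Status: ok https://icann.org/epp#ok\n"
    ),
    "moving.example": (
        "Domain Name: MOVING.EXAMPLE\n"
        "Domain Status: pendingTransfer "
        "https://icann.org/epp#pendingTransfer\n"
    ),
    "ratelimited.example": "WHOIS LIMIT EXCEEDED - TRY AGAIN LATER\n",
}

if __name__ == "__main__":
    for domain, verdict in needs_attention(SAMPLES):
        print(f"{domain}: {verdict}")
```

Run on a schedule, a `PENDING_TRANSFER` result is the one to act on immediately, since the approval window discussed in this thread is already counting down.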
  • by Saeed al-Sahaf (665390) on Tuesday January 18, 2005 @09:56PM (#11404407) Homepage
    Panix CEO Alex Rosen said. "I didn't find useful 24-hour NOC-type info anywhere. MIT apparently has no weekend support at all; I finally located their CEO's cellphone in an investor-relations web page."

    Clearly, MIT has its priorities.

  • The good, the CEO admitted it so something will likely happen to prevent it in the future.

    The bad, panix.com users were compromised and without service

    The ugly hopefully (as far as we know) does not happen. Such hijackings can lead to compromised passwords and accesses to other systems.

    Be careful out there...

    • Haven't you ever worked for a government run company? There are procedures for this sort of thing! The change will be the CEO getting a new cell phone, one that takes pictures of his stock portfolio to send to investors and has a different number to prevent this kind of upset of his chain of command.
      • Haven't you ever worked for a government run company? There are procedures for this sort of thing! The change will be the CEO getting a new cell phone, one that takes pictures of his stock portfolio to send to investors and has a different number to prevent this kind of upset of his chain of command.

        Yes I have worked for a government run company and the senior management usually has self denial, run for the hills and procedures are for "other" people unless it is convenient.

        This is why it was surprisi

  • The recommendation in the linked discussion is that by using both registrar-lock and auth_info the system provides a reasonable compromise between security and the incentive for registrars to make the domain transfer process as difficult as possible.

    Now, I agree that there is certainly a worry that losing registrars could make sending a domain name very difficult if they initiated a transfer. However, a system which provides registrar-lock which many registrars initiate by default and require user action to remove is just as abusable. So long as the registrar may put on registrar-lock by default they may incorporate any difficulty they want into the process of removing registrar lock. In fact this is even worse than just requiring the losing registrar to initiate a transfer. After all many domain holders like myself until today have no idea that registrar lock even exists and may attempt to do the transfer before we know we have to undo the registrar lock, adding additional difficulty on top of any difficulty for removing registrar-lock.

    As it is we get the worst of both worlds. Since registrar-lock is not always turned on many domain names are left vulnerable but those registrars who want to make it difficult to leave have just as much incentive to turn on registrar-lock by default and make it hard to turn off as they would to initiate a transfer. At this point it would be strictly better to go to a loser-initiated system.

    I think a good fix would be to require that registrar-lock be off by default. Those domains that wanted it could turn it on easily, after all the registrar has every incentive to make this as easy to do as possible. This is also a good match for the threat/benefit model. Big name domains are most liable to be attacked, but they have departments that can deal with a difficult transfer process, while private users can leave registrar-lock off knowing that they are unlikely to be targeted and being more likely to change registrars anyway.
  • If you're on panix.com and you haven't changed your password yet I highly suggest you do. E-mail might be a good idea to change too if panix lets you.

    Basically, since they owned the domain, they also owned all the servers on it, including the E-mail server. It wouldn't be too hard for them to write a dummy E-mail server that captures every login attempt to it as well as the password sent. From that they got your E-mail address (SPAM!) and your password for it (SPY!).

    From what this dotster.com business prac
  • Isn't it better to, as a rule-of-thumb as far as security goes, enforce a general default-deny policy as opposed to a default-allow policy? IMHO, this is evidence that the whole system needs an overhaul, from ICANN all the way down, with at least some attention paid to security.
  • ... [here [icann.org]] on the transfer process.

    I have sent them my comment as follows:

    One of the features of the recent PANIX domain hijacking which was particularly egregious was that the gaining registrar, Melbourne IT, did not have any technical staff on duty over a period of in excess of thirty six hours who had authority to review the transfer.

    It seems to me that it would be reasonable to require registrars to have competent and authorised staff available at all times - '24/7' - to handle problems that ari

    • ... [here] on the transfer process.

      Anyone involved with the PANIX outage or otherwise stolen domains should really write their comments there. Please help bring ICANN back to their senses. Without public comments, they may even think that everything's fine with their screwed domain transfer policy.

      • As opposed to with a barrage of public comments they still might think everything's ok. Any real change at ICANN comes in the bar, after hours during the public meetings in exotic locales 4X a year and only from lobbyists from companies with three letter names.

        ICANN was created to create new tlds, they really were. Big business didn't want this and spent literally hundreds of millions of dollars to prevent it.

        How's that .coop working out for ya?
  • From ICANN [icann.org]:

    Failure by the Registrar of Record to respond within five (5) calendar days to a notification from the Registry regarding a transfer request will result in a default "approval" of the transfer.

    In the event that a Transfer Contact listed in the Whois has not confirmed their request to transfer with the Registrar of Record and the Registrar of Record has not explicitly denied the transfer request, the default action will be that the Registrar of Record must allow the transfer to proceed.

    Its

    • That isn't to say that Registrars cannot simply deny the transfer though. The *current* Registrar cannot deny the transfer of a domain to a different Registrar if:

      www.icann.org/transfers/policy-12jul04.htm [icann.org]

      Instances when the requested change of Registrar may not be denied include, but are not limited to:

      * Nonpayment for a pending or future registration period

      * No response from the Registered Name Holder or Administrative Contact.

      * Domain name in Registrar Lock Status, unless the Regis
