MelbourneIT Lapse Permitted Panix Hijack
McSpew writes "Netcraft reports MelbourneIT's CTO, Bruce Tonkin, has admitted the Panix domain hijacking occurred because of a loophole in MIT's domain transfer process. He doesn't go into detail about what that loophole was, or how it was closed. As a Panix user, I'd like more detail, and I'd like to know what can be done to stop this sort of nonsense happening to other domains."
Melbourne IT have a history of fucking with this. (Score:5, Informative)
The problem is, the web form did nothing at all with the IP addresses you put in. It completely ignored them. You had to call up Melbourne IT and speak to somebody to get the mess sorted out. That one caused me a day of pain.
Other times, the staff members have stated facts that clearly went against all of their procedures on the web page for redelegation and/or key retrieval. "Sorry, no, even though that's what the web page says, it REALLY means the opposite."
Lock your domain (Score:4, Informative)
"Loophole" - Corporate killspeak for fuckup (Score:3, Informative)
What Happened (Score:5, Informative)
ICANN recently changed the rules for domain name transfers so that rather than requiring confirmation for domain name transfers, they are transferred automatically if the owner does not object within a set period of time (a few weeks IIRC). This is meant to "streamline the domain transfer process". In this regard, I believe that ICANN is partially to blame for this hijacking. These policy changes need to be reviewed. You can, of course, lock your domain against this occurring, but it is a simple error to neglect to do this.
Melbourne IT is also more or less to blame for this hijacking (depending on who you believe). It has been confirmed that one of their resellers allowed someone to create an account with a stolen credit card number, and initiate the domain transfer process. Panix claims that Melbourne IT failed to send the notification of transfer to them or their registrar. They also state that they had asked that their domain be locked against transfers, but this did not occur. If this is the case, then this is a serious issue with Melbourne IT.
Melbourne IT has also been accused of being unavailable for contact over the weekend, despite promising 24/7 service. The only way that Panix managed to contact them was via the CEO's mobile number.
If these accusations are true, then this shows serious problems within Melbourne IT.
To prevent this from happening to your domains (Score:5, Informative)
How do you prevent this? Well, when reading the various articles about this, (I know, I'm new here), I ran across the phrase 'locking your domain'. I had never heard of this before, but I checked with my registrar, and sure enough they now have settings for 'normal' and 'high' transfer security. Basically they will not allow any domains that have 'high transfer security' set on to be transferred. Period. Whether they can get in contact with me or not. If I want the domain transferred, I have to log in and reset transfer security to normal, and then a transfer can go ahead. Otherwise it stays with me until it expires. Unfortunately the default setting was normal, but once I knew about it, it only took 30 seconds to set my domains to 'high'.
In theory anyway; panix.com says that their domain was set to 'locked' with dotster, so your mileage may vary. Maybe tucows or someone can randomly test transfer attempts of 'locked' domains and certify registrars that appropriately deny the transfers?
So, check your domains now, set them to locked, or high security, or whatever your registrar calls it. If they don't have such a setting, hey, it ought to be easy to transfer your domain to one that does!
The registration didn't lapse (Score:2, Informative)
Registrar: DOTSTER
Domain Name: PANIX.COM
Created on: 22-APR-91
Expires on: 23-APR-06
Last Updated on: 16-JAN-05
It could only lapse in April - and it sure as hell didn't lapse in April of 2004 and stay working for this long!
Misinformed (Score:4, Informative)
Re:The weekend rule (Score:3, Informative)
An example of keeping things in perspective is the recent arrest of a couple of guys in Kalgoorlie, Western Australia for using explosives to blow up a satellite dish. In other places people might start screaming "terrorist!" but in this case the judge decided it was safe enough to let them out on bail before the trial. Terrorists kill people, they don't hijack domains or blow up inanimate objects.
Re:To prevent this from happening to your domains (Score:3, Informative)
ICANN is soliciting comments on the revised transfer policy: RFC [icann.org]. Let them know what you think.
Re:Alternatives in AU (Score:2, Informative)
Re:Overworked (Score:2, Informative)
oldest ISP in NY ? (Score:1, Informative)
Panix, the oldest commercial Internet provider in New York, [...] We started in 1989, before the advent of the Internet, and we're still going strong.
Aside from the obvious chicken-and-egg problem of claiming to have been an ISP before the "I" was even invented - 1989 may pre-date the web but it's a long way short of pre-dating the Internet.
CEO had his attorney call Panix (Score:3, Informative)
From the article: "I finally located their CEO's cellphone in an investor-relations web page."
That would be why the CEO was involved, so his involvement illustrates nothing about the company's laziness or otherwise.
As a Panix subscriber (and submitter of this topic), I have seen informal update posts made to internal (Panix-only) newsgroups by Panix staff during and since the crisis.
Not only did Panix get MelbourneIT's CEO's cellphone number from a web page, but when they contacted him, he was most unhelpful and even directed MelbourneIT's corporate counsel to contact Panix and set them straight.
If this is the kind of leadership MelbourneIT shows in times of crisis, I pity anyone who has to depend on them--whether by their own choice or through someone else's--to do the right thing in a pinch.
Re:5 day period is for Registrars, not domain owne (Score:3, Informative)
www.icann.org/transfers/policy-12jul04.htm [icann.org]
Instances when the requested change of Registrar may not be denied include, but are not limited to:
* Nonpayment for a pending or future registration period
* No response from the Registered Name Holder or Administrative Contact.
* Domain name in Registrar Lock Status, unless the Registered Name Holder is provided with the reasonable opportunity and ability to unlock the domain name prior to the Transfer Request.
* Domain name registration period time constraints, other than during the first 60 days of initial registration or during the first 60 days after a registrar transfer.
* General payment defaults between Registrar and business partners / affiliates in cases where the Registered Name Holder for the domain in question has paid for the registration.
The bottom line to all of this is to provide accurate information with your domain registrations, and lock the domain so that if your Registrar gets a notice that another Registrar wants to transfer your domain, it can't be transferred, even if you are not contactable (say, on a cruise or something).
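
An added example, not part of any comment in this thread: a small audit of the "lock your domain" advice given in the "To prevent this from happening to your domains" comment and in the comment above. It classifies WHOIS responses by transfer-lock status. It assumes the registry or registrar reports the standard EPP status values (`clientTransferProhibited`, `serverTransferProhibited`, `pendingTransfer`) or the older `REGISTRAR-LOCK` value; the WHOIS responses are constructed samples, and a displayed lock only shows the setting, not whether the registrar will honour it.

```python
import re

# Status values that block an outbound transfer: the EPP ones, plus the
# older RRP-era REGISTRAR-LOCK that some WHOIS output still shows.
TRANSFER_LOCKS = {"clienttransferprohibited", "servertransferprohibited",
                  "registrar-lock"}

# Constructed WHOIS responses for illustration; not real registry output.
SAMPLE_WHOIS = {
    "locked.example": (
        "Domain Name: LOCKED.EXAMPLE\n"
        "Registrar: EXAMPLE REGISTRAR\n"
        "Domain Status: clientTransferProhibited "
        "https://icann.org/epp#clientTransferProhibited\n"
        "Domain Status: clientUpdateProhibited\n"
    ),
    "legacy.example": "Domain Name: LEGACY.EXAMPLE\nStatus: REGISTRAR-LOCK\n",
    "open.example": "Domain Name: OPEN.EXAMPLE\nDomain Status: ok\n",
    "pending.example": "Domain Name: PENDING.EXAMPLE\n"
                       "Domain Status: pendingTransfer\n",
}

# Matches "Domain Status: <token>" and "Status: <token>" lines.
STATUS_LINE = re.compile(r"^[ \t]*(?:Domain[ \t]+)?Status:[ \t]*(\S+)",
                         re.I | re.M)

def statuses(whois_text):
    """Return the set of lower-cased status tokens in a WHOIS response."""
    return {m.group(1).lower() for m in STATUS_LINE.finditer(whois_text)}

def audit(whois_text):
    """Classify a response as 'locked', 'unlocked' or 'transfer-pending'."""
    found = statuses(whois_text)
    if "pendingtransfer" in found:
        return "transfer-pending"   # a transfer is already in flight
    if found & TRANSFER_LOCKS:
        return "locked"
    return "unlocked"               # also covers responses with no status line

def report(responses):
    """Map each domain name to its audit result."""
    return {domain: audit(text) for domain, text in responses.items()}

if __name__ == "__main__":
    for domain, result in sorted(report(SAMPLE_WHOIS).items()):
        print(f"{domain:20} {result}")
```
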