
MelbourneIT Lapse Permitted Panix Hijack

McSpew writes "Netcraft reports MelbourneIT's CTO, Bruce Tonkin, has admitted the Panix domain hijacking occurred because of a loophole in MIT's domain transfer process. He doesn't go into detail about what that loophole was, or how it was closed. As a Panix user, I'd like more detail, and I'd like to know what can be done to stop this sort of nonsense happening to other domains."

  • Not very surprised (Score:5, Interesting)

    by dbIII ( 701233 ) on Tuesday January 18, 2005 @10:11PM (#11404116)
    I'm not surprised - not long ago they had the monopoly for the "com.au" domain and were very, very slow to respond about anything - even ignoring emails from ICANN for a couple of weeks at the start of September 2000. If one person goes on holidays your business is not supposed to stop working for the duration. They used to be a money making sideline for a government run university, and it shows.

    They also have all the integrity to be expected of the major ".cx" registrar.

  • Re:Overworked (Score:5, Interesting)

    by ajd1474 ( 558490 ) on Tuesday January 18, 2005 @10:25PM (#11404211)
    I have had my share of problems with Melbourne IT.

    My father registered a domain name with them under the company name " Brothers Inc." But on the form misspelled Brothers as Borthers. On top of that, no such company ever existed.

    When it came time to transfer the domain name to me, Melbourne IT wouldn't have a bar of it. They wanted proof of my association with this "fictional" company before I could take control of the domain. When I pointed out that no such company existed, they argued and insisted that I produce a permission of transfer on the company letterhead of "******* Borthers" before they would allow me to move the domain.... even though they acknowledged that no such company exists.

    So what did I do? I created a fake letterhead, signed it and faxed it. They then gave me full control of the domain the same day!
  • by Anonymous Coward on Tuesday January 18, 2005 @10:34PM (#11404271)
    Given that it's down to the registry (not the registrar) to actually commit any transfer request, and there are several stages of validation on this, isn't it down to them to NOTICE if something didn't go right?

    If I'm reading the linked description of the transfer process right, in part 2 (allegedly where it fell over) the "gaining registrar is not permitted by the policy to initiate a transfer without approval from the registrant".

    Not permitted BY THE POLICY? That's an awful lot of trust to put into each and every registrar never making a mistake or having a design flaw in their systems. Surely they should just bounce every transfer request that doesn't follow some sort of authorization procedure ... right?

    Why are the registrars responsible for this step, and not the central registry itself? There's an awful lot of trust involved here, and this could happen with any registrar that happened to have a bug in their systems. I bet there's a way to exploit this from many registrars other than Melbourne IT that just haven't been found yet.
  • Re:MelbourneIT (Score:1, Interesting)

    by Anonymous Coward on Tuesday January 18, 2005 @11:41PM (#11404665)
    As have I - I used to use VIANetworks in Atlanta for client hosting, and as part of their new "No Soupport for you!" policy, they got into some silly reciprocal relationship with MIT. For a client's domain (when I opened the account I was still being stupid and lazy and letting the ISP register the domain for me - never again) VIANetworks said Melbourne IT was the registrar, MIT said Network Solutions was the registrar, and Network Solutions said VIANetworks was the registrar (no kidding).

    Calling them wasn't an option - any attempts at e-mail produced at least a 72-hour lag - sometimes more. And meanwhile, the site in question was unreachable for over a month. I even went so far as to apologize for the election here, in case that had anything to do with it.

    I tell this maudlin tale of woe in order to get to the punchline - finally, after several different go-rounds with them, faxing this and that (all of which they admitted that they misplaced - I felt great about having my client fax his signature and then hearing that), I finally simply badgered them into giving me the registry key. They had no proof of who I was, took my word for the fact that I had sent them the information I sent them, and gave me access to the DNS settings simply because I barked loud and long enough. I wrote mad e-mails and it worked (score: squeaky wheels 1, rightful domain owners, 0). I don't call that a policy "loophole" - it struck me as simple bonehead security.

    I'm quite surprised that this doesn't happen more often with them - maybe it does, and most of the people who pester this kind of response out of them are just doing it for whatever practical, non-malicious reasons.
  • by BJH ( 11355 ) on Wednesday January 19, 2005 @12:00AM (#11404785)
    The problem was that MelbourneIT transferred the domain *without* any approval from the domain *owner*. In that case, it doesn't matter what the original registrar does...
  • by harlows_monkeys ( 106428 ) on Wednesday January 19, 2005 @01:06AM (#11405136) Homepage
    The problem was that MelbourneIT transferred the domain *without* any approval from the domain *owner*

    But if the domain is locked, then that is not supposed to be possible. To transfer a domain from registrar X to registrar Y, registrar Y basically has to ask registrar X to do it. For a domain that has been locked, X is supposed to say "no" and refuse the transfer.

    So, what has been described so far is very puzzling. I can't see how it could be MelbourneIT's fault...but they are accepting blame, so something very strange apparently happened.

  • by Simon Brooke ( 45012 ) * <stillyet@googlemail.com> on Wednesday January 19, 2005 @06:25AM (#11406382) Homepage Journal
    "Advent" is commonly used to describe when something catches on and takes hold. "before the advent of the Internet" has a subtle yet distinctly different meaning than "before the Internet was invented" and that's why I think they chose to write it the way they did.

    Bollocks. Advent means, and always has meant, the very beginning. Check any dictionary. 'Advent', for Christians, is the month before Christ was born - not the month when Christianity 'caught on'. You can't just go around redefining words because you've made an arse of yourself in public.

  • by Noryungi ( 70322 ) on Wednesday January 19, 2005 @08:22AM (#11406745) Homepage Journal
    Aside from the obvious chicken-and-egg problem of claiming to have been an ISP before the "I" was even invented - 1989 may pre-date the web but it's a long way short of pre-dating the Internet.

    Disclaimer: I am a Panix user, and I have always been very satisfied with their service.

    A Panix old-timer once explained that the first connection between Panix and the outside world was a UUCP link. So they did predate the Internet in a way, since that connection was not TCP/IP.

    This being said, they probably meant before the Internet was mainstream...
