MelbourneIT Lapse Permitted Panix Hijack 200
McSpew writes "Netcraft reports MelbourneIT's CTO, Bruce Tonkin, has admitted the Panix domain hijacking occurred because of a loophole in MIT's domain transfer process. He doesn't go into detail about what that loophole was, or how it was closed. As a Panix user, I'd like more detail, and I'd like to know what can be done to stop this sort of nonsense happening to other domains."
Not very surprised (Score:5, Interesting)
They also have all the integrity to be expected of the major ".cx" registrar.
Re:Overworked (Score:5, Interesting)
My father registered a domain name with them under the company name " Brothers Inc." But on the form mispelled Brothers as Borthers. On top of that, no such company ever existed.
When it came time to transfer the domain name to me, Melbourne IT wouldnt have a bar of it. They wanted proof of my association with this "fictional" company before i could take contral of the domain. When i pointed out that no such company existed, they argued and insisted that i produce a permission of transfer on the company letterhead of "******* Borthers" before they would allow me to move the domain.... even though they acknowledged that no such company exists.
So what did i do? I created a fake letterhead, signed it and faxed it. They then gave me full control of the domain the same day!
This could happen again ... (Score:2, Interesting)
If I'm reading the linked description of the transfer process right, in part 2 (allegedly where it fell over) the "gaining registrar is not permitted by the policy to initiate a transfer without approval from the registrant".
Not permitted BY THE POLICY? That's an awful lot of trust to put into each and every registrar never making a mistake or having a design flaw in their systems. Surely they should just bounce every transfer request that doesn't follow some sort of authorization procedure
Why are the registrars responsible for this step, and not the central registry itself? There's an awful lot of trust involved here, and this could happen with any registrar that happened to have a bug in their systems. I bet there's a way to exploit this from many registrars other than Melbourne IT that just haven't been found yet.
Comment removed (Score:4, Interesting)
Re:MelbourneIT (Score:1, Interesting)
Calling them wasn't an option - any attempts at e-mail produced at least a 72-hour lag - sometimes more. And meanwhile, the site in question was unreachable for over a month. I even went so far as to apologize for the election here, in case that had anything to do with it.
I tell this maudlin tale of woe in order to get to the punchline - finally, after several different go-rounds with them, faxing this and that (all of which they admitted that they misplaced - I felt great about having my client fax his signature and then hearing that), I finally simply badgered them into giving me the registry key. They had no proof of who I was, took my word for the fact that I had sent them the information I sent them, and gave me access to the DNS settings simply because I barked loud and long enough. I wrote mad e-mails and it worked (score: squeaky wheels 1, rightful domain owners, 0). I don't call that a policy "loophole" - it struck me as simple bonehead security.
I'm quite surprised that this doesn't happen more often with them - maybe it does, and most of the people who pester this kind of response out of them are just doing it for whatever practical, non-malicious reasons.
Re:It doesn't look like their fault to me (Score:3, Interesting)
Re:It doesn't look like their fault to me (Score:3, Interesting)
But if the domain is locked, then that is not supposed to be possible. To transfer a domain from registrar X to registrar Y, registrar Y basically has to ask registrar X to do it. For a domain that has been locked, X is supposed to say "no" and refuse the transfer.
So, what has been described so far is very puzzling. I can't see how it could be MelbourneIT's fault...but they are accepting blame, so something very strange apparently happened.
Re:oldest ISP in NY ? (Score:3, Interesting)
Bollocks. Advent means, and always has meant, the very beginning. Check any dictionary. 'Advent', for Christians, is the month before Christ was born - not the month when Christianity 'caught on'. You can't just just go around redefining words because you've made an arse of yourself in public.
Re:oldest ISP in NY ? (Score:3, Interesting)
Disclaimer: I am a Panix user, and I have always been very satisfied of their service.
A Panix old-timer once explained that the first connection between Panix and the outside world was a UUCP link. So they did predate the Internet in a way, since that connection was not TCP/IP.
This being said, they probably meant before the Internet was mainstream...