Alexis Rosen tried to send this to NANOG earlier this evening but it looks like it never made it. Apologies if it's a duplicate; we're both reduced to reading the list via the web interface since the legitimate addresses for panix.com have now timed out of most folks' nameservers and been replaced with the hijacker's records. Note that we contacted VeriSign both directly and through intermediaries well known to their ops staff, in both cases explaining that we suspect a security compromise (technical or human) of the registration systems either at MelbourneIT or at VeriSign itself (we have reasons to suspect this that I won't go into here right now). We noted that after calling every publicly available number for MelbourneIT and leaving polite messages, the only response we received was a rather rude brush-off from MelbourneIT's corporate counsel, who was evidently directed to call us by their CEO. We are also told that law enforcement separately contacted VeriSign on our behalf, to no avail. Below please find VeriSign's response to our plea for help. We're rather at a loss as to what to do now; MelbourneIT clearly are beyond reach, VeriSign won't help, and Dotster just claim they still own the domain and that as far as they can tell nothing's wrong. Panix may not survive this if the formal complaint and appeal procedure are the only way forward.
Date: Sun, 16 Jan 2005 00:21:33 -0500 To: <alexis@panix.com>, NOC Supervisor <nocsupervisor@verisign.com> Subject: Re: FW: [alexis@panix.com: Brief summary of panix.com hijacking incident] (KMM2294267V49480L0KM) From: VeriSign Customer Service <info@verisign-grs.com> X-Mailer: KANA Response 7.0.1.127
Dear Alexis,
Thank you for contacting VeriSign Customer Service.
Unfortunately there is little that VeriSign, Inc. can do to rectify this situation. If necessary, Dotster (or Melbourne) is more than welcome to contact us to obtain the specific details as to when the notices were sent and other historical information about the transfer itself.
Dotster can file a Request for Enforcement if Melbourne IT contends that the request was legitimate, and we will review the dispute and respond accordingly. Dotster can also contact Melbourne directly and, if they come to an agreement that the transfer was fraudulent, they can file a Request for Reinstatement and the domain would be reinstated to its original Registrar. Dotster could submit a normal transfer request to Melbourne IT for the domain name and hope that Melbourne IT agrees to transfer the name back to them outside of a dispute having been filed. In order to expedite processing the transfer or submitting a Request for Reinstatement, however, Dotster will need to contact Melbourne IT directly. If Dotster is unable to get in touch with anyone at Melbourne IT we can assist them directly if necessary.
Best Regards,
Melissa Blythe Customer Service VeriSign, Inc. www.verisign.com info@verisign-grs.com
----- Original Message ----- From: "Thor Lancelot Simon" <tls@NetBSD.org> To: <nanog@merit.edu> Sent: Sunday, January 16, 2005 2:04 AM Subject: Re: panix.com hijacked (VeriSign refuses to help)
Alexis Rosen tried to send this to NANOG earlier this evening but it looks like it never made it. Apologies if it's a duplicate; we're
--- snip ---

how about trying to get in touch with the folks hosting the dns (on the off chance that they are honest and willing to help) and asking them to put up the correct panix.com zone?

-p
--- paul galynin
On Sun, Jan 16, 2005 at 02:22:59AM -0500, Paul G wrote:
how about trying to get in touch with the folks hosting the dns (on the off chance that they are honest and willing to help) and asking them to put up the correct panix.com zone?
The purported current admin contact appears to be a couple in Las Vegas who are probably the victims of a joe job. A little searching will reveal that people by that name really *do* live at the address given, and that one of the phone numbers given is a slightly obfuscated form of a Las Vegas number that either now or in the recent past belonged to one of them. Suffice it to say it doesn't seem to be possible to get them to change the DNS.

Chasing down the records for the tech contact, and the allocated party for the IP addresses now returned for various panix.com hosts (e.g. 142.46.200.72 for panix.com itself), and doing a little gumshoe work, seems to show that they're all in some way associated with a UK holding company that, when contacted by phone, claims no knowledge of today's mishap involving Panix.com. It's possible that this set of entities was chosen specifically *because* its convoluted ownership structure would make getting it to let go of a domain it may or may not know it is now the tech contact for as difficult as possible.

Beyond the above, it's basically a matter for law enforcement. Who is really behind the malfeasance here is not clear, but what is clear enough to me at this point is that there is, in fact, some deliberate wrongdoing going on. Whether the point is just to harm Panix or to actually somehow profit by it I don't know, but I do note that an earlier message in this thread pointed out a very similar earlier incident involving MelbourneIT as the registrar, the same bogus new domain contacts, and another hapless U.S. corporate victim. I don't know if these are merely isolated attempts at harassment and mischief or the precursors to a more widespread attack.

What I do know is that I'm very concerned, Panix is quite literally fighting for its life, and everyone we've shown details of the problem to is concerned -- including CERT, AUSCERT, and knowledgeable law enforcement personnel -- with the notable exception of MelbourneIT, whose sole corporate response has been one of decided unconcern, and VeriSign, who seem entirely determined to pass the buck instead of investigating, fixing, or helping.

And so it goes.

Thor
----- Original Message ----- From: "Thor Lancelot Simon" <tls@NetBSD.org> To: "Paul G" <paul@rusko.us> Cc: <nanog@merit.edu> Sent: Sunday, January 16, 2005 2:40 AM Subject: Re: panix.com hijacked (VeriSign refuses to help) --- snip ---
I don't know if these are merely isolated attempts at harassment and mischief or the precursors to a more widespread attack. What I do know is that I'm very concerned, Panix is quite literally fighting for its life, everyone we've shown details of the problem to is concerned -- including CERT, AUSCERT, and knowledgeable law enforcement personnel -- with the notable exception of MelbourneIT, whose sole corporate response has been one of decided unconcern, and VeriSign, who seem entirely determined to pass the buck instead of investigating, fixing, or helping.
And so it goes.
i know people from verisign (used to?) read nanog-l. perhaps some sort of a deus ex machina intervention may be forthcoming? one can hope. -p --- paul galynin
Since folks have been working on this for hours, and according to posts on NANOG, both MelbourneIT and Verisign refuse to do anything for days or weeks, would it be a good time to take drastic action?

Think of what we'd do about a larger ISP, or the Well, or really any serious financial target.

Think of the damage from harvesting logins and mail passwords of panix users.

===

Does somebody have a fast DNS server that can AXFR the records from those 2 name servers, then fix the panix.com entries?

Are people willing to announce some replacement servers as /32 BGP? Sort of an emergency anycast?

===

Alternatively, are people willing to block those name servers and/or the entire blocks they are located in, to prevent the distribution of the false panix.com addresses?

-- William Allen Simpson
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
In addition, there is a good rule for such situations:
- first, return everything to the _previous_ state;
- having fixed it in the previous state, allow time for lawyers, disputes and so on to resolve the problem.

It makes VeriSign's position very strange (of course, it is the dumb, clueless behemoth it always was) - instead of saying _OK, let's revert the last transactions and then you can object to this change_, they just step out. The problem is much more serious than just one stolen domain - it shows 100% that VeriSign is not able to manage the domain system properly. What happens if someone steals the 'aol.com' domain tomorrow? Or 'microsoft.com'? How much damage will be done until these sleeping behemoths wake up, set up a meeting (on Tuesday I believe - because Monday is a holiday), make a decision, open a ticket, pass through change control and restore the domain? 5 days?

----- Original Message ----- From: "William Allen Simpson" <wsimpson@greendragon.com> To: <nanog@merit.edu> Sent: Sunday, January 16, 2005 12:38 AM Subject: Re: panix.com hijacked (VeriSign refuses to help)
----- Original Message ----- From: "Alexei Roudnev" <alex@relcom.net> To: "William Allen Simpson" <wsimpson@greendragon.com>; <nanog@merit.edu> Sent: Sunday, January 16, 2005 4:07 AM Subject: Re: panix.com hijacked (VeriSign refuses to help)
In addition, there is a good rule for such situations: - first, return everything to the _previous_ state; - having fixed it in the previous state, allow time for lawyers, disputes and so on to resolve the problem.
agreed. but then proverbially, "common sense isn't".
What happens if someone steals the 'aol.com' domain tomorrow? Or 'microsoft.com'? How much damage will be done until these sleeping behemoths wake up, set up a meeting (on Tuesday I believe - because Monday is a holiday), make a decision, open a ticket, pass through change control and restore the domain? 5 days?
with due respect to panix (i knew of panix before i ever knew of aol, even living in europe), i imagine another bigger 'behemoth', as you so deftly put it, has a better way of liaising with verisign than you, me or panix. -p --- paul galynin
with due respect to panix (i knew of panix before i ever knew of aol, even living in europe), i imagine another bigger 'behemoth', as you so deftly put it, has a better way of liaising with verisign than you, me or panix.
There is a _rollback to the first state in case of any conflicts_ common-sense rule, precisely to avoid the need for liaising. If you purchased a domain or transferred it, and I suspended the change for a week, it would never do you much harm.
Hi, Thus wrote Alexei Roudnev (alex@relcom.net):
What happens if someone steals the 'aol.com' domain tomorrow? Or 'microsoft.com'? How much damage will be done until these sleeping behemoths wake up, set up a meeting (on Tuesday I believe - because Monday is a holiday), make a decision, open a ticket, pass through change control and restore the domain? 5 days?
I remember that in a similar case in .de several larger ISPs put the previous ('correct') zone on their resolvers. Would a) people here feel that is an appropriate measure for this case, b) do it on their resolvers, c) the panix.com people want that to happen in the first place?

regards,
Petra Zeidler
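William's post (AXFR the zone, fix the panix.com entries, serve them yourself) and Petra's (ISPs putting the previous, correct zone on their resolvers) describe the same operational workaround: stop trusting the delegation the registry now hands out and answer for the zone from a known-good copy. What follows is an added example, not code from any poster in this thread or from Panix, of the two pieces a resolver operator would want before doing that: a check that the delegation seen today differs from a saved baseline (NS set changed, A records outside the prefixes the zone is supposed to live in), and a generator that turns the baseline records into an Unbound local-data override. Every hostname, the 198.51.100.0/24 prefix and the TTLs are constructed placeholders; the only value taken from the thread is the 142.46.200.72 address Thor reports as the bogus panix.com A record. Python 3.9 or later, standard library only.

```python
"""Detect a hijacked delegation from dig-style output and emit a resolver
override (Unbound local-data) built from the last known-good records.

Added example for this thread, not code from any of the posters.  Names,
prefixes and TTLs below are constructed sample data; only 142.46.200.72 is
the address quoted in the thread as the bogus panix.com A record.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: str


# owner  ttl  IN  type  rdata   (dig prints tabs; \s+ covers tabs or spaces)
_RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+?)\s*$")


def _fqdn(name: str) -> str:
    """Lowercase with exactly one trailing dot, so set comparisons are exact."""
    return name.lower().rstrip(".") + "."


def parse_dig_answer(text: str) -> list[RR]:
    """Parse only the ANSWER SECTION of `dig` output into RR records.

    Other sections (QUESTION, AUTHORITY, ADDITIONAL) and ';' comment lines
    are skipped, so glue in the AUTHORITY section cannot masquerade as data.
    """
    rrs: list[RR] = []
    in_answer = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):          # any other section header ends the answer
            in_answer = False
            continue
        if not in_answer or not line or line.startswith(";"):
            continue
        m = _RR_LINE.match(line)
        if not m:
            continue
        name, ttl, rtype, rdata = m.groups()
        if rtype in ("NS", "CNAME", "MX"):   # rdata ends in a hostname: normalise it too
            parts = rdata.split()
            parts[-1] = _fqdn(parts[-1])
            rdata = " ".join(parts)
        rrs.append(RR(_fqdn(name), int(ttl), rtype, rdata))
    return rrs


def _in_zone(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)


def check_delegation(observed: list[RR], zone: str,
                     expected_ns: set[str], expected_nets: list[str]) -> list[str]:
    """Compare what resolvers see now with the baseline; [] means no deviation."""
    zone = _fqdn(zone)
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    findings: list[str] = []

    seen_ns = {rr.rdata for rr in observed if rr.name == zone and rr.rtype == "NS"}
    want_ns = {_fqdn(n) for n in expected_ns}
    if seen_ns and seen_ns != want_ns:
        findings.append(f"NS set changed: added {sorted(seen_ns - want_ns)}, "
                        f"missing {sorted(want_ns - seen_ns)}")

    for rr in observed:
        if rr.rtype in ("A", "AAAA") and _in_zone(rr.name, zone):
            addr = ipaddress.ip_address(rr.rdata)
            if not any(addr in net for net in nets):
                findings.append(f"{rr.name} {rr.rtype} {rr.rdata} is outside expected prefixes")
    return findings


def unbound_override(zone: str, good: list[RR]) -> str:
    """Emit Unbound local-zone/local-data lines that answer `zone` from the
    known-good records.  `static` makes names NOT in the list return NXDOMAIN
    instead of being fetched from the hijacked delegation, so use it only with
    a full copy of the zone (e.g. an AXFR taken before the transfer)."""
    zone = _fqdn(zone)
    lines = [f'local-zone: "{zone}" static']
    for rr in good:
        if _in_zone(rr.name, zone):
            lines.append(f'local-data: "{rr.name} {rr.ttl} IN {rr.rtype} {rr.rdata}"')
    return "\n".join(lines) + "\n"


# Constructed sample: the last known-good answer, saved before the hijack.
KNOWN_GOOD = """\
;; QUESTION SECTION:
;panix.com.                  IN  ANY

;; ANSWER SECTION:
panix.com.          3600  IN  NS  ns1.example-good.net.
panix.com.          3600  IN  NS  ns2.example-good.net.
panix.com.          3600  IN  A   198.51.100.10
mail.panix.com.     3600  IN  A   198.51.100.25
"""

# Constructed sample of what resolvers saw after the transfer; only the
# 142.46.200.72 address comes from the thread, the NS names are placeholders.
HIJACKED = """\
;; ANSWER SECTION:
panix.com.          86400 IN  NS  ns1.example-hijack.net.
panix.com.          86400 IN  NS  ns2.example-hijack.net.
panix.com.          86400 IN  A   142.46.200.72

;; AUTHORITY SECTION:
panix.com.          86400 IN  NS  ns1.example-hijack.net.
"""

EXPECTED_NS = {"ns1.example-good.net", "ns2.example-good.net"}   # placeholder baseline
EXPECTED_NETS = ["198.51.100.0/24"]                              # placeholder prefix


def audit() -> tuple[list[str], str]:
    """Run the check against the hijacked snapshot and build the override."""
    findings = check_delegation(parse_dig_answer(HIJACKED), "panix.com",
                                EXPECTED_NS, EXPECTED_NETS)
    override = unbound_override("panix.com", parse_dig_answer(KNOWN_GOOD))
    return findings, override


if __name__ == "__main__":
    found, conf = audit()
    print("\n".join(found) or "delegation matches baseline")
    print(conf)
```

The override is the resolver-side analogue of what Petra describes: it is served to that resolver's own users only, and it must be removed once the registry delegation is corrected, or the operator becomes the next stale copy. The `static` local-zone type is deliberate; `transparent` would fall through to the hijacker's servers for any name missing from the saved copy.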
As much as it pains me to say, I'm sure there is a little difference when it comes to some of the big domains.

1. It doesn't take any rocket scientist to sit back and say "Ummmm... I really don't think this is a legit move" without a lot of thinking!

2. If a lawyer for AOL or MS or some really big company sent a letter saying something about if you don't change this back in the next 30 seconds or we will destroy your company, it would be more believable!

Unfortunately, size does matter. :)

Scott

-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Petra Zeidler Sent: Sunday, January 16, 2005 6:28 AM To: nanog@merit.edu Subject: seed resolvers? Re: panix.com hijacked (VeriSign refuses to help)

Hi, Thus wrote Alexei Roudnev (alex@relcom.net):
On Sun, 16 Jan 2005, Alexei Roudnev wrote:
What happens if someone steals the 'aol.com' domain tomorrow? Or 'microsoft.com'? How much damage will be done until these sleeping behemoths wake up, set up a meeting (on Tuesday I believe - because Monday is a holiday), make a decision, open a ticket, pass through change control and restore the domain? 5 days?
AOL has gamed the system in the past to take over domain names they wanted, which were inconveniently registered by someone else, by sending in an e-mail to transfer the name to AOL. Despite NSI's assurances, the domain was changed to AOL in spite of the original registrant's objection. NSI said there was nothing they could do.

http://www.internetnews.com/bus-news/article.php/3_143441

On the other hand, when someone made an unauthorized change to AOL's domain information, NSI reversed the change in a few hours.

http://news.com.com/2100-1023-216813.html?tag=bplst

Other than Panix having a constituency, unauthorized domain changes are an old problem the registrar/registry haven't been able to solve in a decade.
Oki all,

It's dawn in Maine, the caffeine delivery system has only just started, but I'll comment on the overnight.

You're welcome alexis@panix.net. If you'll send me the cell phone number for the MIT management I will call wearing my registrar hat and inform whoever I end up speaking with that Bruce needs to call me urgently, on Registrar Constituency business.

Next, put a call into the Washington Post. They lost the use of the name "washpost.com", which all their internal email used, due to expiry, so their internal mail went "dark" for several hours. This was haha funny during the primary season (Feb 6). If they don't get it try the NYTimes. Put the problem on record. There is an elephant in the room.

The elephant is that the existing regime is organized around protecting the IPR lobby from bogeymen of their own invention. They invented the theory that trademark.tld (and trademark.co.cctld) existence dilutes the value of the trademark, hence names-are-marks, bringing many happy dollars (10^^6 buys) into the registrar/registry system ($29-or-less/$6, resp., per gtld and some cctlds), and retarding new "gTLD" introductions, as each costs the IPR interests an additional $35 million annually.

To solve their division of spoils problem (is "united.com" UAL or is it UA?), we had DRPs, which is now a UDRP, and more DRPs for lots of cctlds.

These [U]DRPs take many, many, many, many units of 24x7. They were invented for the happy IPR campers, who care about _title_, not _function_. If the net went dark that would be fine with them too, so long as the right owners owned the right names.

Restated, there is no applicable (as in "useful for a 24x7 no downtime claimant") law in the ICANN jurisdiction.

And it is your own damn fault. Cooking up the DRPs took years of work by the concerned interests, and they were more concerned with enduring legal title than momentary loss of possession. During those years, interest in the DNSO side of ICANN by network operators went from some to zero, and at the Montevideo meeting the ISP and Business constituencies were so small they met in a small room and only half the seats were taken. After that point they were effectively merged. IMHO, Marilyn Cade and Phillipe Shepard are the ISP/B Constituency, and they can't hear you (for all 24x7 operational values of "you").

In case it isn't obvious, the "your own damn fault" refers to a much larger class of "you" than Alexis Rosen.

[Oh, the same happy campers are why :43 is broken. They want perfect data at no cost and w/o restriction. Registrars don't want slamming, today's owie, and registrants don't want spam (which some ISPs do), so the whole :43 issue is a trainwreck of non-operational interests overriding operational interests. Registrars would be happy to pump :43 data to operators, if we could manage the abuse; instead we get knuckleheads who insist that spam would be solved forever if ...]

There is a fundamental choice of jurisdictions question. Is ICANN the correct venue for adjudication, or is there another venue? This is what recourse to the "ask a real person" mechanism assumes, that talking to a human being is the better choice.

Bill made this comment:
Since folks have been working on this for hours, and according to posts on NANOG, both MelbourneIT and Verisign refuse to do anything for days or weeks, would it be a good time to take drastic action?
Think of what we'd do about a larger ISP, or the Well, or really any serious financial target.
Think of the damage from harvesting logins and mail passwords of panix users.
You (collectively) are another venue. When the SiteFinder patch was broadly adopted to work around a change made at one of the registries, you (collectively) were replacing ICANN as the regulatory body. ICANN took weeks to arrive at a conclusion about that change, then endorsed that patch to the deployed DNS, while deprecating incoherence in the DNS.

[I spent 5 minutes at the Rome Registrar Constituency meeting chewing Vint Cerf and Paul Twomey in front of about 100 registrars and back benchers for taking many, many, many, many units of 24x7 to arrive at the conclusion that breakage, or "surprise", in .com was not a good thing.]

There is a stability of the internet issue. An ISP's user names and their passwords are compromised by VGRS, MIT, DOTSTER, and PANIX all following the controlling authority -- the ICANN disputed transfer process. It isn't MCI or AOL or ... and if it were a bank it might not be Bank of America ... and if it were a newspaper it might not be the WaPo. But if size defines the class of protected businesses under the controlling jurisdiction [1], then Panix's core problem is that it isn't AOL or MSN or the ISP side of a RBOC.

I'd be nervous if I were Alexis. Not enough people are running their cups on the bars to get the attention of the wardens.

Eric <registrar_hat="on"/>

[1] In the US FCC space, the 3-2 decision mid-last month on CLEC access to unbundled UNE is a "size defines the class of protected businesses" policy decision. As one of the two dissenting Commissioners noted, it means the end of the 1996 Act.
On Sun, 16 Jan 2005, Eric Brunner-Williams in Portland Maine wrote:

One could almost think this hijack was timed to the release of the ICANN "Requests Public Comments on Experiences with Inter-Registrar Transfer Policy" from Jan 12: http://www.icann.org/announcements/announcement-12jan05.htm

-Hank
On 16.01 16:34, Hank Nussbacher wrote:
On Sun, 16 Jan 2005, Eric Brunner-Williams in Portland Maine wrote:
One could almost think this hijack was timed to the release of the ICANN "Requests Public Comments on Experiences with Inter-Registrar Transfer Policy" from Jan 12: http://www.icann.org/announcements/announcement-12jan05.htm
Bingo!
Bingo!

Part forgotten earlier: http://forum.icann.org/lists/transfer-comments-b/msg00000.html
--On Sunday, January 16, 2005 07:40 +0000 Thor Lancelot Simon <tls@NetBSD.org> wrote:
The purported current admin contact appears to be a couple in Las Vegas who are probably the victims of a joe job. A little searching will reveal that people by that name really *do* live at the address given, and that one of the phone numbers given is a slightly obfuscated form of a Las Vegas number that either now or in the recent past belonged to one of them.
As a sort of aside, the other phone numbers referenced there are Nampa, ID wireless cells... AT&T Wireless I believe. A quick check on nanpa.com agrees with that. It's possible those numbers might be far more interesting since they stand out. *shrugs*
participants (11):
- Alexei Roudnev
- Daniel Karrenberg
- Eric Brunner-Williams in Portland Maine
- Hank Nussbacher
- Michael Loftis
- Paul G
- Petra Zeidler
- Scott Morris
- Sean Donelan
- Thor Lancelot Simon
- William Allen Simpson