Association of Trustworthy Roots?
While the Association of Trustworthy ISPs idea has some merit, we've not been too successful in self-organizing lately. ISP/C? At the moment, I'm concerned whether we have trustworthy TLD operators. It's been about 24 hours, it is well-known that the domain has been hijacked, we've heard directly from the domain owner and operator, but the TLD servers are still pointing to the hijacker. -- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
It isn't just that the root operators are silent. On the registrar's list there has been only five items on the subject. 1 Mark Jeftovic (easydns) who is on NANOG, copying the RC list. 2 Ross Rader (tucows) who is not, blowing it off, no delta between authoritative and caching servers 3 Mark asking Ross if he's had coffee yet, and yes delta between authoritative and caching servers 4 Ross, yes he's had two cups and NANOG is a ton of mindless conjecture and pretty silly 5 Mark replies with panix.net's motd and ssl alert That's it. On the registry mailing list ... well, I'm not on the registry constituency mailing list, I haven't been since I left NeuStar and .biz and .us (urk) and .cn (fun), so I don't know, but my guess is the answer is somewhere near zero. How about the IPC mailing list ... well, I never could get a group of indigenous IPR experts admitted to the ICANN IPC, so since the Berlin meeting I've not been on the IPC list, but again, knowing the actors as people, I'm going to buy an integer between -1 and +1. So, after IPC and Registries and Registrars, where would anyone expect to find a policy interest in the area, since ISP/C is wicked dead? Eric
It isn't just that the root operators are silent.
wrt the panix debacle, why wouldn't the root operators have been silent? the root zone was continuously available from all published servers with excellent rtt, no measurable congestion, no inconsistencies, and up-to-date serial numbers. under those conditions, root operators will be silent. -- Paul Vixie
Paul, I ment to refer to the registry operator who operates the constellation of nameservers for the .com zone, and wrote something else. I'm going to press my red ears (both) to the copious available ice. Eric
wsimpson@greendragon.com (William Allen Simpson) wrote:
While the Association of Trustworthy ISPs idea has some merit, we've not been too successful in self-organizing lately. ISP/C?
I thought we already had built such a thing, currently covered by ICANN. But well...life changes everything, and for some (or many) or us, this association doesn't seem so trustworthy anymore. Maybe it would be better to improve trustworthiness of the existing authorities. I believe there is still much room for participation, not to mention political issues you simply cannot counter on a technical level.
At the moment, I'm concerned whether we have trustworthy TLD operators.
One can never know what's going on behind the scenes. Maybe Verysign is on the issue, maybe not. I believe, there are at least three VS people on this list who could address this. I don't know whether they are allowed to.
It's been about 24 hours, it is well-known that the domain has been hijacked, we've heard directly from the domain owner and operator, but the TLD servers are still pointing to the hijacker.
By chance - how is the press coverage of this incident? Has anybody read anything in the (online) papers? Unfortunately I haven't been able to follow the newsboards intensely this week-end, but Germany seems very quiet about this. Yours, Elmar.
On Jan 16, 2005, at 3:31 PM, Elmar K. Bins wrote:
By chance - how is the press coverage of this incident? Has anybody read anything in the (online) papers? Unfortunately I haven't been able to follow the newsboards intensely this week-end, but Germany seems very quiet about this.
Nothing in the offline papers, but panix.com does appear once in print as the email home of business journalist and Newsweek "Wall Street" editor Allan Sloan, whose unflattering article about Cheney-Halliburton-asbestos appeared in the Washington Post on January 11. The article is here: http://www.washingtonpost.com/wp-dyn/articles/A64535-2005Jan10.html TV
On Sun, 2005-01-16 at 13:31, Elmar K. Bins wrote:
By chance - how is the press coverage of this incident? Has anybody read anything in the (online) papers? Unfortunately I haven't been able to follow the newsboards intensely this week-end, but Germany seems very quiet about this.
Yours, Elmar.
slashdot has mentioned it, with lots of quotes from the NANOG list: http://it.slashdot.org/it/05/01/16/0027213.shtml?tid=95&tid=172&tid=17 -- James H. Edwards Routing and Security Administrator At the Santa Fe Office: Internet at Cyber Mesa jamesh@cybermesa.com noc@cybermesa.com (505) 795-7101
Nothing like staying on the subject.... That's way I started a new thread. Let's keep this separate, please. James Edwards wrote:
On Sun, 2005-01-16 at 13:31, Elmar K. Bins wrote:
By chance - how is the press coverage of this incident? Has anybody read anything in the (online) papers? Unfortunately I haven't been able to follow the newsboards intensely this week-end, but Germany seems very quiet about this.
Yours, Elmar.
slashdot has mentioned it, with lots of quotes from the NANOG list:
http://it.slashdot.org/it/05/01/16/0027213.shtml?tid=95&tid=172&tid=17
http://news.com.com/ISP+fights+for+return+of+hijacked+domain/2100-1025_3-553... -- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
----- Original Message ----- From: "William Allen Simpson" <wsimpson@greendragon.com> To: "North American Network Operators Group" <nanog@merit.edu> Sent: Sunday, January 16, 2005 4:33 PM Subject: panix hijack press
Nothing like staying on the subject.... That's way I started a new thread. Let's keep this separate, please.
i sent in a hastily worded summary with some quotes from the list to theregister.com/co.uk. ime, a lot of print media use them to source stories. with any luck, we'll see it up there tomorrow. -p --- paul galynin
http://www.theregister.co.uk/2005/01/19/panix_hijack_more/ Panix.com hijack: Aussie firm shoulders blame By Lucy Sherriff Published Wednesday 19th January 2005 16:49 GMT An Australian domain registrar has admitted to its part in last weekend's domain name hijack. of a New York ISP. Melbourne IT says it failed to properly confirm a transfer request for the Panix.com domain. Ed Ravin, a Panix system administrator, says the Melbourne IT error enabled fraudsters using stolen credit cards to assume control of the domain. Thousands of Panix.com customers lost email access for the duration of the occupation, and many emails will never be recovered. The mistake was compounded by the unavailability of Melbourne IT staff over the weekend - the company rectified its mistake late on Sunday evening, US time. Speaking to ComputerWorld Ravin said he was unable to contact anyone in support at Melbourne IT until the company's offices opened on Monday morning. Bruce Tonkin, Melbourne IT's CTO, offered the following explanation: "In the case of Panix.com, evidence so far indicates that a third party that holds an account with a reseller [UK based Fibranet] of Melbourne IT, fraudulently initiated the transfer. The third party appears to have used stolen credit cards to establish this account and pay for the transfer. That reseller is analysing its logs and cooperating with law enforcement." A loophole that allowed the error, that caused the problem has now been closed, he added. The roots of the affair lie in new rules governing the transfer of domain name ownership. These rules, which came into effect last November, mean that inter-registry transfer requests are automatically approved after five days unless countermanded by the owner of a domain. When ICANN proposed the new procedures, many in the industry warned that as well as making it easier to move domains around, the change would make it easier for people to hijack domains. Network Solutions, for example, took the precautionary step of locking all its customers' domains. Panix.com says its domain name was locked, and that despite this, it was still transferred. ®
On Wed, 2005-01-19 at 15:51 -0800, Dan Hollis wrote:
On Wed, 19 Jan 2005, Darrell Greenwood wrote:
customers' domains. Panix.com says its domain name was locked, and that despite this, it was still transferred. ®
I seem to recall someone saying it wasnt locked, now theyre saying it was?
-Dan
panix claims it was locked but I dont think it was. Like was mentioned they locked there other domains after panix.com was taken over. Why would they just lock one domain?
Thornton wrote:
On Wed, 2005-01-19 at 15:51 -0800, Dan Hollis wrote:
On Wed, 19 Jan 2005, Darrell Greenwood wrote:
customers' domains. Panix.com says its domain name was locked, and that despite this, it was still transferred. ®
I seem to recall someone saying it wasnt locked, now theyre saying it was?
panix claims it was locked but I dont think it was. Like was mentioned they locked there other domains after panix.com was taken over. Why would they just lock one domain?
Upon what verifiable facts do you base your endless speculation? (1) Stop blaming the victim! (2) Registrants can't "lock" domains, it's a registrar-lock. Users can only ask that domains be locked. Stupid policy, bad results. (3) This is a red-herring issue anyway, since there is no evidence that Mel-IT ever sent notification, or even waited 5 days for a response. The domain was hijacked in the middle of the night, in the middle of a weekend -- a very odd time for confirming responses by a staff that wasn't in the office answering the phones.... (4) Mel-IT has admitted it "failed to properly confirm", and a "loophole" caused the error. (5) Mel-IT has an executive and a lawyer that were both notified about the problem, and refused to mitigate the damage. (6) Stop blaming the victim! -- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
On Wed, 19 Jan 2005, William Allen Simpson wrote:
(2) Registrants can't "lock" domains, it's a registrar-lock. Users can only ask that domains be locked. Stupid policy, bad results.
This is not correct, prior to the new policy many registrars were already putting control over the regsitrar-lock directly into the registrants' hands and under the new policy if the registrar employs it they must provide access to the registrant. It's just called a registrar-lock to differentiate it from the registry-lock, basically to describe at what level the lock is set. -mark -- Mark Jeftovic <markjr@easydns.com> Co-founder, easyDNS Technologies Inc. ph. +1-(416)-535-8672 ext 225 fx. +1-(416)-535-0237
Mark Jeftovic wrote:
On Wed, 19 Jan 2005, William Allen Simpson wrote:
(2) Registrants can't "lock" domains, it's a registrar-lock. Users can only ask that domains be locked. Stupid policy, bad results.
.... under the new policy if the registrar employs it they must provide access to the registrant.
I stand corrected (although I cannot find it actually _in_ the policy); it's good to learn something new every day. However, that still looks to me like "Users can only ask that domains be locked." Unless you are claiming that users can send the lock request directly to the registry, and monitor its status. Thornton wrote:
i dont think anyone is blaming the victim...what evidence do you have to support the domain being locked?
I repeat, the domain locking red-herring has absolutely nothing to do with this domain hijacking. Gosh officer, if she'd only had a big padlock on her purse, I wouldn't have stolen it. Gosh judge, if she'd only worn running shoes instead of those sexy high heels, I couldn't catch and rape her; the shoes made me do it. Stop blaming the victim!
a user can lock a domain..they can login to the control panel for there registrar and select registrar lock, registrar-lock, or lock and i am sure there are other registrars that word it even differently. once you select that it effectively locks your domain so it cant be transfered.
Not that I've ever noticed. Are you actually a network operator anywhere? Are you even _in_ North America? Your email isn't.... But then, the domain locking red-herring has absolutely nothing to do with this domain hijacking. Stop blaming the victim! -- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
William Allen Simpson wrote:
Not that I've ever noticed. Are you actually a network operator anywhere? Are you even _in_ North America? Your email isn't....
To correct my own post, I saw Au, and assumed a shill for Mel-IT. But it's Az, which is Arizona (still in North America this year). My question about actually operating a network still stands. -- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
On Thu, 2005-01-20 at 00:49 -0500, William Allen Simpson wrote:
William Allen Simpson wrote:
Not that I've ever noticed. Are you actually a network operator anywhere? Are you even _in_ North America? Your email isn't....
To correct my own post, I saw Au, and assumed a shill for Mel-IT.
But it's Az, which is Arizona (still in North America this year). My question about actually operating a network still stands.
Thats good..had me thinking..I'm not in North America..what...haha and since it isn't really relevant..short answer is yes...and no that isn't yes i am not in north America :-)
on 1/19/05 9:14 PM, William Allen Simpson at wsimpson@greendragon.com wrote:
However, that still looks to me like "Users can only ask that domains be locked." Unless you are claiming that users can send the lock request directly to the registry, and monitor its status.
William, as a registrar operator I am certain that Mark Jeftovic knows more about this subject than I do, but I do not believe that there is any generally recognized mechanism for an individual domain holder to directly request that the .com registry lock his domain. However, all domain holders can directly monitor the status of their domain using the .com registry's whois server - including whether or not their domain has a status of registrar-lock. They do not have to rely on their registrar to tell them if their domain is locked or not.
I repeat, the domain locking red-herring has absolutely nothing to do with this domain hijacking.
I don't think registrar-lock is a red-herring. In the wake of the panix.com hijack holders of domain names are naturally going to want to know what they can do to prevent something similar happening to them. The ability to request registrar-lock is one the few defenses domain holders have. If the panix.com domain had indeed been in registar-lock at the time the transfer took place then domain holders would have had every right to be concerned that their own locked domains could fall victim to a similar hijack. The fact that panix.com was not in registar-lock at the time of the hijack provides a little comfort to those worried about a hijack of their own domains.
Gosh officer, if she'd only had a big padlock on her purse, I wouldn't have stolen it.
Gosh judge, if she'd only worn running shoes instead of those sexy high heels, I couldn't catch and rape her; the shoes made me do it.
Stop blaming the victim!
I haven't seen anyone on NANOG claim that Panix is not a victim. Clearly a serious error occurred in the process Melbourne IT uses to authenticate transfers. However, your analogies seem unnecessarily inflammatory. Another analogy might be to describe Panix as a bank. If a bank's vault is robbed the bank is certainly the victim of a crime. If my valuables are secured in a similar bank across town, I might be concerned that the robbers will hit my bank next and steal my valuables, particularly if my bank used the same style of vault. Once learning that the first bank hadn't installed a door on their vault might be somewhat comforting if I check my own bank and see that it has a secure vault door. However, a customer of the first bank might well be upset at the loss of his valuables if he discovered that his bank's vault did not have a door - and it would not be surprising if he was not entirely satisfied if the bank responded by saying "we asked our vault vendor to install a door." -Richard
Apparently, some folks just don't get it.... Richard Parker wrote:
... However, all domain holders can directly monitor the status of their domain using the .com registry's whois server - including whether or not their domain has a status of registrar-lock. They do not have to rely on their registrar to tell them if their domain is locked or not.
Now let's get this straight. You think that ISPs in general need to assign staff to monitor the lock status of the hundreds or thousands of registered domains of our subscribers. Or that the subscribers, who typically aren't even on the whois contacts list, should be monitoring the lock status, of which they probably don't know (nor care) exists? What are you smoking? The whole locking mechanism was a poor design from the beginning. It's opt-out. And we all are so fond of opt-out schemes, eh?
I don't think registrar-lock is a red-herring. In the wake of the panix.com hijack holders of domain names are naturally going to want to know what they can do to prevent something similar happening to them. The ability to request registrar-lock is one the few defenses domain holders have.
Huh? What you are saying is maybe panix.com isn't "at fault" because they had requested (or expected) registrar-lock, but they are "at fault" because their registrar didn't properly lock it? Or "at fault" because they didn't monitor the lock? Stop blaming the victim! The registrar-lock isn't a defense for the domain holder. Not one iota. It was designed as a defense for the registrar. And the registrar in this case is a victim as much as the domain holder. Stop blaming the victim!
I haven't seen anyone on NANOG claim that Panix is not a victim. Clearly a serious error occurred in the process Melbourne IT uses to authenticate transfers. However, your analogies seem unnecessarily inflammatory.
Sometimes folks such as yourself need to be educated in clear, unambigous terms that relate to life. And yet the lesson still hasn't taken hold:
Another analogy might be to describe Panix as a bank.
An analogy that is pretty far off, since the "bank" in this case would be the REGISTRAR, not Panix. And the registrar in this case is a victim as much as the domain holder. Stop blaming the victim! A personal responder wrote:
On Wed, Jan 19, 2005 at 09:35:21PM -0500, William Allen Simpson wrote:
(6) Stop blaming the victim!
Well, in this case, it appears that the victim is saying that it had taken precautions... and I concur with whomever it was who said that if the lock date on all their other domains is post-incident, that's pretty strong circumstantial evidence that they hadn't requested a lock (which is what we *mean* when we say "customer locked that domain", so kindly leggo that red herring).
You concur, without checking, and have no idea "whomever it was" that speculated, nor how many domains are administered by panix or dotster? You mean the REGISTRAR didn't lock the domain. But the registrar in this case is a victim as much as the domain holder. Stop blaming the victim!
So all we're *really* annoyed about here is that Bruce stepped up to the plate, but Alexis (*reportedly*) won't. IMHO.
Huh? I've seen no such reports. On what do you base your speculation? The only report that I've seen clearly says (Thu, 20 Jan 2005 16:56:41 +1100 quoting Sat, 8 Jan 2005 20:40:34 -0500): (1) you have obtained the requisite authorization from the domain name registrant listed in the database of the Current Registrar, NO. Obviously not. and (2) you have retained a copy of reliable evidence of the authorization. NO. Nothing described here. Indeed, as for Mel-IT stepping up to the plate, we've seen only contrary evidence here. Sure Bruce seems to be a nice guy. So what? His staff wasn't responding to phone calls. His boss wasn't responding, either. His lawyer was actively hostile. Looks to me like Alexis is the one that got screwed. Certainly spent a lot of time at the plate, many many hours! So, let's go back to basics: - If you leave your house unlocked, the thief still goes to jail. - If you leave your car unlocked and the engine running, the thief still goes to jail. - If your bank leaves its doors unlocked and the safe open and all the employees go to lunch, the thief still goes to jail. Stop blaming the victim! -- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
Ok. I think at this point we all know there are problems with the domain transfer process. I suspect we can further agree that, as with many serious problems, there were probably multiple contributing factors here. I'd like to suggest that getting into a public screaming match or trying to establish fault probably won't do anything useful, or at the very least would be more productive if done in a court rather than on the NANOG list. What might be more useful would be for those of you with a lot of time to spend on this issue to come up with proposals for fixing or better documentng the system, so that it will be more obvious how to avoid problems like this in the future. -Steve On Thu, 20 Jan 2005, William Allen Simpson wrote:
Apparently, some folks just don't get it....
Richard Parker wrote:
... However, all domain holders can directly monitor the status of their domain using the .com registry's whois server - including whether or not their domain has a status of registrar-lock. They do not have to rely on their registrar to tell them if their domain is locked or not.
Now let's get this straight. You think that ISPs in general need to assign staff to monitor the lock status of the hundreds or thousands of registered domains of our subscribers.
Or that the subscribers, who typically aren't even on the whois contacts list, should be monitoring the lock status, of which they probably don't know (nor care) exists?
What are you smoking?
The whole locking mechanism was a poor design from the beginning.
It's opt-out. And we all are so fond of opt-out schemes, eh?
I don't think registrar-lock is a red-herring. In the wake of the panix.com hijack holders of domain names are naturally going to want to know what they can do to prevent something similar happening to them. The ability to request registrar-lock is one the few defenses domain holders have.
Huh? What you are saying is maybe panix.com isn't "at fault" because they had requested (or expected) registrar-lock, but they are "at fault" because their registrar didn't properly lock it? Or "at fault" because they didn't monitor the lock?
Stop blaming the victim!
The registrar-lock isn't a defense for the domain holder. Not one iota. It was designed as a defense for the registrar.
And the registrar in this case is a victim as much as the domain holder.
Stop blaming the victim!
I haven't seen anyone on NANOG claim that Panix is not a victim. Clearly a serious error occurred in the process Melbourne IT uses to authenticate transfers. However, your analogies seem unnecessarily inflammatory.
Sometimes folks such as yourself need to be educated in clear, unambigous terms that relate to life. And yet the lesson still hasn't taken hold:
Another analogy might be to describe Panix as a bank.
An analogy that is pretty far off, since the "bank" in this case would be the REGISTRAR, not Panix.
And the registrar in this case is a victim as much as the domain holder.
Stop blaming the victim!
A personal responder wrote:
On Wed, Jan 19, 2005 at 09:35:21PM -0500, William Allen Simpson wrote:
(6) Stop blaming the victim!
Well, in this case, it appears that the victim is saying that it had taken precautions... and I concur with whomever it was who said that if the lock date on all their other domains is post-incident, that's pretty strong circumstantial evidence that they hadn't requested a lock (which is what we *mean* when we say "customer locked that domain", so kindly leggo that red herring).
You concur, without checking, and have no idea "whomever it was" that speculated, nor how many domains are administered by panix or dotster?
You mean the REGISTRAR didn't lock the domain.
But the registrar in this case is a victim as much as the domain holder.
Stop blaming the victim!
So all we're *really* annoyed about here is that Bruce stepped up to the plate, but Alexis (*reportedly*) won't. IMHO.
Huh? I've seen no such reports. On what do you base your speculation?
The only report that I've seen clearly says (Thu, 20 Jan 2005 16:56:41 +1100 quoting Sat, 8 Jan 2005 20:40:34 -0500):
(1) you have obtained the requisite authorization from the domain name registrant listed in the database of the Current Registrar,
NO. Obviously not.
and (2) you have retained a copy of reliable evidence of the authorization.
NO. Nothing described here.
Indeed, as for Mel-IT stepping up to the plate, we've seen only contrary evidence here.
Sure Bruce seems to be a nice guy. So what? His staff wasn't responding to phone calls. His boss wasn't responding, either. His lawyer was actively hostile.
Looks to me like Alexis is the one that got screwed. Certainly spent a lot of time at the plate, many many hours!
So, let's go back to basics:
- If you leave your house unlocked, the thief still goes to jail.
- If you leave your car unlocked and the engine running, the thief still goes to jail.
- If your bank leaves its doors unlocked and the safe open and all the employees go to lunch, the thief still goes to jail.
Stop blaming the victim!
-- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
Upon what verifiable facts do you base your endless speculation?
(1) Stop blaming the victim!
(2) Registrants can't "lock" domains, it's a registrar-lock. Users can only ask that domains be locked. Stupid policy, bad results.
(3) This is a red-herring issue anyway, since there is no evidence that Mel-IT ever sent notification, or even waited 5 days for a response. The domain was hijacked in the middle of the night, in the middle of a weekend -- a very odd time for confirming responses by a staff that wasn't in the office answering the phones....
(4) Mel-IT has admitted it "failed to properly confirm", and a "loophole" caused the error.
(5) Mel-IT has an executive and a lawyer that were both notified about the problem, and refused to mitigate the damage.
(6) Stop blaming the victim!
i dont think anyone is blaming the victim...what evidence do you have to support the domain being locked? a user can lock a domain..they can login to the control panel for there registrar and select registrar lock, registrar-lock, or lock and i am sure there are other registrars that word it even differently. once you select that it effectively locks your domain so it cant be transfered.
Thornton wrote:
a user can lock a domain..they can login to the control panel for there registrar and select registrar lock, registrar-lock, or lock and i am sure there are other registrars that word it even differently. once you select that it effectively locks your domain so it cant be transfered.
Erm... please tell me where GANDI does this?... I'd love to know.... (I'm sure there are others without locking facilities as well) Regards, Mat (and I am aware that locking was available to panix.com)
Speaking on Deep Background, the Press Secretary whispered:
(1) Stop blaming the victim!
To me, as big an issue as the original FUBAR is the alleged/reported failure of both MelIT and VGRS to respond and attempt to lessen the damage they had helped cause. I'm no lawyer, but believe under US laws such failure to mitigate is a factor in civil judgements -- if you choose to {say} just stand there and look stoopid rather than call 911 after you knock over the propane torch and start the house on fire.... Add to the mix the detail that Verisign is paying a LARGE settlement out on a past infamous theft....and you'd think they'd Buy Some Clue... -- A host is a host from coast to coast.................wb8foz@nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433
On 16 Jan 2005 at 21:31, Elmar K. Bins wrote:
wsimpson@greendragon.com (William Allen Simpson) wrote:
While the Association of Trustworthy ISPs idea has some merit, we've not been too successful in self-organizing lately. ISP/C?
I thought we already had built such a thing, currently covered by ICANN.
let's think outside the box. there's no reason that nanog (or anyone willing to run a mailing list) couldn't create an ad hoc decentralized Trustworthy ISP/Root service. heck, such a thing may even encourage more active participation in nanog. having a shared group identity where the rubber meets the road is very powerful. it's the underlying motivator behind the nanog, xBSD, GPL, torrent, tor, (pick your non- hierarchical community driven project), etc. clans. there's also no reason that this has to replace ICANN. and it would likely have the exact result on existing entities that you mention below - improved trustworthiness. peace
But well...life changes everything, and for some (or many) or us, this association doesn't seem so trustworthy anymore. Maybe it would be better to improve trustworthiness of the existing authorities. I believe there is still much room for participation, not to mention political issues you simply cannot counter on a technical level.
At the moment, I'm concerned whether we have trustworthy TLD operators.
One can never know what's going on behind the scenes. Maybe Verysign is on the issue, maybe not. I believe, there are at least three VS people on this list who could address this. I don't know whether they are allowed to.
It's been about 24 hours, it is well-known that the domain has been hijacked, we've heard directly from the domain owner and operator, but the TLD servers are still pointing to the hijacker.
By chance - how is the press coverage of this incident? Has anybody read anything in the (online) papers? Unfortunately I haven't been able to follow the newsboards intensely this week-end, but Germany seems very quiet about this.
Yours, Elmar.
See http://www.public-root.com for an alternative to the ICANN monopoly. Those folks are very concerned with security. ----- Original Message ----- From: <gnulinux@pacinfo.com> To: <nanog@merit.edu> Sent: Sunday, January 16, 2005 3:45 PM Subject: Re: Association of Trustworthy Roots?
On 16 Jan 2005 at 21:31, Elmar K. Bins wrote:
wsimpson@greendragon.com (William Allen Simpson) wrote:
While the Association of Trustworthy ISPs idea has some merit, we've not been too successful in self-organizing lately. ISP/C?
I thought we already had built such a thing, currently covered by ICANN.
let's think outside the box.
there's no reason that nanog (or anyone willing to run a mailing list) couldn't create an ad hoc decentralized Trustworthy ISP/Root service. heck, such a thing may even encourage more active participation in nanog. having a shared group identity where the rubber meets the road is very powerful. it's the underlying motivator behind the nanog, xBSD, GPL, torrent, tor, (pick your non- hierarchical community driven project), etc. clans.
there's also no reason that this has to replace ICANN. and it would likely have the exact result on existing entities that you mention below - improved trustworthiness.
peace
But well...life changes everything, and for some (or many) or us, this association doesn't seem so trustworthy anymore. Maybe it would be better to improve trustworthiness of the existing authorities. I believe there is still much room for participation, not to mention political issues you simply cannot counter on a technical level.
At the moment, I'm concerned whether we have trustworthy TLD operators.
One can never know what's going on behind the scenes. Maybe Verysign is on the issue, maybe not. I believe, there are at least three VS people on this list who could address this. I don't know whether they are allowed to.
It's been about 24 hours, it is well-known that the domain has been hijacked, we've heard directly from the domain owner and operator, but the TLD servers are still pointing to the hijacker.
By chance - how is the press coverage of this incident? Has anybody read anything in the (online) papers? Unfortunately I haven't been able to follow the newsboards intensely this week-end, but Germany seems very quiet about this.
Yours, Elmar.
On 16 Jan 2005 at 15:52, John Palmer (NANOG Acct) wrote:
See http://www.public-root.com for an alternative to the ICANN monopoly. Those folks are very concerned with security.
these folks don't seem very decentralized. do you know if they have a public mailing list? there doesn't seem to be much information on the website.
----- Original Message ----- From: <gnulinux@pacinfo.com> To: <nanog@merit.edu> Sent: Sunday, January 16, 2005 3:45 PM Subject: Re: Association of Trustworthy Roots?
On 16 Jan 2005 at 21:31, Elmar K. Bins wrote:
wsimpson@greendragon.com (William Allen Simpson) wrote:
While the Association of Trustworthy ISPs idea has some merit, we've not been too successful in self-organizing lately. ISP/C?
I thought we already had built such a thing, currently covered by ICANN.
let's think outside the box.
there's no reason that nanog (or anyone willing to run a mailing list) couldn't create an ad hoc decentralized Trustworthy ISP/Root service. heck, such a thing may even encourage more active participation in nanog. having a shared group identity where the rubber meets the road is very powerful. it's the underlying motivator behind the nanog, xBSD, GPL, torrent, tor, (pick your non- hierarchical community driven project), etc. clans.
there's also no reason that this has to replace ICANN. and it would likely have the exact result on existing entities that you mention below - improved trustworthiness.
peace
But well...life changes everything, and for some (or many) or us, this association doesn't seem so trustworthy anymore. Maybe it would be better to improve trustworthiness of the existing authorities. I believe there is still much room for participation, not to mention political issues you simply cannot counter on a technical level.
At the moment, I'm concerned whether we have trustworthy TLD operators.
One can never know what's going on behind the scenes. Maybe Verysign is on the issue, maybe not. I believe, there are at least three VS people on this list who could address this. I don't know whether they are allowed to.
It's been about 24 hours, it is well-known that the domain has been hijacked, we've heard directly from the domain owner and operator, but the TLD servers are still pointing to the hijacker.
By chance - how is the press coverage of this incident? Has anybody read anything in the (online) papers? Unfortunately I haven't been able to follow the newsboards intensely this week-end, but Germany seems very quiet about this.
Yours, Elmar.
They don't have a mailing list that is public yet. Might be a good suggestion. ----- Original Message ----- From: <gnulinux@pacinfo.com> To: <nanog@merit.edu> Sent: Sunday, January 16, 2005 5:35 PM Subject: Re: Association of Trustworthy Roots?
On 16 Jan 2005 at 15:52, John Palmer (NANOG Acct) wrote:
See http://www.public-root.com for an alternative to the ICANN monopoly. Those folks are very concerned with security.
these folks don't seem very decentralized. do you know if they have a public mailing list? there doesn't seem to be much information on the website.
----- Original Message ----- From: <gnulinux@pacinfo.com> To: <nanog@merit.edu> Sent: Sunday, January 16, 2005 3:45 PM Subject: Re: Association of Trustworthy Roots?
On 16 Jan 2005 at 21:31, Elmar K. Bins wrote:
wsimpson@greendragon.com (William Allen Simpson) wrote:
While the Association of Trustworthy ISPs idea has some merit, we've not been too successful in self-organizing lately. ISP/C?
I thought we already had built such a thing, currently covered by ICANN.
let's think outside the box.
there's no reason that nanog (or anyone willing to run a mailing list) couldn't create an ad hoc decentralized Trustworthy ISP/Root service. heck, such a thing may even encourage more active participation in nanog. having a shared group identity where the rubber meets the road is very powerful. it's the underlying motivator behind the nanog, xBSD, GPL, torrent, tor, (pick your non- hierarchical community driven project), etc. clans.
there's also no reason that this has to replace ICANN. and it would likely have the exact result on existing entities that you mention below - improved trustworthiness.
peace
But well...life changes everything, and for some (or many) or us, this association doesn't seem so trustworthy anymore. Maybe it would be better to improve trustworthiness of the existing authorities. I believe there is still much room for participation, not to mention political issues you simply cannot counter on a technical level.
At the moment, I'm concerned whether we have trustworthy TLD operators.
One can never know what's going on behind the scenes. Maybe Verysign is on the issue, maybe not. I believe, there are at least three VS people on this list who could address this. I don't know whether they are allowed to.
It's been about 24 hours, it is well-known that the domain has been hijacked, we've heard directly from the domain owner and operator, but the TLD servers are still pointing to the hijacker.
By chance - how is the press coverage of this incident? Has anybody read anything in the (online) papers? Unfortunately I haven't been able to follow the newsboards intensely this week-end, but Germany seems very quiet about this.
Yours, Elmar.
On Sun, 16 Jan 2005, John Palmer (NANOG Acct) wrote:
See http://www.public-root.com for an alternative to the ICANN monopoly. Those folks are very concerned with security.
Whee, AlterNIC take 7! In any case, these are *root* (".") servers, not gTLD (i.e., "com.") servers; they defer to ICANN for those. This wouldn't help one bit. -- -- Todd Vierling <tv@duh.org> <tv@pobox.com>
At 09:31 PM 16-01-05 +0100, Elmar K. Bins wrote:
By chance - how is the press coverage of this incident? Has anybody read anything in the (online) papers? Unfortunately I haven't been able to follow the newsboards intensely this week-end, but Germany seems very quiet about this.
The longest piece: <http://www.theage.com.au/news/Breaking/New-York-ISPs-domain-hijacked/2005/01/17/1105810810053.html> Also: http://news.zdnet.com/2100-9588_22-5538227.html -Hank
On Sun, 16 Jan 2005, William Allen Simpson wrote:
While the Association of Trustworthy ISPs idea has some merit, we've not been too successful in self-organizing lately. ISP/C?
At the moment, I'm concerned whether we have trustworthy TLD operators.
It's been about 24 hours, it is well-known that the domain has been hijacked, we've heard directly from the domain owner and operator, but the TLD servers are still pointing to the hijacker.
(this is kinda old since it seems the problem is being reversed, but...) It's possible that the process which exists today to move and un-move domains from registrar to registrar is in fact working. It's also possible that changing that process based on 'size of the abused' is not looked upon kindly by: 1) operators 2) icann 3) the world at large I'm not sure what's happening with Melbourne IT (is anyone aside from Mr Rosen and MIT?) I'm also not sure what's going on with Verisign, though I assume Mr. Rosen and MIT do... If the proper process was started then things look good, though unfortunately it may take some time to resolve the problem. That process/procedure is in place for a good reason, circumventing it will lead to problems in the long run. Do you circumvent for MS, for AOL, for ATT? At what point do you draw the line? My home business of pot painting? A process that is equally applied across the board serves all folks better. Fixing the current process to have faster, more complete reaction times would certainly seem in order (and I'd expect Mr Rosen and several others here to have something to say about that at the next ICANN meeting?). As to the percieved lack of progress by a Registrar, it does seem strange that ICANN/Verisign/Core (I'm not sure which of the three really) don't have some sort of 24/7 management, monitoring and operations requirements built into registrar contracts. Perhaps they do and this will be some leaverage to revoke that contract? -Chris
Chris, CORE was neither the losing nor the gaining registrar. Please acquire context. Eric IANA-439, and CORE-124
Once upon a time, Christopher L. Morrow <christopher.morrow@mci.com> said:
That process/procedure is in place for a good reason, circumventing it will lead to problems in the long run. Do you circumvent for MS, for AOL, for ATT? At what point do you draw the line? My home business of pot painting?
If the proper procedure was circumvented in the first place (which appears to be the case with panix.com), then it should be circumvented to repair the damage as fast as possible. -- Chris Adams <cmadams@hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
On Sun, 16 Jan 2005, Chris Adams wrote:
Once upon a time, Christopher L. Morrow <christopher.morrow@mci.com> said:
That process/procedure is in place for a good reason, circumventing it will lead to problems in the long run. Do you circumvent for MS, for AOL, for ATT? At what point do you draw the line? My home business of pot painting?
If the proper procedure was circumvented in the first place (which appears to be the case with panix.com), then it should be circumvented to repair the damage as fast as possible.
If it can be proven to have been cicumvented, sure. I don't think anything beyond conjecture about that has been said 'publicly' yet, has it?
Christopher L. Morrow wrote:
On Sun, 16 Jan 2005, Chris Adams wrote:
If the proper procedure was circumvented in the first place (which appears to be the case with panix.com), then it should be circumvented to repair the damage as fast as possible.
If it can be proven to have been cicumvented, sure. I don't think anything beyond conjecture about that has been said 'publicly' yet, has it?
Why yes, you must have missed the messages. The domain owner and ISP and registrar all clearly stated that they had received no notification, and had not approved the transfer. Notification and approval are required by the process. Therefore, it was proven to be circumvented. QED. Now, as to the actual mechanism of circumvention, that has not yet been revealed here. All we know is that a registry *supervisor* stopped the workers from finishing their investigation. Clearly, this .com registry operator is not trustworthy. -- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
On Sun, 16 Jan 2005, Christopher L. Morrow wrote:
assume Mr. Rosen and MIT do... If the proper process was started then things look good, though unfortunately it may take some time to resolve the problem. That process/procedure is in place for a good reason, circumventing it will lead to problems in the long run. Do you circumvent for MS, for AOL, for ATT? At what point do you draw the line? My home business of pot painting?
That's the asymmetric problem with identity theft. Companies seem to make it easier to steal the identity (24x7 transfers with 10 minute zone file updates) than to correct the theft (only open Monday-Friday, find the right department, fill out multiple forms, wait 2 weeks, etc). I agree rules and processes are important. Instead of calling it circumvention, I would call it a robust exception handling process. Both the intial process of protecting your identity, as well as the exception handling process in the event it is compromised, should be available for both my home domain as well as well-known companies like MS, AOL and AT&T. It should be as hard to steal my domain as it is to steal AOL.COM. Unfortunately, there is very little I can do to prevent a Registry/Registrar from giving my identity away without my permission.
Sean,
That's the asymmetric problem with identity theft. Companies seem to make it easier to steal the identity (24x7 transfers with 10 minute zone file updates) than to correct the theft (only open Monday-Friday, find the right department, fill out multiple forms, wait 2 weeks, etc).
That just makes it hard to do business period, you need to make it harder for a user to verify who they are. Such as a secret password and a faxed in authorization form or choose your level of security.
I agree rules and processes are important. Instead of calling it circumvention, I would call it a robust exception handling process. Both the intial process of protecting your identity, as well as the exception handling process in the event it is compromised, should be available for both my home domain as well as well-known companies like MS, AOL and AT&T. It should be as hard to steal my domain as it is to steal AOL.COM.
Yes, it should be equally as hard to steal your domain as it would be to steal AOL, MS, AT&T, MCI or any of the larger "world-wide traffic holders"
Unfortunately, there is very little I can do to prevent a Registry/Registrar from giving my identity away without my permission.
Theres alot you can do, you can always complain. More complaints to your registrar about security end up with alot more results. So try that out. -- Joshua Brady
On Sun, 16 Jan 2005, Sean Donelan wrote:
On Sun, 16 Jan 2005, Christopher L. Morrow wrote:
assume Mr. Rosen and MIT do... If the proper process was started then things look good, though unfortunately it may take some time to resolve the problem. That process/procedure is in place for a good reason, circumventing it will lead to problems in the long run. Do you circumvent for MS, for AOL, for ATT? At what point do you draw the line? My home business of pot painting?
I agree rules and processes are important. Instead of calling it circumvention, I would call it a robust exception handling process. Both the intial process of protecting your identity, as well as the exception handling process in the event it is compromised, should be available for both my home domain as well as well-known companies like MS, AOL and AT&T. It should be as hard to steal my domain as it is to steal AOL.COM.
Unfortunately, there is very little I can do to prevent a Registry/Registrar from giving my identity away without my permission.
So, more folks need to make the right noise at ICANN meetings about this policy.
--On 16 January 2005 15:18 -0500 William Allen Simpson <wsimpson@greendragon.com> wrote:
While the Association of Trustworthy ISPs idea has some merit, we've not been too successful in self-organizing lately. ISP/C?
At the moment, I'm concerned whether we have trustworthy TLD operators.
Please distinguish (as I'm sure you are, but the subject line and, it seems some replying aren't) between Root Servers on the one hand, and TLD operators and the policy controlling them on the other. You may or may not think Verisign as registry is blameless / disreputable and to blame for this incident. You may or may not think the gaining/losing registrars are blameless / disreputable for this incident. Tou may or may not think that ICANN gTLD policy is blameless / disreputable for this incident. What it has nothing to do with, however, is *root* policy (as in how the root servers are operated and what goes in them) - it's gTLD policy. There are plenty of things in the root other than gTLDs, and even policy variation for gTLDs. Arguing for alternative roots is recipe for chaos and less protection for existing registrants. Arguing for policy changes (or even operator changes) within the TLD you find fault with is fair game. To illustrate the point, .uk has (a) direct contracts between registry and registrant (even when registered through a registrar), and (b) registrar<->registar moves done by push (either by the losing registrar or failing that by the registrant) rather than by pull. I make no claim it is perfect, and am not even here going to argue it's superior. I will, however, argue that the failure modes are substantially different. Do not attempt to apply the same medicine to diverse illnesses! (more details at http://www.nominet.org.uk for those interested) Alex
You may or may not think Verisign as registry is blameless / disreputable and to blame for this incident.
There is causation for incoherence between the authoritative and non-authoritative nameservers for a particular data set.
You may or may not think the gaining/losing registrars are blameless / disreputable for this incident.
There is causation for provisioning state change triggers to the database used to construct a particular data set published by the authoritative nameservers for that particular data set.
Tou may or may not think that ICANN gTLD policy is blameless / disreputable for this incident.
There is causation for policy and mechanism that is articulated in end-to-end transactions between registrants, intermediate entities, and registries. These are not mutually exclusive. Blame and repute are secondary to the correct reconstructions of causations. Eric
participants (24)
-
Alex Bligh
-
Chris Adams
-
Christopher L. Morrow
-
Dan Hollis
-
Darrell Greenwood
-
David Lesher
-
Elmar K. Bins
-
Eric Brunner-Williams in Portland Maine
-
gnulinux@pacinfo.com
-
Hank Nussbacher
-
James Edwards
-
John Palmer (NANOG Acct)
-
Joshua Brady
-
Mark Jeftovic
-
Matthew Sullivan
-
Paul G
-
Paul Vixie
-
Richard Parker
-
Sean Donelan
-
Steve Gibbard
-
Thornton
-
Todd Vierling
-
Tom Vest
-
William Allen Simpson