the panix hijacking and icann's transfer policy

Harold Feld hfeld at MEDIAACCESS.ORG
Tue Jan 18 16:56:32 CET 2005


I would suggest that the Constituency send a formal request to ICANN to
make an inquiry into how this happened. We should circulate the request to
the other constituencies to see if they will join us in asking for such an
inquiry.

This is both intolerable and frightening.  Even if no one is at fault, it
is imperative for ICANN, as the organization charged with technical
stability of the Internet, to investigate what happened and determine
what, if anything, should be done to prevent recurrence.

Harold Feld

At 04:19 PM 1/17/2005, Frannie Wellings wrote:
>[Important:  "...As Panix offers shell access from anywhere, the
>person or people who hijacked could theoretically have collected the
>usernames and passwords of those who logged in during the period when
>the domain was hijacked..."  Still not a lot of news coverage about
>the Panix incident, but I thought this was quite a good article.]
>
>New York ISP's domain hijacked
>By Sam Varghese
>January 17, 2005
>http://www.theage.com.au/news/Breaking/New-York-ISPs-domain-hijacked/2005/01/17/1105810810053.html?oneclick=true
>
>The domain name of Panix, the oldest commercial internet service
>provider in New York, was hijacked on Friday evening US time and the
>company is in the process of recovering the same.
>
>In a statement on its website, the company said the ownership of
>panix.com was moved to a company in Australia, the actual DNS records
>were moved to a company in the United Kingdom, and panix.com's mail
>has been redirected to yet another company in Canada.
>
>The Australian company, MelbourneIT, "has reverted the domain back to
>us, and the global internet registry and domain name servers are now
>showing the correct information," Panix said.
>
>"However, due to the distributed nature of the internet domain name
>system, it will take four to 24 more hours before the false data from
>the hijacking expires and is discarded by the various name servers."
>
>As Panix offers shell access from anywhere, the person or people who
>hijacked could theoretically have collected the usernames and
>passwords of those who logged in during the period when the domain
>was hijacked, according to one post to the mailing list of the North
>American Network Operators Group.
>
>The panix.com domain was registered with Dotster. According to
>postings to the NANOG mailing list, Panix contacted Verisign which
>serves as the definitive registry for .com and .net domain names.
>
>However, Verisign replied that there was little it could do to
>rectify the situation. "If necessary, Dotster (or Melbourne) is more
>than welcome to contact us to obtain the specific details as to when
>the notices were sent and other historical information about the
>transfer itself," a customer service representative replied to Panix.
>
>"Dotster can file a Request for Enforcement if Melbourne IT contends
>that the request was legitimate and we will review the dispute and
>respond accordingly. Dotster can also contact Melbourne directly and
>if they come to an agreement that the transfer was fraudulent they
>can file a Request for Reinstatement and the domain would be
>reinstated to its original Registrar," the Verisign customer service
>representative wrote.
>
>"Dotster could submit a normal transfer request to Melbourne IT for
>the domain name and hope that Melbourne IT agrees to transfer the
>name back to them outside of a dispute having been filed. In order to
>expedite processing the transfer or submitting a Request for
>Reinstatement however Dotster will need to contact Melbourne IT
>directly. If Dotster is unable to get in touch with anyone at
>Melbourne IT we can assist them directly if necessary."
>
>In the interim, Panix set up a panix.net domain for its subscribers
>to utilise as a temporary solution.
>
>Several network admins who posted to the NANOG list were critical of
>Melbourne IT, claiming that the company was slow to react to the
>situation.
>
>However Theo Hnarakis, chief executive officer and managing director
>of the company, denied Melbourne IT had been slow to act. "Alex Rosen
>contacted me at midday Sunday and within 24 hours we ascertained that
>his complaint was genuine and transferred the domain back," he said.
>
>"I indicated to Alex that it would take some time to ascertain the
>authenticity of the charge and that we would act as soon as possible."
>
>Hnarakis said a transfer could not be done until procedures were gone
>through to ascertain whether the complaint was genuine.
>
>"We ourselves were not involved in the transfer of panix.com; it was
>done by one of our authorised resellers. We are now trying to
>ascertain the how and why of things and as soon as we have a clear
>picture we will be able to provide more details publicly if the other
>parties involved have no objection," he said.
>
>In a posting to the NANOG list, Melbourne IT's chief technology
>officer Bruce Tonkin said: "We are... investigating the chain of
>events that led to the problem in the first place. This will take
>longer, due to the various timezones and parties involved. In this
>case one of the parties was an ISP in the United Kingdom, which is a
>reseller of Melbourne IT."
>
>New rules for transferring domains came into effect on November 12
>and under these rules requests for transferring a domain are
>automatically approved in five days unless they are denied by the
>owner of the domain.
>
>However in the case of Panix, this does not appear to be the case.
>
>According to the old rules, the ownership of a domain and the
>nameservers allotted stayed as such if a request for a transfer
>evoked no response.
>
>Shortly before the rules took effect, the network services provider
>Netcraft had warned that domain owners who did not manage their
>records carefully would face problems under the new regime.
>
>If the contact addresses given in the records were incorrect then a
>request for transfer would go to a wrong address and after five days
>of no response, the transfer would become effective, it said.
>
>No reply becomes the equivalent of saying "yes" to a transfer
>request, according to the new ICANN policy. ICANN recently put up a
>page seeking public comment on experiences with inter-registrar
>transfer.
>--
>
>~~~
>Frannie Wellings
>Policy Fellow, the Electronic Privacy Information Center   ~
>http://www.epic.org
>Director, The Public Voice    ~   http://www.thepublicvoice.org
>
>1718 Connecticut Ave. N.W., Suite 200
>Washington, D.C.  20009
>USA
>
>wellings at epic.org
>
>+1 202 483 1140 x 107 (telephone)
>+1 202 483 1248 (fax)
>~~~

